The US Cybersecurity and Infrastructure Security Agency (CISA) has urged Congress to reauthorize a critically important program designed to protect the nation from terrorist attacks on its chemicals sector.
Four months ago, lawmakers allowed the Chemical Facility Anti-Terrorism Standards (CFATS) program’s statutory authority to expire, leaving the industry exposed for the first time in 15 years.
“CFATS provides essential resilience for the chemical industry by enabling chemical facility owners and operators to understand the risks associated with their chemical security holdings, develop site security plans and programs, conduct site inspections, coordinate with local law enforcement and first responders, and continue to reevaluate each facility’s security posture based on changes in its chemical holdings and threat nexus,” explained CISA associate director for chemical security, Kelly Murray.
“We at CISA follow our own advice: we believe in putting the right security plans and countermeasures in place before an incident occurs to reduce the risk of incidents occurring and improving resilience during and after incidents to reduce the impact on our communities and our nation.”
Murray warned that over the past four months, CISA estimates that 200 new facilities have acquired dangerous chemicals, while others could be stockpiling chemicals to dangerous levels – increasing the risk of terrorist attacks.
She added that for the past few months CISA has been unable to vet an estimated 36,000 employees in the sector against a Terrorist Screening Database. Hundreds of site inspections have also been missed, meaning CISA has been unable to identify security gaps and suggest remediation.
Although much of the program focuses on physical security, there is also a strong cyber element to it, given that facilities are controlled and managed by computer systems.
In fact, the chemical industry was selected by the White House last year as the fourth critical infrastructure (CNI) sector to take part in a 100-day cybersecurity sprint, under the Industrial Control Systems (ICS) Cybersecurity Initiative.