Deep Dive And Best Practices - CISA

Transcription

CFATS Risk-Based Performance Standards: Deep Dive and Best Practices
Kelly Murray, Branch Chief, CFATS Operations, CISA Chemical Security
#ChemicalSecurity

Today's Session Will Cover
- Risk-Based Performance Standards (RBPS) Deep Dive
- Alert! SSP Edit Tips!
- Case Studies: Physical Security (Facility Plot) and Cybersecurity (Network Diagram)

Overarching Security Objectives
CISA has grouped the 18 RBPS into 5 Security Objectives:
- Detection: covers portions of Risk-Based Performance Standards (RBPS) 1-7
- Delay: covers portions of RBPS 1-7
- Response: covers portions of RBPS 11 and RBPS 9, 13-14
- Cybersecurity: covers RBPS 8
- Security Management: covers portions of RBPS 7 and 11 and RBPS 10, 12, and 15-18

Detect and Delay RBPS
The first seven RBPS address the Detection and Delay objectives:
- RBPS 1: Restrict Area Perimeter
- RBPS 2: Secure Site Assets
- RBPS 3: Screen and Control Access
- RBPS 4: Deter, Detect, and Delay
- RBPS 5: Shipping, Receipt, and Storage
- RBPS 6: Theft or Diversion
- RBPS 7: Sabotage

Detection (by security issue and tier)
Security issues: Theft/Diversion, Release, Sabotage

Theft/Diversion, Tier 1 and Tier 2: Maintain a high likelihood of detecting attacks at early stages, resulting in the capability to continuously monitor the critical asset or facility perimeter; allow for the notification of intrusion to a continuously manned location. This may be achieved by physical security systems (such as an intrusion detection system [IDS] or closed circuit television [CCTV]) or personnel presence, or a combination thereof, with no gaps.

Theft/Diversion, Tier 3: Maintain reasonable ability to detect and initiate a response in real time. For example, ensure monitoring systems are checked multiple times a day, including weekends.

Theft/Diversion, Tier 4: Maintain some ability to detect and initiate a response. For example, ensure monitoring systems are checked at least once a day, including weekends.

Release: Maintain a high likelihood of detecting attacks at early stages, resulting in the capability to continuously monitor the critical asset or facility perimeter; allow for the notification of intrusion in real time. This may be achieved by physical security systems or personnel presence, or a combination thereof, with no gaps, OR via process alarms with automatic mitigation measures.

Sabotage (**): Maintain the ability to detect attempted tampering prior to shipment. This may include traditional detection methods or perimeter-based detection of incoming substances through ingress screening and inspections, or shipping procedures requiring inspection prior to egress.

Detection (cont.)
If a facility chooses to utilize systems (IDS, ACS, or CCTV) for detection, ask yourself:
- Do they cover the appropriate areas and/or entry points?
- Are they activated at appropriate times?
- Do they alarm to a responsible and trained individual(s) in order to initiate a response?
If the facility utilizes employees or on-site security personnel, they must:
- Be capable and trained to provide detection.
- Be dedicated to or conduct patrols of the necessary areas.

Layers of Security

Tools for Detection
Alarm activation procedures:
- Call tree (facility personnel, local law enforcement, third-party support, etc.)
Confirmation:
- Via camera
- Via personnel
If able:
- Note description of event
- Note date/time/location
- Record as many details as possible (personnel description, vehicle and license plate, equipment, etc.)
- Keep recording
For threats made via phone:
- Keep the caller on the line as long as possible.
- Be polite and show interest to keep them talking.
- DO NOT HANG UP, even if the caller does.
- If possible, signal or pass a note to other staff to listen and help notify authorities.
- Write down as much information as possible (caller ID number, exact wording of threat, type of voice or behavior, etc.) that will aid investigators.
- Record the call, if possible.
Do NOT touch, tamper with, or move any package, bag, or item.

Alert! SSP Edit Tip!
Detection planned measures being implemented may result in MANY additional questions requiring responses:
- Doors/Walls/Gates
- Asset Areas
- Operational Hours
- Personnel Detection
- Local vs. third-party monitoring

Facility vs. Asset Protection
Facilities may choose to deploy security measures at the perimeter, at assets, or both. Defining assets and deploying security measures at specific assets is particularly important to facilities that require restriction to some employees, customers, etc., such as:
- Universities/Colleges
- Hospitals
- Store front operations
- Co-located facilities
[Diagram: Tier 1 and Tier 3 assets within a facility]

Alert! SSP Edit Tip!
Assets: Ensure that security measures are appropriately selected for all the asset check boxes.

Shipping and Receipt
- Carrier and Shipment Facility Access
- Security of Transportation Containers on Site
- Know Your Customer Checklist:
  - Identity
  - Verification of shipping address
  - Confirmation of financial status
  - Verification of product end-use
  - Evaluation of on-site security
  - CFATS Flyer
- In-Transit Security and Tracking
- Confirmation of Shipment
- Missing Shipment Reporting

Ordering and Inventory Control
- Who at your facility orders/conducts inventory of COI?
  - Do they have a copy of Appendix A?
  - Do they know what has been reported on the Top-Screen?
  - Are there checks and balances?
- How is inventory managed? Are inventories documented?
  - Process controls that monitor the level, weight, and/or volume
  - Other process parameters that measure the inventory of potentially dangerous chemicals
  - Other security measures, such as cross-checking of inventory through periodic inventory reconciliation to ensure that no product loss has occurred

Response
Develop and exercise an emergency plan to respond to security incidents internally and with the assistance of local law enforcement and first responders.
- Response focuses on planning to mitigate, respond to, and report incidents in a timely manner between facility personnel, first responders, and law enforcement.
- Local Emergency Planning Committees (LEPC) may be contacted by local Chemical Security Inspectors to verify that facilities have developed plans for emergency notification, response, evacuation, etc.
- CISA Gateway: a CISA platform to share and coordinate CFATS information among federal and state, local, territorial, and tribal (SLTT) agency partners.

Alert! SSP Edit Tip!
Consider all the elements of your facility's crisis management plan or emergency response plan as they relate to your COI.

Crisis Management Plan
Elements of the plan:
- Purpose: Mission, Vision, Objectives
- Contact and Resource Lists: Emergency Contacts, Utility Resources, Call Log / Phone Tree, Community Contacts
- Definitions and Scenarios
- Roles and Responsibilities: Team Structure, Roles, and Responsibilities; Organizational Chart
- Preparedness: Outreach, Documented Agreements, Joint Exercises / Drills, NTAS
- Policies and Plans: Security and Emergency Response Procedures, Community Notification, Continuity of Operations, Contingency Plan, Re-entry and Post-Incident Procedures
- Response
- Recovery
- Templates and Worksheets: Incident Worksheets, Lessons Learned Form, Investigations Worksheet

Outreach with Local Responders
- Invite Local Law Enforcement (LLE) and Responders to CISA inspections
- Coordinate with LLE to conduct joint exercises and drills
- Create a First Responder Toolkit: Keys/Access Cards, Facility Plot, Radio
- Maintain involvement in the Local Emergency Planning Committee (LEPC)

Cybersecurity
RBPS 8 addresses the deterrence of cyber sabotage, including preventing unauthorized on-site or remote access to critical process controls, critical business systems, and other sensitive computerized systems.
When considering what systems could impact the security of the COI, facilities should examine:
- Physical Security Systems: an access control or security system that is connected to other systems. Does the facility employ an intrusion detection system or cameras?
- Inventory Management: a business system that manages the ordering/shipping of a COI. Does the facility utilize software to manage ordering, shipping, or inventory?
- COI Processing: a control system that monitors or controls physical processes that contain COI. Does the facility employ control systems (ICS, DCS, SCADA)?

Cybersecurity Policies
Policy areas: Purpose; Security Policies; Access Control and Management; Network Security; Business Planning; Configuration Management
Elements to address:
- Critical System Identification / Protection
- Mission
- Roles and Responsibilities
- Contacts
- Rules of Behavior
- Password Policies
- Access Determination / Least Privilege
- External Connections
- Remote Access
- Third-party Cyber Support
- Cybersecurity Controls
- System Boundaries
- Monitoring
- Audits
- Continuity Plan
- Disaster Recovery Plan
- Training
- Incident Reporting
- Cyber Asset Identification
- Network/System Architecture
- Business Needs

Alert! SSP Edit Tip!
Don't forget to add cyber systems!

Security Management
Security Management is the capability to manage the SSP/ASP, including the development of policies, procedures, and other processes that support Site Security Plan implementation and oversight.
Components: Inspection, Testing and Maintenance; Reporting and Investigations; Security Organization and Records; Personnel Surety; Training

Security Management (cont.)
To ensure your facility is effectively implementing all RBPS within the security management guidepost:
- Clearly document and communicate all policies and procedures.
- Maintain all associated records.
- Be capable of presenting these to inspectors.
Records to maintain: Training and Exercise Policies and Records; Incident and Threat Policies and Records; Maintenance Program Records; Outreach Procedures; Contractual Documents

Security Awareness and Roles
- Security Awareness Training (topics and frequency):
  - Security Laws
  - Threats
  - SSP Requirements
  - Recognition of suspicious activities
  - Reporting of suspicious activities
- Drills and Exercises:
  - Simulations
  - Exercises
  - Joint Initiatives
  - Tests
- Training Records
- Outreach

Alert! SSP Edit Tip!24

Personnel Surety
Maintain a checklist, or similar document, to assist human resources (HR) personnel in ensuring all affected individuals are properly on-boarded.
Hiring Checklist:
- Valid Form of ID
- Criminal Background Check
- I-9 Form
- TSDB submission
- Provided Privacy Notice
- Badge
- Access Credentials/Keys
- IT Access
- Emergency Contact
- Orientation
- Security Training

Alert! SSP Edit Tip!26

Reporting Significant Security Incidents
What is significant?
- Breach of perimeter or asset
- Inventory issue
- Suspicious order
- Suspicious person, vehicle, or UAS
- Broken equipment
- Missing shipment/order
- Cyber intrusion, phishing, or ransomware
Contact local law enforcement and emergency responders:
- If a significant security incident or suspicious activity is detected while in progress.
- If a significant security incident or suspicious activity has concluded, but an immediate response is necessary.
- Once a security incident or suspicious activity has concluded and any resulting emergency has been dealt with.

Incident Report, then Investigate, then Lessons Learned
- Investigate: In order to understand, resolve, and learn from all of the circumstances, evidence, and other factors, use facility investigators, local law enforcement, or a third party.
- Lessons Learned: Distribute through updated training, briefings, memos, posters, etc.

Officials and Organization
Define a security organizational structure in writing that identifies specific security duties and responsibilities.
Example organizational chart from the slide:
- Owner: K. Murray
- Corporate Security Office: S. Jefferson
- Facility Security Officer: A. Adams
- Security Force
- Corporate Cybersecurity Officer: J. Bauer
- Cybersecurity Officer
- Operations Manager: M. Jones
- Facility Management: T. Turner
- Contractors/Visitors
- Employees
- Employees with Security Duties

Annual Audit
The required SSP/ASP annual audit is one way facilities should ensure they are staying in compliance with their approved SSP/ASP. This audit could include:
- Verification of Top-Screen and Security Vulnerability Assessment (SVA) data.
- Confirmation of all Chemical Security Assessment Tool (CSAT) user roles.
- Confirmation of all existing and planned measures from the SSP/ASP.
- Sampling of RBPS 18 records.
- Review of current policies, procedures, training, etc.

Annual Audit Example

Case Study: Physical Security
4/8/2020 FOR OFFICIAL USE ONLY

Case Study: Cybersecurity
[Network diagram: IDS Sensor]

Available Resources
Outreach: CISA outreach for CFATS is a continuous effort to educate stakeholders on the program.
- To request a CFATS presentation or a CAV, submit a request through the program website cisa.gov/cfats, or email CISA at CFATS@hq.dhs.gov.
CSAT Help Desk: Direct questions about the CFATS program to the CSAT Help Desk.
- Hours of Operation are Mon - Fri, 8:30 AM - 5 PM (ET).
- CSAT Help Desk toll-free number 1-866-323-2957.
- CSAT Help Desk email address CSAT@hq.dhs.gov.
CFATS Web Site: For CFATS Frequently Asked Questions (FAQs), CVI training, and other useful CFATS-related information, please go to cisa.gov/cfats.

CFATS Risk-Based Performance Standards: Deep Dive and Best Practices
Author: Cybersecurity and Infrastructure Security Agency
Created Date: 1/7/2021 2:19:11 PM