CFATS Risk-Based Performance Standards (RBPS) Deep Dive and Best Practices - CISA

Transcription

CFATS Risk-Based Performance Standards (RBPS): Deep Dive and Best Practices
Kelly Spade, Program Analyst, Compliance Branch, Chemical Security
Infrastructure Security Division, Cybersecurity and Infrastructure Security Agency
December 1, 2021
#ChemicalSecurity

What to Expect
- Guide to the RBPS
- Site Security Plan (SSP) tips
- Case study

Overarching Security Objectives
CISA has grouped facility security into five security objectives:
- Detection: addressed by portions of RBPS 1-7
- Delay: addressed by portions of RBPS 1-7
- Response: addressed by portions of RBPS 9, 11, and 13-14
- Cybersecurity: addressed by RBPS 8
- Security Management: addressed by portions of RBPS 7, 10-12, and 15-18

Facility vs. Asset Protection
Facilities may choose to deploy security measures at the perimeter, at the asset, or both. Defining assets and deploying asset-based security is particularly important at facilities that must restrict access to certain employees, customers, etc., such as:
- Universities/colleges
- Hospitals
- Storefront operations
- Co-located facilities
(Diagram: a facility perimeter containing several Tier 1 and Tier 3 assets.)

Layers of Security
(Diagram slide.)

SSP Tip! Ensure that all applicable asset check boxes are selected for the relevant security measures.

Detection and Delay
- RBPS 1: Restrict Area Perimeter
- RBPS 2: Secure Site Assets
- RBPS 3: Screen and Control Access
- RBPS 4: Deter, Detect, and Delay
- RBPS 5: Shipping, Receipt, and Storage
- RBPS 6: Theft or Diversion
- RBPS 7: Sabotage

Detection and Delay Tier Considerations

Detection:
- Theft/Diversion Tiers 1-2 and Release Tiers 1-4: maintain a high likelihood of detecting attacks at early stages, resulting in the capability to continuously monitor.
- Theft/Diversion Tier 3: maintain a reasonable ability to detect and initiate a response in real time.
- Theft/Diversion Tier 4: maintain some ability to detect and initiate a response.

Delay:
- Tier 1: the facility has a very high likelihood of deterring and/or delaying an attack.
- Tier 2: the facility has a high likelihood of deterring and/or delaying an attack.
- Tiers 3-4: the facility has some ability to deter and/or delay an attack.

Detection and Delay Considerations
If a facility chooses to use systems (IDS, ACS, or CCTV) for detection and delay, consider:
- Do they cover the appropriate areas and/or entry points?
- Are they activated at the appropriate times?
- Do they alarm to a responsible and trained individual (or individuals) who can initiate a response?
If the facility relies on employees or on-site security personnel, they must:
- Be capable of and trained to provide detection.
- Be dedicated to, or conduct patrols of, the necessary areas.

Example: Interrelation of Guideposts

Alarm activation procedures:
- Call tree (facility personnel, local law enforcement, third-party support, etc.)
- Confirmation: via camera, via personnel
- If able: note a description of the event; note date/time/location; record as many details as possible (personnel description, vehicle and license plate, equipment, etc.); keep recording.
- Do NOT touch, tamper with, or move any package, bag, or item.

For threats made via phone:
- Keep the caller on the line as long as possible. Be polite and show interest to keep them talking.
- DO NOT HANG UP, even if the caller does.
- If possible, signal or pass a note to other staff to listen and help notify authorities.
- Write down as much information as possible (caller ID number, exact wording of the threat, type of voice or behavior, etc.) that will aid investigators.
- Record the call, if possible.

SSP Tip! Implementing Detection and Delay planned measures may result in MANY additional questions requiring responses, covering:
- Doors/walls/gates
- Asset areas
- Operational hours
- Personnel detection
- Local vs. third-party monitoring

Shipping and Receipt
- Carrier and shipment facility access
- Security of transportation containers on site
- In-transit security and tracking
- Confirmation of shipment
- Missing shipment reporting

Know Your Customer checklist (CFATS flyer):
- Identity
- Verification of shipping address
- Confirmation of financial status
- Verification of product end-use
- Evaluation of on-site security

Ordering and Inventory Control

Questions to ask:
- Who at your facility orders or conducts inventory of COI?
- Do they have a copy of Appendix A?
- Do they know what has been reported on the Top-Screen?
- Are there checks and balances?
- How is inventory managed?
- Are inventories documented?

Measures to consider:
- Process controls that monitor the level, weight, and/or volume of COI
- Other process parameters that measure the inventory of potentially dangerous chemicals
- Other security measures, such as cross-checking inventory through periodic inventory reconciliation to ensure that no product loss has occurred
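The reconciliation measure above is the one control on this slide that can be expressed as a procedure: the book quantity (opening inventory plus receipts, minus shipments and process consumption, all traceable to a document) is compared against what the process instrumentation or a physical count actually measures, and any variance beyond a stated tolerance is flagged for investigation. The following is an added example written for this page, not CISA or CFATS material; the COI names, quantities, document references and tolerances are constructed, and a facility would substitute its own Top-Screen COI and its own gauge accuracy when setting tolerances.

```python
"""Periodic COI inventory reconciliation: book quantity vs. measured quantity.

Added example, not CISA/CFATS material. The ledger, readings and tolerances
below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

@dataclass(frozen=True)
class Movement:
    date: str
    coi: str
    kind: str    # "receipt", "shipment", "consumption" or "adjustment"
    qty: float   # one consistent unit per COI (kg here)
    ref: str     # the document that justifies the movement: PO, BOL, batch record

@dataclass
class Finding:
    coi: str
    expected: float   # book quantity derived from the ledger
    measured: float   # gauge reading or physical count (None if not counted)
    variance: float   # measured - expected; negative means product is missing
    status: str       # "ok", "investigate" or "not counted"

# Sign of each movement kind when rolling the ledger forward.
SIGN = {"receipt": 1.0, "shipment": -1.0, "consumption": -1.0, "adjustment": 1.0}

def book_quantity(opening: float, movements: Iterable[Movement]) -> float:
    """Roll the opening balance forward through every documented movement."""
    total = opening
    for m in movements:
        if m.kind not in SIGN:
            raise ValueError(f"unknown movement kind {m.kind!r} in {m.ref}")
        total += SIGN[m.kind] * m.qty
    return total

def reconcile(opening: Dict[str, float], movements: List[Movement],
              measured: Dict[str, float], tolerance_pct: float = 2.0,
              tolerance_abs: float = 5.0) -> Dict[str, Finding]:
    """Compare book vs. measured quantity for every COI that appears anywhere.

    The allowed variance is the larger of an absolute floor (gauge noise on a
    near-empty tank) and a percentage of the book quantity. A COI that has
    ledger movements but no reading is itself a finding: it was never counted.
    """
    findings: Dict[str, Finding] = {}
    all_coi = set(opening) | {m.coi for m in movements} | set(measured)
    for coi in sorted(all_coi):
        expected = book_quantity(opening.get(coi, 0.0),
                                 [m for m in movements if m.coi == coi])
        if coi not in measured:
            findings[coi] = Finding(coi, expected, None, 0.0, "not counted")
            continue
        variance = measured[coi] - expected
        allowed = max(tolerance_abs, abs(expected) * tolerance_pct / 100.0)
        status = "ok" if abs(variance) <= allowed else "investigate"
        findings[coi] = Finding(coi, expected, measured[coi], variance, status)
    return findings

def needs_investigation(findings: Dict[str, Finding]) -> List[str]:
    """COI whose variance or missing count should trigger an RBPS 15/16 review."""
    return [c for c, f in sorted(findings.items()) if f.status != "ok"]

# Constructed sample data: one theft/diversion COI, one release COI, one never counted.
OPENING = {"ammonium nitrate": 1000.0, "chlorine": 800.0}
LEDGER = [
    Movement("2021-11-01", "ammonium nitrate", "receipt", 2000.0, "PO-4471"),
    Movement("2021-11-09", "ammonium nitrate", "consumption", 1500.0, "BATCH-0911"),
    Movement("2021-11-15", "ammonium nitrate", "shipment", 300.0, "BOL-2208"),
    Movement("2021-11-03", "chlorine", "receipt", 400.0, "PO-4480"),
    Movement("2021-11-20", "chlorine", "consumption", 350.0, "BATCH-1120"),
    Movement("2021-11-22", "propane", "receipt", 500.0, "PO-4502"),
]
# Month-end readings: tank gauge and bin scale, converted to kg.
READINGS = {"ammonium nitrate": 1080.0, "chlorine": 842.0}

if __name__ == "__main__":
    result = reconcile(OPENING, LEDGER, READINGS)
    for f in result.values():
        print(f"{f.coi:18} book={f.expected:8.1f} measured={f.measured} "
              f"variance={f.variance:+8.1f} -> {f.status}")
    print("investigate:", needs_investigation(result))
```

In the constructed data the ammonium nitrate book quantity is 1,200 kg against a measured 1,080 kg, a 120 kg shortfall well outside the 2% tolerance, so it is flagged; chlorine is 8 kg under book, within tolerance for an 850 kg tank; propane was received but never counted and is flagged on that basis alone. Unexplained shortfalls of a theft/diversion COI are exactly the kind of "inventory issue" the Reporting Significant Security Incidents slide lists.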

Response
- RBPS 9: Response
- RBPS 11: Training
- RBPS 13: Elevated Threats
- RBPS 14: Specific Threats, Vulnerabilities, or Risks

Response Planning and Resources
- Develop and exercise an emergency plan to respond to security incidents internally and with the assistance of local first responders.
- Response focuses on planning to mitigate, respond to, and report incidents in a timely manner, with coordination between facility personnel and first responders such as law enforcement and fire departments.
- Chemical Security Inspectors may contact local response organizations to strengthen ties and verify coordination regarding emergency notification, response, evacuation, etc.
- CISA Gateway: a CISA platform where CFATS information can be shared among federal and state, local, tribal, and territorial (SLTT) agency partners.

Crisis Management Plan
Elements of a crisis management plan:
- Purpose
- Mission
- Contact and Resource Lists
- Emergency Contacts
- Utility Resources
- Definitions and Scenarios
- Call Log / Phone Tree
- Community Contacts
- Team Structure, Roles, and Responsibilities
- Organizational Chart
- Outreach
- Documented Agreements
- Joint Exercises / Drills
- NTAS Policies and Plans
- Response
- Security and Emergency Response Procedures
- Recovery
- Continuity of Operations
- Templates and Worksheets
- Incident Worksheets
- Community Notification
- Contingency Plan
- Re-entry and Post-Incident Procedures
- Lessons Learned Form
- Investigations Worksheet

SSP Tip! Consider all the elements of your facility's crisis management plan or emergency response plan as they relate to your COI.

Outreach to Local Responders
- Invite local responders to CFATS inspections.
- Create a First Responder Toolkit: keys/access cards, facility plot, radio.
- Coordinate with local responders to conduct joint exercises and drills.
- Maintain involvement in the Local Emergency Planning Committee (LEPC).

Cybersecurity: RBPS 8 (Cyber)
RBPS 8 addresses the deterrence and detection of cyber sabotage, including preventing unauthorized on-site or remote access to critical process controls, critical business systems, and other sensitive computerized systems.

Cyber Systems
Consider which systems could affect the security of the COI.
- Physical security systems: access control or other electronic security that is connected to other systems. Does the facility employ an intrusion detection system or cameras?
- Business systems: inventory management systems; ordering, shipping, and receiving systems.
- Process and control systems: systems that monitor or control physical processes that contain COI. Does the facility employ control systems (ICS, DCS, SCADA)?

SSP Tip! Don't forget to add cyber systems!

Cybersecurity Measures and Policies
Sections of a cybersecurity plan: Purpose; Security Policies; Access Control and Management; Network Security; Business Planning; Configuration Management.
Elements covered across these sections:
- Critical system identification / protection
- Mission
- Roles and responsibilities
- Contacts
- Rules of behavior
- Password policies
- Access determination / least privilege
- External connections
- Remote access
- Third-party cyber support
- Cybersecurity controls
- System boundaries
- Monitoring
- Continuity plan
- Disaster recovery plan
- Incident reporting
- Cyber asset identification
- Network/system architecture
- Business needs
- Audits
- Training

Security Management
- RBPS 7: Sabotage
- RBPS 10: Monitoring
- RBPS 11: Training
- RBPS 12: Personnel Surety
- RBPS 15: Reporting Significant Security Incidents
- RBPS 16: Significant Security Incidents and Suspicious Activities
- RBPS 17: Officials and Organization
- RBPS 18: Records

Security Management (cont.)
Security Management is the capability to manage the SSP/ASP, including the development of policies, procedures, and other processes that support Site Security Plan implementation and oversight.
(Diagram: Security Management at the center, surrounded by Inspection and Testing, Personnel Surety, Security Organization and Records, and Training.)

Security Awareness and Training
(Diagram: Roles; Topics and Frequency; Security Awareness Training; Drills and Exercises; Training Records; Outreach.)

SSP Tip!

Personnel Surety: Hiring Checklist
Maintain a checklist or similar document to assist human resources (HR) personnel in ensuring all affected individuals are properly on-boarded:
- Valid form of ID
- Criminal background check
- I-9 form
- TSDB submission
- Badge
- Access credentials/keys
- IT access
- Emergency contact
- Orientation
- Security training provided
- Privacy notice

As a Reminder: Affected Individuals
Affected individuals are:
- Facility personnel with or seeking access to restricted areas or critical assets at high-risk chemical facilities, AND
- Unescorted visitors with or seeking access to restricted areas or critical assets at high-risk chemical facilities.
High-risk facilities may classify particular contractors as either "facility personnel" or "visitors." This determination should be facility-specific and based on facility security, operational requirements, and business practices.

Reporting Significant Security Incidents
What is significant?
- Breach of perimeter or asset
- Inventory issue
- Suspicious order
- Suspicious person, vehicle, or UAS
- Broken equipment
- Missing shipment/order
- Cyber intrusion, phishing, or ransomware

Contact local law enforcement and other emergency responders:
- If a significant security incident or suspicious activity is detected while in progress.
- If a significant security incident or suspicious activity has concluded, but an immediate response is necessary.
- Once a security incident or suspicious activity has concluded and any resulting emergency has been dealt with.

Incident Report
Report, then Investigate, then capture Lessons Learned, then Distribute through updated training, briefings, memos, posters, etc.
To understand, resolve, and learn from the circumstances, evidence, and other factors, use facility investigators, local law enforcement, or a third party.

Officials and Organization
Define a security organizational structure in writing that identifies specific security duties and responsibilities.
(Example organizational chart from the slide:)
- Owner: K. Murray
- Corporate Security Office: S. Jefferson
- Facility Security Officer: A. Adams
- Security Force
- Corporate Cybersecurity Officer: J. Bauer
- Cybersecurity Officer
- Operations Manager: M. Jones
- Facility Management: T. Turner
- Contractors/Visitors
- Employees
- Employees with Security Duties

Annual Audit
The required SSP/ASP annual audit helps facilities ensure continued compliance with their approved SSP/ASP. This audit could include:
- Verification of Top-Screen and Security Vulnerability Assessment (SVA) data.
- Confirmation of all Chemical Security Assessment Tool (CSAT) user roles.
- Confirmation of all existing and planned measures from the SSP/ASP.
- Sampling of RBPS 18 records.
- Review of current policies, procedures, training, etc.

Annual Audit Example
(Diagram slide.)

Case Study: Physical Security
(FOR OFFICIAL USE ONLY)

Available Resources
- Outreach: CISA outreach for CFATS is a continuous effort to educate stakeholders on the program. To request a CFATS presentation or a CAV, submit a request through the program website cisa.gov/cfats or email CISA at CFATS@hq.dhs.gov.
- CSAT Help Desk: Direct questions about the CFATS program to the CSAT Help Desk. Hours of operation are Mon. - Fri., 8:30 AM - 5:00 PM (ET). Toll-free number: 1-866-323-2957. Email: csat@dhs.gov.
- CFATS Web Site: For CFATS Frequently Asked Questions (FAQs), CVI training, and other useful CFATS-related information, go to cisa.gov/cfats.
- CFATS Knowledge Center: For CFATS FAQs and other resources, go to csat-help.dhs.gov.
