The US Government Accountability Office (GAO) has issued a report on the cybersecurity of the high-risk chemical facilities and found serious security issues as the guidance for policies and protection procedures hasn’t been updated in a decade.
The Department of Homeland Security (DHS) is responsible for monitoring all high-security installations, including high-risk chemical facilities. More precisely, oversight is provided by the Chemical Facility Anti-Terrorism Standards (CFATS) program within the DHS.
The latest GAO report found that the CFATS program is in charge of setting the policies for around 3,300 facilities, but the guidance issued by the program hasn’t been updated in 10 years, leaving all facilities open to current threats and technological advances.
“A successful cyberattack against chemical facilities’ information and process control systems can disrupt or shut down operations and lead to serious consequences, such as health and safety risks, including substantial loss of life,” concludes the report.
“The chemical sector’s increasing reliance on these systems to more efficiently control and automate the production and use of hazardous chemicals combined with the rise in adversaries’ efforts to manipulate and exploit vulnerabilities via evolving techniques, such as malware, and others, illustrate the importance of ensuring that high-risk chemical facilities are fully prepared to sustain and recover from these types of attacks.”
GAO made a series of recommendations to the DHS, which includes the revision of the old guidance, the implementation of cybersecurity measures at regular intervals and tracking their effectiveness, and more.
High-risk industries, such as power generation, chemical facilities, utilities, government and military, are regularly targeted by ransomware, APT groups and even state actors. It stands to reason that DHS would be directly interested in keeping these facilities as secure as possible.