Beyond CFATS: Evolving Chemical Industry Cybersecurity for a New Era                     

By Chad Vicknair

The Impact of CFATS on Cybersecurity

The expiration of the Chemical Facility Anti-Terrorism Standards (CFATS) marks a significant shift in the regulatory landscape for chemical manufacturers. As facilities reassess their security programs, it’s necessary to reflect on the impact of CFATS and chart a course forward that maintains robust cybersecurity practices.

CFATS played a pivotal role in shaping cybersecurity practices within the chemical industry, particularly in the realm of Industrial Control Systems (ICS) and IT/OT collaboration. Before CFATS, security measures for ICS were primarily driven by change management and basic access control. The regulation’s implementation initially caused confusion, but ultimately led to the establishment of ICS cybersecurity budgets, increased awareness of cyber threats, development of vendor solutions, and recognition of the need for IT/OT collaboration.

Key Takeaways from the CFATS Era

One of the most effective measures implemented under CFATS was the development of documented programs. These policies, standards, procedures, training protocols, and audit trails have built resilience within the chemical sector that persists today.

Transitioning to Risk-Based Security

With CFATS no longer in effect, chemical manufacturers should transition from a compliance-based approach to risk-based security. This shift involves conducting baseline and cyclical risk assessments based on ICS standards like IEC/ISA 62443, prioritizing mitigations for mission-critical and high-consequence systems, and maintaining core cybersecurity practices such as access control, least privilege, segmentation, and patching.

Addressing Potential Security Gaps

The absence of CFATS could lead to reduced focus on cybersecurity risks, especially during leadership changes or budget cuts. To mitigate this, companies should establish cybersecurity as a core value, maintain vigilance through changes in executive leadership, and ensure consistent cybersecurity budgeting to maintain incident response capabilities.

Industry-Led Initiatives

The ISA/IEC 62443 series of standards offers a robust framework for automation and control system cybersecurity. These consensus-based standards, developed by industry stakeholders, can help fill the void left by CFATS.

Recommendations for Chemical Facilities

As chemical facilities reassess their security programs in the post-CFATS landscape, they should transition to risk-based security using methodologies from standards like ISA/IEC 62443. It’s crucial to develop a prioritized roadmap based on risk assessment results and document all aspects of the security program to ensure resilience through staff changes. Finally, facilities should create detailed procedures for managing critical systems and engage third-party security vendors for assessments to avoid overlooking critical flaws.

By embracing these strategies, chemical facilities can maintain and even enhance their security posture in the absence of CFATS regulations. Remember, the goal is not just compliance, but creating a robust, adaptable security program that effectively protects your assets and operations in an ever-evolving threat landscape.