The US Government Accountability Office (GAO) has issued
a report on the cybersecurity of high-risk chemical facilities and found serious
security issues, as the guidance for policies and protection procedures hasn’t
been updated in a decade.
The Department of Homeland Security (DHS) is responsible
for monitoring all high-security installations, including high-risk chemical
facilities. More precisely, oversight is provided by the Chemical Facility
Anti-Terrorism Standards (CFATS) program within the DHS.
The latest GAO report found that the CFATS program is in
charge of setting the policies for around 3,300 facilities, but the guidance
issued by the program hasn’t been updated in 10 years, so it does not account
for current threats and technological advances and leaves all facilities exposed.
“A successful cyberattack against chemical facilities’
information and process control systems can disrupt or shut down operations and
lead to serious consequences, such as health and safety risks, including
substantial loss of life,” concludes the report.
“The chemical sector’s increasing reliance on these
systems to more efficiently control and automate the production and use of
hazardous chemicals combined with the rise in adversaries’ efforts to
manipulate and exploit vulnerabilities via evolving techniques, such as malware,
and others, illustrate the importance of ensuring that high-risk chemical
facilities are fully prepared to sustain and recover from these types of
GAO made a series of recommendations to the DHS, which
include the revision of the old guidance, the implementation of cybersecurity
measures at regular intervals and tracking their effectiveness, and more.
High-risk industries, such as power generation, chemical
facilities, utilities, government and military, are regularly targeted by
ransomware, APT groups and even state actors. It stands to reason that DHS
would be directly interested in keeping these facilities as secure as possible.