CISA to Congress: US Under Threat of Chemical Attacks

CISA warned this week that facilities maintaining dangerous chemicals across the US are no longer receiving adequate security support.

Compared with such industries as energy, water, and telecoms, cybersecurity professionals tend to be less au courant with the chemicals sector, despite the physical and cybersecurity threats it faces.

CISA used to plug that gap with its Chemical Facility Anti-Terrorism Standards (CFATS). In CISA's own words, CFATS "identifies and regulates high-risk facilities to ensure security measures are in place to reduce the risk that certain dangerous chemicals are weaponized by terrorists." But on July 28, Congress allowed the statutory authority of the CFATS program to expire.

Yesterday, in a blog marking the fourth monthiversary of that decision, CISA associate director for chemical security Kelly Murray warned that "the absence of the CFATS program is a national security gap too great to ignore," likely leading to security gaps, unsafe conditions, and possibly even access by a terrorist.

Terrorist Threats to the Chemicals Industry

There are four primary pillars to CFATS, each with an important security function.

Firstly, CISA has screened over 40,000 chemical facilities through the program, identifying 3,200 of them as high-risk. With four months of downtime, the agency estimates that at least 200 new facilities have likely acquired dangerous chemicals, and that "facilities could be stockpiling these chemicals in excess of their existing security precautions, increasing the risk of terrorist exploitation."

Equally, through CFATS, CISA worked with facilities to identify risks to them and their surroundings, and develop cyber and physical safety plans to mitigate those risks, improving their security postures by around 60%. As Murray explained, approximately one third of CISA's site visits historically tended to reveal security gaps, thus "we can safely estimate that hundreds of security gaps have gone unidentified since July."

Perhaps most importantly, chemical facilities used CFATS to run personnel against a Terrorist Screening Database. CISA used to vet an average of 9,000 names per month, flagging in all more than 10 individuals with terrorist ties. At these rates, Murray estimated, its missed screenings "likely would have identified an individual with or seeking access to dangerous chemicals as a known or suspected terrorist at some point over the past four months."

Lastly, CFATS was designed to help the chemical industry stay ahead of the evolving threat landscape, both from a physical and cyber standpoint. "Prior to the lapse in authority, this process was going to be further enhanced by a proposed rulemaking effort to enhance the physical and cybersecurity standards required of CFATS," Murray explained, though now no longer.

Murray ended the letter with a call to Congress to reinstate CFATS. "This is a resolution we cannot afford to break," she concluded.