The bill would specifically direct DHS to conduct cyber risk assessments of the nation’s critical infrastructure in different economic sectors to determine the level of cyber risk within each sector. Owners of critical infrastructure would then be required to meet specific security outcomes using a Risk-Based Performance Standard (RBPS) model – starting with companies in economic sectors that present the highest risk. Given the current cyber risks facing industry (e.g., Stuxnet), it is very likely that companies in the chemical/petrochemical sector would be among those deemed to present a higher level of risk.
The risk-tier and performance-based structure envisioned by the bill is similar to that utilized by the Chemical Facility Anti-Terrorism Standards (CFATS). In other words, DHS could not prescribe any specific cyber security measures. Rather, companies would select and implement the cyber measures they determine to be best suited to satisfy the performance standards. Companies that meet the designated performance standard but still fall victim to a cyber attack would be granted certain liability protections.
The bill also requires DHS to evaluate whether existing regulations sufficiently protect the cyber assets of critical infrastructure owners. If DHS determines that an existing law provides a sufficient level of cyber security, then it would not double-regulate the company (i.e., DHS would not require companies already regulated by that law to meet any new performance standards for the affected cyber assets).
How This Can Affect Your Site:
- Regulated Sites: Companies with facilities subject to CFATS, for instance, could make the case that CFATS RBPS 8 (Cyber) already provides a sufficient level of cyber security and that CFATS-regulated sites should therefore be exempt from the new law.
- Non-Regulated Sites: Companies with facilities that possess critical cyber assets but are not subject to any other laws or regulations that affect those cyber assets may be required to meet the new cyber RBPSs.
It is, however, too early to speculate whether or not DHS would find that existing regulations such as CFATS provide a sufficient level of cyber security protection. Until the bill becomes law and DHS issues implementing regulations, it will not be possible to assess its full scope and potential impact on critical infrastructure owners.
I will continue to monitor the bill and related cyber security legislation closely.
Ryan Loughin is Director of Petrochemical & Energy Solutions for the Advanced Integration division of ADT (www.adtbusiness.com/petrochem). He provides security education to CFATS- and MTSA-affected companies and is a member of the National Petrochemical and Refiners Association (NPRA), Society of Chemical Manufacturers and Associates (SOCMA), Energy Security Council (ESC) and American Society for Industrial Security (ASIS). Loughin has also completed multiple levels of CVI (Chemical-Terrorism Vulnerability Information) Authorized User training, which was authored by the U.S. Department of Homeland Security.
Copyright © ADT Security Services, Inc. 2012 - All Rights Reserved.