Roberts Law Group News

CFATS Cyber Reporting Requirements

 

The Cybersecurity and Infrastructure Security Agency (CISA) has released a new webpage and fact sheet to provide guidance to Chemical Facility Anti-Terrorism Standards (CFATS)-regulated facilities regarding how and when to report cybersecurity incidents.
 
Through these resources, CISA provides that reportable significant cybersecurity incidents at a CFATS facility may include, but are not limited to:
  • Known security issues, vulnerabilities, and exploits that impact a CFATS Chemical of Interest (COI) asset or system;
  • Attempts to gain unauthorized access to a critical cyber system;
  • Threats to Operational Technology (OT) systems;
  • Ransomware incidents;
  • Phishing, malware, trojan horse, or virus attacks that were not contained;
  • Structured Query Language (SQL) injections where malicious code is injected into a server and forces it to disclose private data;
  • Attempts to gain unauthorized access to a system’s wireless network or mobile devices on the network;
  • Changes to a system’s firmware, software, or hardware without the system owner’s consent;
  • Disruption or Denial of Service (DoS) or Distributed Denial of Service (DDoS) attempts; and
  • Impacts to national security, economic security, or public health and safety systems.
 
Cyber systems that CISA considers critical are systems related to controlling, processing, ordering, and/or accessing CFATS COIs – including control systems, business systems, access control systems, Enterprise Resource Planning (ERP) systems, sales systems, and safety instrumented systems.
 
Once a cyber incident has been detected and response measures have been initiated, CFATS facilities are now required to report significant cybersecurity incidents to CISA via CISA Central at central@cisa.gov.
 
When contacting CISA Central, facilities should indicate they are “critical infrastructure” within the Chemical Sector. Facilities should also include a description of the incident, indicate that they are CFATS regulated, and include their CFATS facility identification number.