The Cybersecurity and Infrastructure Security Agency (CISA) has released a new webpage and fact sheet to provide guidance to Chemical Facility Anti-Terrorism Standards (CFATS)-regulated facilities regarding how and when to report cybersecurity incidents.
Through these resources, CISA provides that reportable significant cybersecurity incidents at a CFATS facility may include, but are not limited to:
- Known security issues, vulnerabilities, and exploits that impact a CFATS Chemical of Interest (COI) asset or system;
- Attempts to gain unauthorized access to a critical cyber system;
- Threats to Operational Technology (OT) systems;
- Ransomware incidents;
- Phishing, malware, trojan horse, or virus attacks that were not contained;
- Structured Query Language (SQL) injections where malicious code is injected into a server and forces it to disclose private data;
- Attempts to gain unauthorized access to a system’s wireless network or mobile devices on the network;
- Changes to a system’s firmware, software, or hardware without the system owner’s consent;
- Disruption or Denial of Service (DOS) or Distributed Denial of Service (DDOS) attempts; and
- Impacts to national security, economic security, or public health and safety systems.
Cyber systems that CISA considers critical are systems related to controlling, processing, ordering, and/or accessing CFATS COIs – including control systems, business systems, access control systems, Enterprise Resource Planning (ERP) systems, sales systems, and safety instrumented systems.
Once a cyber incident has been detected and response measures have been initiated, CFATS facilities are now required to report significant cybersecurity incidents to CISA via CISA Central at firstname.lastname@example.org.
When contacting CISA Central, facilities should indicate they are “critical infrastructure” within the Chemical Sector. Facilities should also include a description of the incident, indicate that they are CFATS regulated, and include their CFATS facility identification number.