News

Updated NTAS Bulletin

On November 10, 2021, the Secretary of Homeland Security issued an updated National Terrorism Advisory System (NTAS) Bulletin regarding the current heightened threat environment across the United States.

While the Department of Homeland Security is not aware of an imminent and credible threat to a specific location in the United States, the NTAS Bulletin notes that the United States continues to face threats posed by individuals and small groups engaged in violence, including Domestic Violent Extremists (DVEs) and those inspired or motivated by foreign terrorists and other malign foreign influences. Among other things, the NTAS Bulletin provides the following:

  • Following the 20th anniversary of the September 11th attacks and the U.S. withdrawal from Afghanistan, violent extremist media branches of al-Qa’ida and its affiliates, as well as the Islamic State of Iraq and as-Sham (ISIS), have celebrated perceived victories over the United States and encouraged the use of violence by their followers and supporters to further their objectives.
  • Historically, DVEs and individuals inspired by foreign terrorist organizations have targeted crowded commercial facilities, among other locations, which have at times caused mass casualties. The continued reopening of commercial facilities and the potential for ongoing societal and economic disruptions due to the pandemic, as well as mass gatherings associated with several dates of religious significance over the next few months, could provide increased targets of opportunity for violence.
  • Foreign and domestic threat actors, to include foreign intelligence services, foreign terrorist organizations, and DVEs, continue to introduce, amplify, and disseminate narratives online that promote violence, and have called for violence against commercial facilities, among other perceived ideological opponents.
  • Ideologically motivated violent extremists fueled by personal grievances and violent extremist ideological beliefs continue to derive inspiration from and obtain operational guidance, including regarding the use of improvised explosive devices and small arms, through the consumption of information shared in online forums.

Area Maritime Security Committee 2020 Annual Report

On November 2, 2021, the Office of Port and Facility Compliance (CG-FAC) published the Area Maritime Security Committee 2020 Annual Report.

The Annual Report highlighted challenges, suggestions, accomplishments, and best practices across the 43 Area Maritime Security Committees (AMSCs) in 2020. These included, among others, COVID-19 impacts, cybersecurity, Unmanned Aircraft Systems, and Homeport 2.0.

Continuing the Coast Guard’s focus on the cyber domain, a large portion of the Annual Report was focused on cybersecurity and related matters. The Annual Report noted “a noticeable lack of cyber expertise among some AMSC’s membership and regulated facility or vessel operators” and that a “copious amount of information on cyber is being shared, but there is a gap in the technical expertise to translate this information into actionable efforts.”

In response, the majority of AMSCs established cyber subcommittees to help understand and address cybersecurity risks. Additionally, Coast Guard Headquarters is developing cyber training for the field, including a Learning Management System-based module, a Stevens Institute course, and combined CG-FAC / Coast Guard Cyber Command (CGCYBER) / Office of Cyberspace Forces (CG-791) virtual and roadshow workshops.

Nonetheless, despite these efforts and the publication of Navigation and Vessel Inspection Circular (NVIC) 01-20: Guidelines for Addressing Cyber Risks at MTSA Regulated Facilities, the future expectations in the cyber domain and how they will impact Maritime Transportation Security Act (MTSA)-regulated facilities remain a concern for many in industry and many AMSCs.

CFATS Cyber Reporting Requirements

The Cybersecurity and Infrastructure Security Agency (CISA) has released a new webpage and fact sheet to provide guidance to Chemical Facility Anti-Terrorism Standards (CFATS)-regulated facilities regarding how and when to report cybersecurity incidents.

Through these resources, CISA provides that reportable significant cybersecurity incidents at a CFATS facility may include, but are not limited to:

  • Known security issues, vulnerabilities, and exploits that impact a CFATS Chemical of Interest (COI) asset or system;
  • Attempts to gain unauthorized access to a critical cyber system;
  • Threats to Operational Technology (OT) systems;
  • Ransomware incidents;
  • Phishing, malware, trojan horse, or virus attacks that were not contained;
  • Structured Query Language (SQL) injections where malicious code is injected into a server and forces it to disclose private data;
  • Attempts to gain unauthorized access to a system’s wireless network or mobile devices on the network;
  • Changes to a system’s firmware, software, or hardware without the system owner’s consent;
  • Disruption or Denial of Service (DOS) or Distributed Denial of Service (DDOS) attempts; and
  • Impacts to national security, economic security, or public health and safety systems.

Cyber systems that CISA considers critical are systems related to controlling, processing, ordering, and/or accessing CFATS COIs – including control systems, business systems, access control systems, Enterprise Resource Planning (ERP) systems, sales systems, and safety instrumented systems.

Once a cyber incident has been detected and response measures have been initiated, CFATS facilities are now required to report significant cybersecurity incidents to CISA via CISA Central at [email protected].

When contacting CISA Central, facilities should indicate they are “critical infrastructure” within the Chemical Sector. Facilities should also include a description of the incident, indicate that they are CFATS regulated, and include their CFATS facility identification number.

DHS Semiannual Regulatory Agenda

The Department of Homeland Security (DHS) published its Semiannual Regulatory Agenda on July 30, 2021, which included proposed actions related to the Ammonium Nitrate Security Program and the Chemical Facility Anti-Terrorism Standards (CFATS).

Ammonium Nitrate Security Program

DHS’s Cybersecurity and Infrastructure Security Agency (CISA) proposed a rulemaking to implement the December 2007 amendment to the Homeland Security Act titled “Secure Handling of Ammonium Nitrate.” The amendment requires DHS to “regulate the sale and transfer of ammonium nitrate by an ammonium nitrate facility . . . to prevent the misappropriation or use of ammonium nitrate in an act of terrorism.” CISA previously issued a Notice of Proposed Rulemaking (NPRM) on August 3, 2011, and CISA is planning to issue a Supplemental NPRM in November 2021.

CFATS

Taking into consideration the comments received during the August 2014 Advance NPRM regarding potential revisions to the CFATS regulations, CISA has determined to limit the scope of its next CFATS rulemaking to improving Appendix A to the CFATS regulations and addressing concerns with release-flammable security issues. Additionally, in June 2020, CISA published a notice announcing the availability of a retrospective analysis of the data, assumptions, and methodology that were used to support the 2007 CFATS interim final rule and provided the public an opportunity to provide comment. CISA is reviewing the comments received on the retrospective analysis and determining the next appropriate step for this rulemaking.

TSA Issues Additional Cybersecurity Requirements for Critical Pipeline Owners and Operators

The Transportation Security Administration (TSA) announced the issuance of a Second Security Directive that requires owners and operators of TSA-designated critical pipelines to: (1) implement specific mitigation measures to protect against ransomware attacks and other known threats to information technology and operational technology systems; (2) develop and implement a cybersecurity contingency and recovery plan; and (3) conduct a cybersecurity architecture design review.

A few hours after announcing its issuance, TSA began notifying affected companies of the requirement to comply with the Second Security Directive by the effective date. Deadlines for required actions range from 30 to 180 days. TSA indicated that it would host calls with affected parties to discuss specific requirements after the Second Security Directive’s publication. The Second Security Directive is considered Sensitive Security Information (SSI), which will limit its distribution in some regard.

In May 2021, TSA issued an Initial Security Directive that requires critical pipeline owners and operators to: (1) report confirmed and potential cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA); (2) designate a Cybersecurity Coordinator to be available 24 hours a day, seven days a week; (3) review current practices; and (4) identify any gaps and related remediation measures to address cyber-related risks and report the results to TSA and CISA within 30 days.

DHS Announces New Cybersecurity Requirements for Critical Pipeline Owners and Operators

The Department of Homeland Security’s Transportation Security Administration (TSA) announced a new Security Directive that will require critical pipeline owners and operators to:

  • Report confirmed and potential cybersecurity incidents to the DHS Cybersecurity and Infrastructure Security Agency (CISA);
  • Designate a Cybersecurity Coordinator that must be available 24 hours a day, seven days a week; and
  • Review their current practices and identify any gaps and related remediation measures to address cyber-related risks and report the results to TSA and CISA within 30 days.

TSA is also considering follow-on mandatory cybersecurity measures for the pipeline industry.