Federal watchdog finds chemical facilities vulnerable to cyberattacks

Chemical facilities are vulnerable to crippling cyberattacks due to outdated government cybersecurity guidance, the Government Accountability Office (GAO) concluded in a report released this week.

The report released Thursday found that the Department of Homeland Security (DHS), which oversees the security of “high-risk” chemical facilities through the Chemical Facilities Anti-Terrorism Standards program, hasn’t updated cybersecurity guidance for those facilities in more than a decade.

“A successful cyberattack against chemical facilities’ information and process control systems can disrupt or shut down operations and lead to serious consequences, such as health and safety risks, including substantial loss of life,” the GAO wrote.

The agency found that DHS does not collect data to track or assess the cybersecurity knowledge of inspectors in the program who evaluate the facilities, jeopardizing overall security.

The GAO said that the “inspectors that are evaluating a facility’s cybersecurity posture may not have the knowledge, skills, and abilities to fully support the program’s cybersecurity-related mission.”

The watchdog agency said DHS should consider revising its cybersecurity guidance for chemical facilities, along with developing a plan to track and assess cybersecurity training for the inspectors. 

DHS concurred with all six recommendations laid out in the GAO report.

“Cybersecurity is an integral part of DHS’s national approach to chemical security,” DHS official Jim Crumpacker wrote in response to GAO. “The Department remains committed to ensuring that high-risk chemical facilities are implementing appropriate physical and cyber security measures.”

The security vulnerabilities are complicated by the fact that the Chemical Facilities Anti-Terrorism Standards program is in danger of expiring in July. The House Homeland Security Committee approved a bill to renew it last year, but the legislation has not come to the floor for a vote.

Committee Chairman Bennie Thompson (D-Miss.) pointed to the GAO report as evidence that Congress needed to “act quickly” to renew the program.

“GAO makes clear that cybersecurity vulnerabilities at chemical facilities could jeopardize the safety and security of surrounding communities — an unacceptable risk,” Thompson said in a statement on Friday. “Congress needs to act quickly to reauthorize [the program] and empower DHS officials to make long-term improvements to the program that will promote strong cybersecurity in the chemical sector.”

The GAO highlighted the risks involved in a successful cyberattack on a chemical facility.

DHS sent out an alert to companies operating critical systems in February warning that they were targets for hackers. The alert was put out after a successful cyberattack on a “natural gas compression facility” that forced the group to temporarily shut down operations.