Welcome to Cyberstrike Brief, your source for the latest cybersecurity insights in smart manufacturing.

CFATS Expiration Raises Security Concerns for Chemical Facilities

With CFATS expired and threats looming, chemical giants warn of a ticking time bomb, but one senator stands in the way of renewed protection.

More than a year has passed since Congress allowed the chemical industry’s main anti-terrorism program to expire.

Since then, industry advocates have pled with U.S. lawmakers to reauthorize the bill, called the Chemical Facility Anti-Terrorism Standards, or CFATS.

Industry groups, including the American Chemistry Council (ACC) and the Alliance for Chemical Distribution (ACD), have warned that their members face increasing threats. Whether it’s drones flying overhead or cyberattacks, CFATS proponents say chemical facilities are targets for bad actors from abroad.

Scott Jensen, ACC’s communications director, points to the arrest of eight would-be terrorists in June as an example of the threat potential. The men from Tajikistan had possible ties to ISIS, according to an NBC News report.

“You’re seeing a lot of warning signs and red flags going up,” Jensen says. “You have the FBI expressing concerns about a coordinated attack in the United States. We’ve had other issues of people coming over, foreign nationals coming over the border between the United States and Mexico. Yet we can’t get this program restored.”

Anti-Terrorism Bill Takes Shape

Congress initially approved CFATS in 2007 after several failed attempts to push through chemical plant security legislation. The desire to secure chemical operations stemmed from the Sept. 11, 2001, attacks. The fear was that terrorists could target chemical facilities or use their products as weapons. 

ACC initially objected to the proposals, with former ACC President Jack Gerard writing in a 2006 New York Times op-ed that CFATS was an environmental bill “masquerading as a security bill.” The industry was concerned about language that would require plants to consider inherently safer technologies.

“There were several different bills early on that wanted to create something entirely different from CFATS – a prescriptive program that focused heavily on IST (inherently safer technology) mandates and would have been administered by EPA,” Jensen wrote in an email.

ACC favored the current CFATS approach, which focuses on risk-based performance standards, Jensen says.

Some 300 chemicals of interest fall under the CFATS reporting rules. These are chemicals that could cause serious harm if released or easily converted into weapons. Companies in possession of these substances reported them to the federal Cybersecurity and Infrastructure Security Agency, or CISA, using an online tool.

If CISA determined a facility was high risk, that company would have to establish a security plan and undergo regular inspections. Facilities could request compliance assistance from CISA.

CFATS Today

CFATS officially expired on July 27, 2023. Republican Sen. Rand Paul of Kentucky has been the primary obstacle to reauthorization. Paul blocked a vote on the bill last year, saying it favored big businesses while overburdening smaller companies, according to a Bloomberg report (Sen. Paul’s office did not return a Chemical Processing request for comment).

But Jensen and others say without the cooperation of government, the burden is solely on chemical manufacturers to protect themselves. CFATS provides tools that help chemical facilities identify security vulnerabilities, including cyberthreats, they say. This includes the ability to crosscheck job candidates against the FBI’s terrorist database.

Eric Byer, president and CEO at the Alliance for Chemical Distribution (ACD), has been a vocal supporter of CFATS. He issued a statement ahead of a House reauthorization hearing in June, calling on lawmakers to restore the program. In a July interview with Chemical Processing, Byer said his members are doing the best they can but need the extra protections afforded by CFATS.

“Our members have been able to get by, to some degree, but when you don’t have access to the terrorist screening database, the employees you’re going to hire aren’t vetted. It’s a big deal not being able to actively talk to your inspector,” says Byer.

Why CFATS Matters

Prior to its implementation, security practices for industrial control systems largely relied on change management and basic access control practices, says Chad Vicknair, a principal specialist with OT cybersecurity solutions provider Armexa. Vicknair was working as a cybersecurity expert for a large chemical company when CFATS went into effect. At the time, the regulatory requirements were vague and difficult to follow, he says.

“We were largely at a loss as to exactly what ‘secure your ICS systems’ meant and confusion abounded as to whether it was even applicable to OT since we were ‘isolated,’ or so we believed at the time,” said Vicknair in an email.

Ostensibly validating some of Sen. Paul’s concerns, Vicknair said it seemed at the time that the regulation itself was the true threat to the chemical industry. The business side worried about fines, and “everything was shrouded in secrecy,” Vicknair says.

But, in hindsight, the pressure to comply and the trial and error of understanding the process was a blessing in disguise, he says. The chemical industry became better prepared for future cyber threats, leading to dedicated ICS cybersecurity budgets, greater IT/OT collaboration and heightened awareness.

Vicknair cites the implementation of documented programs within chemical process environments that include policies, standards, procedures, training and audit trails as direct benefits of the CFATS program.

“No matter how wonderful a shiny new security technology is, without documented practices, it is unlikely the initial level of risk reduction achieved upon implementation will persist over time,” he says.

Chemical Security Continues Despite CFATS Lapse

The absence of CFATS doesn’t mean chemical manufacturers are completely vulnerable to terrorist attacks, says ACC’s Jensen.

“Chemical companies are going to take precautions, and they’re going to focus on security,” he explains. “It’s not like all the sudden chemical facilities are no longer secure, but we know there’s a way that we can work with the federal government that we can do it better. And, quite frankly, chemical companies shouldn’t be forced to go it alone. That’s not the way you should be fighting terrorism.”

In the interim, there are several steps chemical companies have been taking or should adopt to minimize risk. 

The key, says Vicknair, is to move from compliance-based security to a risk-based approach. While CFATS reinforced basic cybersecurity principles like access control, least privilege, separation of duties, segmentation and offline backups, companies must apply them strategically to manage their unique environment, Vicknair says.

He recommends adopting industrial control standards like IEC/ISA 62443 to understand actual risk and prioritize corrective actions for mission-critical/high-consequence systems.

ISA/IEC 62443 is a series of cybersecurity standards developed through industry working groups. It incorporates risk assessment requirements and introduces the concept of zones and conduits. This approach groups assets into zones based on risk or criticality, and groups the communication channels that share common security requirements into conduits.

CISA has urged chemical manufacturers to continue using the agency’s free services even without a regulatory requirement in place. Jason Burt, a CISA adviser, pitched the agency’s free services during an ARC Advisory Group Forum in early 2024.

Some of these offerings include on-site exercises, weekly vulnerability scanning and report cards, and resilience reviews, Burt said.

What’s Next for CFATS

Sen. Paul contended that “nobody will notice” when the standards lapse, according to a Bloomberg article.

“People have had 20 years to harden their facilities,” he told Bloomberg. “You think they’re going to run out and tear down their fence with the razor wire on the top? Nothing’s going to change.”

Paul added that CFATS is another regulatory hurdle for smaller businesses, placing them at a competitive disadvantage. But Byer said if Paul understood the program, he would likely take a different position.

“If anything else, CFATS relieves a burden because our members know exactly what they should be looking out for, so they don’t spend time trying to figure it out by word of mouth or searching online,” he says.

Byer says CFATS has fostered unusual government-industry collaboration due to mutual security benefits. He fears that if the bill isn’t renewed now, Congress will be compelled to take action in the future following a catastrophic event.

Some states, like Nebraska and Iowa, are adopting their own programs modeled after CFATS. This could lead to a patchwork of regulations that chemical companies must follow for each state, Byer says.

“These are the type of burdens that don’t accomplish anything to improve security,” he adds.   

In the meantime, Jensen said in September that ACC would try to make “another push” for CFATS by attaching it to a spending bill as Congress returned to session.

“It has been a long (and somewhat tortured) process to get CFATS in place,” Jensen said in an email. “It’s proving equally difficult to keep it!”

About the Author

Jonathan Katz, Executive Editor, Chemical Processing

Jonathan Katz, executive editor, brings nearly two decades of experience as a B2B journalist to Chemical Processing magazine. He has expertise on a wide range of industrial topics. Jon previously served as the managing editor for IndustryWeek magazine and, most recently, as a freelance writer specializing in content marketing for the manufacturing sector. His knowledge areas include industrial safety, environmental compliance/sustainability, lean manufacturing/continuous improvement, Industry 4.0/automation and many other topics of interest to the Chemical Processing audience.

 
