Protecting SCADA and DCS systems for over 17 years      

   
 
 
 


   
 

Department of Homeland Security Appropriations Act of 2007,
Section 550 for Chemical Facilities

On June 8, 2007, the Department of Homeland Security Chemical Facility Anti-Terrorism Standards, 6 CFR Part 27, became effective. This rule establishes risk-based performance standards for the security of the United States of America's chemical facilities. It requires covered chemical facilities to prepare for Security Vulnerability Assessments (SVAs). It also requires facilities to develop and implement Site Security Plans (SSPs), which include measures that satisfy the identified risk-based performance standards. The rule also allows certain covered chemical facilities, in specified circumstances, to submit Alternate Security Programs (ASPs) in lieu of an SVA, SSP, or both.

The rule contains associated provisions addressing inspections, audits, recordkeeping and the protection of information that constitutes Chemical-terrorism Vulnerability Information (CVI). Finally, the rule provides the Department of Homeland Security with authority to seek compliance through the issuance of orders, including Orders Assessing Civil Penalty and Orders for the Cessation of Operations.


Overview of the Compliance Process

Phase 1 Rank Each Facility
Phase 2 Complete DHS Top-Screen registration of Facility Rankings
Phase 3 Conduct Site Vulnerability Assessments (SVAs)
Phase 4 Develop the SSPs and ASPs
Phase 5 Monitoring & Recordkeeping

Time Table for Compliance

All Tiers: Once the final Appendix A of 6 CFR Part 27 is published for Tiers 1-4:
  The Top-Screen web registration of all facilities must be done within 60 days
  Site Vulnerability Assessments (SVAs) must be completed within 90 days
  Site Security Plans (SSPs) or Alternate Security Plans (ASPs) must be completed within 120 days
Tiers 1 or 2: The Top-Screen, SVA, and SSP/ASP should be updated every 2 years
Tiers 3 or 4: The Top-Screen, SVA, and SSP/ASP should be updated every 3 years


Overview of How Industrial Defender Services and Products Support Homeland Security Appropriations Act of 2007, Section 550

Glossary:

SEM - Security Event Monitoring
NIDS - Network Intrusion Detection System
HIDS - Host Intrusion Detection Software
Guard - Perimeter security device that includes firewall, VPN, anti-virus technologies
CMSS - Co-Managed Security Service

For each Section 550 compliance phase, the requirement and the corresponding Industrial Defender service/product offering:

Phase 1 Rank Each Facility
  Requirement: Use Appendix A to rank all facilities Tier 1, 2, 3, or 4 and create a spreadsheet to document all known chemicals produced at each facility.
  Industrial Defender Service/Product Offering: ID Professional Services can work with a client's staff to assess each facility and rank them according to Appendix A. The client can also take on this work and use our services when needed for support.

Phase 2 Complete DHS Top-Screen registration of Facility Rankings
  Requirement: Log onto the Top-Screen/Chemical Security Assessment Tool web page and enter the data from Step 1 into the web site. A person of responsibility must be identified in the Top-Screen system using a CSAT submission.
  Industrial Defender Service/Product Offering: Typically, the client performs this step; however, the Industrial Defender Professional Services team can offer support during this phase.

Phase 3 Conduct Site Vulnerability Assessments (SVAs)
  Requirement: Perform security assessments at high-risk facilities to identify security vulnerabilities, and develop and implement Site Survey Plans (SSPs).
  Industrial Defender Service/Product Offering: Performing Site Vulnerability Assessments is a core competency of Industrial Defender. Our Professional Services team has performed over 70 assessments of SCADA, DCS, and control systems, and modified our assessment process to match the requirements for SVAs.

Phase 4 Develop the SSPs and ASPs
  Requirement: Use results from the SVAs to drive either development of Site Survey Plans (SSPs) or Alternate Security Plans (ASPs), which include technology implementation to mitigate security risks.
  Industrial Defender Service/Product Offering: Industrial Defender's Professional Services has developed security policies, plans, and procedures for some of the largest companies in the world. We also have unique technology that can mitigate cyber security issues that exist during SVAs. We will partner with physical security companies to source or recommend critical physical components.

Phase 5 Monitoring & Recordkeeping
  Requirement: Records should be kept in case of process malfunction or attempted terrorist attack. Operators must be trained on incident response so that plant operations can be tracked.
  Industrial Defender Service/Product Offering: The Industrial Defender SEM console maintains all records dealing with the health, performance, and security of a system. Our clients can manage the system themselves or opt to have it Co-Managed by our 24x7 manned Security Operations Center. The SOC can manage all aspects of Incident Response and Change Management.


   
 
 

© 2008 Industrial Defender