
Illustration by Security Management

Discrepancies in Security Regulations Pose Risks to Critical Infrastructure

More than 1,600 public water systems or wastewater treatment systems in the United States are exempt from regulations that would require them to implement certain security measures, posing potential risks, a watchdog report found.

The U.S. Government Accountability Office (GAO) conducted an audit of the eight federal programs that address chemical safety or security in the United States that align with the U.S. Department of Homeland Security’s Chemical Facility Anti-Terrorism Standards (CFATS) program standards. The GAO found that about 16 percent (550 of 3,300) of facilities subject to CFATS regulations are also subject to other federal programs.

One caveat, however, was that numerous public water systems and wastewater treatment systems are excluded from the CFATS statute.

“While such facilities are subject to other programs, those programs collectively do not contain requirements or guidance that align with four CFATS standards,” the GAO wrote. “According to DHS, public water systems and wastewater treatment facilities are frequently subject to safety regulations that may have some security value, but in most cases, these facilities are not required to implement security measures commensurate to their level of security risk, which may lead to potential security gaps.”

One example the GAO’s review pointed out was a discrepancy between CFATS program standards and the U.S. Environmental Protection Agency’s (EPA’s) approach to insider threats. The EPA is responsible for regulating water systems and treatment centers in the United States.

“…CFATS requires facilities to comprehensively address insider sabotage, whereas the [EPA’s program] requires facilities to implement safe work practices that may have the added benefit of preventing sabotage,” the GAO found. “Under the CFATS program, facilities must deter insider sabotage to prevent the facility’s property and activities from being used by a potential terrorist against the facility through, among other things, background checks, visitor controls, and restriction of access to certain areas of the facility through physical security measures and cybersecurity measures.

“While the [EPA program] includes a requirement intended to prevent inadvertent or unauthorized entry, the program does not require the other measures that might be used to meet the CFATS standard.”

Additionally, the GAO’s review found that some facilities subject to U.S. Department of Transportation (DOT) oversight—instead of CFATS—are not required to have emergency response plans in place.

“Specifically, under the CFATS program, facilities must develop and exercise an emergency plan to respond to security incidents internally and with the assistance of local law enforcement,” the GAO assessed. “Under the hazardous materials transportation program, facilities are required to maintain emergency response information, including a description of the hazardous materials, whenever such materials are present.”

The GAO also found discrepancies in how the U.S. Bureau of Alcohol, Tobacco, Firearms, and Explosives (ATF) approaches background checks for facilities personnel; seven of ATF’s requirements or guidance did not align with the CFATS program.

“For example, ATF requirements and guidance do not include a cybersecurity program, while CFATS requires facilities to take certain steps to deter cyber sabotage,” the GAO wrote. “Similarly, ATF does not require security training, drills, or exercises, whereas under CFATS, facilities must ensure proper security and response training, exercises, and drills of facility personnel.”

To address the overlap and discrepancies, the GAO made seven recommendations for U.S. federal agencies, including for agency heads to create lists to identify facilities that are covered by CFATS and other agency oversight programs; instructing DHS’s Cybersecurity and Infrastructure Security Agency (CISA), which runs the CFATS program, to collaborate with the EPA to assess security gaps at water and wastewater facilities; and suggesting CISA update its program guidance on CFATS to list commonly accepted actions facilities have taken—or may take—to be prepared for other federal program oversight.

“Facilities with hazardous chemicals could be targeted by terrorists to inflict mass casualties or damage,” the GAO wrote. “Federal regulations applicable to chemical safety and security have evolved over time as authorizing statutes and regulations established programs for different purposes, such as safety versus security, and with different enforcement authorities. GAO has reported that such programs may be able to achieve greater efficacy where overlap exists by reducing duplication and better managing fragmentation.”

The CFATS program was established in 2007 to assess risks posed by U.S. chemical facilities, require facilities handling chemicals of interest to report their holdings, and mandate that facilities implement security measures to mitigate risks posed by access and damage to those chemicals—including the risk of a terrorist attack.