FACT SHEET

Chemical Sector-Specific Goals (SSGs)

Chemical Sector-Specific Goals (SSGs) Overview

The Chemical SSGs are additional voluntary practices with high-impact security actions, beyond the Cross-Sector CPGs, that outline measures Chemical Sector businesses and critical infrastructure owners can take to protect themselves against cyber threats. They were developed from CISA’s operational data and research on the current threat landscape, in collaboration with government, industry groups, and private sector experts.

Learn more about the Cross-Sector CPGs on which the SSGs are based: Cybersecurity Performance Goals (CPGs).

Chem.1 - System Lifecycle Management

RBPS-8 metric:

  • RBPS-8 metric Q3.40.290-02.0 16330-00

RBPS-8 Description: 

  • Does the facility incorporate cybersecurity into its system lifecycle?              

Security Practice: 

  • System Lifecycle Management              

Outcome:

  • Cybersecurity considerations for systems, hardware, software, services, and data are managed through their entire lifecycle

TTP or Risk Addressed: 

  • Initial Access (TA0001)
  • Active Scanning - Vulnerability Scanning (T1595.002)
  • Exploit Public-Facing Application (T1190, ICS T0819)
  • Exploitation of Remote Service (T1210, ICS T0866)
  • Supply Chain Compromise (T1195, ICS T0862)
  • External Remote Services (T1133, ICS T0822)

Scope: 

  • IT and OT (Operational Technology) assets (including physical access control systems that are connected to networks).

Recommended Action: 

  • Implement a system lifecycle management process for applications and assets in use throughout facility networks. Existing applications or assets that are no longer supported by the manufacturer should be prioritized for retirement and replacement.

CSF 2.0 Reference: 

  • ID.AM-08          

NIST CSF 1.0 Reference: 

  • PR.IP-2

Additional External References: 

  • ISA 62443-2-1:2009 4.3.4.3.3 

NICE Framework Mapping: 

  • Securely Provision

Cost:

  • High

Impact:              

  • High

Complexity:

  • High

Chem.2 - Disable unnecessary systems, applications, and services

RBPS-8 metric:

  • RBPS-8 metric Q3.40.270-14.016433-04

RBPS-8 Description: 

  • Facility documents all systems, applications, and services running on its network and disables all unnecessary systems, applications, and services.

Security Practice: 

  • Disable unnecessary systems, applications, and services.              

Outcome:

  • Disable all applications, services, and other devices not used on the facility networks.

TTP or Risk Addressed: 

  • Hardware Additions (T1200)
  • Exploit Public-Facing Application (T1190, ICS T0819)
  • Internet Accessible Device (ICS T0883)
  • Supply Chain Compromise (T1195, ICS T0862)

Scope: 

  • IT and OT (Operational Technology) assets (including physical access control systems that are connected to networks).

Recommended Action: 

  • Implement a program to identify and inventory unused IT/OT services and devices on the facility network(s) and disable and/or remove any that are not in use or not needed for facility operations.

CSF 2.0 Reference: 

  • ID.AM-05     

NIST CSF 1.0 Reference: 

  • ID.AM-5

Additional External References: 

  • ISA 62443-2-1:2009 4.2.3.6

NICE Framework Mapping: 

  • Operate and Maintain

Cost:

  • Medium

Impact:              

  • Medium

Complexity:

  • Medium

Chem.3 - Mobile Device Management

RBPS-8 Description: 

  • No RBPS-8 metric currently addresses Mobile Device Management (MDM)           

Security Practice: 

  • Mobile Device Management

Outcome:

  • Identify all mobile devices in use within the organization and the applications used on those devices, and approve their use.

TTP or Risk Addressed: 

  • Persistence (Mobile T1577 – Compromise Application Executable) 
  • Persistence (Mobile T1624 – Event Triggered Execution) 
  • Privilege Escalation (Mobile T1404 – Exploitation for Privilege Escalation)
  • Command and Control (Mobile T1481 – Web Service)

Scope: 

  • IT and OT (Operational Technology) assets (including physical access control systems that are connected to networks).

Recommended Action: 

An inventory of mobile assets within an organization can lower the likelihood of exploitation of these devices. Additional measures to document and approve certain applications for use on these mobile devices can reduce organizational vulnerabilities. Acceptable use policies for mobile devices can (1) reduce the installation of unapproved applications (Shadow IT), and (2) restrict access to websites or programs which do or may contain vulnerabilities. 

MDM programs can be implemented by first conducting asset inventory and ensuring the devices are regularly updated and that only approved applications are on the device. Additionally, password protection would prevent unauthorized access, particularly within facilities which use mobile/edge devices for OT networks. For Bring Your Own Device (BYOD) policies, entities should note the type of device used, along with documentation that the end user will maintain vulnerability management and adhere to applicable company policies. 

Over the longer term, use of the resources noted here can help mature an MDM program and assist in the entity's efforts to mitigate vulnerabilities while governing use of mobile applications.

  • Initial steps for establishing an MDM program include:
    1. Asset and Application Inventory
        • NIST SP 800-124, Rev 1 (Keep a current inventory of all applications installed on each device), page 20.
        • NIST SP 1800-4 (Inventory of mobile device hardware, firmware, and software), page 33.
    2. Password Protection
        • NIST SP 800-124, Rev 1 (Require basic parameters for password strength)
        • CISA Checklist for Organizations Mobile Devices, page 1.
        • NSA Mobile Device Checklist, all
    3. Application Vulnerability Management
        • NCCOE Mobile Device Cybersecurity - Cloud and Hybrid Builds, section 3.4
        • OWASP Mobile Application Security, all
  • Supporting capabilities for establishing an MDM program include:
        • Many organizations utilize endpoint management solutions to aid in inventorying deployed mobile devices and helping to determine which applications should be approved for those devices.

CSF 2.0 Reference: 

  • ID.AM-1
  • ID.AM-2

NIST CSF 1.0 Reference: 

  • ID.AM-1
  • ID.AM-2

Additional External References: 

NICE Framework Mapping: 

  • Operate and Maintain

Cost:

  • Low [minimal cost required to conduct inventory; costs associated with application and device protection may be the primary cost]

Impact:              

  • High [results will include awareness of mobile device health, vulnerabilities, and increased protection of resources within a chemical facility; information on IT/OT connections to the mobile device]

Complexity:

  • Medium [level of effort includes increased workloads, data management costs, and other resources]