« Tropic Trooper targets physically isolated networks of government, military and healthcare organizations in Taiwan and the Philippines with USB ferry attacks, by Trend Micro | Main | Accounting Standards Board of Japan: no "criteria for judging whether it is appropriate to prepare financial statements on a going-concern basis" will be created within the accounting standards... »

2020.05.17

GAO, Critical Infrastructure Protection: DHS should pay more attention to cybersecurity at high-risk chemical facilities

Hello, this is Maruyama Mitsuhiko.

The GAO has pointed out to the Department of Homeland Security that it should pay more attention to cybersecurity at high-risk chemical facilities, and its report makes six recommendations.

● U.S. Government Accountability Office (GAO) [wikipedia]

・2020.05.14 CRITICAL INFRASTRUCTURE PROTECTION: Actions Needed to Enhance DHS Oversight of Cybersecurity at High-Risk Chemical Facilities

 ・[PDF] Highlights Page

 ・[PDF] Full Report

-----

Fast Facts

Terrorists and others may pose a cyber-threat to high-risk chemical facilities. Control systems, for example, could be manipulated to release hazardous chemicals. The Department of Homeland Security started a program more than a decade ago to help address these security risks.

We reviewed the program. DHS guidance designed to help about 3,300 facilities comply with cybersecurity and other standards has not been updated in over 10 years. Also, its cybersecurity training program for its inspectors does not follow some key training practices.

We made 6 recommendations, including that DHS review and update guidance and improve training.

-----

Recommendations:

  1. The Assistant Director of the Infrastructure Security Division should implement a documented process for reviewing and, if deemed necessary, revising its guidance for implementing cybersecurity measures at regularly defined intervals.
  2. The Assistant Director of the Infrastructure Security Division should incorporate measures to assess the contribution that its cybersecurity training is making to program goals, such as inspector- or program-specific performance improvement goals.
  3. The Assistant Director of the Infrastructure Security Division should track delivery and performance data for its cybersecurity training, such as the completion of courses, webinars, and refresher trainings.
  4. The Assistant Director of the Infrastructure Security Division should develop a plan to evaluate the effectiveness of its cybersecurity training, such as collecting and analyzing course evaluation forms.
  5. The Assistant Director of the Infrastructure Security Division should develop a workforce plan that addresses the program's cybersecurity-related needs, which should include an analysis of any gaps in the program's capacity and capability to perform its cybersecurity-related functions, and human capital strategies to address them.
  6. The Assistant Director of the Infrastructure Security Division should maintain reliable, readily available information about the cyber integration levels of covered chemical facilities and inspector cybersecurity expertise. This could include updating the program's inspection database system to better track facilities' cyber integration levels. 

-----

In short, it comes down to:

  1. Periodic review of the security guidance
  2. Tracking the delivery status of cybersecurity training
  3. Evaluating the effectiveness of cybersecurity training
  4. A fit-gap analysis of the capacity to carry out the security program
  5. A cybersecurity workforce resource plan
  6. Maintaining the cybersecurity expertise of chemical facility inspectors

I suppose that's what it amounts to...
