Concerns arise over the security of CISA's sensitive data following a cyberattack on the CSAT tool, prompting inquiries from Senator Charles Grassley and calls for improved safeguards.
On January 23-26, 2024, cyber attackers breached the Cybersecurity and Infrastructure Security Agency’s (CISA’s) Chemical Security Assessment Tool (CSAT). The CSAT tool is used by “high risk” chemical facilities to electronically process many areas like user registration and site vulnerability assessments. More recently, in June 2024, CISA released an advisory detailing the situation.
Hackers were able to access the tool through Ivanti IT vulnerabilities which were exploited through products like Ivanti Connect Secure and Ivanti Policy Secure. According to the CISA there was “no evidence of exfiltration of data'' in their investigation of the attack, but the intrusion “may have resulted in the potential unauthorized access of Top-Screen surveys, Security Vulnerability Assessments, Site Security Plans, Personnel Surety Program (PSP) submissions, and CSAT user accounts.”
Documents like Top-Screen Surveys, Security Vulnerability Assessments, Site Security Plans, and PSP submissions, hold important industrial information (with varying sensitivities) about the chemical facilities, detailing what chemicals are on site, what the critical assets are, and the specific physical and cyber security plans.
PSP submissions involve more individually private information including name, date of birth, and citizenship (with even more information for non-U.S. people) of people who work in restricted areas, as required for a screen for possible terrorist ties. Because CISA doesn’t have the authority to access these individuals’ contact information, they have requested that facilities that get the advisory letter alert the people who may have been screened and thus exposed.
CISA maintains that while their investigation “did not result in any evidence of exfiltration of data or lateral movement, [they] are notifying all potentially impacted facilities out of the abundance of caution that this information could have been inappropriately accessed.” Still, some see this intrusion as a sign that the Cybersecurity and Infrastructure Security Agency is not secure enough.
This week, U.S. Senator Charles Grassley (R-IA) sent a letter to Jen Easterly, the Director of CISA asserting that the CSAT intrusion, along with previous queries he raised with the agency, prove that “CISA hasn’t taken adequate steps to ensure the safety of its own systems, leaving the nation at risk.” Grassley has given Easterly a list of nine items to answer before July 17, 2024, so that Congress can “conduct objective and independent oversight” on CISA’s recent actions. The items center on the January 23-36 cyberattack, specifically CISA’s readiness for the event and their response - like how they addressed the potential victims and what they will do to prevent another incident.
Grassley is the Republican Party’s Ranking Member on the Senate Budget Committee, so his inquiry demands attention. While it’s not clear when (or how) Easterly will respond, it’s apparent that the fallout of this cyber attack may lead to serious changes around CISA to prevent future attacks and safeguard private information from malicious threat actors.