Chemical Security Assessment Tool (CSAT) Ivanti Notification | CISA (2024)

The Cybersecurity and Infrastructure Security Agency’s (CISA) Chemical Security Assessment Tool (CSAT) was the target of a cybersecurity intrusion by a malicious actor from January 23-26, 2024. While CISA’s investigation found no evidence of exfiltration of data, this intrusion may have resulted in the potential unauthorized access of Top-Screen surveys, Security Vulnerability Assessments, Site Security Plans, Personnel Surety Program (PSP) submissions, and CSAT user accounts.

Following the reporting requirements under the Federal Information Security Modernization Act (FISMA), CISA notified participants in the Chemical Facility Anti-Terrorism Standards (CFATS) program about the intrusion and the potentially impacted information.

View a copy of the CSAT Notification letters

Recommendations for Facility Action

CISA is encouraging facilities to maintain cyber and physical security measures. While the investigation found no evidence of credentials being stolen, CISA encourages individuals who had CSAT accounts to reset passwords for any account, business or personal, which used the same password. This can help to prevent possible “password spraying” attacks in the future.

For organizations that use Ivanti appliances, please review Cybersecurity Alert (AA24-060B) Threat Actors Exploit Multiple Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways.

Voluntary Notification Options

CISA was not authorized to, and did not collect, the address or contact information for individuals vetted under the CFATS Personnel Surety Program. As a result, CISA is unable to directly contact those individuals who had their information submitted by chemical facilities for terrorist vetting.

CISA is thereby requesting, on a voluntary basis, that facilities that received the CSAT Ivanti Notification Letter notify individuals submitted by that facility for vetting under the CFATS Personnel Surety Program of this incident. Download a template letter that facilities can use to notify personnel. Alternatively, should facilities decline to notify these individuals, CISA requests that facilities provide CISA with the contact information for individuals submitted under the CFATS Personnel Surety Program on a voluntary basis so that CISA can notify impacted individuals. Facilities can send contact information for personnel that had Personally Identifiable Information (PII) submitted for vetting under CFATS Personnel Surety Program to CFATS.Notifications@cisa.dhs.gov.

Webinar Information

In addition to the notifications, CISA is hosting two webinars for stakeholders during which we will review the information provided in the frequently asked questions. The first webinar was held Monday, June 24, 2024, at 2:30 pm ET (11:30 am PT). The next webinar will be held on Tuesday, July 9, 2024, at 2:30 pm ET (11:30 am PT).

Register for July 9, 2024, Webinar

CSAT Notifications Email Distribution List

To receive updates on the latest information regarding the CSAT notifications, we recommend you subscribe to the new "CSAT Notifications" distribution list.

Subscribe to the CSAT Notifications distribution list

Frequently Asked Questions

How was this compromise identified?

On January 26, CISA identified potentially malicious activity affecting the CSAT Ivanti Connect Secure appliance. During the investigation, we identified that a malicious actor installed an advanced webshell on the Ivanti device. This type of webshell can be used to execute malicious commands or write files to the underlying system. Our analysis further identified that a malicious actor accessed the webshell several times over a two-day period. Importantly, our investigation did not identify adversarial access beyond the Ivanti device nor data exfiltration from the CSAT environment.

What actions did CISA take to address the compromise?

CISA immediately took the system offline, isolated the application from the rest of the network, and began a forensic investigation. This investigation included technical experts from CISA’s Office of the Chief Information Officer, our Cybersecurity Division’s Threat Hunting team, and the Department of Homeland Security’s Network Operations Center. The investigation did not identify adversarial access beyond the Ivanti device nor data exfiltration from the CSAT environment. All information in CSAT was encrypted using AES 256 encryption, and information from each application had additional security controls limiting the likelihood of lateral access. Encryption keys were hidden from the type of access the threat actor had to the system.

If CISA does not have any evidence of data exfiltration, why are notifications being sent?

CISA is notifying all impacted participants in the CFATS program out of an abundance of caution that this information could have been inappropriately accessed. Even without evidence of data exfiltration, the number of potential individuals and organizations whose data was potentially at risk met the threshold of a major incident under the Federal Information Security Modernization Act (FISMA).

Where can I get more information on this cybersecurity incident?

For more on this type of malicious activity, visit Cybersecurity Alert (AA24-060B) Threat Actors Exploit Multiple Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways.

As a facility official, who do I contact if I have more questions about this incident?

Questions about this incident by chemical facilities or their third-party partners should be addressed to CISA Chemical Security at CFATS.Notifications@cisa.dhs.gov.

As a potentially impacted individual, who do I contact if I have more questions?

CISA is in the process of establishing a call center for impacted individuals; however, at the time of the emailing of the notification, the center has not been stood up. Individuals may reach out to CFATS.Notifications@cisa.dhs.gov initially, but we are recommending that individuals wait for the call center to be operational as this would be the best way to get your questions answered.

Who is eligible for identity protection based on this compromise?

Individuals whose information was submitted for vetting under the CFATS Personnel Surety Program by their employer or a third party between December 2015 and July 2023.

How do I apply for identity protection?

CISA is in the process of procuring identity protection services for those impacted. We recommend you visit our website and subscribe to the GovDelivery CSAT Notifications distribution list so you can receive follow-up news on this.

Why is identity protection not available to me?

The Department of Homeland Security performed a risk-based assessment as to which individuals may face adverse consequences if worst-case circumstances were realized. In this assessment, it was determined that individuals vetted under the CFATS Personnel Surety Program between December 2015 and July 2023 were the only population that faced this risk due to the information that was potentially exposed.

What data was collected in the CFATS Top-Screen survey?

The Top-Screen was an online survey that gathered information from facilities that possessed chemicals of interest (COI) at or above screening threshold quantities and/or concentrations. Information submitted in a Top-Screen may have included (but was not limited to):

  • Facility name and address
  • COI amount (quantity and concentration)
  • Chemical properties (e.g., phase, temperature, pressure)
  • Chemical storage (e.g., container type)

What data was collected in the Security Vulnerability Assessment (SVA)?

All high-risk facilities were required to complete and submit an SVA to identify the facility's use of COI, critical assets, and measures related to the facility’s policies, procedures, and resources that were necessary to support the security plan. The SVA provided an analysis of the facility's security posture and potential vulnerabilities. Information submitted in an SVA may have included (but was not limited to):

  • Cyber and physical security features
  • Location of security features
  • Use of COI and method of shipping/receiving COI

What data was collected in the Site Security Plan/Alternative Security Program (SSP/ASP)?

All high-risk facilities were required to submit a security plan that described existing or planned measures that met the CFATS risk-based performance standards (RBPS). Facilities may have submitted either an online-generated SSP or an ASP generated in their own template that holistically met security measures for their tier and security concern. Information submitted in an SSP/ASP may have included (but was not limited to):

  • How vulnerabilities from SVA were addressed
  • Security measures for each COI
  • How security measures met or exceeded the RBPS, such as:
    • Type of delay barriers (fencing, locks, access control system)
    • Type of alarms
    • Type of cybersecurity controls

What data was collected in the Personnel Surety Program?

The CFATS Personnel Surety Program gathered Personally Identifiable Information (PII) about individuals seeking access to restricted areas and critical assets to be vetted for terrorist ties. At minimum, information provided under Personnel Surety Program must have included an individual’s name, date of birth, and citizenship or gender. Facilities may have chosen to provide additional PII, including aliases, place of birth, passport number, redress number, Global Entry ID number, or Transportation Worker Identification Credential (TWIC) ID number.
