CISA Issues Notification of Chemical Security Assessment Tool (CSAT) Cybersecurity Intrusion

If your utility participates in the DHS Chemical Facility Anti-Terrorism Standards (CFATS) program, you have likely been notified if you were impacted due to this incident. For more information, members may wish to:

• Visit CISA’s Chemical Security Assessment Tool (CSAT) Ivanti Notification
• Register for one of the following webinars:
  • Monday, June 24, 2024, at 2:30 pm ET (11:30 am PT)
  • Tuesday, July 9, 2024, at 2:30 pm ET (11:30 am PT)

Analyst comment (Jennifer Lyn Walker): Given this incident and the recent alert that phone scammers have been impersonating CISA employees, utilities are urged to remind staff to remain vigilant when handling communications with CISA personnel, including the importance of validating the contact by calling CISA at (844) SAY-CISA (844-729-2472) or report it to law enforcement.

What happened with CSAT?

CISA’s Chemical Security Assessment Tool (CSAT) was the target of a cybersecurity intrusion between January 23-26, 2024. The compromise was due to exploitation of the CSAT Ivanti Connect Secure appliance. While CISA’s investigation found no evidence of exfiltration of data, this intrusion may have resulted in the potential unauthorized access of Top-Screen surveys, Security Vulnerability Assessments, Site Security Plans, Personnel Surety Program (PSP) submissions, and CSAT user accounts.

Following the reporting requirements under the Federal Information Security Modernization Act (FISMA), CISA notified participants in the Chemical Facility Anti-Terrorism Standards (CFATS) program about the intrusion and the potentially impacted information.

How was the CSAT compromise identified?

On January 26, CISA identified potentially malicious activity affecting the CSAT Ivanti Connect Secure appliance. During the investigation, we identified that a malicious actor installed an advanced webshell on the Ivanti device. This type of webshell can be used to execute malicious commands or write files to the underlying system. Our analysis further identified that a malicious actor accessed the webshell several times over a two-day period. Importantly, our investigation did not identify adversarial access beyond the Ivanti device nor data exfiltration from the CSAT environment.

Questions about this incident by chemical facilities or their third-party partners should be addressed to CISA Chemical Security at CF*****************@******hs.gov. Potentially impacted individuals should also contact CF*****************@******hs.gov until the call center is stood up.