Regulatory Requirements

Under the Chemical Facility Anti-Terrorism Standards (CFATS), regulated facilities are required to address the risk of potential cyber-attacks, including taking steps to secure ICS. 

The requirements under CFATS are spelled out in Risk-Based Performance Standard (RBPS) 8 that states regulated facilities must “Deter cyber sabotage, including preventing unauthorized onsite or remote access to critical process controls, such as supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), process control systems (PCS), industrial control systems (ICS); critical business systems, and other sensitive computerized systems.”

For more information on CFATS, please visit