Cool Audit

CISA's CSAT Tool Hacked, Systems Taken Offline

The Cybersecurity and Infrastructure Security Agency’s (CISA) Chemical Security Assessment Tool (CSAT) was the target of a cybersecurity intrusion by a malicious actor from January 23-26, 2024.

The breach, which has raised significant concerns within the cybersecurity community, potentially exposed sensitive information including Top-Screen surveys, Security Vulnerability Assessments, Site Security Plans, Personnel Surety Program (PSP) submissions, and CSAT user accounts.

Although CISA’s investigation found no evidence of data exfiltration, the potential unauthorized access has prompted immediate action.

Response and Recommendations

In compliance with the Federal Information Security Modernization Act (FISMA), CISA promptly notified participants in the Chemical Facility Anti-Terrorism Standards (CFATS) program about the intrusion and the potentially impacted information.

CISA is urging facilities to bolster their cyber and physical security measures. Despite no evidence of stolen credentials, CISA recommends that individuals with CSAT accounts reset their passwords, especially if the same password is used across multiple accounts, to mitigate the risk of “password spraying” attacks.

For organizations utilizing Ivanti appliances, CISA advises reviewing the Cybersecurity Alert (AA24-060B) regarding the exploitation of multiple vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways.

CISA has clarified that it did not collect address or contact information for individuals vetted under the CFATS Personnel Surety Program, so it cannot directly notify those individuals.

Notification and Support

CISA requests that facilities that received the CSAT Ivanti Notification Letter inform individuals submitted for vetting under the CFATS Personnel Surety Program about the incident.

Facilities can use a provided template letter for this purpose. Alternatively, if facilities choose not to notify these individuals, CISA requests that they provide contact information for the affected personnel so that CISA can handle the notifications.

To support stakeholders, CISA is hosting two webinars to review the incident details and answer frequently asked questions.

The webinars are scheduled for Monday, June 24, 2024, at 2:30 pm ET (11:30 am PT) and Tuesday, July 9, 2024, at 2:30 pm ET (11:30 am PT).

Facilities can send contact information for personnel affected by the breach to