CISA’s CSAT Tool Hacked, Systems Taken Offline


The Cybersecurity and Infrastructure Security Agency’s (CISA) Chemical Security Assessment Tool (CSAT) experienced a cybersecurity breach between January 23 and January 26, 2024, by a malicious actor.

This incident has caused significant concern within the cybersecurity community as it potentially exposed sensitive data including Top-Screen surveys, Security Vulnerability Assessments, Site Security Plans, Personnel Surety Program (PSP) submissions, and CSAT user accounts.

Despite the investigation revealing no evidence of data being extracted, the possibility of unauthorized access has led to immediate and proactive measures.

Response and Recommendations

In line with the Federal Information Security Modernization Act (FISMA), CISA quickly informed participants in the Chemical Facility Anti-Terrorism Standards (CFATS) program about the breach and the types of information that may have been compromised.

CISA is encouraging facilities to enhance their cyber and physical security practices. Although there is no indication that credentials were stolen, CISA advises all CSAT account holders to change their passwords, especially if they use the same password across multiple platforms, to prevent “password spraying” attacks.

CISA has also recommended that organizations using Ivanti appliances should consult the Cybersecurity Alert (AA24-060B) which details vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways that could be exploited.

CISA noted that it does not hold address or contact information for individuals vetted under the CFATS Personnel Surety Program and therefore cannot directly contact those individuals.

Notification and Support

CISA has issued a CSAT Ivanti Notification Letter to facilities, asking them to notify individuals who were submitted for vetting under the CFATS Personnel Surety Program about the breach. Facilities can use a provided template letter for this communication. Alternatively, if facilities opt not to notify these individuals directly, they are asked to furnish CISA with the contact details of the affected personnel so that CISA may undertake the notifications.

To further assist stakeholders, CISA is hosting two webinars to discuss the details of the incident and respond to frequently asked questions.

These webinars are scheduled for Monday, June 24, 2024, at 2:30 pm ET (11:30 am PT) and Tuesday, July 9, 2024, at 2:30 pm ET (11:30 am PT).

Facilities impacted by the breach should send the contact information for affected personnel to [email protected]. This proactive communication will help manage the situation and mitigate potential risks arising from the breach.