Chem teams mix potent antidote

InTech, Feb 2008 by Policastro, Ellen Fussell

Chemical industry gets serious about security: Perfecting programs, educating users

Even before 11 September 2001, chemical companies realized they needed to pay attention to cyber security.

Experts in the industry saw an increased use in the Internet through corporate networks. Emarketplaces were becoming more popular for corporations to do business, and control system automation, embracing open Ethernet technology, was moving farther away from proprietary systems. After 9/11, a heightened sense of urgency emerged in the chemical industry, not only in business systems, but in manufacturing and control systems. The chemical industry got busy building a strategy and sharing it with others. In fact, the work that followed brought about the chemical sector cyber security strategy in 2002, which the White House subsequently referenced for its national strategy to secure cyber space.

Now the industry is sharing its knowledge about security and helping manufacturers build their fortresses, to not only comply with new government regulations, but to enhance the overall security of control systems throughout the industry.

Program guides industry

"When we wrote our strategy, one of our primary objectives was to form a sector-wide program focusing on cyber security risk management and reduction," said Christine Adams, director of the chemical sector cyber security program in Washington, D. C. That's how the chemical sector cyber security program was born in September 2002 and set about to implement that sector-wide strategy.

The cyber security program can actually serve as a focal point for users, building awareness, networking, and guidance as it addresses the chemical sector's maturing needs. "Because we're organized under the American Chemistry Council, the program enables us to closely link our cyber security efforts with those of their overall security program," Adams said.

One of the biggest bodies of work the program has produced is the cyber security guidance documents. "We didn't want to develop standards because we figured there were IT security standards in existence already," Adams said. "Where there weren't, our strategy was to join those organizations developing standards and [transfer] their meaning to the chemical industry. We took experts from within our industry, [those] active in ISA and various technical publications ISA has produced around process control security systems," Adams said. "Those participating in ISA initiatives bring that information back and use our program as networking opportunities and sounding boards to help them bring the chemical sector's perspective on that body of work to the ISA table."

"The chemical industry's cyber security efforts have provided value beyond the chemical industry as their input has been utilized directly by the electric industry in developing their cyber security programs and indirectly for other industries through the ISA99 process," said Joe Weiss, Managing Partner at Applied Control Solutions.

The cyber security program has also released guidance on how to use Department of Homeland security (DHS) information-sharing capabilities. "We're trying to get the people in the industry aware of US-CERT, the cyber communication vehicle of the DHS National Cyber security Division, which communicates with the private sector through portals in a private web capability. You subscribe to them and have access to alerts and exchanges of information over this particular channel," Adams said. "Enhancing information-sharing with DHS, we've been documenting the channels for sharing information for the chemical sector."

Preparing to comply

The DHS has asked every sector to form a sector coordinating council. So the chemical industry has a chemical sector coordinating council of about 16 people who represent major associations in the chemical industry. This council has been in dialog with DHS all year to figure out what manufacturers can do ahead of time to prepare.

"The problem is whatever we did before now, we might have to do again, but we can certainly use the information," Adams said. If a company has conducted a site vulnerability assessment, "there's a strong chance the information we pulled together is pretty close to the kind of information we'll have to give DHS," Adams said. "We'll just have to enter information into their tool" because DHS has a specific set of questions they expect you to answer in a vulnerability assessment. "It's not totally redoing your efforts. In fact, it probably helps if you did a bit ahead of time," she said. "But there will be a specific process; you'll have to use their tools and their process for submitting information they're requesting."

Three components to compliance

The DHS released the Chemical Facility AntiTerrorism Standards in April 2007. These standards cover all aspects of chemical facility anti-terrorism standards, and cyber security is part of that. "Implementation was delayed because there was an appendix to the regulations that describes DHS chemicals of interestthose chemicals they thought were particularly sensitive-and the threshold quantity [limits with which manufacturers needed to comply]," said Eric Cosman, engineering solutions architect at The Dow Chemical Company in Midland, Mich. "If you have a chemical on this list in a quantity that exceeds the threshold amount, your facility is subject to these regulations. (see accompanying article on DHS requirements.)