-security across the supply chain, and then some"> The CSCSP has created a Chemical Sector Cyber Security Strategy, a unified plan of action to address cyber-security across the industry with vendors, supply chain partners and other critical infrastructure partners, according to Hershfield. Included in the plan are a number of guidance documents and tools that companies can use to access and enhance the cyber-security performance of both business and manufacturing control systems. Founded in 2002 and based in Arlington, Va., the CSCSP acts as a working team, promoting one of the four major IT initiatives of ChemITC, a self-funded panel within the American Chemistry Councils Chemstar program.Examples of cyber-attacks to critical infrastructure, according to the CSCSP, include a cyber-attack on a SCADA (Supervisory Control and Data Acquisition)-run computerized waste treatment system in Queensland, Australia, that caused the diversion of millions of gallons of raw sewage into local parks and rivers. Closer to home, a teenage hacker disrupted the scheduling computer systems at the worlds eighth-largest shipping port, in Houston, making it impossible to help ships navigate safely from the harbor. The CSCSP is looking to partner with other chemical companies, trade groups, vendors and suppliers. Support from IT vendors, in particular, is critical and a two-way street. IT vendor partners will include both vendors of manufacturing and control systems and IT product providersthat is, hardware, software and servicesaccording to the CSCSP director. Of the nine providers already contacted, Hershfield reports that IBM, SAP, Intelligroup and BearingPoint have expressed strong interest in partnering with the CSCSP, and the group has plans to meet with an additional 20 prospects. The CSCSP already has targeted access control, host and network security, and operational monitoring as its key technology initiatives through 2007. Within the area of access control, organization teams will focus on Microsofts Active Directory and its integration in the manufacturing and control systems environment, device authentication, strong user identification, federated identity, and network access control. Under host and network security, teams will look at wireless networking and technology, secure computing, dynamic system protection, SANs (storage area networks), and OLE (Object Linking and Embedding) for process control. Operational monitoring areas for investigation include intrusion detection and intelligent agents, according to the CSCSP. Another important partner of the group is the Idaho National Laboratory. One of 10 multiprogram national labs owned by the Department of Energy, INLs supporting activities include matters related to national security, with a focus on wireless and communications systems, process control, and cyber-security, among other efforts. Getting control systems to meet todays cyber-security requirements is a huge challenge. When originally developed, the technology was designed for day-in, day-out reliability and efficiency, not security. "At that time, control systems werent networked, or operated remotely," said Mike Assante, infrastructure protection strategist with the INL, in Idaho Falls. Furthermore, control systems, unlike office technology, are multimillion-dollar machines built to last decades. The security challenge facing product vendors today is twofold: designing new systems that meet cyber-security standards for the chemical industry and retrofitting legacy systems to meet cyber-security requirements. INL houses a pilot chemical plant that replicates manufacturing processes with control systems. "We use the facility to run tests [and] demos [and to] conduct education and awareness seminars and training," said Assante. At the heart of the CSCSPs efforts is outreach. This year, the group has several outreach initiatives, including the formation of a European Networking and Implementation Team to exchange information and knowledge about cyber-security with chemical companies overseas. In another effort to encourage communication among those who hold a stake in ensuring cyber-security within their own organizations, the Manufacturing and Control Team of the CSCSP is working to bring together those professionals responsible for plant security with the IT business side of the house. The CSCSPs Technology Team continues to develop and disseminate guidance on topics such as wireless security, device authentication, user authentication, secure computing and directory services. "The challenge we face regarding cyber-security is that its a moving target and something we must deal with day in and day out," said Air Products and Chemicals Flannery. With the efforts of CSCSP chemical companies, vendors, suppliers and business partners will be better equipped to keep vigilant and focused, she added. Lynn Haber is a freelance writer based in Norwell, Mass. She can be reached at firstname.lastname@example.org. Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.
A $459 billion enterprise within the United States, the chemical sector faces many of the same cyber-security challenges that other industries face, such as cyber-security risks to IT business systems. But it also faces unique security risks related to manufacturing control systems and critical infrastructure. And, although largely underreported, according to Jones, cyber-threats happen.