Chemical Industry Giants Zone in on Cyber-Security

Case study: Chemical industry bigwigs launch a cyber-security program to guard against shared threats-and possible disaster.

In a worst-case scenario, lax cyber-security at a chemical company could be truly explosive. Security inadequacies have the potential to result in safety risks to plant employees and local communities, business interruption, lost capital, physical attack, identity theft for the purpose of acquiring chemicals, and access to systems to cause plant disruptions, according to a position paper issued by the Chemical Information Technology Council Executive Board.

To help one another as well as other chemical industry players maximize cyber-security, industry leaders Dow Chemical, DuPont, Rohm and Haas, Eastman Chemical, Nova Chemicals, and Celanese are stepping up their efforts with the alliance they had previously formed—the Chemical Sector Cyber Security Program.

"CIOs at leading chemical companies know how important security, both physical and cyber, is within our industry. And we believe that the industry as a whole has much to gain by sharing security information and practices," said Neil Hersh-field, director of the CSCSP and cyber-security director at Dow, in Midland, Mich.

To achieve its goals, the CSCSP must partner with business, industry and vendors. Thats why getting IT suppliers on board with the group is a key initiative in 2006.

"We need to get IT vendors to address issues within the products they develop and to test and enhance product security prior to commercial release," said Hershfield.

The CSCSP currently has identified 29 prospective IT service and product providers that its targeting for affiliate membership.

According to the CSCSP, its mission is to provide a single channel through which the industry can drive a coordinated sectorwide implementation of cyber-security practices and tools as well as respond to emerging sector needs. The group seeks to drive the adoption of best cyber-security practices, support manufacturing and control systems security efforts, accelerate the development of improved technology, enhance information sharing among chemical companies, and align the chemical industrys priorities with those of the Department of Homeland Security.

The chemical industry is one of 13 sectors identified as critical infrastructure by the National Strategy for Homeland Security in 2002, and it was asked to develop a sectorwide strategy to address cyber-security issues. In addition, chemical industry IT executives were increasingly aware that a growing number of IT trends within the industry were jeopardizing security more than ever before.

For example, "as companies increase manufacturing and control automation, which improves productivity, it opens [them] up to increased risk," said Cheryl Flannery, director of IT security, compliance and risk management at Air Products and Chemicals, in Allentown, Pa., and a member of the CSCSP Steering Committee.

Flannery added that the move away from proprietary technology and toward more industry-standard, off-the-shelf solutions introduces new cyber-risks into the industry.

Another security risk stems from the fact that chemical companies are often one anothers customers and suppliers.

"Theres a lot of system integration, business-to-business connections and joint ventures. And if the companies were interacting with dont have good cyber-security practices in place, it puts us at risk," said Theresa Jones, global director of information security at Dow, and a member of the CSCSP Steering Committee.

Next Page: Enhancing cyber-security across the supply chain, and then some.