In a worst-case scenario, lax cyber-security at a chemical company could be truly explosive. Security inadequacies have the potential to result in safety risks to plant employees and local communities, business interruption, lost capital, physical attack, identity theft for the purpose of acquiring chemicals, and access to systems to cause plant disruptions, according to a position paper issued by the Chemical Information Technology Council Executive Board.
To help one another as well as other chemical industry players maximize cyber-security, industry leaders Dow Chemical, DuPont, Rohm and Haas, Eastman Chemical, Nova Chemicals, and Celanese are stepping up their efforts with the alliance they had previously formed—the Chemical Sector Cyber Security Program.
“CIOs at leading chemical companies know how important security, both physical and cyber, is within our industry. And we believe that the industry as a whole has much to gain by sharing security information and practices,” said Neil Hersh-field, director of the CSCSP and cyber-security director at Dow, in Midland, Mich.
To achieve its goals, the CSCSP must partner with business, industry and vendors. Thats why getting IT suppliers on board with the group is a key initiative in 2006.
“We need to get IT vendors to address issues within the products they develop and to test and enhance product security prior to commercial release,” said Hershfield.
The CSCSP currently has identified 29 prospective IT service and product providers that its targeting for affiliate membership.
According to the CSCSP, its mission is to provide a single channel through which the industry can drive a coordinated sectorwide implementation of cyber-security practices and tools as well as respond to emerging sector needs. The group seeks to drive the adoption of best cyber-security practices, support manufacturing and control systems security efforts, accelerate the development of improved technology, enhance information sharing among chemical companies, and align the chemical industrys priorities with those of the Department of Homeland Security.
The chemical industry is one of 13 sectors identified as critical infrastructure by the National Strategy for Homeland Security in 2002, and it was asked to develop a sectorwide strategy to address cyber-security issues. In addition, chemical industry IT executives were increasingly aware that a growing number of IT trends within the industry were jeopardizing security more than ever before.
For example, “as companies increase manufacturing and control automation, which improves productivity, it opens [them] up to increased risk,” said Cheryl Flannery, director of IT security, compliance and risk management at Air Products and Chemicals, in Allentown, Pa., and a member of the CSCSP Steering Committee.
Flannery added that the move away from proprietary technology and toward more industry-standard, off-the-shelf solutions introduces new cyber-risks into the industry.
Another security risk stems from the fact that chemical companies are often one anothers customers and suppliers.
“Theres a lot of system integration, business-to-business connections and joint ventures. And if the companies were interacting with dont have good cyber-security practices in place, it puts us at risk,” said Theresa Jones, global director of information security at Dow, and a member of the CSCSP Steering Committee.
-security across the supply chain, and then some”>
The CSCSP has created a Chemical Sector Cyber Security Strategy, a unified plan of action to address cyber-security across the industry with vendors, supply chain partners and other critical infrastructure partners, according to Hershfield. Included in the plan are a number of guidance documents and tools that companies can use to access and enhance the cyber-security performance of both business and manufacturing control systems.
Founded in 2002 and based in Arlington, Va., the CSCSP acts as a working team, promoting one of the four major IT initiatives of ChemITC, a self-funded panel within the American Chemistry Councils Chemstar program.
A $459 billion enterprise within the United States, the chemical sector faces many of the same cyber-security challenges that other industries face, such as cyber-security risks to IT business systems. But it also faces unique security risks related to manufacturing control systems and critical infrastructure. And, although largely underreported, according to Jones, cyber-threats happen.
Examples of cyber-attacks to critical infrastructure, according to the CSCSP, include a cyber-attack on a SCADA (Supervisory Control and Data Acquisition)-run computerized waste treatment system in Queensland, Australia, that caused the diversion of millions of gallons of raw sewage into local parks and rivers. Closer to home, a teenage hacker disrupted the scheduling computer systems at the worlds eighth-largest shipping port, in Houston, making it impossible to help ships navigate safely from the harbor.
The CSCSP is looking to partner with other chemical companies, trade groups, vendors and suppliers. Support from IT vendors, in particular, is critical and a two-way street.
IT vendor partners will include both vendors of manufacturing and control systems and IT product providers—that is, hardware, software and services—according to the CSCSP director. Of the nine providers already contacted, Hershfield reports that IBM, SAP, Intelligroup and BearingPoint have expressed strong interest in partnering with the CSCSP, and the group has plans to meet with an additional 20 prospects.
The CSCSP already has targeted access control, host and network security, and operational monitoring as its key technology initiatives through 2007.
Within the area of access control, organization teams will focus on Microsofts Active Directory and its integration in the manufacturing and control systems environment, device authentication, strong user identification, federated identity, and network access control. Under host and network security, teams will look at wireless networking and technology, secure computing, dynamic system protection, SANs (storage area networks), and OLE (Object Linking and Embedding) for process control. Operational monitoring areas for investigation include intrusion detection and intelligent agents, according to the CSCSP.
Another important partner of the group is the Idaho National Laboratory. One of 10 multiprogram national labs owned by the Department of Energy, INLs supporting activities include matters related to national security, with a focus on wireless and communications systems, process control, and cyber-security, among other efforts.
Getting control systems to meet todays cyber-security requirements is a huge challenge. When originally developed, the technology was designed for day-in, day-out reliability and efficiency, not security.
“At that time, control systems werent networked, or operated remotely,” said Mike Assante, infrastructure protection strategist with the INL, in Idaho Falls. Furthermore, control systems, unlike office technology, are multimillion-dollar machines built to last decades.
The security challenge facing product vendors today is twofold: designing new systems that meet cyber-security standards for the chemical industry and retrofitting legacy systems to meet cyber-security requirements.
INL houses a pilot chemical plant that replicates manufacturing processes with control systems.
“We use the facility to run tests [and] demos [and to] conduct education and awareness seminars and training,” said Assante.
At the heart of the CSCSPs efforts is outreach. This year, the group has several outreach initiatives, including the formation of a European Networking and Implementation Team to exchange information and knowledge about cyber-security with chemical companies overseas. In another effort to encourage communication among those who hold a stake in ensuring cyber-security within their own organizations, the Manufacturing and Control Team of the CSCSP is working to bring together those professionals responsible for plant security with the IT business side of the house.
The CSCSPs Technology Team continues to develop and disseminate guidance on topics such as wireless security, device authentication, user authentication, secure computing and directory services.
“The challenge we face regarding cyber-security is that its a moving target and something we must deal with day in and day out,” said Air Products and Chemicals Flannery. With the efforts of CSCSP chemical companies, vendors, suppliers and business partners will be better equipped to keep vigilant and focused, she added.
Lynn Haber is a freelance writer based in Norwell, Mass. She can be reached at [email protected].
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.