Chemical industry focuses on cyber-security
Aug 8, 2006 11:15 AM
In a worst-case scenario, porous cyber-security at a chemical company could potentially result in safety risks to plant employees and local communities; not to mention business interruption, lost capital, physical attack, identity theft for the purpose of acquiring chemicals, and access to systems to cause plant disruptions, according to a position paper issued by the Chemical Information Technology Council Executive Board.
To help chemical industry players maximize cyber-security, industry leaders Dow Chemical, DuPont, Rohm and Haas, Eastman Chemical, Nova Chemicals, and Celanese are stepping up their efforts with a previously-formed alliance called the Chemical Sector Cyber Security Program (CSCSP).
"CIOs at leading chemical companies know how important security, both physical and cyber, is within our industry. And we believe that the industry as a whole has much to gain by sharing security information and practices," Neil Hershfield, director of the CSCSP and cyber-security director at Dow, Midland, Mich., told eWeek news.
To achieve its goals, the CSCSP must partner with business, industry and vendors. That's why getting IT suppliers on board with the group is a key initiative in 2006. "We need to get IT vendors to address issues within the products they develop and to test and enhance product security prior to commercial release," Hershfield adds.
CSCSP's mission is to provide a single channel through which the industry can drive a coordinated sectorwide implementation of cyber-security practices and tools as well as respond to emerging sector needs. The group seeks to drive the adoption of best cyber-security practices, support manufacturing and control systems security efforts, accelerate the development of improved technology, enhance information sharing among chemical companies and align the chemical industry's priorities with those of the Department of Homeland Security.
The chemical industry is one of 13 sectors identified as critical infrastructure by the National Strategy for Homeland Security in 2002, and it was asked to develop a sectorwide strategy to address cyber-security issues.
"As companies increase manufacturing and control automation, which improves productivity, it opens [them] up to increased risk," Cheryl Flannery, director of IT security, compliance and risk management at Air Products and Chemicals in Allentown, Pa., told eWeek. Flannery, who is also a member of the CSCSP Steering Committee, adds that the move away from proprietary technology and toward more industry-standard, off-the-shelf solutions has introduced new cyber-risks into the industry.
The CSCSP has created a Chemical Sector Cyber Security Strategy, a unified plan of action to address cyber-security across the industry with vendors, supply chain partners and other critical infrastructure partners, Hershfield says.
Included in the plan are a number of guidance documents and tools that companies can use to access and enhance the cyber-security performance of both business and manufacturing control systems.
Examples of cyber-attacks to critical infrastructure, according to the CSCSP, include a cyber-attack on a SCADA (Supervisory Control and Data Acquisition)-run computerized waste treatment system in Queensland, Australia, that caused the diversion of millions of gallons of raw sewage into local parks and rivers. Closer to home, a teenage hacker disrupted the scheduling computer systems at the world's eighth-largest shipping port, in Houston, making it impossible to help ships navigate safely from the harbor.
Getting control systems to meet today's cyber-security requirements is a huge challenge. When originally developed, the technology was designed for day-in, day-out reliability and efficiency, not security. "At that time, control systems weren't networked, or operated remotely," said Mike Assante, infrastructure protection strategist with the Idaho National Laboratory in Idaho Falls. Furthermore, control systems, unlike office technology, are multimillion-dollar machines built to last decades.
The security challenge facing product vendors today is twofold: designing new systems that meet cyber-security standards for the chemical industry and retrofitting legacy systems to meet cyber-security requirements, Assante adds.
Want to use this article? Click here for options!
© 2014 Penton Media Inc.
Today's New Product
In support of the Privaris family of personal identity verification tokens for secure physical and IT access, an updated version of its plusID Manager Version 2.0 software extends the capabilities and convenience to administer and enroll biometric tokens. The software offers multi-client support, import and export functionality, more extensive reporting features and a key server for a more convenient method of securing tokens to the issuing organization.