Chem teams mix potent antidote
Chemical industry gets serious about security: Perfecting programs, educating users
By Ellen Fussell Policastro
Even before 11 September 2001, chemical companies realized they needed to pay attention to cyber security.
Experts in the industry saw increased use of the Internet through corporate networks. E-marketplaces were becoming more popular for corporations to do business, and control system automation, embracing open Ethernet technology, was moving farther away from proprietary systems. After 9/11, a heightened sense of urgency emerged in the chemical industry, not only in business systems, but in manufacturing and control systems. The chemical industry got busy building a strategy and sharing it with others. In fact, the work that followed brought about the chemical sector cyber security strategy in 2002, which the White House subsequently referenced for its national strategy to secure cyber space.
Now the industry is sharing its knowledge about security and helping manufacturers build their fortresses, to not only comply with new government regulations, but to enhance the overall security of control systems throughout the industry.
Program guides industry
“When we wrote our strategy, one of our primary objectives was to form a sector-wide program focusing on cyber security risk management and reduction,” said Christine Adams, director of the chemical sector cyber security program in Washington, D.C. That’s how the chemical sector cyber security program was born in September 2002 and set about to implement that sector-wide strategy.
The cyber security program serves as a focal point for users, providing awareness, networking, and guidance as it addresses the chemical sector’s maturing needs. “Because we’re organized under the American Chemistry Council, the program enables us to closely link our cyber security efforts with those of their overall security program,” Adams said.
One of the biggest bodies of work the program has produced is the cyber security guidance documents. “We didn’t want to develop standards because we figured there were IT security standards in existence already,” Adams said. “Where there weren’t, our strategy was to join those organizations developing standards and [transfer] their meaning to the chemical industry. We took experts from within our industry, [those] active in ISA and various technical publications ISA has produced around process control security systems,” Adams said. “Those participating in ISA initiatives bring that information back and use our program as networking opportunities and sounding boards to help them bring the chemical sector’s perspective on that body of work to the ISA table.”
“The chemical industry’s cyber security efforts have provided value beyond the chemical industry as their input has been utilized directly by the electric industry in developing their cyber security programs and indirectly for other industries through the ISA99 process,” said Joe Weiss, Managing Partner at Applied Control Solutions.
The cyber security program has also released guidance on how to use Department of Homeland Security (DHS) information-sharing capabilities. “We’re trying to get the people in the industry aware of US-CERT, the cyber communication vehicle of the DHS National Cyber Security Division, which communicates with the private sector through portals in a private web capability. You subscribe to them and have access to alerts and exchanges of information over this particular channel,” Adams said. “Enhancing information-sharing with DHS, we’ve been documenting the channels for sharing information for the chemical sector.”
Preparing to comply
The DHS has asked every sector to form a sector coordinating council. So the chemical industry has a chemical sector coordinating council of about 16 people who represent major associations in the chemical industry. This council has been in dialog with DHS all year to figure out what manufacturers can do ahead of time to prepare.
“The problem is whatever we did before now, we might have to do again, but we can certainly use the information,” Adams said. If a company has conducted a site vulnerability assessment, “there’s a strong chance the information we pulled together is pretty close to the kind of information we’ll have to give DHS,” Adams said. “We’ll just have to enter information into their tool” because DHS has a specific set of questions they expect you to answer in a vulnerability assessment. “It’s not totally redoing your efforts. In fact, it probably helps if you did a bit ahead of time,” she said. “But there will be a specific process; you’ll have to use their tools and their process for submitting information they’re requesting.”
Three components to compliance
The DHS released the Chemical Facility Anti-Terrorism Standards in April 2007. These standards cover all aspects of anti-terrorism security at chemical facilities, and cyber security is part of that. “Implementation was delayed because there was an appendix to the regulations that describes DHS chemicals of interest—those chemicals they thought were particularly sensitive—and the threshold quantity [limits with which manufacturers needed to comply],” said Eric Cosman, engineering solutions architect at The Dow Chemical Company in Midland, Mich. “If you have a chemical on this list in a quantity that exceeds the threshold amount, your facility is subject to these regulations.” (See accompanying article on DHS requirements.)
The regulatory process initiated has three major components. The first one is called the top screen. All chemical facilities that meet requirements of having to participate in the top screen will be required to go through screening to determine if they’ll be regulated.
“Once the rule goes into effect, chemical facilities around the country will have a certain amount of time—a deadline by which we have to submit a top screen assessment,” Cosman said. “That means the chemical companies have to go through a process the DHS has determined to send them some information which allows them to determine which of our facilities are of most interest in this assessment. The outcome is chemical facilities will be placed in tiers 1, 2, or 3,” he said. “Based on the tier you’re in, the DHS will tell you what the next steps are. I can’t speak for other companies, but for our company, most of this is being done through our physical security function. When you look at the regulations, cyber is a fairly minor component.”
The second step is to complete a facility or site vulnerability assessment that DHS has designed. “The difference is, not only do we do voluntary assessments, now if we are a site that’s to be regulated, we have to conduct them and do the vulnerability assessment DHS prescribes,” Adams said.
The third step after the assessment and response from DHS is creating a site-specific plan. “For several years as an industry, we’ve been developing security plans. We’ve been incorporating cyber into our companies’ corporate and site security plans,” Adams said. “We now have to document these plans in a format acceptable to DHS, including components they believe need to be included. Then we have to be prepared to be audited against site-specific plans we submit to DHS.”
Manufacturer sets priorities
Dow is approaching automation system security with two challenges: how to secure existing installations (going back to retrofit software and hardware), and how to make sure new systems going in are secure by design. “We’re attacking both simultaneously,” Cosman said. “We have a program in place that has people dedicated to it full time. They are looking at all our facilities on an ongoing basis, assessing vulnerabilities as situations change, and making whatever improvements are necessary.”
But there are not enough hours to do everything at once, Cosman said. “You have to set priorities based on risk. Based on the outcome of our risk analysis, we take whatever steps are necessary to improve systems that have the highest risk,” he said. “In doing that, we establish minimum standards that must apply everywhere, then we systematically make sure we live up to those standards.”
Those standards, as Dow defines them, tie in to the concept of secure by design. The task of Cosman’s team is to make sure new systems meet those standards on day one. “We do that in conjunction with our suppliers, making sure the automation systems we design use their technology, going in secure from the beginning. We use the lessons learned from our risk and vulnerability assessment to improve design of new systems so we don’t have to go back and retrofit after the fact,” he said.
One example of risk assessment is looking at the nature of the chemical process. How risky is the process? What could be the consequences in the case of a cyber security event? “Some processes that use dangerous chemicals at high pressures that could cause release of dangerous chemicals would get more attention than a process that puts product in a plastic bag,” Cosman said. The nature of the process is an important factor. To some degree, the location of a facility is important—how tightly it is connected to other facilities. There is obviously a tie to physical security, because physical and cyber are related.
“We also look at the nature of the automation system, how open or not open it is,” he said. “If it’s an older proprietary system and not connected to the network, it’s much less likely to be vulnerable to a cyber attack. We have a fairly large installed base of proprietary process control technology that is more resistant because it’s custom built. Open systems of course bring risk, and productivity brings risk. If you’re using open technology-based control systems, you should understand the risk that entails and make sure you’ve mitigated that risk appropriately.”
The biggest vulnerability in industry is “people are connecting these systems without fully understanding the risk,” Cosman said. That’s part of what ISA99 and people working in this space are trying to address. Whether it is ISA99 or chemical security in general, “we’re trying to get the word out that these risks do exist. But it’s not hopeless,” he said. There are things you can do about it. One of those things is looking at the guidance material produced by the chemical sector cyber security program and ISA99. “Both of those efforts have produced educational material to help people improve their systems. All that information is readily available.”
ABOUT THE AUTHOR
Ellen Fussell Policastro is the associate editor of InTech. Her e-mail is firstname.lastname@example.org.
DHS has final word
Appendix A of the Chemical Facility Anti-Terrorism Standards (CFATS) defines nearly 300 chemicals of interest and the screening threshold quantities at or above which facilities that possess those chemicals are required to conduct a top-screen or initial-consequence assessment. “Many facilities that will fill out the top screen may not be subject to further regulation under CFATS,” said DHS spokeswoman Laura Keehner.
If a facility possesses a chemical of interest at or above the listed screening threshold quantity, the facility must complete and submit a top screen to DHS within 60 calendar days of coming into possession of the listed chemical. Some of the chemicals listed in Appendix A include propane, chlorine, ammonium nitrate, and hydrogen peroxide.
DHS will have the authority to “seek compliance through audits and inspections of high-risk facilities,” Keehner said. “It also has the authorities to impose civil penalties of up to $25,000 per day, and the ability to shut down non-compliant facilities.”
DHS understands the CFATS will reach facilities not traditionally thought of as part of the chemical sector. “Not all facilities present the same level of risk, and most scrutiny should be focused on those that, if attacked or otherwise compromised, could endanger the greatest number of lives, have the greatest economic impact, or present other very significant consequences,” Keehner said.
Since the auto industry encompasses as much as a third of all manufacturing, everything from paint and coatings plants, extrusion, urethanes, sealants, and epoxies, to structural graphites, nylon, rubber, fibers and dyestuffs, coolants, lubes, and fuels, chemical facilities associated with the auto industry may be required to fill out a top-screen. “To exclude the automobile sector would be to exclude most chemical processing in America, and that would not be in the best interest of the security of the American people, which is our top priority,” she said.
Programs that help
Cyber security in the chemical sector has a thriving program under the auspices of the Chemical Information Technology Council (ChemITC). The program has been in place for nearly six years, and its purpose is to promote and advance the state of cyber security in the chemical industry in all its aspects, not just process control. This includes business systems, supply chain, and others. One of the work teams focuses on manufacturing and control; its purpose is to act as the voice of the chemical sector in matters of cyber security for manufacturing control systems.
ChemITC was established under the auspices of the American Chemistry Council (ACC) because the chemical industry member companies are predominantly members of ACC.
The Chemical Sector Cyber Security program became one of the major strategic initiatives under ChemITC, offering manufacturers sources of information to find out what they can do to prepare to comply with new DHS regulations and to better understand how the new regulations will work. Users can read about the latest in control system security in an ACC newsletter called ChemITC Connections, or view webcasts, white papers, and guidance documents at www.americanchemistry.com under ChemITC.
—Ellen Fussell Policastro