Every five seconds, a Web-attached camera snaps a picture of the computer room at US-based Arch Chemicals. Those images go to a central security console for review. Should an intruder appear, Arch security personnel will be alerted instantly. Not that it'll be easy for the intruder to get there in the first place; after all, Arch has new fences, more guards, better lighting, employee ID badges and a raft of other recent security improvements.
This is the aftermath of 9/11, a day when chemical businesses experienced an abrupt shift in their thinking about potential security threats. As Arch CSO Ross Barnes says, "Chemical companies typically haven't looked at this from an adversarial standpoint — what we have on the (manufacturing) sites that could be a target for terrorists," as opposed to perhaps simpler problems such as accidents or, at worst, vandalism. Now the industry's CSOs are pondering things like how to stop someone from blowing up a truck next to a processing plant, or finding an electronic inroad to disable shutoff valves in a hazardous mixing process. And this isn't just CSO paranoia talking. "Chemical facilities may be attractive targets for terrorists intent on causing economic harm and loss of life," said the US General Accounting Office in a March report highlighting the vulnerabilities of the industry.
As Arch Chemicals demonstrates, a new set of threats requires a new set of security measures. These challenges have set off a wave of cooperation and communication throughout the industry. At Arch, Barnes is working more closely than ever with Vice President of Information Technology and CIO Al Schmidt to keep logical and physical security in sync. And collaboration doesn't stop at company borders. The industry is taking a gang-tackling approach, creating joint efforts such as the Chemicals Sector Cyber-Security Information Sharing Forum to determine and disseminate best practices. "We've seen industries where the response is to put up a wall of lawyers and deflect responsibility as long as possible. We're making a very serious attempt" to ensure collaboratively that plants and computer infrastructures are secure, says Schmidt.
That's good because there is a lot of work to do. Chemical companies face a number of significant hurdles in their race toward better security: Small companies in the supply chain lack resources to enact new measures. Information-sharing within the industry and with the government still needs improvement. And while the industry shows progress in those two areas, there's a spanner in the works: process control systems that are increasingly internetworked but resistant to standard infosecurity tools and practices.
Baby Steps
Two of the easier hurdles to jump are ensuring that small companies also improve their security, and fostering information-sharing across the industry.
Greg Holton is leader of the security vulnerability analysis team at Crisis Management Worldwide, a security consultancy that works with chemical companies. Holton says many small companies believe they're unlikely targets for attacks, and therefore aren't as prepared as their big brothers. But given recent media attention to threats against "soft targets," they too need to take steps to guard against security breaches. In tightly interconnected industries, a breach in a small company can have a snowball effect. "The chemical industry is highly integrated, and to a large extent, companies are customers and suppliers to each other," notes Theresa Grant, director of information security at Dow Chemical. "Our security is only as strong as the weakest link. We can have strong security internally and not address the concern of partners in the supply chain, so we'd still be vulnerable."
The economy compounds this problem, of course. Budgets are battened down. "In tough economic times, it's hard getting the people and resources to participate in projects," says Grant. And the little guys have the fewest resources to begin with.
Nevertheless, collaborative projects are chipping away at both this problem and the need for greater information-sharing. One such project is the Chemical Sector Information Sharing and Analysis Center (ISAC), formed in April 2002 with the FBI's National Infrastructure Protection Center (NIPC). The ISAC, similar to efforts in other industries, enables security-related information to move effectively between the NIPC and chemical companies. It will be operated by the Chemical Transportation Emergency Center, the emergency response communications centre for a group called the American Chemistry Council (ACC). "We've embraced ISAC as a key capability for sharing information about security," says Christine Adams, Dow's performance chemicals business IS manager. Adams is also the program manager of the Cyber-Security Program, another team effort within the Chemicals Sector Cyber-Security Information Sharing Forum, also formed in April 2002. Adams says the program is developing a road map to help companies identify information for law enforcement agencies. She expects it to be available by the third quarter of this year. A key forum goal is getting the word out about security guidelines to all chemical companies, says Adams. "The success of our program hinges directly on the rate of adoption of the work that comes out of the program." She says the forum will also work with security technology vendors to identify ways the vendors can better serve the chemical industry through new products or upgrades.
Still another collaborative work, again affiliated with the forum, is the ACC's Responsible Care cybersecurity team. The ACC developed the Responsible Care program to ensure that chemical plants are operating safely and securely. It requires all members to evaluate plant vulnerabilities, including physical, IT and process control security. The team has developed a security code for all 165 ACC member companies, which account for 90 per cent of all the chemicals made in the United States. The code includes a set of industry-specific guidelines to help reduce risks, such as network intrusions by hackers. The guidelines require senior management commitment to continuous improvement in security; prioritisation and periodic analysis of potential security threats and vulnerabilities; development and implementation of security measures commensurate with risks; documentation of security management programs; and audits to assess security programs and processes. In March, the ACC's 120 highest-priority facilities completed assessments of physical and cybersecurity vulnerabilities, as required by the code's deadline.
Participants are enthused about this sharing-is-caring approach. "I think we're making good, steady progress," says Charles Curry, Eastman Chemical's senior systems associate who is responsible for information security. "It's essential that everyone in the industry work together on this. We are becoming more dependent on one another, and our industry impacts many other critical services and industries." Curry says Eastman's involvement in the cooperative initiatives has helped the company identify specific weaknesses. For example, while Eastman had adequate backup for its infrastructure and critical applications, it needed to improve its business continuity strategy — such as how to quickly react in the event of a security breach. Similarly, Grant says Dow expects to gain insight into how well its supply chain partners are securing their networks, and assess the potential risks of partners connecting to Dow's networks to place orders or provide information.
While chemicals is an interconnected industry, these companies still compete with one another. Will competitive pressures stand at odds with all the information-sharing efforts? So far, the industry is at least sounding the right notes in that regard. "There's nothing proprietary about security," says Bobby Gillham, manager of global security at ConocoPhillips, which operates a chemical joint venture with ChevronTexaco. "Are we sharing the processes we use to make products? No. But we are sharing information about vulnerabilities and threats."
"As long as it's within the guidelines of the antitrust laws, I'm quite comfortable with it," adds Eastman's Curry. "We're not sharing anything that relates to products or pricing. We're sharing our experiences with security." Or as Dow's Adams puts it, "We're not giving away any secrets."
Despite evident progress by these groups, the GAO and industry analysts question whether the industry's efforts are enough. Environmental Protection Agency officials estimate that voluntary initiatives led by industry associations reach only a portion of the 15,000 facilities that need to be secured, according to the GAO report. Although implementation of Responsible Care is a condition of ACC membership, the ACC lacks an enforcement mechanism to ensure that member companies comply.
The industry faces a number of challenges in preparing facilities against attacks, the GAO says, including ensuring that they obtain adequate information on threats and determining appropriate security measures given the level of risk. The industry also faces difficulties in making sure all facilities that produce or store hazardous chemicals are addressing security concerns. For example, "Despite the industry's voluntary efforts, the extent of security preparedness at US chemical facilities is unknown," the report says. It recommends that the US Department of Homeland Security and the EPA jointly develop a comprehensive national chemical security strategy that identifies high-risk facilities and collects information on industry security preparedness; specify the responsibilities of each federal agency partnering with the chemical industry; and develop information-sharing mechanisms.
Crisis Management Worldwide's Holton seconds the notion that more work remains. "Some chemical plants have very good security, fencing, lighting and procedures in place," he says. "Other facilities are unprepared. Fences are falling down, people wander onto the property. Access is uncontrolled." Eventually the GAO's proposed legislative action may be required to force the hand of small companies or other laggards.
The Process Problem
The process control system problem may prove more intractable. Process control systems (SCADA being the most widely known associated acronym — Supervisory Control and Data Acquisition systems) manage and oversee various pieces of the manufacturing process: tank sensors, cooling systems, and valves that stop or start the flow of chemicals, oil or other liquids.
How vulnerable these systems really are to a cyberattack is the subject of much debate. But Joe Weiss, a consultant at Kema, assures that the threat is very real indeed, and has documented at least 30 such attacks. One example was the Slammer worm, which Weiss says interfered with a number of control systems at power and oil companies — even though those companies and systems weren't the primary target. The process industry disruptions were collateral damage in an attack that was aimed at the Internet's root servers.
Simply passing legislation mandating a fix won't actually help because, according to Weiss, neither the technology nor the practices to secure process control systems currently exist.
On the technology side, control systems are designed to be highly reliable and interoperable. "The controllers used in the front-end processors of these control systems are different than those used in business systems," says Weiss. Operator and engineer workstations are now utilising off-the-shelf operating systems such as Microsoft or Unix. And some plants even connect their manufacturing systems using wireless communications devices. So the applications themselves are proprietary and not compatible with standard infosec tools — but the OSs and communication protocols are wide open.
On the practice side, Weiss notes that cybersecurity procedures widely accepted as best practices, such as ISO 17799, actually include steps that can be disastrous when applied to control systems. An example: If an employee mistypes his password three times, a common practice is to lock that access account until management can review the situation to make sure a hacker isn't flailing away with a password-guessing program. But if that employee is in fact a console operator who needs to shut a stuck valve in a hazmat manufacturing operation, the lockout can create havoc. Similarly, Weiss says that requiring console operators to frequently change passwords, and use hard-to-remember strings, is another ingredient in a recipe for failure.
At most chemical and other manufacturing companies, Weiss adds, the IT group is responsible for information security but doesn't understand control systems. And the operations group is responsible for control systems but not for security. Result: The whole issue falls through the cracks.
The industry's combined initiatives will include steps to ensure that process control systems are secure. Initiatives such as the forum are aiming to include not only information security experts but people who understand process control systems. There are standards and other organisations devoting efforts to secure control systems. For example, the Chemical Industry Data Exchange trade association is participating in the Instrumentation, Systems, and Automation Society (ISA) process controls cybersecurity committee ISA-SP99. Meanwhile, technology solutions are also needed. Weiss says the US Department of Energy, through the National SCADA Test Bed, plans to develop tools addressing this problem.
But where process control systems security is concerned, we're a long way from a solution. And that appears to be a good encapsulation of security in the chemicals industry at large. They're going after it, but they've still got a long way to go.
SIDEBAR: All Together Now
Spearheading many of the US chemical industry's security efforts is the Chemicals Sector Cyber-Security Information Sharing Forum, which was created in April 2002 in response to the federal government's call for enhanced security in the industry.
The Washington, DC-based forum includes 10 industry associations representing more than 2000 chemical companies. The group initially created a task force of 16 security experts in the industry, covering areas such as physical, information and process control security; supply chain management and logistics; industry collaborations; standards development; legal; and telecommunications.
The plan was submitted to Richard Clarke, former chairman of President Bush's Critical Infrastructure Protection Board, for inclusion in the National Strategy to Secure Cyberspace.
Late in 2002, the forum created a Cyber-Security Program to evaluate security technologies and collaborate with technology providers, determine a common industry standard, recommend security practices and policies, and develop an information-sharing network through which members could exchange ideas and distribute warnings about security threats.
In January, the forum and the Chemical Industry Data Exchange (CIDX) trade association unveiled the Chemicals Sector Cyber-Security Practices, Standards and Technology Initiative. This effort, run by a newly formed CIDX business unit, will implement the standards and practices component of the forum program.
SIDEBAR: Uncle Sam Wants More
While the chemical industry tries to improve security through collaborative efforts, the federal government may provide further impetus to ensure that the critical sector is well protected.
Congress is considering legislation introduced in May that would allow the Department of Homeland Security to mandate chemical facility security measures. The Chemical Facilities Security Act of 2003, introduced by Senator James Inhofe (Republican-Oklahoma) and Senator Zell Miller (Democrat-Georgia), requires chemical companies to complete vulnerability assessments and site security plans. Penalties for noncompliance are stiff.
"No one gets a free pass under this bill; no one is exempt," Inhofe said in introducing the bill. "Chemical facilities must abide by the legislation's security requirements and any rules, procedures or standards developed by the Department of Homeland Security."
Such regulation would fill a void noted in "The National Strategy for Physical Protection of Critical Infrastructure and Key Assets" report, issued by the White House in February. While the report applauded the industry's security initiatives, it noted that a "significant percentage of companies that operate major hazardous chemical facilities do not abide by voluntary security codes developed by other parts of the industry."
Christine Adams, performance chemicals business IS manager at Dow Chemical and program manager of the Cyber-Security Program within the Chemicals Sector Cyber-Security Information Sharing Forum, says the group supports the new legislation. "It will assure that vulnerability assessments are being conducted," she says.