Q&A: How to Secure a Critical Infrastructure

A cybersecurity group works to improve security in the chemical industry.

How do you better secure an entire industry, especially a critical infrastructure that relies upon manufacturing control systems?

Thus far, you do it voluntarily. Both Congress and the president are taking a non-regulatory, non-binding approach to improving critical infrastructures’ information security. How are industries accomplishing this task, and when will there be demonstrable improvements?

To discuss the security-improvement timeline, working with the Department of Homeland Security (DHS), and challenges faced (including just identifying the security contact for every company in the industry), Security Strategies spoke with Christine Adams, director of the Chemical Sector Cybersecurity Program.

How is your program targeting improved security across the chemical industry?

For more than two years, our industry counterparts have been working to develop a suite of guidance and tools to help chemical companies enhance the security of their business and manufacturing control systems.

But those tools provide little value if they are not being used broadly, throughout the sector. … [By] working with the 10 chemical industry trade associations that comprise the Chemical Sector Cybersecurity Information Sharing Forum, we are reaching out to chemical companies throughout the sector, encouraging them to use available tools to improve their cybersecurity performance.

Are there any specific economic or regulatory incentives for chemical companies to improve their information security?

In the chemical industry, we’ve asked, “Can we do any sort of certification or accreditation or validation?” or “How can we show proof of due diligence in this area?” That’s an ongoing challenge for us. The economic incentives are within our own industry—to ensure business continuity across our value chain. Right now, the [approach] we’ve taken is … product stewardship [taking accountability for chemical products all the way from supplier through manufacturer to customer], programs’ due diligence, and also CIDX (Chemical Industry Data Exchange) initiatives.

So far, what strategies have been effective for getting companies to participate in your program?

We have had some success working with the American Chemistry Council (ACC), which represents many of the larger chemical companies in the industry. We asked the president of the association to author a letter to member-company CEOs last year to frame cybersecurity in the context of the ACC Responsible Care Security Code … and pointed them to the program and all the work the program has been doing on cybersecurity, as a resource.

Who funds your program?

Two of our biggest challenges continue to be [resources] and funding. Leading chemical-company CIOs support our program, providing funding and volunteer forces with expertise in IT security and manufacturing and control-system security.

Have you released public details of funding to date?

No, we haven’t, [but] around the fourth quarter of 2003 we [estimated] the chemical companies supporting the program spent over $5 million in out-of-pocket costs and personnel resources, and in 2004 we [received] another $2 million or more. … This spending does not include investments made by individual companies over the past three years to improve their company performance in cybersecurity.

Will the security best practices you’re garnering from larger companies, such as Dow Chemical, translate to smaller companies?

Chemical sector companies range from multi-billion dollar corporations to small companies with sales revenues of less than $10 million.

With the smaller companies, we can’t assume their organizations have the same level of resources to address cybersecurity. In addition, the level of sophistication in manufacturing and control systems may also vary in complexity, depending on the size of the corporation. In the chemical industry, manufacturing and control-system personnel are usually organized within a physical plant, so they don’t necessarily report to one head of engineering or manufacturing—very often they report up to the general manager of the manufacturing plant site.

Therefore, as soon as you get past the very large companies organized globally and centrally, it becomes difficult to identify a point of contact in the manufacturing and control system environment.

It’s a continuing challenge, but we are confident that by working through our trade associations,—as we did with the ACC—we will be able to reach the right people who can implement and utilize the program’s guidance and tools within their companies.

How did you formulate your information security guidance?

We started with the ISO 17799 standard for security management policies and practices … and strongly encouraged companies to review their practices around this standard. Then we provided guidance around conducting cybersecurity vulnerability assessments. As part of our 2005 implementation goals, we are strongly encouraging each chemical trade association to make cybersecurity part of its security and product stewardship initiatives.

Where do companies’ security assessments go?

To help protect against potential misuse, records and results of assessments conducted by the individual chemical companies remain within those companies.

Does anyone outside of the individual company regulate or review these assessments?

The ACC … requires companies to provide third-party certification of a Responsible Care management system, which includes security-management practices. [By] doing so, companies acknowledge that a management system has been put in place and they can demonstrate performance improvements.

The Department of Homeland Security (DHS) has been tasked to work with companies in critical infrastructures. What are your experiences with DHS?

We spent a lot of time [in 2003] trying to understand DHS and how it’s organized, and developing relationships with that department. We’ve had various opportunities to meet with a number of different folks in the DHS as we’re trying to understand their organization and their priorities, and we’re participating in several DHS-sponsored initiatives.

Most of our interaction, to date, has been with the National Cyber Security Division and the Infrastructure Coordination Division. Both are organized under Homeland Security Infrastructure Protection.

What is DHS looking for from chemical companies?

Their message is consistent: they are implementing, from a cyber perspective, the National Strategy to Secure Cyberspace. Their priorities are laid out there, and one of the key initiatives that they are looking for is more open sharing of information on cyber threats, vulnerabilities, attacks, intrusions, etc.

What about coordinating information sharing in the chemical industry?

One of our key program initiatives is addressing information sharing, and part of our strategy has been to embrace the Chemical Sector ISAC (Information Sharing and Analysis Center).

Why aren’t ISACs such as the chemical industry’s used more to disseminate security information?

The chemical sector has moved very conscientiously and very slowly in this area, in terms of investing a lot of money here. [That’s because] the ISACs were the product of a presidential directive (PDD-63) issued in the late ’90s, and there has been a good deal of speculation about whether they could effectively serve the future.

More recently, there’s been a new presidential directive, Homeland Security Presidential Directorate 7, which gives the DHS responsibility for improving information sharing and analyzing information. So they’ve moved the agencies and the function that the ISACs provided between private sector and the government into DHS, and all of that functionality has been re-discussed and revisited over the last [two years].

Some critical infrastructures … have invested multimillions of dollars and have had varying degrees of success. We are currently working with the Chemical Sector ISAC, other critical infrastructure ISACs, and the government to determine what information is relevant to be shared and what form it should take.

Are there any lingering concerns in your industry, besides the model for information sharing?

Yes—what kind of protections are in place when security-related information is shared with the government. So we’ve been looking to make sure information provided to the government cannot be obtained by individuals intending to harm people or property.

When do you think we’ll have full-fledged information security coordination between the government and the chemical industry?

From my perspective, this is a journey, not a project that’s going to be over in 18 months or two years. This is a culture shift, both from the private sector and the government’s perspective. It takes building relationships and trust, and that takes time.

Related Articles:

Critics Blast Cybersecurity at Department of Homeland Security

Corporate Governance Task Force Pushes Security Best Practices