Locking onto Cyber-Security

All manufacturers can learn from the chemical industry's comprehensive efforts to secure assets in the enterprise and on the plant floor.


Posted on Oct 29, 2007

The chemical industry makes safety a top priority. To do otherwise could be catastrophic. So, in addition to protecting physical assets and supply chains, the industry devotes substantial resources to cyber-security. Even before the terrorist attacks on Sept. 11, 2001, chemical industry automation and IT personnel were taking steps to address vulnerabilities associated with the growing number of systems set up to capture information in real time. New safeguards were needed in response to the rising deployment of automated process control systems, the transition from proprietary to open systems, and increased access to the Internet from the plant floor. Other concerns included tighter integration between enterprise IT and manufacturing systems; escalating threats from viruses, worms, and other malware; and an upsurge in e-business.

In the wake of 9/11, the chemical industry launched a series of efforts designed to help shore up manufacturers' defenses against cyber-attack. Although many guidelines and standards are still being developed, several cyber-security tools and techniques are already in use by chemical manufacturers. In 2002, the industry established the Chemical Sector Cyber Security Program (CSCSP) to help protect people, property, products, processes, information, and the environment. It operates under the Chemical Information Technical Council (ChemITC) of the American Chemistry Council (ACC), a trade association with 130 major chemical manufacturers as members. The CSCSP provides a roadmap for managing and reducing risk across the enterprise in the form of the Chemical Sector Cyber Security Strategy, published in 2002 and updated in 2006. The updated strategy covers both IT and manufacturing system security and addresses five elements: sharing information, enhancing guidance documents, increasing adoption, supporting development of security-enhanced technology solutions, and strengthening government relations.
Although the strategy provides a framework and goals, it leaves the choice of tactics up to individual manufacturers. To help chemical manufacturers craft and implement a cyber-security management system, ChemITC has published a series of guidance documents, including the Cyber Security Journey: How to Begin an Integrated Cyber Security Program and the Guidance for Addressing Cyber Security in the Chemical Sector 3.0. Centered on risk management, the latter document outlines a continuous improvement cycle in four phases: plan, do, check, and act.

Dow Chemical Co. used these documents plus ISO/IEC 17799, the Code of Practice for Information Security Management (since renumbered ISO/IEC 27002), to craft its cyber-security management system (CSMS). ISO 17799 helped Dow identify the critical controls within domains such as communications and operations management, and it guided preparation of the statement of applicability, which documents the selected security controls and the risk assessment behind them. Dow's CSMS follows a six-step process: identify and classify assets; assess the assets; plan for risk management; draft a statement of applicability; implement risk mitigation; and implement the identified controls. In practice, the CSMS involves identifying gaps and opportunities, prioritizing risks, and mitigating the ones determined to be the most serious. An audit validates the effectiveness of the implementation and starts the process over again with a reassessment.

"We achieved results in less than two years," Ton van Kerkhoven, senior architect I/S at Dow, said during a January 2007 Webinar organized by CSCSP. The "guidance documents provided structure and information on how to start and what to do," he noted. In a recent interview with Managing Automation, Global Supply Chain Director Donald J. Weintritt, Jr., said Dow Chemical parries roughly 25,000 cyber-attacks a day.
ChemITC's guidance documents also are designed to help ACC members comply with the industry's Responsible Care Security Code. This global security management system addresses not only site and transportation security but also cyber-security components, such as intrusion detection and access controls for voice and data networks. Compliance is mandatory for ACC members and requires certification by an independent auditing firm such as QMI Management Systems Registration.

Uniform Policy Needed

With the plant floor and enterprise becoming more tightly linked and use of plant floor networks increasing, "it is critical for companies to develop a uniform IT policy that not only covers the enterprise IT environment, but also the plant environment," says Todd Nicholson, chief marketing officer at Industrial Defender, Inc. The company supplies the newly patented Industrial Defender risk mitigation technology suite, which the vendor says covers all seven layers of the process control environment, from perimeter protection and gateway virus filtering to network/host intrusion detection and security event management. It also provides risk assessment services and co-managed risk management security services; Du Pont, for example, relies on co-managed services to protect more than 200 plants worldwide.

Fortunately, good practices for securing IT systems also apply to process control systems. "We've found 80% to 90% of IT security practices can be applied directly to process control systems," says Kevin Staggs, global security architect at Honeywell Process Solutions. Practices suitable for both IT and process control use include firewalls, intrusion detection, and encryption. However, different practices may be needed to protect legacy SCADA systems that were never designed to be networked devices. Another likely exception is the security patch application process.
Not only should vendors certify that patches are safe for process systems, but patch timing should be planned so that operators never lose view of or control over the process, typically by patching redundant servers and controllers one node at a time. "When our Honeywell Specialty Materials plant in Geismar, LA, deployed a Honeywell Experion Process Knowledge System (PKS), it worked closely with Honeywell corporate IT to ensure that all IT practices were followed and exception specifications were created where deviations from the corporate standard were needed," Staggs says. This was especially critical because the PKS system, which controls production of hydrofluoric acid, fluorocarbon refrigerants, and Alcon resin, links with the complex's building control system to integrate process control, physical control, and cyber-security.

Once a system is in place, audits at least every three years help assess performance. In a two-day visit to Geismar, Honeywell's cyber-security audit team examined the layers of defense around the controllers in the network and the process control system itself, and checked the status of security patches and antivirus software. The team also interviewed personnel to determine how well they understood the security process. "Even with the best security program, its effectiveness can be completely nullified if people aren't aware of their responsibilities," Staggs explains.

At the device level, certification programs for controllers already exist. For example, the Mu Security Industrial Control Certification (MUSIC), offered by Mu Security, a specialist in IT certification that is moving into the industrial space, validates that a controller withstands malicious traffic on IP and TCP/IP networks and is not overwhelmed by high traffic volumes. The first unit to receive the certification is Honeywell's Experion PKS C300 Process Controller.
Under a Wurldtech Security Technologies controller certification program, units from ABB, Yokogawa Electric Corp., Emerson Process Management, Invensys Process Systems-Triconex, and ICS Triplex hold Achilles Level 1 Certification.

What's Next?

Despite the chemical manufacturing industry's progress, much remains to be accomplished. Security tools must be simpler to implement and maintain. For example, virtually every automation security team must configure and manage some sort of firewall or other separation between the automation and business networks. The task requires a relatively deep understanding of both firewalls and networks, and it quickly becomes time-consuming and error-prone, particularly when a large number of devices are connected to the network. "We need suppliers to increase the ease-of-use factor," says Eric Cosman, engineering solutions architect at Dow Chemical, who is a member of the Cyber Security Program Steering Team and serves as the steering team sponsor for the program's Manufacturing and Control Systems Team.

Finally, constant vigilance is needed. "Threats are ever-changing," says Neil Hershfield, CSCS program director and another Dow Chemical employee. "New ones emerge regularly." Cosman advises: "Don't think of this as a diet; think of it as a lifestyle change."
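The firewall separation Cosman describes is exactly where hand-maintained rule sets drift as devices are added. As an added example (not code from the article, from Dow, or from any vendor named here), the Python script below parses a small, constructed rule format, flags allow rules that let business hosts reach the control zone without passing through a DMZ, that use "any" addresses against the control zone, or that leave protocol and port open, and evaluates a packet against the list first-match. The zone addresses, the rule format, and both sample rule sets are assumptions invented for the example; the hardened set follows the common pattern of letting business users reach only a DMZ historian while only DMZ hosts talk to controllers.

```python
"""
Added example, not code from the article or from any vendor it names: a
checker for a firewall rule set separating a business network from a
process-control network through a DMZ. The rule format, zone addresses and
sample rule sets are all constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical zone layout (assumption: addresses invented for the example).
ZONES = {
    "business": ipaddress.ip_network("10.10.0.0/16"),  # enterprise IT
    "dmz":      ipaddress.ip_network("10.20.0.0/24"),  # historian, patch/AV staging
    "control":  ipaddress.ip_network("10.30.0.0/24"),  # controllers and HMIs
}
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                  # "tcp", "udp" or "any"
    port: Optional[int]         # None = any destination port


def parse_rules(text: str) -> List[Rule]:
    """Parse the constructed format 'ACTION SRC DST PROTO PORT', one rule per line."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(fields)}")
        action, src, dst, proto, port = fields
        if action not in ("allow", "deny") or proto not in ("tcp", "udp", "any"):
            raise ValueError(f"line {lineno}: bad action or protocol")
        rules.append(Rule(
            action,
            ANY if src == "any" else ipaddress.ip_network(src),
            ANY if dst == "any" else ipaddress.ip_network(dst),
            proto,
            None if port == "any" else int(port),
        ))
    return rules


def zone_of(net: ipaddress.IPv4Network) -> Optional[str]:
    """Name of the single zone that fully contains net; None for 'any' or unknown space."""
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return None


def audit(rules: List[Rule]) -> List[str]:
    """Flag allow rules that weaken the business/DMZ/control separation."""
    findings = []
    for i, r in enumerate(rules, 1):
        if r.action != "allow":
            continue
        src_zone, dst_zone = zone_of(r.src), zone_of(r.dst)
        if "control" not in (src_zone, dst_zone):
            continue                              # rule never touches the control zone
        if src_zone is None or dst_zone is None:
            findings.append(f"rule {i}: 'any' or unknown address space touches the control zone")
        elif {src_zone, dst_zone} == {"business", "control"}:
            findings.append(f"rule {i}: direct {src_zone}->{dst_zone} path bypasses the DMZ")
        elif r.proto == "any" or r.port is None:
            findings.append(f"rule {i}: control-zone rule allows any protocol or any port")
    last = rules[-1] if rules else None
    if last is None or last.action != "deny" or last.src != ANY or last.dst != ANY:
        findings.append("rule set does not end with an explicit deny-all")
    return findings


def permits(rules: List[Rule], src: str, dst: str, proto: str, port: int) -> bool:
    """First-match evaluation, as an ordered packet filter walks its rules; default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and r.proto in ("any", proto) and r.port in (None, port):
            return r.action == "allow"
    return False


# Constructed rule sets. WEAK shows the shortcuts that accumulate when many
# devices are added by hand; HARDENED routes every business/control flow via the DMZ.
WEAK_RULES = """
allow 10.10.0.0/16  10.30.0.0/24  any any   # "temporary" engineer access to the PLCs
allow any           10.30.0.10/32 tcp 502   # vendor remote support to one controller
allow 10.20.0.5/32  10.30.0.0/24  tcp 502   # historian polls controllers
"""

HARDENED_RULES = """
allow 10.20.0.5/32  10.30.0.0/24  tcp 502   # DMZ historian polls controllers (Modbus/TCP)
allow 10.30.0.0/24  10.20.0.6/32  tcp 443   # HMI hosts pull approved patches/AV signatures from DMZ staging
allow 10.10.0.0/16  10.20.0.5/32  tcp 443   # business users read the historian, never the PLCs
deny  any           any           any any   # explicit default deny
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit(parse_rules(text)) or ["no findings"])
```

The rule format here stands in for whatever the firewall exports; the two checks worth keeping on every change are that nothing reaches the control zone except from the DMZ and that the list ends in an explicit deny-all, since an implicit default is the first thing lost when someone appends a broad "temporary" rule.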
