Locking onto Cyber-Security

All manufacturers can learn from the chemical industry's comprehensive efforts to secure assets in the enterprise and on the plant floor.

Posted on Oct 29, 2007


The chemical industry makes safety a top priority. To do otherwise could be catastrophic. So, in addition to protecting physical assets and supply chains, the industry devotes substantial resources to cyber-security.

Even before the terrorist attacks on Sept. 11, 2001, chemical industry automation and IT personnel were taking steps to address vulnerabilities associated with the growing number of systems set up to capture information in real time. New safeguards were needed in response to the rising deployment of automated process control systems, the transition from proprietary to open systems, and increased access to the Internet from the plant floor. Other concerns included higher levels of integration between enterprise IT and manufacturing systems; escalating threats from viruses, worms, and malware; and an upsurge in e-business.

In the wake of 9/11, the chemical industry launched a series of efforts designed to help shore up manufacturers' defenses against cyber-attack. Although many guidelines and standards are still being developed, several cyber-security tools and techniques are in use by chemicals manufacturers.

In 2002, the industry established the Chemical Sector Cyber Security Program (CSCSP) to help protect people, property, products, processes, information, and the environment. It operates under the Chemical Information Technical Council (ChemITC) of the American Chemistry Council (ACC), a trade association with 130 major chemical manufacturers as members.

The CSCSP provides a roadmap for managing and reducing risk across the enterprise in the form of the Chemical Sector Cyber Security Strategy, published in 2002 and updated in 2006. The updated strategy focuses on both IT and manufacturing system security and addresses five elements: sharing information, enhancing guidance documents, increasing adoption, supporting development of security-enhanced technology solutions, and strengthening government relations.

Although the strategy provides a framework and goals, it leaves the choice of tactics up to individual manufacturers. To help chemical manufacturers craft and implement a cyber-security management system, the ChemITC has published a series of guidance documents, including the Cyber Security Journey — How to Begin an Integrated Cyber Security Program and the Guidance for Addressing Cyber Security in the Chemical Sector 3.0. Centered on risk management, the latter document outlines a continuous improvement cycle in four phases: plan, do, check, and act.

Dow Chemical Co. used these documents plus the ISO/IEC International Standard 17799 Code of Practice for Information Security Management to craft its cyber-security management system (CSMS). ISO 17799 helped to determine critical control elements within domains such as communication and operations management, and helped with preparation of the statement of applicability, which documents the security controls and risk assessment.

Dow's CSMS follows a six-step process: Identify and classify assets; assess the assets; plan for risk management; draft a statement of applicability; implement risk mitigation; and implement identified controls. In practice, the CSMS involves identifying gaps and opportunities, prioritizing risks, and mitigating the ones determined to be the most serious. An audit validates the effectiveness of the implementation, and starts the process over again with a reassessment.

"We achieved results in less than two years," Ton van Kerkhoven, senior architect I/S at Dow, said during a January 2007 Webinar organized by CSCSP. The "guidance documents provided structure and information on how to start and what to do," he noted.

In a recent interview with Managing Automation, Global Supply Chain Director Donald J. Weintritt, Jr., said Dow Chemical parries roughly 25,000 cyber-attacks a day.
