Chemical industry drafts cybersecurity plan

A broad cross-section of trade associations and individual companies from the U.S. chemical industry is moving forward this month with a comprehensive plan for improving cybersecurity at chemical companies and facilities.

The plan will be submitted to the White House for inclusion in the forthcoming National Strategy for Protecting Cyberspace and marks the first time the industry has developed a unified strategy for cybersecurity. It was endorsed officially last month by the Chemicals Sector Cyber-Security Information Sharing Forum, a consortium led by David Kepler, corporate vice president and CIO at The Dow Chemical Co., as well as by a dozen other industry associations.

The strategy represents “a road map for developing a cybersecurity standard and practices, and it calls for leveraging technologies, processes and people to protect our communities,” said Christine Adams, a spokeswoman for the forum.

The plan was designed to be flexible enough so that IT security managers at chemical companies of all sizes can pick the modules that are most appropriate for their businesses, said Adams. The strategy also focuses on everything from “traditional business information systems to process control systems.”

The forum chartered a task force of 16 high-level subject matter experts from the chemical industry to develop the strategy.

Adams said the plan also builds on established programs, including an emergency communications network. The proposed Cyber-Security Information Sharing Network will distribute advance warnings of cybersecurity threats, vulnerabilities and incidents.

The American Chemicals Council last month also endorsed a new set of requirements that would compel each of its 163 member companies, which account for 90 percent of all chemicals manufactured in the U.S., to “prioritize and assess security at their facilities, take corrective actions and independently verify what they have done,” said Owen Kean, a senior director at the council.

By this fall, the forum expects to have developed a set of best management practices, he said.

Joe Weiss, an energy cybersecurity analyst at Kema Consulting in Fairfax, Va., said the focus on industrial control systems is a positive development but one whose success is dependent on federal funding.

“Once the government puts money in [control systems cybersecurity development], you can have prototypes, if not products, on the street within three to five years,” said Weiss. “But right now … all of the money is going to traditional business cybersecurity; it’s not going to control systems.”