Business

Battening down Cyberspace

As the government struggles for a foothold, chemical makers develop a strategy

by RICK MULLIN, C&EN NORTHEAST NEWS BUREAU
November 22, 2004 | A version of this story appeared in Volume 82, Issue 47

CODE ORANGE
Credit: HOVIONE PHOTO
The chemical industry is taking threats to cyberspace seriously.

The cybersecurity division of the Department of Homeland Security (DHS) is a mess, according to Rep. Zoe Lofgren (D-Calif.). In an article posted last month at CNET News.com, an online information technology (IT) news service, Lofgren wrote that the department dithered for months in 2002 when it assumed the function of securing the nation's computer infrastructure from Richard Clarke, the short-tenured senior adviser to the President on cybersecurity. Only after the private sector pressured the government to provide leadership, Lofgren says, did DHS establish the National Cybersecurity Division. The division's first director, Amit Yoran, recently resigned after a year. He gave one day's notice.

Lofgren, the ranking member of the House Homeland Security Committee's Subcommittee on Cybersecurity, Science & Research & Development, contends that Yoran's departure was prompted largely by "the serious structural problems with the Department of Homeland Security."

Meanwhile, private industry, including the chemical sector, continues to advance cybersecurity. Large chemical companies, as well as chemical, fertilizer, and explosives industry trade associations, have joined to form the Chemical Sector Cybersecurity Program (CSCP), a forum to develop guidelines for cybersecurity.

The group, which began work last year, stems from a 2002 meeting between Clarke and chemical industry representatives, including David Kepler, chief information officer of Dow Chemical, and Robert R. Ridout, chief information officer of DuPont. Chemical executives submitted an outline for an IT security strategy that was included in the Bush Administration's National Strategy to Secure Cyberspace, issued in the fall of 2002.

More recently, the chemicals forum has been meeting with software and IT system suppliers, other industry groups, and DHS, according to Christine Adams, an IT manager in Dow's performance chemicals division and the program manager for CSCP. The group has also begun trying to get smaller chemical companies involved.

Clearly, the chemical industry cannot wait to take on cybersecurity. The high level of computer interconnectivity via the Internet and the rapid replacement of proprietary software with open operating systems have opened the gate to a range of vulnerabilities.

Common computer viruses such as Mydoom, for example, can now as easily infect a process control system as they can a home computer. Random hacking, malicious tampering by employees, and targeted attacks on computers are all expedited by networking over the Internet.

Kepler sees three fronts in the battle to secure cyberspace. First, he says, industry must make sure IT systems and software are compatible and that networks work. Second, systems must be protected against viruses and indiscriminate hacking. And last, IT networks need to be secured against targeted attacks. Most companies experience two or three targeted attempts to hack into their systems every year, he says.

DuPont's Ridout says much of the risk is associated with the open computing platforms that users have established for plant automation over the past two decades. "So many of the industry's operations now depend on our computing that, if we have a virus, we have a significant impact," he says. Most large companies are spending about 3 to 4% of their IT budgets on basic security, according to Ridout.

When it comes to hacking, Lance Travis, an analyst with IT consultancy AMR Research, says one of the biggest risks is the inside job--"system users maliciously doing something that damages your company." With the advent of e-business, he says, "users" now include customers and suppliers.

Predictably, the desire for cybersecurity has sparked a new market for software. It has also forced IT system suppliers to the table with users in an effort to foster industry standards. Travis notes the emergence of software for identity management, which automates, controls, and records access to networks. Earlier this year, Microsoft announced a collaborative marketing arrangement with six leading vendors of ID management software.

Travis maintains that industry is generally in good shape on protecting against viruses and inappropriate system access by users.

Industry, however, is less prepared for the threat of terrorists. "That is the most dramatic threat," he says. "The multi-million-dollar blockbuster movie threat, where problems are becoming well understood, but the solutions just don't exist yet."

The vulnerability, he says, arises from the connection between plant automation and business computing. "In the old days, someone hacking into your network could steal passwords or credit card numbers. It is now theoretically possible for that person to get into your control systems," Travis says. "A terrorist can begin to open and shut valves in the production environment."

Dow's Adams says production processes will be an area of focus in dealing with system suppliers. The National Institute of Standards & Technology, a U.S. standards-setting body, has established a forum, including chemical companies and system vendors, to address security issues for process controls.

Adams adds that the chemical industry is also working with the Instrumentation, Systems & Automation Society (ISA), another standards organization, which has convened a committee to develop cybersecurity guidelines. There is also an International Organization for Standardization cybersecurity auditing regime, ISO 17799, that the chemicals group supports.

Adams and others point to the incorporation of IT concerns in the new Responsible Care security code. They also note the involvement of the Chemical Industry Data Exchange, a 15-year-old organization that sets standards for IT-based commerce, and the industry's Information Sharing & Analysis Center, run by the American Chemistry Council's ChemTrec logistics management forum.

Ridout and Kepler say liaison with IT system vendors is an important focus now. According to Kepler, basic operability issues are still a point of contention, especially the current practice of "patching," where vulnerabilities are identified and dealt with after a major software installation. "Vendors have to have a higher level of fail-safe design in their systems," he says.

The industry also continues to meet with DHS. Kepler says the government needs to clarify its objectives. "What are priorities from the point of view of true homeland security versus issues around quality management or the software industry? They haven't been able to segment that, and they need to."

Any endeavor that mixes technology standards bodies, industry consortia, and newly minted government bureaucracies is bound to move at a snail's pace. Sources in the chemicals cybersecurity group say, however, that a decent body of best practices is already being shared and that auditing is catching on.

A 2003 notice from ISA sums up current conventional wisdom: "Although the committee has a sense of urgency, the consensus standards-setting process is time-consuming. Manufacturers need to evaluate their cybersecurity now."
