If you have an ACS member number, please enter it here so we can link this account to your membership. (optional)

ACS values your privacy. By submitting your information, you are gaining access to C&EN and subscribing to our weekly newsletter. We use the information you provide to make your reading experience better, and we will never sell your data to third party members.




Chemical sector faces uncertainty about how to protect critical information

by Rochelle F. H. Bohaty
November 3, 2008 | A version of this story appeared in Volume 86, Issue 44

Credit: Shutterstock
Credit: Shutterstock

PERHAPS YOU KNOW all too well the casualties of cyber war—loss of time, money, and maybe even your identity. In what seems to be a pandemic, cyber attacks on both individuals and organizations are increasing in frequency, sophistication, and the collateral damage they cause.

Cybersecurity is of particular interest to the chemical industry not only because a cyber attack on a company could directly affect its business operations, but the possibility of an attack also places the company under heightened scrutiny by federal regulators who will consider such threats, among other factors, in assessing chemical facilities' vulnerability to a terrorist attack. For these reasons, chemical industry trade associations have developed cybersecurity programs to help their members comply with federal regulations and mitigate vulnerabilities to cyber attacks.

Despite these programs, however, companies will be seriously challenged in deciding what steps to take because of the ever-changing tactics of cyber attackers, the cost of cybersecurity, and the fact that the Department of Homeland Security will decide companies' cybersecurity on a case-by-case basis.

"The chemical sector is not alone in being vulnerable to cyber attacks," says Sue Armstrong, acting director of DHS's Infrastructure Security Compliance Division. But an attack has the potential to cause more direct physical damage and injury to the chemical sector than to other sectors such as banking and finance, she adds.

"An attack on a chemical facility could have devastating consequences regardless of the type of attack," Armstrong notes. Types of scenarios could range from cyber attacks such as hacking to physical actions such as bombing. For this reason, she explains, DHS is implementing a regulatory program now.

DHS's cybersecurity efforts are part of its role in assessing and ensuring that chemical installations are secure, thereby decreasing the possibility that terrorists will exploit them in an attack. Under a set of rules known as the Chemical Facility Anti-terrorism Standards (CFATS), DHS has preliminarily ranked more than 7,000 facilities into four tiers according to risk of a terrorist attack (C&EN, July 7, page 7).

Ranked facilities are in the process of submitting additional security and vulnerability information to DHS that the department will use to determine each facility's final ranking. DHS has identified 18 criteria, including cybersecurity and perimeter security, that companies must address for this assessment.

The additional data from preliminarily ranked facilities are due to DHS by the end of the year. This means that DHS expects to collect thousands of assessments from the chemical industry—assessments that not only include details about each company's cybersecurity problems but that also become cybersecurity risks themselves.

The security risk of information submitted by the chemical industry through DHS's online system is something DHS takes very seriously.

"The systems that collect all this information from industry under the CFATS program are hosted at federally owned sites, on dedicated subnetworks that have been hardened to meet or exceed" stringent federal security and encryption standards for information processing, Armstrong tells C&EN.

Even so, some cybersecurity experts question just how secure these data really will be. The method that DHS uses to "encrypt communications with the chemical industry does not in itself provide much insight into the overall security of the information exchange," says Ronald W. Ritchey, a cyber associate with consulting group Booz Allen Hamilton. He adds that attackers would tend not to focus on the encryption systems—because they are hard targets—but instead would focus on attacking elements such as workstations or servers used to create, store, process, or transmit the information.

For classified government systems such as DHS's, the "risk is low" for a cyber attack, says Andy Singer, a principal cyber campaign and intelligence consultant with Booz Allen Hamilton. But the system may be a prime target for espionage because of its "aggregate value," he adds.

For example, hacking into a single site that houses a database of chemical companies' information has more bang for the buck than hacking into a single company's website.

"If someone decides specifically to go after your organization, it is going to be very difficult to prevent them from breaking in."

But, Ritchey points out, any network can be exploited, even those considered low-risk. "If someone decides specifically to go after your organization, it is going to be very difficult to prevent them from breaking in," he says. This gives the chemical sector reason to be concerned that DHS's system could be breeched, resulting in an unintended dissemination of high-risk facilities' security and vulnerability information.

FUELING CONCERN is the fact that the Federal Bureau of Investigation is currently examining thousands of cyber attacks. Already, the FBI has noticed that the usual suspects are evolving, changing tactics, and increasing the sophistication of their attacks.

For example, in the past, cyber assailants did not associate with each other, but now virtual gangs are a growing threat, according to Shawn Henry, assistant director of the FBI's Cyber Division. Hackers are banding together to pool their expertise and carry out coordinated attacks, he said at a briefing in Washington, D.C., on Oct. 17.

Cyber experts with Booz Allen Hamilton also agree that attackers' tactics are changing to become more sophisticated and, they say, more prevalent.

When it comes to breeching a system, Ritchey says targeting an individual who has broad access within an organization with the intention of stealthily extracting information or waging an attack is the simplest way for a cyber assailant to affect companies in the chemical industry. He says the industry is extremely vulnerable to such "targeted phishing attacks."

For example, Ritchey explains, a company employee could receive an e-mail that says: "Hey Joe, I saw you talking on such and such a topic. The attached report might interest to you." The attached file may in fact be interesting, relevant, and appear completely authentic, Ritchey says, but when Joe opens the file, his user profile, computer, or network could be compromised without Joe even knowing. "At this point the attackers have control," Ritchey tells C&EN.

This scenario could cause problems for a company and for its employees, who could become suspects if information such as user names and passwords were used by perpetrators to coordinate an attack.

The fear of what terrorists might do if they had access to valuable business information or learned how to remotely control a manufacturing process is one of the reasons that DHS has included cybersecurity when evaluating a chemical facility's risk of attack, agency officials note.

Although DHS requires high-risk facilities to address cybersecurity challenges, including cybersecurity in a plant's overall security profile is a good business practice, says Christine Adams, director of the Chemical Sector Cyber Security Program for industry trade group American Chemistry Council (ACC) and a senior information systems manager at Dow Chemical.

The fact that much of the chemical industry is made up of automated processing plants that handle large quantities of dangerous materials not only makes it a target for terrorist attacks but for cyber attacks, too, according to Ritchey and Singer.

And adding to industry's vulnerability are the sector's extensive computer networks, which circle the globe and provide more access points for intruders to hack.

"Networks are meant to be open," Singer says. This makes them perhaps impossible to secure unless a "fortune" is invested to secure them, he adds. Software companies are working to alleviate some of the security vulnerabilities that arise from developing open-source systems, he says.

For the chemical industry, an attack such as a virus or worm could have far-reaching implications. Illegal tapping of a company's internal networks could allow unintentional access to highly valued trade secrets and other intellectual property, personnel and financial information, and inventory data. In addition, a computer malfunction could cause a manufacturing or control process to go wrong, according to Singer.

Over time these attacks could degrade their business, Singer says. A single attack may not appear to be catastrophic, but it could cause a company to go out of business if the problem becomes repetitive, he adds.

Unintended access to manufacturing and control processes is what probably keeps industry representatives up at night, Ritchey notes.

A cyber attack targeting manufacturing and control processes could limit product output or cause chemical reactions to go bad, according to Eric C. Cosman, a member of ACC's Chemical Sector Cyber Security Program Steering Team and an engineering solutions architect at Dow.

TO HELP chemical companies combat some of these threats, ACC and the Synthetic Organic Chemical Manufacturers Association (SOCMA) have each developed programs. These programs focus on the business and information technology aspects of cybersecurity along with manufacturing and control processes.

Adams tells C&EN that the first thing members of the chemical sector should do is a risk analysis of their cyber infrastructure. She encourages industry to take a holistic approach when thinking about threats, rather than focusing on one type of cyber assailant or attack.

To help companies, ACC's cybersecurity program offers guidance about educating employees on cybersecurity issues, computerizing inventory control processes, and segregating networks such as manufacturing control and business.

Although the ACC and SOCMA programs do represent good business practices for cybersecurity, DHS's Armstrong says the agency does not endorse either program. She adds that trade groups' cybersecurity programs instituted by companies may or may not meet CFATS standards. She underscores that high-risk chemical facilities will be looked at on an individual basis and that DHS will not provide prescriptive cybersecurity measures.

For its part, ACC says it is committed to working with DHS to make sure its program will meet the needs of the chemical sector so that it can comply with DHS regulations. ACC is working "to develop the right information-sharing mechanisms and to understand the relevant information that needs to be shared with DHS," Adams says. This, in turn, should help DHS complete the national threat analysis and understand the state of the chemical industry, Adams notes.


This article has been sent to the following recipient:

Chemistry matters. Join us to get the news you need.