To avoid events that could result in manipulation of controls within chemical sites, the Chemical Industry Data Exchange (CIDX) urges all chemical sector companies to review and take appropriate security measures.
In the past few years, the chemical industry has invested considerable effort in managing the physical risks of terrorism and other deliberate criminal acts against facilities. However, these efforts have focused primarily on site risks and have not focused on attacks via the company’s own computer systems—whether deliberate or random. Nor have they addressed how attacks of worms, Trojans and viruses have occurred and adversely impacted computer systems at operating manufacturing facilities.
A concerted, industry-wide effort to understand, anticipate and prevent cyber attacks is just now beginning to generate the traction needed. To avoid attacks, CIDX urges all chemical sector companies to review and take appropriate security measures.
Maintaining cybersecurity vigilance is an established discipline for commercial and business computer systems. For these areas, the practice deals with protecting valuable information from adversaries who want to obtain, corrupt, damage, destroy or prohibit access to it.
However, for process plants, cybersecurity vigilance includes protecting against adversaries who wish to disable or manipulate computers or their support systems in an effort to cause harm to the process equipment controlled by the system. Examples include opening/closing valves, starting/stopping equipment, and overriding alarm and trip settings. Cybersecurity countermeasures that protect the technology specifically are not adequate to protect against attacks on control systems.
Connections pose threats
Historically, computer control systems were separate from business and enterprise computer systems. Increasingly today, they are connected through networks, driven by the needs to communicate process information to business groups and the opportunity to intervene in manufacturing processes through the corporate intranet or the Internet.
More than ever, process control systems are exposed to penetration when they are connected to other networks or when there are provisions for remote access. Current control systems typically were not designed with public access in mind, so security is often poor, and these systems are vulnerable to attack because much of the technical information needed to penetrate them is readily available.
A link to a site on the Internet is a potential two-way street. Connecting control systems to networks or providing dial-up access without protections is like leaving the doors of your house unlocked. There may not be a problem immediately, but the likelihood of the house being burglarized or vandalized rises. Accessibility issues also affect other types of computer systems, including communications, access control, inventory control, power, transportation and financial systems.
One large chemical manufacturing company reported that firewalls recently installed to separate manufacturing and process control systems from the business network successfully stopped a recent round of virus attacks. None of the process control systems that were protected by a process control firewall became infected by the viruses that were common on the business network.
Responsible risk management mandates that this threat should be managed to protect the interests of employees, the public, shareholders, customers, vendors and the larger society. Proactive measures by companies can also forestall new and more prescriptive regulations that increase costs and impede business flexibility.
This article is drawn from a white paper of the Chemical Industry Data Exchange (CIDX), www.cidx.org, a trade association and neutral standards body focused on improving the ease, speed and cost of transacting business electronically between chemical companies and their trading partners.
See sidebar to this article: Companies should do the following
