Home » Physical Security » Critical Infrastructure

Chemical Industry Security: Bonding Time

Chemical companies may be terrorist targets. The industry is pulling together to tighten physical and electronic security, but it still faces a troubling mixture of vulnerabilities.

Still another collaborative work, again affiliated with the forum, is the ACC's Responsible Care cybersecurity team. The ACC developed the Responsible Care program to ensure that chemical plants are operating safely and securely. It requires all members to evaluate plant vulnerabilities, including physical, IT and process control security. The team has developed a security code for all 165 ACC member companies, which account for 90 percent of all the chemicals made in the United States. The code includes a set of industry-specific guidelines to help reduce risks, such as network intrusions by hackers. The guidelines require senior management commitment to continuous improvement in security; prioritization and periodic analysis of potential security threats and vulnerabilities; development and implementation of security measures commensurate with risks; documentation of security management programs; and audits to assess security programs and processes. In March, the ACC's 120 highest-priority facilities completed assessments of physical and cybersecurity vulnerabilities, as required by the code's deadline.

Participants are enthused about this sharing-is-caring approach. "I think we're making good, steady progress," says Charles Curry, Eastman Chemical's senior systems associate who is responsible for information security. "It's essential that everyone in the industry work together on this. We are becoming more dependent on one another, and our industry impacts many other critical services and industries." Curry says Eastman's involvement in the cooperative initiatives has helped the company identify specific weaknesses. For example, while Eastman had adequate backup for its infrastructure and critical applications, it needed to improve its business continuity strategysuch as how to quickly react in the event of a security breach. Similarly, Grant says Dow expects to gain insight into how well its supply chain partners are securing their networks, and assess the potential risks of partners connecting to Dow's networks to place orders or provide information.

While chemicals is an interconnected industry, these companies still compete with one another. Will competitive pressures stand at odds with all the information-sharing efforts? So far, the industry is at least sounding the right notes in that regard. "There's nothing proprietary about security," says Bobby Gillham, manager of global security at ConocoPhillips, which operates a chemical joint venture with ChevronTexaco. "Are we sharing the processes we use to make products? No. But we are sharing information about vulnerabilities and threats."

"As long as it's within the guidelines of the antitrust laws, I'm quite comfortable with it," adds Eastman's Curry. "We're not sharing anything that relates to products or pricing. We're sharing our experiences with security." Or as Dow's Adams puts it, "We're not giving away any secrets."