Home » Physical Security » Critical Infrastructure

Chemical Industry Security: Bonding Time

Chemical companies may be terrorist targets. The industry is pulling together to tighten physical and electronic security, but it still faces a troubling mixture of vulnerabilities.

Despite evident progress by these groups, the GAO and industry analysts question whether the industry's efforts are enough. Environmental Protection Agency officials estimate that voluntary initiatives led by industry associations reach only a portion of the 15,000 facilities that need to be secured, according to the GAO report. Although implementation of Responsible Care is a condition of ACC membership, the ACC lacks an enforcement mechanism to ensure that member companies comply.

The industry faces a number of challenges in preparing facilities against attacks, the GAO says, including ensuring that they obtain adequate information on threats and determining appropriate security measures given the level of risk. The industry also faces difficulties in making sure all facilities that produce or store hazardous chemicals are addressing security concerns. For example, "Despite the industry's voluntary efforts, the extent of security preparedness at U.S. chemical facilities is unknown," the report says. It recommends that the U.S. Department of Homeland Security and the EPA jointly develop a comprehensive national chemical security strategy that identifies high-risk facilities and collects information on industry security preparedness; specify the responsibilities of each federal agency partnering with the chemical industry; and develop information-sharing mechanisms.

Crisis Management Worldwide's Holton seconds the notion that more work remains. "Some chemical plants have very good security, fencing, lighting and procedures in place," he says. "Other facilities are unprepared. Fences are falling down, people wander onto the property. Access is uncontrolled." Eventually the GAO's proposed legislative action may be required to force the hand of small companies or other laggards (see "Uncle Sam Wants More," this page).The Process ProblemThe process control system problem may prove more intractable. Process control systems (SCADA being the most widely known associated acronymSupervisory Control and Data Acquisition systems) manage and oversee various pieces of the manufacturing process: tank sensors, cooling systems, and valves that stop or start the flow of chemicals, oil or other liquids.

How vulnerable these systems really are to a cyberattack is the subject of much debate. But Joe Weiss, a consultant at Kema, assures that the threat is very real indeed, and has documented at least 30 such attacks. One example was the Slammer worm, which Weiss says interfered with a number of control systems at power and oil companieseven though those companies and systems weren't the primary target. The process industry disruptions were collateral damage in an attack that was aimed at the Internet's root servers.

Simply passing legislation mandating a fix won't actually help because, according to Weiss, neither the technology nor the practices to secure process control systems currently exist.