In Depth
Chemical Industry Security: Bonding Time
Chemical companies may be terrorist targets. The industry is pulling together to tighten physical and electronic security, but it still faces a troubling mixture of vulnerabilities.
By Bob Violino
On the technology side, control systems are designed to be highly reliable and interoperable. "The controllers used in the front-end processors of these control systems are different than those used in business systems," says Weiss. Operator and engineer workstations now use off-the-shelf operating systems such as Microsoft or Unix. And some plants even connect their manufacturing systems using wireless communications devices. So the applications themselves are proprietary and not compatible with standard infosec tools.
On the practice side, Weiss notes that cybersecurity procedures widely accepted as best practices, such as ISO 17799, actually include steps that can be disastrous when applied to control systems. An example: If an employee mistypes his password three times, a common practice is to lock that access account until management can review the situation to make sure a hacker isn't flailing away with a password-guessing program. But if that employee is in fact a console operator who needs to shut a stuck valve in a hazmat manufacturing operation, the lockout can create havoc. Similarly, Weiss says that requiring console operators to frequently change passwords, and use hard-to-remember strings, is another ingredient in a recipe for failure.
At most chemical and other manufacturing companies, Weiss adds, the IT group is responsible for information security but doesn't understand control systems. And the operations group is responsible for control systems but not for security. Result: The whole issue falls through the cracks.
The industry's combined initiatives will include steps to ensure that process control systems are secure. Initiatives such as the forum aim to include not only information security experts but also people who understand process control systems. Standards bodies and other organizations are devoting efforts to securing control systems. For example, the Chemical Industry Data Exchange trade association is participating in the Instrumentation, Systems, and Automation Society (ISA) process controls cybersecurity committee ISA-SP99. Meanwhile, technology solutions are also needed. Weiss says the U.S. Department of Energy, through the National SCADA Test Bed, plans to develop tools addressing this problem.
But where process control systems security is concerned, we're a long way from a solution. And that appears to be a good encapsulation of security in the chemicals industry at large. They're going after it, but they've still got a long way to go.



