SecurityWeek

White House Adds Chemical Sector to ICS Cybersecurity Initiative

The White House announced on Wednesday that the Industrial Control Systems (ICS) Cybersecurity Initiative has been expanded to include the chemical sector.

The ICS Cybersecurity Initiative was first announced in July 2021 — after the disruptive attack on Colonial Pipeline — and its goal is to improve critical infrastructure security by encouraging and facilitating the deployment of threat detection technologies and systems.

Chemical is the fourth sector added to the initiative, after electric, pipeline and water. Chemical organizations can analyze the best practices and lessons learned from these other sectors and create a cybersecurity action plan for the next 100 days.

The plan needs to focus on high-risk chemical facilities, and it needs to drive information sharing between the government and the chemical sector.

The government says it will not endorse or recommend any specific provider or technology. Instead, owners and operators are encouraged to deploy solutions based on their own risk assessment and cybersecurity posture.

The plan also needs to focus on the continuity of chemical production critical to national and economic security — the Biden-Harris administration highlights that the chemical sector produces disinfectants, personal care products, fertilizers, and energy sources.

It’s worth noting that sophisticated threat actors targeting chemical companies is not unheard of.

Several industry professionals have commented on the White House’s initiative…

Jerry Caponera, general manager, cyber risk, ThreatConnect:

“There are a couple of things that worry me concerning the chemical sector. The first is that the chemical sector produces items that we may not necessarily think about but can’t survive without in modern society. Imagine a world without plastics to store our food or chemicals to make electronics.

The second is the real risk. We saw three ransomware attacks in 2019, including 2 in the US (a bigger one was Norsk Hydro). They mitigated the impact because the hit was on IT, not OT systems. But it could have been worse.

Third, there’s a massive risk with the materials in question. Chemicals produce much of what we need, but a chemical material in raw form can be dangerous. A cyber attack on a chemical system where the IT and OT systems are linked could cause a consequential loss of life.

I’m glad the chemical industry is high on the list of sectors to watch. The ransomware attack on the Colonial pipeline caused a minor blip in the supply of gas. Suppose a significant ransomware attack on chemical plants would destroy plastic packaging. That would be devastating.”

Padraic O’Reilly, co-founder and chief product officer, CyberSaint Security:

“The biggest issue is that almost all infrastructure is privately held. Analogous to the pipeline: large cyber-to-physical systems with extensive OT. Complex segregation issues and legacy protocols and infrastructure. Malicious attacks and control of SCADA systems and PLCs are real vulnerabilities. Internet-connected devices and cloud migration are an issue, too. On the upside, the chemical sector has been under CFATS through DHS for over a decade. That will oil the gears. Likely that sophisticated monitoring and detection lag behind the most mature industries. Likely, too, that cyber risk management needs to be done at the executive level to ensure proper resourcing.”

Chris Gray, AVP of cybersecurity, Deepwatch:

“The Chemical Sector is a significant component of both the critical infrastructure and manufacturing industries. As part of the interoperability of critical infrastructure chains, the Chemical Sector heavily influences and enables areas such as agriculture, water, nuclear, defense, and transportation. Damages to chemical manufacturing, storage, transportation, and use are not self contained; they have significant effects upon a much broader ecosystem, including economic markets.

The big security concerns in this sector include safety, including physical and potential for downstream environmental damages. The interoperability and reliance that exist between the Chemical Sector and other industries is another major consideration. If the production and delivery of chemicals is stopped or impeded, massive effects will be felt by manufacturing, healthcare, fuel, and many other areas. A third concern is system and platform vulnerability. The last major security framework requirements that have governance over this area predate 2010. This sector is likely underserved, highly remote and unattended, old technologies, and outdated security standards and expectations.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
