The White House announced on Wednesday that the Industrial Control Systems (ICS) Cybersecurity Initiative has been expanded to include the chemical sector.
The ICS Cybersecurity Initiative was first announced in July 2021 — after the disruptive attack on Colonial Pipeline — and its goal is to improve critical infrastructure security by encouraging and facilitating the deployment of threat detection technologies and systems.
Chemical is the fourth sector added to the initiative, after electric, pipeline and water. Chemical organizations can analyze the best practices and lessons learned from these other sectors and create a cybersecurity action plan for the next 100 days.
The plan needs to focus on high-risk chemical facilities, and it needs to drive information sharing between the government and the chemical sector.
The government says it will not endorse or recommend any specific provider or technology. Instead, owners and operators are encouraged to deploy solutions based on their own risk assessment and cybersecurity posture.
The plan also needs to focus on the continuity of chemical production critical to national and economic security — the Biden-Harris administration highlights that the chemical sector produces disinfectants, personal care products, fertilizers, and energy sources.
It’s worth noting that sophisticated threat actors targeting chemical companies is not unheard of.
Several industry professionals have commented on the White House’s initiative…
Jerry Caponera, general manager, cyber risk, ThreatConnect:
“There are a couple of things that worry me concerning the chemical sector. The first is that the chemical sector produces items that we may not necessarily think about but can’t survive without in modern society. Imagine a world without plastics to store our food or chemicals to make electronics.
The second is the real risk. We saw three ransomware attacks in 2019, including 2 in the US (a bigger one was Norsk Hydro). They mitigated the impact because the hit was on IT, not OT systems. But it could have been worse.
Third, there’s a massive risk with the materials in question. Chemicals produce much of what we need, but a chemical material in raw form can be dangerous. A cyber attack on a chemical system where the IT and OT systems are linked could cause a consequential loss of life.
I’m glad the chemical industry is high on the list of sectors to watch. The ransomware attack on the Colonial pipeline caused a minor blip in the supply of gas. Suppose a significant ransomware attack on chemical plants would destroy plastic packaging. That would be devastating.”
Padraic O’Reilly, co-founder and chief product officer, CyberSaint Security:
“The biggest issue is that almost all infrastructure is privately held. Analogous to the pipeline: large cyber-to-physical systems with extensive OT. Complex segregation issues and legacy protocols and infrastructure. Malicious attacks and control of SCADA systems and PLCs are real vulnerabilities. Internet-connected devices and cloud migration are an issue, too. On the upside, the chemical sector has been under CFATS through DHS for over a decade. That will oil the gears. Likely that sophisticated monitoring and detection lag behind the most mature industries. Likely, too, that cyber risk management needs to be done at the executive level to ensure proper resourcing.”
Chris Gray, AVP of cybersecurity, Deepwatch:
“The Chemical Sector is a significant component of both the critical infrastructure and manufacturing industries. As part of the interoperability of critical infrastructure chains, the Chemical Sector heavily influences and enables areas such as agriculture, water, nuclear, defense, and transportation. Damages to chemical manufacturing, storage, transportation, and use are not self contained; they have significant effects upon a much broader ecosystem, including economic markets.
The big security concerns in this sector include safety, including physical and potential for downstream environmental damages. The interoperability and reliance that exist between the Chemical Sector and other industries is another major consideration. If the production and delivery of chemicals is stopped or impeded, massive effects will be felt by manufacturing, healthcare, fuel, and many other areas. A third concern is system and platform vulnerability. The last major security framework requirements that have governance over this area predate 2010. This sector is likely underserved, highly remote and unattended, old technologies, and outdated security standards and expectations.”