Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

White House Adds Chemical Sector to ICS Cybersecurity Initiative

The White House announced on Wednesday that the Industrial Control Systems (ICS) Cybersecurity Initiative has been expanded to include the chemical sector.

The White House announced on Wednesday that the Industrial Control Systems (ICS) Cybersecurity Initiative has been expanded to include the chemical sector.

The ICS Cybersecurity Initiative was first announced in July 2021 — after the disruptive attack on Colonial Pipeline — and its goal is to improve critical infrastructure security by encouraging and facilitating the deployment of threat detection technologies and systems.

Chemical is the fourth sector added to the initiative, after electric, pipeline and water. Chemical organizations can analyze the best practices and lessons learned from these other sectors and create a cybersecurity action plan for the next 100 days.

The plan needs to focus on high-risk chemical facilities, and it needs to drive information sharing between the government and the chemical sector.

The government says it will not endorse or recommend any specific provider or technology. Instead, owners and operators are encouraged to deploy solutions based on their own risk assessment and cybersecurity posture.

The plan also needs to focus on the continuity of chemical production critical to national and economic security — the Biden-Harris administration highlights that the chemical sector produces disinfectants, personal care products, fertilizers, and energy sources.

It’s worth noting that sophisticated threat actors targeting chemical companies is not unheard of.

Several industry professionals have commented on the White House’s initiative…

Jerry Caponera, general manager, cyber risk, ThreatConnect:

“There are a couple of things that worry me concerning the chemical sector. The first is that the chemical sector produces items that we may not necessarily think about but can’t survive without in modern society. Imagine a world without plastics to store our food or chemicals to make electronics.

 

The second is the real risk. We saw three ransomware attacks in 2019, including 2 in the US (a bigger one was Norsk Hydro). They mitigated the impact because the hit was on IT, not OT systems. But it could have been worse.

 

Third, there’s a massive risk with the materials in question. Chemicals produce much of what we need, but a chemical material in raw form can be dangerous. A cyber attack on a chemical system where the IT and OT systems are linked could cause a consequential loss of life.

 

I’m glad the chemical industry is high on the list of sectors to watch. The ransomware attack on the Colonial pipeline caused a minor blip in the supply of gas. Suppose a significant ransomware attack on chemical plants would destroy plastic packaging. That would be devastating.”

Learn more about industrial cybersecurity at SecurityWeek’s ICS Cyber Security Conference

Padraic O’Reilly, co-founder and chief product officer, CyberSaint Security:

“The biggest issue is that almost all infrastructure is privately held. Analogous to the pipeline: large cyber-to-physical systems with extensive OT. Complex segregation issues and legacy protocols and infrastructure. Malicious attacks and control of SCADA systems and PLCs are real vulnerabilities. Internet-connected devices and cloud migration are an issue, too. On the upside, the chemical sector has been under CFATS through DHS for over a decade. That will oil the gears. Likely that sophisticated monitoring and detection lag behind the most mature industries. Likely, too, that cyber risk management needs to be done at the executive level to ensure proper resourcing.”

Chris Gray, AVP of cybersecurity, Deepwatch:

“The Chemical Sector is a significant component of both the critical infrastructure and manufacturing industries. As part of the interoperability of critical infrastructure chains, the Chemical Sector heavily influences and enables areas such as agriculture, water, nuclear, defense, and transportation. Damages to chemical manufacturing, storage, transportation, and use are not self contained; they have significant effects upon a much broader ecosystem, including economic markets.

 

The big security concerns in this sector include safety, including physical and potential for downstream environmental damages. The interoperability and reliance that exist between the Chemical Sector and other industries is another major consideration. If the production and delivery of chemicals is stopped or impeded, massive effects will be felt by manufacturing, healthcare, fuel, and many other areas. A third concern is system and platform vulnerability. The last major security framework requirements that have governance over this area predate 2010. This sector is likely underserved, highly remote and unattended, old technologies, and outdated security standards and expectations.”

Related: Chemicals Company Element Solutions Discloses Cybersecurity Incident

Related: Major U.S. Chemical Firms Hit by Cyberattack

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

ICS/OT

Otorio has released a free tool that organizations can use to detect and address issues related to DCOM authentication.

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.

Risk Management

A threat-based approach to security often focuses on a checklist to meet industry requirements but overlooked the key component of security: reducing risk.

Audits

Out of the 335 public recommendations on a comprehensive cybersecurity strategy made since 2010, 190 were not implemented by federal agencies as of December...

Management & Strategy

Microsoft making a multiyear, multibillion dollar investment in the artificial intelligence startup OpenAI, maker of ChatGPT and other tools.