Six years after a chemical industry initiative in cyber security was launched involving just a few individuals, the program has expanded to involve participation by more than 30 major chemical companies, and the industry today is better prepared to fend off cyber attacks.
That’s the word from Eric Cosman, who serves as a member of the Cyber Security Program Steering Team for the Chemical Sector Cyber Security Program, a strategic program within the Chemical Information Technology Center (ChemITC) of the American Chemistry Council. Cosman is engineering solutions architect at The Dow Chemical Co., in Midland, Mich.
Automation World caught up with Cosman recently for an update on cyber security progress in the chemical sector. The interview took place in late October, corresponding with the fifth observance of National Cyber Security Awareness Month, led by the Department of Homeland Security’s National Cyber Security Division.
The chemical sector initiative on cyber security that was started in 2002 has gone through several stages, Cosman said. “In the initial phases, we concentrated a lot on awareness [of cyber security threats and issues] and then on guidance. Then a few years ago, we shifted our focus to implementation and more sharing of best practices, or good practices, and what’s working within our respective companies.”
Program members have produced a number of guidance documents and white papers that are available for download on the ChemITC Web site (www.chemitc.com). One document on designing a cyber security management system was provided to the International Society of Automation’s ISA99 committee that is working on an industrial cyber security standard, and much of its content resurfaced recently in the ISA99 Part 2 document, said Cosman, who also co-chairs the ISA99 committee. “A lot of this information, particularly in the control systems space, is not uniquely applicable to the chemical sector, so if it can be applied for the greater good, then that’s what we should do,” Cosman commented.
More recently, as part of an “implementation” phase, Program members have been surveying chemical companies on their approach to various cyber security issues. The results are analyzed and distilled into a document describing accepted or common industry practices for use as a guide by interested companies. “Our goal is not to be prescriptive in any way,” said Cosman, but instead to provide examples of what “could” be done in regard to specific cyber security issues. Recent surveys have covered approaches to network separation between control systems and business systems, as well as the use of intrusion detection and prevention technology in a control systems environment.
Is the chemical industry safer from cyber attack due to the work done through the ChemITC program? While that’s hard to measure, Cosman believes the answer is yes. “We’ve raised awareness and we’ve gotten more people knowledgeable about what the risks are and what they can do about them,” he said. That has contributed to “active, thriving programs” in cyber security at the 34 ChemITC member companies, which make up a “who’s who of chemical companies,” Cosman added.
Challenges for the future include reaching the many small companies in the chemical industry that don’t have the resources to participate in ChemITC, as well as sustaining a high level of continuing cyber security activity at those companies that are active. “Cyber security is not a project that you can take on and do and be done,” Cosman said. “The adversaries, or the risks that you’re facing, are evolving constantly. So the big challenge, I think, is sustaining the imperative, the initiative and the energy level that you have, and doing it in a business-sensible way.”
To download or listen to a Podcast of the full interview with Eric Cosman, visit www.automationworld.com/podcast-4820.
Chemical Information Technology Center