In the wake of the Sept. 11 terrorist attacks, the federal government met with chemical manufacturers and industry trade groups to discuss developing a plan to protect against physical or network-related attacks. This meeting led to the creation of the Chemical Sector Cybersecurity Program, which seeks to unite the highly diverse $450 billion chemicals industry - an employer of more than 1 million people and producer of more than 70,000 products - with one protective strategy. Christine Adams, IT staff member at Dow Chemical and director of the Chemical Sector Cybersecurity Program, recently talked with Network World Senior Editor Ellen Messmer about the program.
How did this voluntary effort get started?
Dow Chemical was approached by [then Presidential adviser] Richard Clarke at the White House to discuss the government's expectations for cybersecurity. The CIO of Dow and the CIO of DuPont agreed to initiate an organization on behalf of the industry to improve the industry's cybersecurity. We crafted a very high-level strategy in 2002 with help from the Chemical Industry Data Exchange [CIDX], the trade association for e-commerce standards for the chemical industry's supply chain. Some of the same CIOs that formed CIDX also formed the cybersecurity program.
CIDX last December published "Guidance for Addressing Cybersecurity in the Chemical Sector," a 100-page document on planning network security for corporate LANs and databases, as well as factory and supervisory control and data acquisition systems. What's happening with this?
We have the document to offer to industry, and we're telling the chemical companies they need to implement this cybersecurity-management policy. It's based on the international standard ISO 17799, an excellent framework. In 2003, we conducted an extensive assessment based on ISO 17799, with help from IBM, for 14 of our leading chemical companies. The Guidance document involves how to conduct vulnerability assessment in IT and process control systems. We also have the American Chemistry Council's Responsible Care Program for safe handling of chemical products, which was invented after [Sept. 11].
The Guidance doesn't seem to be a mandate that the chemical companies have to follow.
It's deliberately not a prescription because all the companies have different IT infrastructures.
So what's expected going forward?
Trading of chemicals is now done a lot through e-marketplaces. Our focus is taking all the excellent work that CIDX has done and working with each of the trading associations to produce cybersecurity programs for their members.
What have been the biggest obstacles?
One is information sharing. It's a cultural change for our industry to share a lot of detailed information. We never saw until now a need to share this kind of information. But we're not unique to other sectors - we all use similar products, enterprise systems, desktop computing. We're mostly getting hit with the same thing. The large companies contract with suppliers to watch for these attacks and help patch our systems. This year we're doing a study on the most effective ways to share information with ourselves and the government. We've not yet come to a clear conclusion.