In the wake of the Sept. 11 terrorist attacks, the federal government met with chemical manufacturers and industry trade groups to discuss developing a plan to protect against physical or network-related attacks. This meeting led to the creation of the Chemical Sector Cybersecurity Program, which seeks to unite the highly diverse $450 billion chemicals industry - an employer of more than 1 million people and producer of more than 70,000 products - with one protective strategy. Christine Adams, IT staff member at Dow Chemical and director of the Chemical Sector Cybersecurity Program, recently talked with Network World Senior Editor Ellen Messmer about the program.

How did this voluntary effort get started?

Dow Chemical was approached by [then Presidential adviser] Richard Clarke at the White House to discuss the government's expectations for cybersecurity. The CIO of Dow and the CIO of DuPont agreed to initiate an organization on behalf of the industry to improve the industry's cybersecurity. We crafted a very high-level strategy in 2002 with help from the Chemical Industry Data Exchange [CIDX], the trade association for e-commerce standards for the chemical industry's supply chain. Some of the same CIOs that formed CIDX also formed the cybersecurity program.

CIDX last December published "Guidance for Addressing Cybersecurity in the Chemical Sector," a 100-page document on planning network security for corporate LANs and databases, as well as factory and supervisory control and data acquisition systems. What's happening with this?

We have the document to offer to industry, and we're telling the chemical companies they need to implement this cybersecurity-management policy. It's based on the international standard ISO 17799, an excellent framework. In 2003, we conducted an extensive assessment based on ISO 17799, with help from IBM, for 14 of our leading chemical companies. The Guidance document involves how to conduct vulnerability assessment in IT and process control systems. We also have the American Chemistry Council's Responsible Care Program for safe handling of chemical products, which was invented after [Sept. 11].

The Guidance doesn't seem to be a mandate that the chemical companies have to follow.

It's deliberately not a prescription because all the companies have different IT infrastructures.