Upcoming Events
- May 6-7, 2009
Spring CIO Roundtable
Houston, TX
Hosted by Shell
Interactions with DHS
Cyber Security Program Participating in Several DHS Initiatives
When the Department of Homeland Security (DHS) was created in 2002, the intent was to form a single, unified homeland security structure that would improve protection against threats to our nation. Since the very beginning, it was recognized that homeland security was not a task that any one entity could handle on its own. Instead, DHS was built on the principles of shared responsibility and partnership with federal, state and local governments, the private sector and the American people. These continue to be essential elements in the equation today.
Over the last six years, the chemical sector has diligently worked to increase interactions with DHS from a cyber security perspective to help ensure that sector efforts are aligned with government priorities. Its effort seems to be paying off. The lines of communication are open and the increase in ChemITC member company participation in DHS/National Cyber Security Division (NCSD) initiatives has been dramatic.
Earlier this year, ChemITC members formed a group to provide input to DHS/NCSD as they crafted the guidance around the Chemical Facility Anti-Terrorism Standards (CFATS) Risk-Based Performance Standards (RBPS). Ten chemical companies also participated in the DHS-sponsored Cyber Storm II exercise. Today, cyber security experts from ChemITC member companies are working with DHS on a number of initiatives, most notably the Strategic Homeland Infrastructure Risk Assessment (SHIRA), Roadmap to Secure Control Systems in the Chemical Sector and the chemical sector cyber security crisis information sharing process.
SHIRA is a comparative assessment of the risks to the nation's 17 Critical Infrastructure and Key Resource (CI/KR) sectors from international terrorists and their affiliates. In 2007 and again in 2008, members of the Cyber Security Program Steering Team participated in working sessions to provide input on the potential cyber threat scenarios deemed most likely and highest impact for the chemical sector. This information, along with the input from the other CI/KR sectors, provides the basis for the National CI/KR Terrorism Risk Profile and supports the National Infrastructure Protection Plan (NIPP) and Sector Specific Plan (SSP) development.
From an industrial automation and control system perspective, the DHS/NCSD Control Systems Security Program has been working for several years to reduce potential control system risks within and across all critical infrastructure sectors in an effort to minimize the likelihood of success and severity of impact of a cyber attack against critical infrastructure control systems. To that end, the DHS/NCSD Control Systems Security Program has been called upon to develop and implement a strategy for coordinating with the private sector and other government agencies to improve control system security. The creation of industry roadmaps provides a means to outline a sector's vision, goals and challenges, as well as near-, mid- and long-term milestones.
Members of the Cyber Security Program Manufacturing and Control Systems Team are participating in the DHS-sponsored initiative to create a Roadmap to Secure Control Systems in the Chemical Sector. Similar to roadmaps already developed for the energy and water sectors, the chemical sector roadmap will provide a strategic framework for improving cyber security in manufacturing and control systems and promote the systematic implementation of practices designed to enhance security and reliability. DHS is planning to finalize all initial input by the end of the year, with a first draft for review in the first quarter of 2009. Broad sector participation is encouraged in the roadmap development process, so if your company is not currently participating, please contact ChemITC Panel Manager Bridgette Bourge to find out how you can get involved. Keep an eye on future issues of ChemITC Connections for more details.
Last but certainly not least, a valuable lesson from the Cyber Storm II exercise earlier this year was the benefit and value that can be gained from improving information sharing during crisis conditions, both within individual companies as well as when companies need to escalate communication to the sector level and engage entities outside the chemical sector. The Cyber Security Program Risk Assessment and Preparedness (RAP) Team is in the process of documenting sustainable processes and procedures for cyber security crisis information sharing among ChemITC member companies as well as between ChemITC member companies, the Chemical Sector Coordinating Council and DHS.
The process and associated procedures, which are scheduled to be unveiled in the first quarter of 2009, are intended to provide a communication mechanism with the goal of improved cyber security situational awareness, response and recovery. The team has already started collecting primary IT and manufacturing control system security contacts from ChemITC member companies to be engaged in times of crisis. If you would like to ensure your company has a representative on this list, please contact ChemITC Panel Manager Bridgette Bourge.
Cyber security has always been a piece of the homeland security puzzle and was given increased priority in 2008 as part of the President's National Strategy for Homeland Security. While this area of security is better understood today than it was six years ago, emerging technology coupled with the evolving threat landscape makes it more important than ever that the chemical sector sustain current efforts and remain engaged with DHS. The Cyber Security Program is committed to working with DHS to draw us closer to our shared goal: a safer, more secure cyberspace.