U.S. Chemical Sector Cyber Security Strategy Edition. Chemical Sector Cyber Security Program


Strategy Document

U.S. Chemical Sector Cyber Security Strategy
2006 Edition

Chemical Sector Cyber Security Program
Prepared by the Chemical Sector Cyber Security Program Steering Team
September 2006

Chemical Information Technology Council (ChemITC) is a trademark of the American Chemistry Council. All rights reserved.

U.S. Chemical Sector Cyber Security Strategy 2006 Edition Page 1 of 19

Table of Contents

1. CURRENT STATE OF CHEMICAL SECTOR CYBER SECURITY
   1.1 Potential impacts of cyber security threats
   1.2 Strategic successes to date
       Driving adoption of cyber security practices
       Manufacturing system security efforts
       Accelerating the development of improved technology
       Enhancing sector information sharing
       Aligning sector priorities with the Department of Homeland Security (DHS)
   1.3 Challenges
2. DESIRED STATE OF CHEMICAL SECTOR CYBER SECURITY
   2.1 Information sharing
   2.2 Guidance enhancement and relevance
   2.3 Sector-wide adoption
   2.4 Enhanced security in technology solutions
   2.5 Government relations
3. CHEMICAL SECTOR CYBER SECURITY STRATEGY
   3.1 Guiding principles
   3.2 Strategic elements
       Information sharing
           Information sharing within the chemical sector
           Information sharing with the U.S. federal government
           Information sharing in other world areas
           Information sharing across critical infrastructure industries
       Guidance enhancement and relevance
           Addressing needs of sub-sections of the chemical sector
           Addressing emerging cyber security needs
           Participating in external forums for standards development
       Sector-wide adoption
           Advocate adoption across the sector
           Sustain improvements throughout the sector
           Measure trade association engagement across the sector
       Enhanced security in technology solutions
           Engaging technology providers in the Chemical Sector Cyber Security Program
           Engaging technology providers in external venues
           Advocating technology provider adoption of alternative solutions
       Government relations
           Advocacy on public policy issues
           Resource to government agencies
APPENDIX I CHEMICAL SECTOR BACKGROUND
   A1.1 History of security and risk management
   A1.2 Organizing the sector around cyber security
   A1.3 Implementation of the initial Chemical Sector Cyber Security Strategy
       A1.3.1 Advancing involvement and commitment across the sector and public policy
       A1.3.2 Advancing information sharing
       A1.3.3 Advancing practices, standards and technology
APPENDIX II: ACKNOWLEDGEMENTS

1. Current State of Chemical Sector Cyber Security

Cyber security, which encompasses the security of information and assets used in both business systems and industrial automation and control systems, is an integral part of overall chemical sector security. When evaluating the chemical sector cyber security landscape, it is important to recognize that many steps have been taken to enhance the chemical sector's cyber security preparedness and performance through a collection of individual company efforts and a sector-wide approach. The widespread use of technology in the chemical sector, both in manufacturing and business operations, coupled with a continued emphasis on cyber security, is important to help protect not only information technology (IT) and manufacturing control systems, but the industry's physical assets which many rely on to conduct business.

Identified by the U.S. government as a critical infrastructure industry, the chemical sector has a strong interdependency with many other industries, which rely on the manufacture, availability, transport and secure delivery of chemical products. For example, chlorine is critical to purify our nation's drinking water sources. In addition, agriculture, pesticides, fertilizers and preservatives help provide a safe and abundant food supply. The automotive industry depends on thousands of chemical products, from polyurethane seat cushions to neoprene hoses and belts, to enhance the performance, fuel efficiency and safety of automobiles.

Similarly, the chemical industry is dependent on many other critical infrastructures. The industry has a strong relationship with emergency services to facilitate our emergency response capabilities. It relies on technology solutions from the information and telecommunications sector to enhance the performance, operation and communication of the chemical sector. It is highly dependent on rail, trucking and pipeline services for the secure transport of its products.
These and the many other interdependencies among the chemical sector and other critical infrastructure industries demonstrate the importance of having proactive risk management and reduction strategies in place to help protect chemical industry companies, communities and the nation as a whole.

1.1 Potential impacts of cyber security threats

In 2004, an industry-level vulnerability assessment was conducted to better understand approaches to prevent and reduce the potential impacts of cyber security threats. The available information suggested that the physical structure of the chemical industry reduces the likelihood and scope of a cascading failure effect.

Manufacturing and control systems in the chemical sector typically control processes and equipment that are contained within the physical boundaries of a manufacturing facility. Various security checks have been developed to determine the validity of information being transported across facility boundaries before such information is used in a control action. Several layers of protection are available beyond the manufacturing system that include physical access controls, independent safety interlock systems, emergency shutdown systems and auxiliary independent backup devices. Information that is communicated between a plant and central business information systems is primarily for optimization and supply chain operations, not for direct control of a physical process. Because of this, an incident at a chemical facility is more likely to impact that site alone, rather than cause a chain reaction across multiple sites or companies.

However, unless adequate safeguards are in place, cyber attacks could result in business interruption, lost capital, risks to plant employees and communities, and more. The potential of a combined physical and cyber attack and the criminal use of illegally obtained information represent possible threat scenarios that could impact industries such as the chemical sector. In addition, without the use of protective measures, there is an increased risk of threats such as:

- Using shipment, product inventory or site information to construct a physical attack
- Stealing personal identity information to acquire chemicals for improper use
- Gaining inappropriate access to systems to cause isolated disruptions

1.2 Strategic successes to date

Through the effort of leading chemical sector companies, the chemical sector has taken a number of steps to help facilitate company activities to enhance chemical sector cyber security.

Driving adoption of cyber security practices

From , the Chemical Industry Data Exchange (CIDX) developed a set of guidance documents and white papers to help chemical companies evaluate, assess and improve the cyber security posture of their business and manufacturing systems. Additionally, chemical industry manufacturing system security professionals provided expertise to external industry organizations toward the development of several manufacturing system-specific guidance documents. The following documents are available for all industry organizations and include assessment and preventative measures [1].
- A Case for Taking Action on Cyber Security
- Cyber Security Architecture Reference Model
- Guidance for Addressing Cyber Security in the Chemical Industry Version 3.0
- Integrating Electronic Security into the Manufacturing and Control Systems Environment
- Key Technology Issues White Paper
- Making the Case for Addressing Cyber Security in Manufacturing Control Systems
- Report on the Evaluation of Cyber Security Self-Assessment Tools and Methods
- Report on the Evaluation of Cyber Security Vulnerability Assessment Methodologies and Processes
- Security Capabilities Profile for Industrial Control Systems
- Security Technologies for Manufacturing and Control Systems
- The Cyber Security Journey: How to Begin an Integrated Cyber Security Program

[1] Guidance documents and white papers are available on the Chemical Sector Cyber Security Program Web site at

Working with chemical industry trade associations to increase the adoption of cyber security guidance and tools, integrate cyber security into security or product stewardship initiatives, and encourage member companies to implement cyber security guidance remains a priority for chemical sector cyber security activities.

Manufacturing system security efforts

A variety of industry organizations are working to develop cyber security practices and standards for manufacturing systems. Chemical sector manufacturing system security experts are contributing to the work of several organizations, including:

- The ISA SP-99 Committee, which is developing an international standard for Industrial Automation and Control Systems security
- Department of Homeland Security (DHS)-sponsored Process Control Systems Forum (PCSF)
- DHS-funded Idaho National Laboratory (INL) Control Systems Security Center
- National Institute of Standards and Technology (NIST) Process Control Security Requirements Forum (PCSRF)

Accelerating the development of improved technology

Improving existing and yet-to-be-developed technology solutions is a fundamental aspect of enhanced cyber security. The chemical sector is working with technology providers to help ensure they are aware of and taking appropriate actions on technology issues important to the chemical sector. Several areas of interest have been identified, including wireless networking and enterprise directory services.

Enhancing sector information sharing

The chemical sector has worked to explore current information sharing resources and determine how they could address sector needs. A variety of available resources can enable chemical companies to respond to emerging threats, reduce the impact of cyber security incidents and be better positioned to maintain safe and secure operations. These include:

- United States Computer Emergency Readiness Team (US-CERT)
- Chemical Sector Information Sharing and Analysis Center (ISAC)
- Business Roundtable's CEO ComLink
- Homeland Security Information Network (HSIN)

Aligning sector priorities with the Department of Homeland Security (DHS)

The chemical sector has long understood the importance of having a constructive relationship with governmental authorities. The sector has had extensive dialogue with DHS and continues to do so to ensure sector cyber security efforts are aligned with DHS priorities so that together, both parties can make good strategic decisions and benefit from each other's initiatives. Additionally, the sector continues to work with DHS to improve the availability, reliability and accessibility of threat information for the sector.

1.3 Challenges

The most significant challenge the sector faces continues to be the successful engagement of chemical companies throughout the sector.
The sector has made progress in delivering useful guidance to help assist chemical companies in elevating their level of cyber security, raising awareness of the critical issue of cyber security and establishing a working relationship with the Department of Homeland Security. However, it is important to recognize that there is disparity among chemical sector companies and their implementation of cyber security practices.

The greatest success in addressing cyber security in the chemical sector has been achieved in reaching large chemical manufacturers who are members of the American Chemistry Council and subscribe to the Responsible Care Security Code. While the American Chemistry Council represents approximately 85 percent of U.S. chemical manufacturing capacity, it is still important that companies, large, medium and small, that are members of other chemical industry trade associations take appropriate steps to enhance their cyber security stature. Broad participation among companies in all segments of the sector is required to elevate our industry's cyber security preparedness and performance.

2. Desired State of Chemical Sector Cyber Security

In the desired state, all chemical sector companies will be actively working together to achieve common cyber security goals. Additionally, using the latest practices and guidance will be an inherent part of company cyber security programs to help ensure proper controls are in place to protect company systems. Finally, the sector will have solid working relationships with strategic technology providers and government agencies.

2.1 Information sharing

In the desired state, information sharing will be seamless within the chemical industry, between the chemical sector and government agencies, including the Department of Homeland Security (DHS), and among critical infrastructure industries at a strategic, tactical and operational level. United States cyber security activities will be coordinated with global efforts to enhance chemical sector performance worldwide. Chemical companies will have a clear understanding of the Protected Critical Infrastructure Information (PCII) program and will be comfortable sharing appropriate yet security-sensitive information with DHS and industry counterparts.

2.2 Guidance enhancement and relevance

Chemical companies have access to new and improved practices, resources and standards created by external organizations and/or the Chemical Sector Cyber Security Program to help them address maturing cyber security needs and legislative requirements. Guidance documents will remain evergreen through periodic reviews and will be available to assist chemical companies in enhancing their cyber security preparedness and performance.

2.3 Sector-wide adoption

In the desired state, cyber security is recognized as a critical aspect of overall security. The degree of focus and emphasis on cyber security will be elevated to a level at which it is consistent with physical and transportation security within chemical industry trade associations and individual chemical companies.
The increased emphasis on cyber security will lead all chemical trade associations to incorporate cyber security requirements as a condition of membership within existing product stewardship programs or to create new cyber security programs to address emerging needs. Additionally, the sector's activity will be managed through one consistent, coordinated program.

Member companies of each Chemical Sector Coordinating Council trade association and those in other world areas would have implemented practices and controls to help protect highly integrated chemical company systems. Available guidance, including guidance that is offered by the Chemical Sector Cyber Security Program, will provide the basis for cyber security improvements. Cyber security will be an intrinsic part of company security programs.

All trade associations that are members of the Chemical Sector Coordinating Council and those in other world areas will incorporate regular cyber security updates at their annual or semi-annual meetings to meet evolving member needs.

Leaders across the various security disciplines within a company will better coordinate efforts in the desired state. Physical, transportation, cyber and supply chain security experts, process safety experts and others will regularly communicate and work together to identify interdependencies among the different security disciplines, understand the consequences of security incidents and achieve common security objectives.

2.4 Enhanced security in technology solutions

In terms of addressing and enhancing the security of technology products and solutions, two methods of successful engagement with technology providers are clear in the desired state. Strategic information technology and manufacturing control system technology providers will be actively participating in all available Cyber Security Program working teams and general meetings. Additionally, chemical sector cyber security experts will be actively engaged in external organizations and standards bodies in which technology providers important to the industry play a role. This engagement will contribute to a better understanding of chemical industry needs and the development and delivery of more secure products and services.

Additionally, enhanced security controls created through research and development initiatives conducted by technology providers, government agencies and academia will be integrated into technology offerings. Product testing and enhancement prior to release into the marketplace will result in the availability of products free of vulnerabilities.

2.5 Government relations

In the desired state, federal legislation will exist to establish national security guidelines for chemical facilities; require companies to conduct site vulnerability assessments and implement security plans; and create strong enforcement authority to ensure facilities and systems have used appropriate security measures. Additionally, federal, state and local regulations will be aligned and incorporate flexibility to accommodate evolving cyber security challenges. This legislation will create a level playing field in which chemical companies can operate in a safer, more secure manner.

Government agencies will also recognize the chemical sector as a leader in implementing security practices to improve sector performance and point to the sector as a model for others.
When government agencies seek expertise and input on cyber security matters, the sector's unified cyber security program will be their first point of contact.

3. Chemical Sector Cyber Security Strategy

The Chemical Sector Cyber Security Strategy is designed to provide a roadmap for improving the level of cyber security across the chemical sector. With five strategic elements at its core, the strategy provides the framework for a sector-wide program that leverages technology, processes and people to help protect communities, facilitate safe operations, shield proprietary information and enable business continuity throughout the global industry.

The Chemical Sector Cyber Security Program will facilitate implementation of the Chemical Sector Cyber Security Strategy on behalf of the chemical sector in an effort to increase the cyber security performance and preparedness throughout the diverse chemical sector.

3.1 Guiding principles

To be successful and meet the cyber security needs of both large and small companies in various segments of the chemical sector, the sector will use the following principles to guide its cyber security program.

- Cyber security is an integral part of overall security.
- The scope of cyber security includes information technology systems and manufacturing systems [2].
- Cyber security risk can be reduced through the effective management of cyber security practices.
- Guidance can be applied to help address the common and unique needs and risk profiles in the chemical sector.
- The Chemical Information Technology Council (ChemITC) is intentionally not developing industry-specific cyber security standards, but rather is identifying and leveraging existing practices and standards that are relevant to address industry needs.
- Regional and global needs should be addressed, with initial priorities driven by the U.S. sector.
- The interdependencies between chemical companies and their extended supply chain, including formulators, distributors, carriers and others, should be considered.
- Cyber security expertise will be drawn from within the sector and from other sectors.
- Emphasis is placed on aligning cyber security activities with government efforts whenever possible.
- Adoption will be through chemical industry trade associations and their respective product stewardship programs.

3.2 Strategic elements

The Chemical Sector Cyber Security Strategy is comprised of five key elements.

- Information sharing
- Guidance enhancement and relevance
- Sector-wide adoption
- Enhanced security in technology solutions
- Government relations

[2] In the broader community, manufacturing systems are commonly referred to as industrial automation and control systems (IACS) because the applicability of these systems and the practices and standards they subscribe to extend beyond the manufacturing community.

3.2.1 Information sharing

For a security program to be successful, reliable and timely information is essential. Chemical companies can derive much value from accessing and sharing appropriate information regarding physical and cyber security threats. A strategic element of the Program focuses on facilitating appropriate information sharing at a strategic, tactical and operational level within the chemical sector, with the federal government and across critical infrastructure industries.

Information sharing within the chemical sector

The Chemical Sector Cyber Security Program has been recognized as an effective channel for sharing information within the chemical industry. The Program will continue to provide opportunities for information technology (IT) and manufacturing control system professionals to come together to address common issues through the creation of and participation in new and existing working teams. Additionally, the Program plans to host two networking meetings each year to provide opportunities for cyber security experts from all ChemITC Charter member companies to share experiences and discuss topics relating to cyber security trends, issues and needs.

In addition to general opportunities for information sharing among chemical industry peers, the Program will define a process to provide support to chemical industry IT and manufacturing system professionals during times of crisis. The defined process will provide a venue for cyber security experts in the chemical industry to share incident response strategies in an effort to help decrease the time it takes to address imminent issues (e.g. viruses, worms, etc.).

Information sharing with the U.S. federal government

Understanding the benefits of working and aligning with the government to achieve common objectives, the chemical sector will continue to develop its relationship with the various divisions within the Department of Homeland Security (DHS) National Cyber Security Division (NCSD).
In particular, the chemical sector will work with the DHS NCSD Critical Infrastructure Protection Cyber Security (CIP CS) Program, the Control Systems Security Program and others. This will help enable the chemical sector to align its cyber security priorities with those of the federal government.

Using the United States Computer Emergency Readiness Team (US-CERT) capabilities, the chemical sector will develop a process for sharing information with DHS as facilitated through the Protected Critical Infrastructure Information (PCII) program. It will also focus on ways to more effectively receive information from DHS to enable chemical companies to have more advance warning of threats and vulnerabilities that could potentially impact chemical operations.

Information sharing in other world areas

With many chemical companies operating on a global scale in every region around the globe, United States-based chemical companies realize the value of working closely with international counterparts to understand regional needs and establish cooperative mechanisms that can help elevate the sector's cyber security performance worldwide. The Chemical Sector Cyber Security Program will monitor evolving cyber security activities in other world areas, particularly in Europe and Asia Pacific, and will coordinate and share relevant information to advance shared cyber security goals. In Europe, the Cyber Security Program will leverage Verband der Chemischen Industrie (VCI), a German chemical industry trade association, to help facilitate coordination and information sharing with European-based chemical companies.

Information sharing across critical infrastructure industries

The chemical industry has a strong interdependency with many of the other critical infrastructure sectors, which rely on the manufacture, availability, transport and secure delivery of chemical products. Similarly, the chemical industry is dependent on many other critical infrastructures (see Section 1 for additional information). These and the many other interdependencies among the chemical sector and other critical infrastructure industries suggest significant benefits can be gained from a coordinated approach to cyber security.

Several venues currently exist to facilitate cross-sector information sharing, and DHS NCSD is exploring opportunities to provide a forum for cyber information sharing across sectors. The chemical sector will participate in cross sector information sharing opportunities as they arise.

Guidance enhancement and relevance

Following several years focused on guidance development, the Chemical Sector Cyber Security Program has shifted its attention from facilitating guidance development to increasing adoption of cyber security guidance and tools within the chemical sector. Moving forward, emphasis will be placed on helping to ensure that existing guidance documents (see Appendix 1, Section A1.3.3 for detailed information and a list of documents) remain relevant and applicable to address emerging chemical industry cyber security needs.

Addressing needs of sub-sections of the chemical sector

In support of the strategic element to drive adoption across the sector, the Program will work with chemical industry trade associations to customize existing guidance documents to meet member needs.
Work in this area may include creating abbreviated documents that are relevant to small- or medium-size chemical companies or developing guidance focused on specific elements of the sector's comprehensive guidance document, such as risk management and adoption or access control.

Addressing emerging cyber security needs

Enabling technology in a variety of forms is an essential part of chemical product life cycles, from early research and development efforts to their manufacture, distribution, storage and proper use. However, technology advancement comes with the potential for new and increased risk. As technology solutions and capabilities in both the information technology and manufacturing system arenas continue to evolve, the chemical sector will need to maintain its pace to mitigate and manage potential risks associated with emerging and maturing technologies. In response, the Program plans to periodically review and assess existing guidance documents to evaluate their relevancy under current conditions and incorporate emerging needs and potential enhancements.

Participating in external forums for standards development

A variety of outside industry organizations are working to develop practices and standards for IT and manufacturing systems. The Program has provided leadership to many of these efforts to date, and will continue to interact with external organizations to provide chemical industry insights and experiences to standards under development. When approached by new organizations, the Program will evaluate projects and requests based on their relevance to the chemical sector, and will participate in efforts that provide the most value to chemical companies interested in elevating cyber security performance.
As new practices and standards that are relevant to the chemical industry become available, the Program will support and provide access to this important information as appropriate.

Sector-wide adoption

The Chemical Sector Cyber Security Program is built on the principle that widespread awareness, acceptance and adoption of cyber security practices and guidance are important to effectively enhance chemical sector cyber security. Yet one of the most significant challenges the Program faces continues to be the successful engagement of chemical companies throughout the sector. A critical piece of the sector's strategy involves advocating and sustaining adoption of cyber security practices based on existing guidance throughout the global chemical sector.

Advocate adoption across the sector

A plan will be implemented to facilitate widespread adoption of cyber security guidance throughout the global chemical sector. Using chemical industry trade associations as a vehicle, the Program will work to understand trade association member needs and encourage and facilitate action in their member companies. Taking a tiered approach based on priority and resources, the Program will first reach out to chemical industry trade associations that have historically supported Program activities. It will then expand its reach to encompass the remainder of the trade associations that participate in the Chemical Sector Coordinating Council (see Appendix 1, Section A1.2 for a list of associations and further details).

The goal is for each chemical industry trade association to lead adoption of cyber security guidance by their member companies. This may be achieved through the establishment of cyber security programs within their organization that encourage companies to adopt cyber security guidance and implement practices based on individual company needs. Ensuring that cyber security requirements are integrated into existing security or product stewardship initiatives is another possible approach.

Understanding the global nature of the chemical industry, the Program will continue to explore opportunities to engage chemical companies internationally. Using the trade association engagement approach, the Program will coordinate its efforts with chemical companies in other world areas in an attempt to encompass the full spectrum of chemical sector companies.
Recognizing the benefits of a common cyber security framework for our industry, the Program will work to understand avenues for success in other world areas. Initially, the Program will reach out to its European counterparts to understand and address regional cyber security needs. The Program will expand its efforts to other world areas as interests arise.

Sustain improvements throughout the sector

Since 2002, outreach efforts have proven most successful among members of the American Chemistry Council. This success was due in large part to member compliance with the Responsible Care Security Code, of which cyber security requirements are a part, as well as their commitment to enhancing safety and security within the sector. As part of the sector's strategy to sustain cyber security improvements in the chemical sector, the Program will provide companies who are interested in elevating their cyber security performance with access to Program guidance documents and supporting reference materials.

Measure trade association engagement across the sector

As the Program engages the various trade associations in the Chemical Sector Coordinating Council and those in other world areas, it will be important to track engagement and adoption efforts. A sector performance tool will be created to enable trade associations to evaluate, measure and report cyber security progress within their member companies. The tool will include a scorecard that trade associations can use with their member companies to measure target goals and key metrics aligned with each of the Program's strategic elements.

The information gathered from each trade association can provide a high-level snapshot of sector-level activity. It can also provide information to help certify compliance with any cyber security programs or processes an association has established.

3.2.4 Enhanced security in technology solutions

The rapid acceleration of improved technology products and services is a critical aspect of the sector's cyber security strategy. The chemical sector's cyber security efforts rely on increased coordination between technology providers and the industry to foster an understanding of the common and unique needs of the sector, facilitate enhancements to the security of products scheduled for release, and enable technology providers to become better stewards of their products and services.

Since suppliers of technology products and services are best positioned to address issues within the solutions they create, the Chemical Sector Cyber Security Program will work closely with information technology and manufacturing system product and service providers to identify security needs and provide input on challenges chemical companies face in deploying products and solutions currently in use, as well as improving those in development. This interaction, which will take place both within the Program and in forums outside the chemical sector, will help facilitate improvements in technology to better meet business needs for safe, secure and integrated operations.

Engaging technology providers in the Chemical Sector Cyber Security Program

The Chemical Sector Cyber Security Program provides a venue for chemical company cyber security experts to interact with IT and manufacturing system product and service providers. Representatives from industry technology providers that join ChemITC will be integrated into Program project teams to facilitate an open exchange of information regarding chemical industry technology offerings and interests. It will also give chemical companies an opportunity to express perspectives regarding potential security improvements to technology products and solutions.

Engaging technology providers in external venues

Many security issues and topics are not unique to the chemical sector. Additionally, some strategic technology providers may not be actively engaged in the Chemical Sector Cyber Security Program. The chemical sector will take steps to engage technology providers in external venues in which they are actively participating. By actively engaging in external forums that are working to address key technology issues with solution providers, chemical sector cyber security professionals can contribute to the acceleration of improved technology security for the industry.

Advocating technology provider adoption of alternative solutions

Government agencies, academia and other institutions are regularly conducting research and development initiatives in an effort to create improved technology solutions. In some cases, research initiatives are aimed at developing better approaches to enhance the security of technology solutions. As these efforts produce new technologies that would improve chemical industry cyber security effectiveness, the Chemical Sector Cyber Security Program will encourage technology providers to appropriately adopt and take stewardship responsibilities for these emerging solutions.

Government relations

The chemical sector has a long history of working with the government to improve its knowledge and understanding of the vital role chemical companies play in society, the environment and the economy. The Cyber Security Program's government relations initiatives build on the industry's history of effective partnership with the government to articulate industry positions on chemical and cyber security legislation and provide a resource to government agencies on matters pertaining to chemical sector cyber security.

Advocacy on public policy issues

With a focus on helping to protect the physical and electronic assets of the chemical sector, the Program will leverage the greater ChemITC organization for advocacy on public policy issues. Working with ChemITC's public advocacy committee, the Program will help articulate positions on chemical and cyber security legislation that support industry perspectives, and will assist the public advocacy committee in understanding the impact of proposed or recently-implemented legislation or regulation. If, and when, a ChemITC member company is asked to share industry perspectives on cyber security legislation affecting the chemical industry, ChemITC will help prepare talking points in an effort to align advocacy positions consistent with ChemITC and the Program. In addition, ChemITC and the Cyber Security Program will leverage opportunities to voice chemical sector positions on issues important to the industry with the media and other external sources.

Resource to government agencies

At times, government agencies seek the perspectives of critical infrastructure industries to help ensure the government understands the views of affected stakeholders. In matters pertaining to cyber security efforts in the chemical industry, the Chemical Sector Cyber Security Program will provide input and expertise to government agency requests. For example, the National Infrastructure Protection Plan (NIPP) outlines a structure for critical infrastructure risk management. The NIPP includes sector-specific plans for all critical infrastructure and key resources, including the chemical sector. The Cyber Security Program contributed input and perspectives to the development of the chemical industry's sector-specific plan to help ensure the government acknowledges chemical sector cyber security efforts as it develops the broader industry plan.

Appendix I Chemical Sector Background

The chemical sector is an essential element of the nation's economic security, our homeland defense and the public's health and welfare. As a critical infrastructure sector, the chemical sector has a rich history of providing products that are essential to the U.S. economy and way of life. The sector transforms natural raw materials into more than 70,000 commonly used products including basic and intermediate chemicals, specialty chemicals, agricultural chemicals, fertilizers, petrochemicals, plastics and fibers, paints and coatings and pharmaceuticals, benefiting society's health, safety and productivity.

A $516 billion enterprise in the United States alone, the U.S. chemical industry accounts for a quarter of the $2.24 trillion in global chemical sales. The chemical sector is the largest exporting sector in the United States with $109 billion in shipments, accounting for more than ten cents out of every dollar of U.S. exports. The nation's food, safe water supply, clothing, shelter, health care, computer technology, transportation and many other facets of modern life depend upon the business of chemistry.

The chemical sector employs nearly one million employees that can be found in all 50 states and the District of Columbia, and accounts for more than four million additional related jobs in other U.S. industries. The sector pays 45 percent higher wages than any other manufacturing sector, invests more than $23 billion in research and development activities annually and generates one of every eight patents issued by the U.S. Patent and Trademark Office. An environmentally responsible industry, the chemical sector invests approximately $14 billion each year to improve the environment and health and safety. Since 1988, industry emissions have decreased 75 percent while industry output volume rose 29 percent.
The security and reliability of the chemical sector benefits all other critical infrastructure communities, communities that rely on the secure delivery of chemicals to serve the nation's security and defense as well as the public's welfare. Silicon chemistry and fiber optics have enabled the nation's vast communications infrastructure, from computer networks and the Internet to the electrical grids and water supply in American cities. The products of chemistry are also a key aspect of how we live our lives, from enabling modern health care to improving the safety and performance of the products used to build our homes and cars, to providing plant nutrients to grow the crops that feed the world. Chemistry innovations also lead to drug innovations that eliminate a wide range of diseases and decrease time spent in hospital care.

A1.1 History of security and risk management

The chemical sector has a clear understanding of its value and its impact on individual communities and the economy. The sector also possesses a sharp awareness of risk factors and how to responsibly manage risk. Hundreds of thousands of highly trained chemists, engineers and operators are experts in the business of managing and reducing risks associated with making chemicals. The chemical sector's commitment to both safety and security is demonstrated through the sector's long-standing voluntary initiatives and programs; its adherence to and support for government standards and research; and its longstanding and effective partnerships with local, state and federal government agencies.

Risk encompasses the combination of vulnerability, threat and consequence. Information and communications infrastructures have become a critical part of chemical sector operations. Communications technology and controlled sharing of business information are essential aspects of all company operations and processes in the sector. However, the same technologies that make business faster and more efficient can introduce new vulnerabilities. As the world continues to face new threats with varying levels of consequence, the chemical sector continues to increase its capability to manage exposure to information and manufacturing control system security risk. The industry established a sector-wide initiative in 2002, which focuses on risk management and reduction to minimize the potential impact of cyber attacks on both public safety and the economy. Mitigating information security risks will require a combination of leading edge security technology, accepted cyber security practices and policies, and timely information sharing throughout the sector.

The unified sector cooperation needed to address the current threat has many precedents in the chemical sector, and the sector has a long history of addressing important issues proactively. The sector has demonstrated commitment to issues-management and the ability to respond quickly, in a sector-wide cooperative manner, to effectively address key issues from Y2K to emergency response and standards for e-commerce transactions. The chemical sector is fortunate to draw upon the following established and proven programs and many others that provide the groundwork for improving today's security processes and establishing better safety practices for tomorrow.

- Responsible Care
- Be Aware and Be Secure Programs
- Chem eStandards
- TRANSCAER
- CHEMTREC

Additionally, the sector has a long history of working with the government to improve its knowledge and understanding of how chemicals interact with human health and the environment.
The chemical sector works closely with the Department of Homeland Security, Department of Defense, Federal Bureau of Investigation, Environmental Protection Agency, Department of Transportation, Federal Emergency Management Agency, Department of Energy, Coast Guard and many others to bring the federal government's security expertise together with industry innovation.

A1.2 Organizing the sector around cyber security

Given the chemical sector's history as a performance industry, the sector has set and consistently delivered against self-imposed goals and standards. The chemical sector has aligned itself through a network of trade associations around the world. These organizations enabled the sector to quickly deploy a similar proactive, coordinated approach for enhancing cyber security as it has taken on previous issues addressed by the sector. In this same spirit of cooperation, the sector aligned ten trade associations representing over 2,000 companies to address the issue of cyber security in As the Department of Homeland Security (DHS) organized its approach to working with the nation's various critical infrastructure sectors, the concept of creating sector coordinating councils was developed. In 2004, the chemical sector formed the Chemical Sector Coordinating Council to facilitate interactions with DHS.

The Chemical Sector Coordinating Council consists of various chemical industry trade associations who are committed to enhancing the physical and cyber security of our sector. DHS, other federal agencies and other critical infrastructure sectors recognize the Coordinating Council as a focal point for any activities relating to chemical sector security. Among the Coordinating Council's goals are helping the federal government understand the sector's security priorities, coordinating policy decisions with the government and representing the sector in discussions with other sectors and government agencies.

The Chemical Sector Coordinating Council encompasses a broader range of chemical sector companies within the combined membership of its 16 chemical industry trade associations than those that originally supported the Program. In light of that, our strategy moving forward is to leverage the Chemical Sector Coordinating Council as our channel to reach the multitude of chemical companies, small and large, represented within our sector. We will continue working with any trade associations who we worked with at the onset of our Program that are not currently members of the Chemical Sector Coordinating Council on an individual basis.

The following trade associations are members of the Chemical Sector Coordinating Council, as of March

- American Chemistry Council
- American Forest & Paper Association
- Chemical Producers and Distributors Association
- Chlorine Chemistry Council
- Compressed Gas Association
- CropLife America
- Institute of Makers of Explosives
- International Institute of Ammonia Refrigeration
- National Association of Chemical Distributors
- National Paint & Coatings Association
- National Petrochemical & Refiners Association
- Synthetic Organic Chemical Manufacturers Association
- The Adhesive and Sealant Council
- The Chlorine Institute
- The Fertilizer Institute
- The Society of the Plastics Industry, Inc.

A1.3 Implementation of the initial Chemical Sector Cyber Security Strategy

The initial Chemical Sector Cyber Security Strategy was reviewed, fully endorsed and delivered to the industry in June The Strategy was subsequently appended to the February 2003 National Strategy to Secure Cyberspace.
One of the primary objectives outlined in the 2002 Chemical Sector Cyber Security Strategy was the formation of a sector-wide program focused on cyber security risk management and reduction, a program that promotes the use of open, secure information and manufacturing systems to help protect communities and facilitate business operations. The Chemical Sector Cyber Security Program was established in September 2002 to implement the five strategic elements of the cyber security strategy across the chemical sector.

- Fostering involvement and commitment across the sector
- Maintaining a robust cyber security public affairs program
- Encouraging the adoption of established risk-based practices and guidance
- Strengthening the industry's information sharing network
- Encouraging the acceleration of improved security technology and solutions

To facilitate implementation of the Cyber Security Strategy, the Chemical Sector Cyber Security Program originally leveraged three proven sector initiatives.

A1.3.1 Advancing involvement and commitment across the sector and public policy

The Program leveraged industry trade associations to foster involvement and commitment throughout the sector, working extensively to engage their member companies and achieve industry-wide participation and adoption of cyber security guidance. One of the key learnings from the Program's work is that most trade associations focus on public advocacy and safety standards and regulations, with little or no attention given to information technology (IT) or manufacturing system issues. Because of this, there is no existing environment well suited for engaging our target audience: IT and manufacturing system executives and their respective cyber security leadership. This remains an ongoing challenge for advancing the mission of the Program, and will continue to be a major focus going forward.

The Program addressed the public policy element of our strategy by leveraging the government affairs staff at the trade associations to monitor legislative and regulatory activities. To date, relevant cyber security public policy issues have been addressed as part of overall chemical security issues, and have not required separate efforts. The Program will continue to leverage the trade associations to monitor public policy issues that impact chemical sector cyber security, and develop appropriate advocacy strategies as required.

A1.3.2 Advancing information sharing

The Chemical Sector Information Sharing and Analysis Center (ISAC) was created in 2001, and was later identified as the key organization to address the Information Sharing component of the Chemical Sector Cyber Security Strategy. The Chemical Sector ISAC provides an avenue for the exchange of cyber security-related information between companies in our sector and the DHS. However, the volume and quality of the information exchanged has been less than what was originally anticipated. In addition, the Chemical Sector Cyber Security Program has proven to be one of the most effective channels for sharing cyber security information across our sector.

In 2004, the Program conducted an Information Sharing Feasibility Study in cooperation with the Chemical Sector ISAC to explore current information sharing tools and determine how they could meet our sector needs. The tools identified enable chemical companies to respond to emerging threats, reduce the impact of cyber security incidents and be better positioned to maintain safe and secure operations. These tools include:

- Business Roundtable's CEO ComLink
- Chemical Sector ISAC
- Homeland Security Information Network (HSIN)
- United States Computer Emergency Readiness Team (US-CERT)
- Government Emergency Telecommunications Service (GETS)

The results of the feasibility study will help the Program continue to shape its future information sharing strategy.

A1.3.3 Advancing practices, standards and technology

The Chemical Industry Data Exchange (CIDX) is an independent trade association and standards body focused on realizing transactional efficiency throughout the global chemical industry supply chain. In January 2003, CIDX established the CIDX Cyber Security Initiative


More information

Industry role moving forward

Industry role moving forward Industry role moving forward Discussion with National Research Council, Workshop on the Resiliency of the Electric Power Delivery System in Response to Terrorism and Natural Disasters February 27-28, 2013

More information

21ST OSCE ECONOMIC AND ENVIRONMENTAL FORUM

21ST OSCE ECONOMIC AND ENVIRONMENTAL FORUM 21ST OSCE ECONOMIC AND ENVIRONMENTAL FORUM Increasing stability and security: Improving the environmental footprint of energy-related activities in the OSCE region CONCLUDING MEETING Prague, 11 13 September

More information

Why you should adopt the NIST Cybersecurity Framework

Why you should adopt the NIST Cybersecurity Framework Why you should adopt the NIST Cybersecurity Framework It s important to note that the Framework casts the discussion of cybersecurity in the vocabulary of risk management Stating it in terms Executive

More information

Brussels, 19 May 2011 COUNCIL THE EUROPEAN UNION 10299/11 TELECOM 71 DATAPROTECT 55 JAI 332 PROCIV 66. NOTE From : COREPER

Brussels, 19 May 2011 COUNCIL THE EUROPEAN UNION 10299/11 TELECOM 71 DATAPROTECT 55 JAI 332 PROCIV 66. NOTE From : COREPER COUNCIL OF THE EUROPEAN UNION Brussels, 19 May 2011 10299/11 TELECOM 71 DATAPROTECT 55 JAI 332 PROCIV 66 NOTE From : COREPER To: COUNCIL No Cion. prop.: 8548/11 TELECOM 40 DATAPROTECT 27 JAI 213 PROCIV38

More information

Chapter X Security Performance Metrics

Chapter X Security Performance Metrics Chapter X Security Performance Metrics Page 1 of 9 Chapter X Security Performance Metrics Background For the past two years, the State of Reliability report has included a chapter for security performance

More information

U.S. Japan Internet Economy Industry Forum Joint Statement October 2013 Keidanren The American Chamber of Commerce in Japan

U.S. Japan Internet Economy Industry Forum Joint Statement October 2013 Keidanren The American Chamber of Commerce in Japan U.S. Japan Internet Economy Industry Forum Joint Statement 2013 October 2013 Keidanren The American Chamber of Commerce in Japan In June 2013, the Abe Administration with the support of industry leaders

More information

Emergency Support Function #12 Energy Annex. ESF Coordinator: Support Agencies:

Emergency Support Function #12 Energy Annex. ESF Coordinator: Support Agencies: Emergency Support Function #12 Energy Annex ESF Coordinator: Department of Energy Primary Agency: Department of Energy Support Agencies: Department of Agriculture Department of Commerce Department of Defense

More information

Department of Homeland Security Updates

Department of Homeland Security Updates American Association of State Highway and Transportation Officials Special Committee on Transportation Security and Emergency Management 2016 Critical Infrastructure Committee Joint Annual Meeting Department

More information

HPH SCC CYBERSECURITY WORKING GROUP

HPH SCC CYBERSECURITY WORKING GROUP HPH SCC A PRIMER 1 What Is It? The cross sector coordinating body representing one of 16 critical infrastructure sectors identified in Presidential Executive Order (PPD 21) A trust community partnership

More information

Actions to Improve Chemical Facility Safety and Security A Shared Commitment Report of the Federal Working Group on Executive Order 13650

Actions to Improve Chemical Facility Safety and Security A Shared Commitment Report of the Federal Working Group on Executive Order 13650 Actions to Improve Chemical Facility Safety and Security A Shared Commitment Report of the Federal Working Group on Executive Order 13650 President Obama issued Executive Order (EO) 13650 - Improving Chemical

More information

The CEO Water Mandate:

The CEO Water Mandate: The CEO Water Mandate: 1) Managing Water in the Supply Chain 2) Transparency Stockholm, 21-22 August 2008 1 UN and Business: A Strengthening Partnership Business United Nations Growth & Returns Good Governance

More information

Defense Security Service. Strategic Plan Addendum, April Our Agency, Our Mission, Our Responsibility

Defense Security Service. Strategic Plan Addendum, April Our Agency, Our Mission, Our Responsibility Strategic Plan 2020 Addendum, April 2017 Our Agency, Our Mission, Our Responsibility [2] DSS Strategic Plan Addendum 2020 Addendum The DSS Strategic Plan 2020 is designed to support the agency s continuous

More information

Special Action Plan on Countermeasures to Cyber-terrorism of Critical Infrastructure (Provisional Translation)

Special Action Plan on Countermeasures to Cyber-terrorism of Critical Infrastructure (Provisional Translation) Special Action Plan on Countermeasures to Cyber-terrorism of Critical Infrastructure (Provisional Translation) December 15, 2000 1. Goals of the Special Action Plan The goal of this action plan is to protect

More information

Technical Conference on Critical Infrastructure Protection Supply Chain Risk Management

Technical Conference on Critical Infrastructure Protection Supply Chain Risk Management Technical Conference on Critical Infrastructure Protection Supply Chain Risk Management Remarks of Marcus Sachs, Senior Vice President and the Chief Security Officer North American Electric Reliability

More information

RESOLUTION 47 (Rev. Buenos Aires, 2017)

RESOLUTION 47 (Rev. Buenos Aires, 2017) Res. 47 425 RESOLUTION 47 (Rev. Buenos Aires, 2017) Enhancement of knowledge and effective application of ITU Recommendations in developing countries 1, including conformance and interoperability testing

More information

PD 7: Homeland Security Presidential Directive 7: Critical Infrastructure Identification, Prioritization, and Protection

PD 7: Homeland Security Presidential Directive 7: Critical Infrastructure Identification, Prioritization, and Protection PD 7: Homeland Security Presidential Directive 7: Critical Infrastructure Identification, Prioritization, and Protection December 17, 2003 SUBJECT: Critical Infrastructure Identification, Prioritization,

More information

Testimony. Christopher Krebs Director Cybersecurity and Infrastructure Security Agency U.S. Department of Homeland Security FOR A HEARING ON

Testimony. Christopher Krebs Director Cybersecurity and Infrastructure Security Agency U.S. Department of Homeland Security FOR A HEARING ON Testimony Christopher Krebs Director Cybersecurity and Infrastructure Security Agency U.S. Department of Homeland Security FOR A HEARING ON Defending Our Democracy: Building Partnerships to Protect America

More information

Security Director - VisionFund International

Security Director - VisionFund International Security Director - VisionFund International Location: [Europe & the Middle East] [United Kingdom] Category: Security Job Type: Open-ended, Full-time *Preferred location: United Kingdom/Eastern Time Zone

More information

National Strategy for CBRNE Standards

National Strategy for CBRNE Standards National Strategy for CBRNE Standards Franca R. Jones Assistant Director Chemical and Biological Countermeasures National Security and International Affairs Office of Science and Technology Policy 11 September

More information

Cybersecurity in Asia-Pacific State of play, key issues for trade and e-commerce

Cybersecurity in Asia-Pacific State of play, key issues for trade and e-commerce Cybersecurity in Asia-Pacific State of play, key issues for trade and e-commerce 5-8 September 2017 Yogyakarta, Indonesia Sameer Sharma Senior Advisor ITU Digital Infrastructure for Connectivity SDGs Evolution

More information

BUSINESS CONTINUITY MANAGEMENT PROGRAM OVERVIEW

BUSINESS CONTINUITY MANAGEMENT PROGRAM OVERVIEW BUSINESS CONTINUITY MANAGEMENT PROGRAM OVERVIEW EXECUTIVE SUMMARY CenturyLink is committed to ensuring business resiliency and survivability during an incident or business disruption. Our Corporate Business

More information

EISAS Enhanced Roadmap 2012

EISAS Enhanced Roadmap 2012 [Deliverable November 2012] I About ENISA The European Network and Information Security Agency (ENISA) is a centre of network and information security expertise for the EU, its Member States, the private

More information

Texas Reliability Entity, Inc. Strategic Plan for 2017 TEXAS RE STRATEGIC PLAN FOR 2017 PAGE 1 OF 13

Texas Reliability Entity, Inc. Strategic Plan for 2017 TEXAS RE STRATEGIC PLAN FOR 2017 PAGE 1 OF 13 Texas Reliability Entity, Inc. Strategic Plan for 2017 TEXAS RE STRATEGIC PLAN FOR 2017 PAGE 1 OF 13 I. Vision A highly reliable and secure bulk power system in the Electric Reliability Council of Texas

More information

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO White Paper Incentives for IoT Security May 2018 Author: Dr. Cédric LEVY-BENCHETON, CEO Table of Content Defining the IoT 5 Insecurity by design... 5 But why are IoT systems so vulnerable?... 5 Integrating

More information

Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure Executive Order 13800 Update July 2017 In Brief On May 11, 2017, President Trump issued Executive Order 13800, Strengthening

More information

NATIONAL STRATEGY FOR GLOBAL SUPPLY CHAIN SECURITY

NATIONAL STRATEGY FOR GLOBAL SUPPLY CHAIN SECURITY NATIONAL STRATEGY FOR GLOBAL SUPPLY CHAIN SECURITY JANUARY 2012 THE WHITE HOUSE WASHINGTON January 23, 2012 The United States and nations around the world depend upon the efficient and secure transit

More information

ICS-CERT Year in Review. Industrial Control Systems Cyber Emergency Response Team

ICS-CERT Year in Review. Industrial Control Systems Cyber Emergency Response Team ICS-CERT Year in Review Industrial Control Systems Cyber Emergency Response Team 2012 What s Inside Welcome 1 Organization 3 Outreach 4 Industrial Control Systems Joint Working Group 5 Advanced Analytical

More information

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE By the authority vested in me as President by the Constitution and the laws of the United States of America, it is hereby

More information

Critical Infrastructure

Critical Infrastructure Critical Infrastructure 1 Critical Infrastructure Can be defined as any facility, system, or function which provides the foundation for national security, governance, economic vitality, reputation, and

More information

Implementing Executive Order and Presidential Policy Directive 21

Implementing Executive Order and Presidential Policy Directive 21 March 26, 2013 Implementing Executive Order 13636 and Presidential Policy Directive 21 Mike Smith, Senior Cyber Policy Advisor, Office of Electricity Delivery and Energy Reliability, Department of Energy

More information

SOLUTION BRIEF Virtual CISO

SOLUTION BRIEF Virtual CISO SOLUTION BRIEF Virtual CISO programs that prepare you for tomorrow s threats today Organizations often find themselves in a vise between ever-evolving cyber threats and regulatory requirements that tighten

More information

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT RSA ARCHER IT & SECURITY RISK MANAGEMENT INTRODUCTION Organizations battle growing security challenges by building layer upon layer of defenses: firewalls, antivirus, intrusion prevention systems, intrusion

More information

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS Continual disclosed and reported

More information

ENISA s Position on the NIS Directive

ENISA s Position on the NIS Directive ENISA s Position on the NIS Directive 1 Introduction This note briefly summarises ENISA s position on the NIS Directive. It provides the background to the Directive, explains its significance, provides

More information

Critical Infrastructure Resilience

Critical Infrastructure Resilience Critical Infrastructure Resilience Climate Resilience Webinar Series U.S. Department of Housing and Urban Development Disclaimer This presentation is intended to provide communities and states with the

More information

Updates to the NIST Cybersecurity Framework

Updates to the NIST Cybersecurity Framework Updates to the NIST Cybersecurity Framework NIST Cybersecurity Framework Overview and Other Documentation October 2016 Agenda: Overview of NIST Cybersecurity Framework Updates to the NIST Cybersecurity

More information

The Mission of the Abu Dhabi Smart Solutions and Services Authority. Leading ADSSSA. By Michael J. Keegan

The Mission of the Abu Dhabi Smart Solutions and Services Authority. Leading ADSSSA. By Michael J. Keegan Perspective on Digital Transformation in Government with Her Excellency Dr. Rauda Al Saadi, Director General, Abu Dhabi Smart Solutions and Services Authority By Michael J. Keegan Today s digital economy

More information

CONCLUSIONS AND RECOMMENDATIONS

CONCLUSIONS AND RECOMMENDATIONS Chapter 4 CONCLUSIONS AND RECOMMENDATIONS UNDP and the Special Unit have considerable experience in South-South cooperation and are well positioned to play a more active and effective role in supporting

More information

Solutions Technology, Inc. (STI) Corporate Capability Brief

Solutions Technology, Inc. (STI) Corporate Capability Brief Solutions Technology, Inc. (STI) Corporate Capability Brief STI CORPORATE OVERVIEW Located in the metropolitan area of Washington, District of Columbia (D.C.), Solutions Technology Inc. (STI), women owned

More information

Electricity Sub-Sector Coordinating Council Charter FINAL DISCUSSION DRAFT 7/9/2013

Electricity Sub-Sector Coordinating Council Charter FINAL DISCUSSION DRAFT 7/9/2013 Electricity Sub-Sector Coordinating Council Charter FINAL DISCUSSION DRAFT 7/9/2013 Purpose and Scope The purpose of the Electricity Sub-Sector Coordinating Council (ESCC) is to facilitate and support

More information

Boston Chapter AGA 2018 Regional Professional Development Conference Cyber Security MAY 2018

Boston Chapter AGA 2018 Regional Professional Development Conference Cyber Security MAY 2018 Boston Chapter AGA 2018 Regional Professional Development Conference Cyber Security BRANDEIS UNIVERSITY PROFESSOR ERICH SCHUMANN MAY 2018 1 Chinese military strategist Sun Tzu: Benchmark If you know your

More information

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services Enhancing infrastructure cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services European Union Agency for Network and Information Security Securing Europe s Information society 2

More information

POSITION DESCRIPTION

POSITION DESCRIPTION Network Security Consultant POSITION DESCRIPTION Unit/Branch, Directorate: Location: Regulatory Unit Information Assurance and Cyber Security Directorate Auckland Salary range: I $90,366 - $135,548 Purpose

More information

Appendix 3 Disaster Recovery Plan

Appendix 3 Disaster Recovery Plan Appendix 3 Disaster Recovery Plan DRAFT March 5, 2007 Revision XX Qwest Government Services, Inc. 4250 North Fairfax Drive Arlington, VA 22203 A3-i RFP: TQC-JTB-05-0002 March 5, 2007 REVISION HISTORY Revision

More information

2014 Sector-Specific Plan Guidance. Guide for Developing a Sector-Specific Plan under NIPP 2013 August 2014

2014 Sector-Specific Plan Guidance. Guide for Developing a Sector-Specific Plan under NIPP 2013 August 2014 2014 -Specific Plan Guidance Guide for Developing a -Specific Plan under NIPP 2013 August 2014 How to Use this Guidance This page provides a roadmap to assist critical infrastructure partners in navigating

More information

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

Enhancing the Cybersecurity of Federal Information and Assets through CSIP TECH BRIEF How BeyondTrust Helps Government Agencies Address Privileged Access Management to Improve Security Contents Introduction... 2 Achieving CSIP Objectives... 2 Steps to improve protection... 3

More information

Data Governance Central to Data Management Success

Data Governance Central to Data Management Success Data Governance Central to Data Success International Anne Marie Smith, Ph.D. DAMA International DMBOK Editorial Review Board Primary Contributor EWSolutions, Inc Principal Consultant and Director of Education

More information

AAPA Smart Ports. Cyber Management for Ports Panel. Small Port Cyber Security Workshops. March 6, 2018

AAPA Smart Ports. Cyber Management for Ports Panel. Small Port Cyber Security Workshops. March 6, 2018 AAPA Smart Ports Cyber Management for Ports Panel Small Port Cyber Security Workshops March 6, 2018 1200 New Jersey Ave., SE Washington DC 20590 w w w. d o t. g o v Port Infrastructure Development More

More information

MITIGATE CYBER ATTACK RISK

MITIGATE CYBER ATTACK RISK SOLUTION BRIEF MITIGATE CYBER ATTACK RISK CONNECTING SECURITY, RISK MANAGEMENT & BUSINESS TEAMS TO MINIMIZE THE WIDESPREAD IMPACT OF A CYBER ATTACK DIGITAL TRANSFORMATION CREATES NEW RISKS As organizations

More information

New Zealand Government IBM Infrastructure as a Service

New Zealand Government IBM Infrastructure as a Service New Zealand Government IBM Infrastructure as a Service A world class agile cloud infrastructure designed to provide quick access to a security-rich, enterprise-class virtual server environment. 2 New Zealand

More information

S&T Stakeholders Conference

S&T Stakeholders Conference S&T Stakeholders Conference Risk-Informed Requirements Process Col. Merrick Krause, USAF (Ret.) Director Infrastructure Analysis & Strategy Division U.S. Department of Homeland Security June 2-5, 2008

More information

J.Enhancing energy security and improving access to energy services through development of public-private renewable energy partnerships

J.Enhancing energy security and improving access to energy services through development of public-private renewable energy partnerships J.Enhancing energy security and improving access to energy services through development of public-private renewable energy partnerships Background ESCAP, jointly with the ECLAC, the ECA, the ECE, and the

More information

UNCLASSIFIED. National and Cyber Security Branch. Presentation for Gridseccon. Quebec City, October 18-21

UNCLASSIFIED. National and Cyber Security Branch. Presentation for Gridseccon. Quebec City, October 18-21 National and Cyber Security Branch Presentation for Gridseccon Quebec City, October 18-21 1 Public Safety Canada Departmental Structure 2 National and Cyber Security Branch National and Cyber Security

More information

Bundling Arrows: Making a Business Case for Adopting an Incident Command System (ICS) 2012 The Flynt Group, Inc.; All Rights Reserved. FlyntGroup.

Bundling Arrows: Making a Business Case for Adopting an Incident Command System (ICS) 2012 The Flynt Group, Inc.; All Rights Reserved. FlyntGroup. Bundling Arrows: Making a Business Case for Adopting an Incident Command System (ICS) 2012 The Flynt Group, Inc.; All Rights Reserved FlyntGroup.com Flynt Group White Paper Bundling Arrows: Making a Business

More information

STRATEGIC PLAN. USF Emergency Management

STRATEGIC PLAN. USF Emergency Management 2016-2020 STRATEGIC PLAN USF Emergency Management This page intentionally left blank. Organization Overview The Department of Emergency Management (EM) is a USF System-wide function based out of the Tampa

More information

Cybersecurity Risk Management:

Cybersecurity Risk Management: Cybersecurity Risk Management: Building a Culture of Responsibility G7 ICT and Industry Multistakeholder Conference September 25 2017 Adam Sedgewick asedgewick@doc.gov Cybersecurity in the Department of

More information

The challenges of the NIS directive from the viewpoint of the Vienna Hospital Association

The challenges of the NIS directive from the viewpoint of the Vienna Hospital Association The challenges of the NIS directive from the viewpoint of the Vienna Hospital Association page 1 Cybersecurity Strategy Essential Points The norms, principles and values that the City of Vienna and the

More information

COMESA CYBER SECURITY PROGRAM KHARTOUM, SUDAN

COMESA CYBER SECURITY PROGRAM KHARTOUM, SUDAN COMESA CYBER SECURITY PROGRAM KHARTOUM, SUDAN 24-27 July 2016 1 CONTENT INTRODUCTION POLICY OBJECTIVES POLICY AND LEGISLATIVE PRINCIPLES CYBER SECURITY STRATEGY CHALLENGES AND OPPORTUNITIES CAPACITY BUILDING

More information