White House Announces Public-Private Cybersecurity Partnership With The Chemical Industry

The White House released a statement announcing that the government is extending its public-private cybersecurity partnership to the chemical industry:

The majority of chemical companies are privately owned, so we need a collaborative approach between the private sector and government. The nation’s leading chemical companies and the government’s lead agency for the chemical sector – the Cybersecurity and Infrastructure Agency (CISA) – have agreed on a plan to promote a higher standard of cybersecurity across the sector, including capabilities that enable visibility and threat detection for industrial control systems.

The Chemical Action Plan will serve as a roadmap to guide the sector’s assessment of their current cybersecurity practices over the next 100 days, building on the lessons learned and best practices of the previously launched action plans for the electric, pipeline, and water sectors to meet the needs for this sector. 

I secured a pair of comments on this statement from leading industry experts.

Jerry Caponera, General Manager, Cyber Risk at ThreatConnect:

There are a couple of things that worry me concerning the chemical sector. The first is that the chemical sector produces items that we may not necessarily think about but can’t survive without in modern society. Imagine a world without plastics to store our food or chemicals to make electronics.

The second is the real risk. We saw three ransomware attacks in 2019, including 2 in the US (a bigger one was Norsk Hydro). They mitigated the impact because the hit was on IT, not OT systems. But it could have been worse.

Third, there’s a massive risk with the materials in question. Chemicals produce much of what we need, but a chemical material in raw form can be dangerous. A cyber attack on a chemical system where the IT and OT systems are linked could cause a consequential loss of life. 

I’m glad the chemical industry is high on the list of sectors to watch. The ransomware attack on the colonial pipeline caused a minor blip in the supply of gas. Suppose a significant ransomware attack on chemical plants would destroy plastic packaging. That would be devastating. 

Padraic O’Reilly, Co-Founder and Chief Product Officer, CyberSaint Security

The biggest issue is that almost all infrastructure is privately held. Analogous to the pipeline: large cyber-to-physical systems with extensive OT. Complex segregation issues and legacy protocols and infrastructure. Malicious attacks and control of SCADA systems and PLCs are real vulnerabilities. Internet-connected devices and cloud migration are an issue, too. On the upside, the chemical sector has been under CFATS through DHS for over a decade. That will oil the gears. Likely that sophisticated monitoring and detection lag behind the most mature industries. Likely, too, that cyber risk management needs to be done at the executive level to ensure proper resourcing.

This can only be good for the security of the sector. Hopefully this idea spreads to other sectors as that will make us all safer.

UPDATE: I have a third comment from Wade Ellery, Field Chief Technology Officer, Radiant Logic:

     “These developments show the steady course our country is moving in to protect our most vulnerable assets, which have huge implications on the lives of our citizens. A comprehensive cybersecurity plan is the first step in tackling the immediate threat of cyber attacks. An identity-first security foundation–in which information sharing can cohesively exist throughout the different operations within the United States and our allies–must be a key component of that plan. In order for that to happen, identity security must be taken as the first line of defense for our most valued resources.”

Leave a Reply

%d bloggers like this: