• About CSIA
  • Mission Statement
  • Committees
  • CSIA Team
  • CSIA Offices
• Board Members
• Events
  • CSIA Events
  • Industry / Gov't Events
  • Member Events
• Member Directory
• Newsletters
  • Current Issue
  • Archive
  • Sign Up
• Testimonials
• Join CSIA

Chemical Plant Security: Get the Facts

How vital is the seamless operation of the chemical sector to the overall U.S. economy?

America's chemical sector is an essential part of the nation's critical infrastructure. The production of medicine, plastics, electronics, and drinking water rely on the chemicals manufactured, processed and stored at facilities, processing plants and storage tanks, as well as transported throughout the United States. Our economic vitality, national security, and way of life depend on the production and dissemination of these chemicals and chemical bi-products. Considering the nation's dependence on chemicals, it is important to address the potential threats facing the chemical sector such as physical attacks on a plant, and the increasing concern of a cyber attack.

Why is cyber security important to the chemical sector?

Physical threats aside, the chemical sector - and much of the nation's critical infrastructure - functions on control systems, which are electronic, software-based systems that monitor and control the functions and processes of the plants. Establishing and implementing minimum cyber security standards in order to protect our chemical plants from system failures, intrusions or terrorist attacks is crucial to the viability of our overall critical infrastructure.

Are there federal laws that address these cyber threats?

Both the chemical industry and the federal government have considered these threats and continue to take steps to address them. Federal laws established in the 1980s and early 1990s such as the Emergency Response and Community Right-to-Know Act (EPCRA) and the Clean Air Act (CAA) require chemical plant facilities to address potential risks to the general public, primarily as they relate to the release of hazardous chemicals into the environment. In 1997, the President's Commission on Critical Infrastructure Protection recognized the possibility of cyber attacks on our critical infrastructure, and following the attacks on September 11, the President's National Strategy to Secure Cyberspace outlined the Department of Homeland Security's (DHS) role to coordinate with other government agencies and industry to improve cyber security, including critical infrastructure and control systems.

What has the chemical sector done to mitigate these threats?

Over the past five years, the chemical sector has invested almost $3 billion on facility security enhancements, including intrusion prevention/detection and perimeter protection, screening employees and improving cyber security. The American Chemistry Council (ACC), which represents the leading companies engaged in the business of chemistry, has developed and adopted the mandatory Responsible Care® Security Code, a comprehensive, multi-layered security program developed by safety and security experts, which addresses site, transportation, and cyber security. One of the Code's 13 management practices focuses solely on information and cyber security. It requires the ACC companies to incorporate the following:

• Application of security practices to cyber as well as physical assets 
•  Appropriate attention to systems that support e-commerce, business management, telecommunications, and process controls 
•  Additional intrusion detection and access controls for voice and data networks 
•  Verification of information security practices applied by digitally-connected business partners 
•  New controls on access to digital process control systems at facilities

Within a majority of the remaining 12 management practices, there are suggested enhancements for cyber security controls, particularly within the areas of:

• Threat and vulnerability analyses and consequences 
• Response to security threats
• Response to security incidences 
• Management of change, as new process equipment or computer software or hardware is installed

According to the ACC, their members have completed vulnerability assessments, and developed and implemented security plans.

Where programs such as the Code take steps to enhance cyber security at chemical plants, not all plants within the chemical sector are members of the ACC, and therefore, may not adhere to ACC programs and security measures. Continued federal government involvement through public-private partnerships with the sector will help ensure that all facilities institute uniform, aggressive and appropriate security protections. As a critical infrastructure, chemical plant security is a national security issue; compliance with minimum security standards across the industry is necessary.

Is there new chemical security legislation?

Prior to legislation recently enacted, the chemical sector voluntarily implemented security enhancements. The 109th Congress passed chemical plant security legislation requiring that "high risk" chemical facilities implement security measures.

On October 4, 2006, President Bush signed into law a new chemical plant security bill contained within HR 5441, the Department of Homeland Security Appropriations Bill. While there is no specific provision addressing cyber security measures, this law authorizes the Department to regulate security in general at chemical facilities by establishing risk-based performance standards for the security of chemical facilities, and requiring vulnerability assessments and the development and implementation of site security plans for chemical facilities.

When will DHS address cyber security for chemical plants?

The Department of Homeland Security will issue new regulations in 2007, adding a cyber security component to existing sector regulations. According to Assistant Secretary for Infrastructure Protection Bob Stephan, "There will be cyber security-focused standards companies will have to adhere to, based on the level of risk."

This new law and its implementing regulations will apply to chemical facilities that present high levels of security risk. Each "high-risk" facility will need to select layered security measures based on the results of a vulnerability assessment and adhere to risk-based performance security standards. High-risk facilities may employ adequate alternative security programs established by private sector entities, Federal, State, or local authorities. The Secretary of Homeland Security will also review and approve each vulnerability assessment and site security plan. Under the new law, ACC's Responsible Care Security Code - including the cyber security provisions - could be approved as an alternative security program.

Chemical facilities will be audited and inspected by DHS to determine compliance with the law; civil penalties will be assessed for anyone in violation of any orders issued. If a facility is not in compliance with the established regulations, the Secretary of DHS will notify the owner or operator, outlining the deficiencies in the vulnerability assessment and site security plan, and setting a deadline by which to be in compliance. If there is continued noncompliance, the Secretary will have the authority to levy fines and/or shut down the facility until it is in compliance.

What is CSIA's position on the cyber security issues that the chemical sector is facing?

CSIA believes that stronger cyber protection is needed to secure the chemical sector and that closer cooperation is needed between the private sector and agencies responsible for certifying information security products purchased by the federal government. While some progress has been made, much work remains to properly secure the chemical sector's critical infrastructure. CSIA urges President Bush to form a task force of key government agencies, appropriate regulators, experts in the cyber security field and representatives from not only the chemical sector, but also other utilities and suppliers, to meet and recommend concrete actions to improve the security of control systems supporting critical infrastructure.