October is not just about trick or treat – it’s also about protecting bits and bytes. This month marks Cybersecurity Awareness Month, which was created to make folks more aware of the potential cyber threats they are exposed to every day and to take appropriate precautions against cyberattacks.
With that in mind, we asked ACC’s subject matter resource on cybersecurity, Bill Gulledge, to answer several questions to get his take on the threats facing the chemical industry. Mr. Gulledge manages ACC’s Chemical Information Technology Center (ChemITC), which among other things helps provide chemical companies with in-depth analysis of global cybersecurity trends.
Why is cybersecurity so important for ACC?
Cutting-edge technology and innovation are two mainstays for our industry. Chemical companies use information and operations technology to help manage the complex process for developing, manufacturing, and delivering their products. Our industry also generates valuable intellectual property related to new chemistries, processes and customer databases. All of these can be attractive and valuable targets that may need to be protected from cyberattacks.
What are the biggest cyber vulnerabilities for the chemical industry?
Computer-based automated Industrial Control Systems (ICS) are widely used by chemical companies to manage and operate their facilities. While the ICS technology is normally separated from internet access by non-approved users, cyber hacking into a chemical facility by other means still poses a challenge for our industry. For example, we have seen the frequency of ransomware cyberattacks dramatically increase over the past few years.
How often is the chemical industry targeted by cyber-attacks?
The enterprise Information Technology (IT) and ICS computer systems of many chemical producers are probed by attackers daily. However, chemical producers typically institute cyber detection and protection programs for both IT and ICS technologies to guard against these attacks. To date, very few significant cyberattacks against chemical producers have been successful. Of course, companies cannot rest on past success since these attacks continue to evolve. Our members must constantly be on their toes and be prepared to address new threats.
How do ACC members identify and address new and ever-changing cyber-threats?
Chemical companies have made significant investments to put internal and external based cyber detection, protection, and response programs in place. These internal programs are frequently supplemented by specialized cyber vendors who continuously track the latest cyber threats and attack strategies. Additionally, ACC maintains a Cyber Security Information Sharing Group through its ChemITC. ACC also collaborates on cyber threat information through its membership in the National Council of Information Sharing and Analysis Centers, a cross-sector information exchange organization representing 25 industrial and public sectors.
What are some programs that have been particularly effective in helping chemical companies address cybersecurity?
Many organizations have implemented the National Institute of Standards and Technology (NIST) cybersecurity framework as the basis for creating a cyber risk management program. NIST also has a specific cyber framework for industrial control systems, which has been helpful to our members. In addition to the tools provided by NIST, our members utilize ACC’s Responsible Care® Security Code, which requires companies to assess cybersecurity vulnerabilities, implement security measures to address them, and provide appropriate training and guidance to employees on current and emerging cyber-related threats.
Do you think the federal government is doing enough to protect critical infrastructure like the chemical industry from cyberattacks?
In addition to ACC’s Security Code, guidance and resources available from the Cybersecurity and Infrastructure Security Agency (CISA), NIST, and other federal agencies are effectively helping companies to identify and manage cyber risks. Our industry has also made great progress working with the Department of Homeland Security through the Chemical Facility Anti-Terrorism Standards, which contains requirements specific to cybersecurity.
Looking ahead, Congress appears likely to approve legislation to strengthen CISA’s existing outreach programs and resources and enhance the reporting and information exchange for significant cyberattacks. ACC joined with several other industry groups to send a letter to the Senate outlining key recommendations to help lawmakers create a successful cyber incident reporting program.
To learn more about cybersecurity and the chemical industry, please visit our policy page.