Christine Adams is a principal consultant for Catalyst35 and has 37 years of experience in information technology. She is speaking this week at the American Chemistry Council’s ChemSecure Conference & Expo in New Orleans. SmartBrief interviewed her about the state of cybersecurity. Here is an edited version of the conversation:
How do you define cybersecurity, and why should industry leaders make it a priority?
I define cybersecurity as the comprehensive program to secure computer systems critical to efficient business operations. These include corporate e-mail and communications systems, enterprise information systems, industrial control systems, as well as networks that provide systems connectivity. Industry leaders should make cybersecurity a priority because potential consequences of a system breach include the loss of intellectual property, compromised data integrity, impact to a company’s reputation, reduction or loss of production at a manufacturing facility, injury or loss of life, damage to equipment, or the release, diversion or theft of hazardous materials.
Could a Stuxnet worm scenario affect U.S. industries the way it did with Iran’s Bushehr nuclear plant?
Absolutely. Stuxnet is beautifully constructed, highly complex malware code, using a combination of known cyberattack techniques and written to specifically target mission-critical control systems running a specific combination of software and hardware. Malware being written today is portable, hides its presence so that the operator and system do not suspect malicious activity and then begins acting on the system it is designed to attack.
What steps are the chemicals industry taking to address cybersecurity concerns?
The [ACC] has provided sector leadership on cybersecurity since 2002. ACC members developed cybersecurity guidance for inclusion in the Responsible Care Security Code; this guidance was provided to [the Department of Homeland Security] to inform [Chemical Facility Anti-Terrorism Standards] regulation. … ACC members have formed a trusted community in which they openly share information on cybersecurity vulnerabilities and attacks. ACC has participated in two DHS-sponsored, national-level cybersecurity exercises. In 2009, in partnership with [DHS], ACC members participated in the development of the Roadmap to Secure Control Systems in the Chemical Sector, a 10-year strategy to advance security of industrial control systems in the chemical industry. Implementation of the road map is under way, and ACC is providing the leadership on this initiative.
How does the chemicals industry compare with other industries at the moment?
Of the 18 critical infrastructure sectors, I would place the chemical sector in the top third. Highly regulated sectors such as the financial sector and nuclear sector have done extensive work in this area. … Because of efforts of the ACC, the chemical sector ranks among the better-organized and focused sectors on cybersecurity. … The ultimate responsibility for securing the cyber-environment lies with the owner and operator. The most effective company approach seems to be when cybersecurity is addressed through cross-functional involvement between professionals from the information technology, engineering, process safety, manufacturing and supply-chain communities. The chemical industry’s cybersecurity posture will continue to improve as individual companies improve their cybersecurity programs.