Wednesday, December 22, 2021

Review - ChemLock – Secure Your Chemicals – Cyber

NOTE: On November 18th, 2021, CISA announced their new voluntary chemical security program, ChemLock. This post is part of a deep dive into that program. Earlier posts in this series include:

CISA Announces ChemLock – Voluntary Chemical Facility Security (short version)

ChemLock and the Chemical Security Summit

ChemLock – On-Site Assessments and Assistance (short version)

ChemLock – Secure Your Chemicals – Overview (short version)

ChemLock – Secure Your Chemicals – Detect (short version)

ChemLock – Secure Your Chemicals – Delay (short version)

As is increasingly becoming obvious to organizations across the country, cyber assets are increasingly becoming a prime target for attacks on industrial organizations, including chemical facilities. Terrorists could leverage cyberattacks to cause chemical releases or to divert precursor chemicals to allow for the construction of chemical weapons or improvised explosives. With that in mind, Chapter 6 of the Secure Your Chemicals manual provides an overview of cybersecurity actions that can be taken by chemical facilities.

Cybersecurity Definition

The introduction to the chapter provides a very good, operational definition of cybersecurity:

“Cybersecurity is the capability to protect critical information, business, and control systems against damage, unauthorized on-site or remote access, modification, or exploitation.”

A key word in that definition is ‘critical’. While every piece of electronic equipment in the facility deserves protection, facility security managers are going to have to prioritize their activities to protect critical systems. Those could include systems that:

Monitor and/or control physical processes that contain a chemical.

Manage physical processes that contain a chemical which could be used to cause disruption or even destruction to the process and surrounding environment.

Contain business or personal information that, if exploited, could result in the theft, diversion, or sabotage of a chemical.

Missing Discussion

One critical cybersecurity area not addressed in this manual is the intersection of cybersecurity and process safety. Facilities that use industrial control system to control the handling, manufacturing and use of hazardous materials need to ensure that a key component of their cybersecurity response plan addresses the safe shutdown of chemical processes. Additionally, facilities must ensure that chemical process safety controls that rely on automated control systems have analog safety measures or manual controls in place to ensure an adequate response to safety incidents in the event of a loss of control systems due to a cyberattack.

And, as I mentioned in the previous posts in this series, the discussions in this section fall far short of providing facility security officers with all of the knowledge necessary to cyersecurity features in their facility security plans. It provides an overview of considerations to help FSO’s ask the right questions of CSI, vendors and integrators. This chapter does, however, point to CISA’s Cyber Essentials webpage for additional assistance on the topic.

For more details about the Cyber Chapter, see my article at CFSN Detailed Analysis - - subscription required.

No comments:

/* Use this with templates/template-twocol.html */