ChemITC
The Chemical Sector Cyber Security Program offers companies a suite of guidance and tools to assess and enhance the cyber security performance of their business and manufacturing control systems.
Cyber Security in Emerging Geographies (PDF)
Executive Summary - Cyber Security in Emerging Geographies (PDF)
Release Date: September 2009
As global chemical companies expand into regions outside the United States and Western Europe, there is a growing need to understand the evolving cyber security issues in these emerging world areas. This document helps illustrate why companies should want to maintain a keen emphasis on cyber security when expanding business operations into emerging geographies. It outlines six key cyber security issues – intellectual asset protection, U.S. export compliance, data privacy, the corruption index, cryptography and the regulatory law and judicial environment – for companies to pay particular attention to, as well as key themes and the impact that different business environments can have when addressing cyber security risks. The research focused on cyber security in Asia, Eastern Europe, South America and the Middle East.
Information Security Checklists for Mergers and Acquisitions, Joint Ventures and Divestitures (PDF)
Release Date: July 2009
Members of the Chemical Sector Cyber Security Program have consistently cited information technology (IT) security issues related to mergers and acquisitions (M&As), joint ventures (JVs) and divestitures as top priorities, especially as companies reorganize portfolios and align their business accordingly in response to current economic challenges. This document outlines common IT security considerations for each of these types of business transactions in a checklist format, which includes potential IT security activities for consideration and company-specific tailoring prior to the close, at the close and after the close of the transaction. A list of IT security services and capabilities for consideration in the execution of each is also included.
The Protection of Intellectual Property (PDF)
Executive Summary - The Protection of Intellectual Property (PDF)
Release Date: January 2009
For many companies, intellectual property (IP) is an essential component of their competitive advantage in the marketplace. The growing trend of workforce mobility coupled with the deterioration of the corporate network perimeter makes it more important than ever for companies to ensure that their IP is protected against misuse. This document describes practices associated with establishing an intellectual property protection policy, including the definition, implementation and ongoing management of the policy and its associated training and awareness program. It also introduces potential technology solutions for the protection of IP from information leakage risks, providing a review of relevant evaluation criteria and implementation considerations.
Data Privacy in the European Union (PDF)
Executive Summary - Data Privacy in the European Union (PDF)
Release Date: December 2008
Solid data privacy practices are critical to a chemical company, not only from a compliance standpoint, but also because they help preserve the integrity of relationships the organization has with various stakeholders, such as employees, customers and vendors. With global operations becoming increasingly common and data transfers subject to multiple jurisdictional requirements, this is particularly important for companies in the chemical industry. Data Privacy in the European Union is designed to help chemical company information security professionals better understand the EU Directive on Data Protection, as well as other global data protection principles and global models of data transfer.
Implementing a Cyber Security Management System (PDF)
Release Date: March 2008
A companion to the complete Guidance for Addressing Cyber Security in the Chemical Sector, Implementing a Cyber Security Management System is designed to provide a quick reference for chemical companies interested in understanding possible elements of a cyber security management system. This guidance document provides an explanation of the Plan, Do, Check, Act continuous improvement cycle and an overview of 19 general elements chemical companies may consider as they work to enhance the cyber security performance of their business and manufacturing control systems. The information described is an overall management system framework that chemical companies – large, medium and small – can tailor to address their own specific needs.
HSIN-CS: Applicability and Usefulness in the Chemical Sector (PDF)
Release Date: January 2008
The Homeland Security Information Network – Critical Sectors (HSIN-CS) is a Department of Homeland Security (DHS)-funded platform designed to help enhance the protection and performance of the nation’s critical infrastructure sectors through the strategic use of communication, coordination and information sharing capabilities. This document describes HSIN-CS and the many benefits chemical companies can experience through its use. It also provides comments from ChemITC® members who use HSIN-CS on a regular basis, as well as registration information for those ready to enroll.
US-CERT: Applicability and Usefulness in the Chemical Sector (PDF)
Release Date: January 2008
Sponsored by the Department of Homeland Security (DHS), the United States Computer Emergency Readiness Team (US-CERT) fosters communication among federal agencies, industry, research communities, state and local governments, and other organizations to broadly disseminate important cyber security information. This document describes US-CERT and the various attributes chemical companies may find useful. It also provides comments from a ChemITC member that uses different aspects of the tool on a regular basis to help improve their cyber security team’s effectiveness. Finally, it contains registration information for those interested in signing up for US-CERT.
Overview of Information Sharing Tools (PDF)
Release Date: December 2007
As cyber security threats continue to emerge, it is important for chemical companies to know where to go to find security information and resources, particularly in the event that an incident occurs. This document provides a synopsis of six available information sharing tools – including the United States Computer Emergency Readiness Team (US-CERT) and Homeland Security Information Network–Critical Sectors (HSIN-CS) – for chemical companies to consider. It also provides an overview of the many benefits chemical companies can experience from the sharing of appropriate security information.
Using the Protected Critical Infrastructure Information (PCII) Program to Share Information with the Department of Homeland Security (PDF)
Release Date: August 2007
Information sharing within companies, with other companies and with the federal government is an important aspect of a successful security program. As implementation of the Chemical Facility Anti-Terrorism Standards begins, it is increasingly important for chemical companies to understand what types of information are protected from disclosure by the government, and the protections that such information is afforded through the PCII program. This document describes the types of information protected and administrative requirements, as well as a list of protections, benefits, and additional resources for your company.
Guidance for Addressing Cyber Security in the Chemical Sector (PDF)
Release Date: May 2006
This document defines the elements of a cyber security management system (CSMS) that address manufacturing control systems, information technology systems, and the chemical sector value chain. The document is designed to provide general information and guidance to assist companies conducting business within the chemical sector supply chain in implementing cyber security management system practices and controls. Reflecting a risk-based approach, the document presents a continuous improvement cycle in four phases – Plan, Do, Check, and Act. The CSMS covers 19 key elements and aligns with multiple industry standards including ISO 17799, BS 7799-2:2002, ISA Tech Reports 99.00.01 and 99.00.02. For ease of integration of cyber security considerations with overall security activities, this guidance document is aligned with chemical sector product stewardship programs such as the American Chemistry Council’s Responsible Care® Security Code of Management Practices.
The Cyber Security Journey – How to Begin an Integrated Cyber Security Program (PDF)
Release Date: March 2005
This document provides a high-level roadmap to educate and guide chemical companies as they establish or enhance their cyber security program. Using easy-to-follow diagrams, this document provides a step-by-step set of activities that are fundamental to establishing a cyber security management system, and points readers to other documents that provide detailed guidance on specific activities.
Report on the Evaluation of Cyber Security Self-Assessment Tools and Methods (ZIP)
Release Date: November 2004
This report shares the results of an evaluation of self-assessment tools and solution provider offerings. This document helps enable chemical companies to select tools and methods that will work best in their operating environments so that companies can identify gaps and measure the performance and improvement of cyber security management systems against standards such as ISO 17799 and ISA publications such as ISA-TR99.00.02-2004, “Integrating Electronic Security into the Manufacturing and Control Systems Environment.”
Report on the Evaluation of Cyber Security Vulnerability Assessment Methodologies and Processes (ZIP)
Release Date: November 2004
This report provides a set of criteria for chemical companies to adapt and use to select an appropriate methodology or process for conducting cyber security vulnerability assessments for plant sites, IT assets, and value chain systems.
Cyber Security Architecture Reference Model (PDF)
Release Date: August 2004
The Architecture Reference Model creates a common understanding of terms and vocabulary related to security vulnerabilities, risks, and requirements. The document describes the IT infrastructure of a chemical company as a collection of zones, each with a specific set of characteristics and requirements that influence or dictate how elements in that zone should be acquired, operated, managed, and supported.
Other Tools: