About The Strategy
- What is the Chemical Sector Cyber Security Strategy?
- What prompted the development of the Strategy? Why was the Strategy updated in 2006?
- Were the interests of small companies included in the strategy development? Were small companies a part of the approval process?
- Which companies and associations supported the strategy? Were there any trade associations that disagreed with the approach or did not endorse the strategy?
- Was the Chemical Sector Cyber Security Strategy developed in conjunction with the National Strategy to Secure Cyberspace?
About The Program
- Why was the Program created?
- Can you expand on the key initiatives in the Program?
- How does the Program help its members address cyber security issues associated with operating in other countries?
- What else is the sector doing to address security issues?
- What value does the Program bring to the chemical sector?
About Program Implementation
- What has the Program delivered to date and what's the timeline for implementation?
- What is the future direction of the Cyber Security Program?
- How will the Program development and implementation be executed and/or funded?
- How will the Cyber Security Program assist in the development of cyber security practices and tools for use throughout the sector?
- Will there be more cyber security tools developed for the chemical industry? If so, who will take on these activities?
- Have any IT partners or standards bodies been identified for the implementation of the strategy?
- What is the Program's approach to cyber security guidance?
- What can companies do today to enhance their cyber security?
- What tools or resources are available to assist companies in enhancing their cyber security capabilities?
About Challenges Facing the Industry
- How can government research funds be best used to assist chemical sector security efforts?
- Does the chemical sector support chemical security legislation and regulation?
- What can IT suppliers do to support the industry's cyber security efforts?
- Can we characterize the economic impact of the chemical sector? Of cyber security incidents on business and society?
- How can we describe the chemical industry's interdependency with other sectors?
- What is different between process control in the chemical sector and the energy/power sector?
- What are the main areas/issues to address in developing a security plan?
- Where can I get more information?
About The Strategy
What is the Chemical Sector Cyber Security Strategy?
The Chemical Sector Cyber Security Strategy provides a generalized roadmap for improving the level of cyber security across the chemical sector. Originally created by a chartered taskforce comprised of 16 high-level subject matter experts, the Strategy focuses on cyber security risk management and reduction to promote the use of open but secure information and manufacturing systems that facilitate business operations within the chemical sector. The Strategy provides the framework for the Chemical Sector Cyber Security Program, a sector-wide program that leverages collective knowledge, shared technology and practices development to improve the level of cyber security in the industry. The original Strategy was reviewed, endorsed and delivered to the industry in June 2002 and was subsequently appended to the February 2003 National Strategy to Secure Cyberspace.
In 2006, the chemical sector examined its progress against the original strategy and renewed the industry’s strategic vision and direction. The 2006 edition of the Chemical Sector Cyber Security Strategy was published in September 2006. This updated document lays out the path forward as the Cyber Security Program works to enhance both IT and manufacturing system security and describes the chemical sector's notable achievements since the original strategy was released in 2002.
The 2006 Strategy is organized into five key elements: information sharing, guidance enhancement and relevance, sector-wide adoption, enhanced security in technology solutions, and government relations.
What prompted the development of the Strategy? Why was the Strategy updated in 2006?
The continued threat of viruses combined with the sector's increased use of the Internet, the upsurge of e-business and increased integration of chemical companies' IT and manufacturing systems prompted the sector to reevaluate its cyber security environment. Cyber security is an integral part of overall security, which is why we decided to address the challenge as a sector-wide initiative.
Chemical sector CIOs began working together in the early 2000s to address cyber security issues in the sector. The emerging threats that followed the events of 9/11 intensified our focus and accelerated our efforts to develop a cyber security strategy. As a sector, we are fortunate to be able to draw upon established and proven programs that provide the groundwork for improving our cyber security practices.
With direction from the Strategy published in 2002, the Cyber Security Program achieved many notable accomplishments including providing guidance to assist companies, increasing chemical company participation and establishing a relationship with the Department of Homeland Security (DHS). To ensure the Cyber Security Program continues to address the needs of chemical sector companies, the Cyber Security Program Steering Team reviewed progress made and developed the 2006 edition of Chemical Sector Cyber Security Strategy to renew the Program’s vision and determine the sector’s path forward.
Were the interests of small companies included in the strategy development? Were small companies a part of the approval process?
Yes. Broad support and participation from all segments of the sector are critical to the success of the Program. As a result, the strategy published in 2002 was intended to meet the common and unique needs of the industry. Trade Association representatives, with more than 2,000 companies of varying sizes as part of their collective membership, reviewed and supported the original strategy.
The 2006 edition of the Chemical Sector Cyber Security Strategy underwent a similar process. The Cyber Security Program Steering Team, comprised of five chemical company IT and manufacturing system security experts, developed the updated document. The 2006 Strategy incorporates input from ChemITC member Chief Information Officers (CIOs). In addition, the Chemical Sector Coordinating Council, which represents 16 chemical industry trade associations committed to enhancing sector security, reviewed the document.
Which companies and associations supported the strategy? Were there any trade associations that disagreed with the approach or did not endorse the strategy?
The 2006 edition of the Chemical Sector Cyber Security Strategy incorporates input from 33 ChemITC member CIOs. In addition, the Strategy was presented to and reviewed by trade association representatives from the Chemical Sector Coordinating Council. None of the chemical company CIOs or trade association representatives expressed disagreement with the Strategy.
Was the Chemical Sector Cyber Security Strategy developed in conjunction with the National Strategy to Secure Cyberspace?
The sector expanded the scope of cyber security efforts already underway in response to the White House's desire to engage both the public and private sectors in the development of security strategies. The chemical sector's efforts complement the broader national strategy the government has developed, but the sector's strategy was created to give the chemical sector a generalized roadmap for facilitating broad-based cyber security improvements throughout the global chemical sector.
The original Chemical Sector Cyber Security Strategy published in 2002 is appended to the U.S. Government's National Strategy to Secure Cyberspace.
About The Program
Why was The Program created?
Safety and security have long been a priority for the chemical sector. The sector's common goals have enabled it to address these issues proactively and effectively. In recent years, the business of the chemical sector has increasingly relied on the use of manufacturing control systems in its plants and information systems in its business units. Because of this, the sector considered it a priority to unify to develop and implement a strategy that addresses cyber challenges as a sector-wide initiative.
Can you expand on the key initiatives in the recommended Program?
The Chemical Sector Cyber Security Program includes five strategic elements:
These originated from the Chemical Sector Cyber Security Strategy.
How does the Program help its members address cyber security issues associated with operating in other countries?
United States domestic efforts alone cannot completely deter or prevent cyber attacks. The chemical sector is well aware of the need to work closely with its international partners to put into place those cooperative mechanisms that can help prevent the damage resulting from infringement on cyber security. In 2006, the Cyber Security Program created the European Networking and Implementation team. This team provides a venue for representatives from ChemITC member companies that operate in Europe to network with other global representatives and help address unique cyber security challenges within the European community. The Cyber Security Program continues to monitor cyber security activities in other world areas, and will consider forming additional global teams if member interests arise.
What else is the sector doing to address security issues?
Sector initiatives to secure the chemical sector include:
- Responsible Care® Security Code: A state-of-the-art security management system to address site, transportation and cyber security that is mandatory for all American Chemistry Council members. The Cyber Security Program’s Guidance for Addressing Cyber Security in the Chemical Industry is aligned with the Responsible Care® Security Code.
- CHEMTREC®: A 24-hour-a-day, seven-day-a-week emergency communication center that provides emergency responders with technical assistance and helps shippers meet their Department of Transportation requirement of having a 24-hour emergency telephone number.
What value does the Program bring to the chemical sector?
By uniting all segments of the chemical sector, the Chemical Sector Cyber Security Program brings added value to our sector by reaffirming our commitment to safety and strengthening our ability to withstand cyber attacks. Together, we can address and respond to issues of importance with one clear voice.
Chemical companies that join the Program's effort enjoy a number of advantages, including the ability to leverage resources to develop common solutions, rather than incurring the costs of going it alone. Additionally, companies have cost-effective access to sector practices for risk mitigation, networking opportunities with companies of similar size and scope, and opportunities to influence the development of improved technology solutions.
About Program Implementation
What has the Program delivered to date, and what is the timeline for implementation?
Since 2002, the Program has reached out to chemical companies in an effort to promote cyber security awareness and help increase cyber security preparedness in the industry. The Program has also leveraged several existing organizations to create cyber security guidance and tools for the sector, and has worked to establish a relationship with the Department of Homeland Security. For a complete list of Program milestones, please refer to the Implementation Timeline.
What is the future direction of the Cyber Security Program?
The Cyber Security Program will continue its work to understand, prioritize and coordinate chemical industry efforts to address IT and manufacturing control system cyber security issues, including cyber security implementation, advocacy and outreach. The Cyber Security Program will also place a significant emphasis on continuing to strengthen the chemical industry’s relationship with the Department of Homeland Security (DHS) to help ensure that sector activities are aligned with DHS priorities.
How is Program development and implementation being executed and/or funded?
The chemical sector has a rich history of proactively addressing issues. Past efforts have demonstrated the sector's ability to develop and implement strategic approaches to address challenges. Time and again, chemical companies have worked together to dedicate people and financial resources to initiatives that benefit society, the environment and the economy. When approaching cyber security, the sector has deployed the same proactive approach as it has with previous issues.
Project teams aligned with each of the Program’s strategic elements began working against project plans in late 2002. Volunteers from ChemITC Charter and Affiliate member companies participate in team activities. The Cyber Security Program operates under the Chemical Information Technology Center (ChemITC) of the American Chemistry Council and is funded by ChemITC member companies. ChemITC leadership will help ensure that each of the Program's project teams is adequately resourced and progressing toward its goal.
How will the Cyber Security Program assist in the development of cyber security practices and tools for use throughout the sector?
The Cyber Security Program offers companies throughout the global chemical sector free access to a variety of guidance documents, white papers and webcasts designed specifically with chemical company interests in mind. Companies interested in downloading one of these resources may visit the Cyber Security Tools section of the Cyber Security Program Web site.
Will there be more cyber security tools developed for the chemical industry? If so, who will take on these activities?
The Cyber Security Program understands the benefits of having a useful set of guidance documents, white papers and webcasts available for use by companies throughout the global chemical sector. The Cyber Security Program regularly reviews its existing guidance documents and tools for relevance and applicability to the chemical industry. As the cyber security landscape evolves and new technologies are introduced, the Cyber Security Program may form new project teams to create guidance documents, white papers or other resources to address emerging topics of interest. For information on the current activities of each of the Cyber Security Program’s Work Teams, please visit the Work Team section of the Cyber Security Program Web site.
Have any IT partners or standards bodies been identified for the implementation of the strategy?
Reducing current and future information security challenges will require leading edge technology, responsible sector practices and timely information sharing throughout the sector. A number of technology providers participate in ChemITC as Affiliate Members to provide insight into cyber security solutions in development and available for use by the sector. Participants in the Program also proactively work with external standards bodies, government, academia and others to address cyber security challenges facing the chemical industry.
What is the Program's approach to cyber security guidance?
The Cyber Security Program offers a number of guidance documents to assist companies as they work to enhance the cyber security performance of their IT and manufacturing control systems. Guidance for Addressing Cyber Security in the Chemical Sector offers a glimpse at the elements of a cyber security management system (CSMS) that address manufacturing control systems, information technology systems and the chemical sector value chain. The guidance exists on three levels: a governance perspective that aligns to the Responsible Care® Security Code and gives detailed information about cyber security management practices; establishing practices around the baseline controls from an IT perspective; and types of control to assist from a manufacturing and control system perspective.
What can companies do today to enhance their cyber security?
There are a number of steps companies can take right now to enhance the security of their systems.
- Develop a Cyber Security Management Policy: After carefully assessing potential risks in the company's infrastructure, operations, services and control systems, a company can develop a plan to manage cyber security within the corporation. As part of this activity, it is important to facilitate open communication between various divisions and businesses within the corporation. It may also be beneficial to communicate with industry counterparts and the government.
- Conduct a Vulnerability Assessment: Companies can periodically assess their systems based on potential vulnerabilities, threats and consequences to identify risks and begin to understand and evaluate risk mitigation strategies.
- Conduct an ISO 17799 Assessment: ISO/IEC International Standard 17799 is an extensive set of management practices for information security. It helps companies identify risks, and select appropriate control measures to mitigate risk and manage incidents. By conducting an ISO 17799 assessment, chemical companies can assess their cyber security strategy, policy and capabilities.
What tools or resources are available to assist companies in enhancing their cyber security capabilities?
The Program offers a suite of guidance and tools to help companies enhance the security of their business and manufacturing control systems. Please visit Cyber Security Tools for more information.
About Challenges Facing the Industry
How can government research funds be best used to assist chemical sector security efforts?
The chemical sector is actively engaging the government to work toward the common goal of a safer, more secure cyberspace. The sector has identified a number of areas that would benefit from additional research and development funds from the government. These include:
- Enhancing the reliability and security of general use operating systems.
- Further securing electronic business-to-business environments.
- Identifying ways to improve the containment of cyber security problems within a specific area of a company or the nation's network systems, including developing a secure approach to connect domains of differing security levels.
- Increasing user authentication measures and techniques.
- Improving investigative techniques to enable proactive risk mitigation, threat reductions and quick recovery from cyber attacks.
Does the chemical sector support chemical security legislation and regulation?
Chemical sector companies support legislation that will ensure the physical and electronic assets of our nation's chemical facilities are secure against the threat of terrorism, business interruption and improper use. The Program supports legislation that will establish national security guidelines for chemical facilities; require companies to conduct site vulnerability assessments and implement security plans; and create strong enforcement authority to ensure facilities and systems are secure. Federal, state and local regulations must also be aligned and incorporate flexibility to accommodate evolving cyber security challenges.
What can IT suppliers do to support the industry's cyber security efforts?
Suppliers of IT products and services are best positioned to address issues within the solutions they create and have a responsibility to test and enhance product security before releasing it in the marketplace. The chemical sector's cyber security efforts rely on increased coordination between technology providers and the industry to foster an understanding of the common and unique needs of the sector, begin enhancing the security of products scheduled for release and become better stewards of IT products and services.
The Cyber Security Program invites IT providers to join as Affiliate Members to work with the Program so that together, they can work to better understand and address the chemical sector's security and technology needs. Affiliate membership is available to organizations engaged in the provision of hardware, software and IT services to the chemical industry.
Can we characterize the economic impact of the chemical sector? Of cyber security incidents on business and society?
The chemical sector is an essential contributor to today's standard of living and quality of life. The business of chemistry represents a $637 billion enterprise in the United States. The sector transforms natural raw materials into more than 70,000 commonly used products benefiting society's health, safety and productivity. The chemical industry employs nearly one million workers; for each one of these jobs, four more are created in other industries. The business of chemistry is also the largest exporting sector in the United States, accounting for more than ten cents out of every dollar of U.S. exports. In 2006, U.S. chemical exports totaled more than $135 billion.
IT and manufacturing control systems play an integral role in the operations of chemical plants. With the increasing number of cyber security incidents throughout society, the management and reduction of risk is even more important to reduce the potential impact of cyber attacks on this critical infrastructure industry.
How can we describe the chemical industry's interdependency with other sectors?
The chemical industry has a strong interdependency with many of the other critical infrastructure sectors, which rely on the manufacture, availability, transport and secure delivery of chemical products. For example, chlorine is critical to purify our nation's drinking water sources. In addition, agriculture, pesticides, fertilizers and preservatives help provide a safe and abundant food supply. The automotive industry depends on thousands of chemical products from polyurethane seat cushions to neoprene hoses and belts to enhance the performance, fuel efficiency and safety of automobiles.
Similarly, the chemical industry is dependent on many other critical infrastructures. The industry has a strong relationship with emergency services to facilitate our emergency response capabilities. It relies on technology solutions from the information and telecommunications sector to enhance the performance, operation and communication of the chemical sector. It is highly dependent on rail, trucking and pipeline services for the secure transport of our products.
These and the many other interdependencies among the chemical sector and other critical infrastructure industries require a coordinated approach to cyber security.
What is different between process control in the chemical sector and the energy/power sector?
Power distribution in the energy sector is substantially different from the majority of the systems operated within the chemical sector. Since the power grid is tightly linked and dependent upon power supplied by several different companies, the management systems are highly interconnected over public and private networks. This high level of integration over numerous types of networks, including wireless technologies, creates numerous opportunities for unauthorized access. If a cyber incident occurred in this environment, it could generate a cascading impact.
The physical structure of the chemical industry, on the other hand, reduces the likelihood of a cascading failure effect as production and distribution systems are separate. Process control systems in the chemical sector typically control a single operation within the physical boundaries of the manufacturing facility. Several layers of protection are available beyond the process control system that include physical access controls, independent safety interlock systems, emergency shutdown systems, and auxiliary independent backup devices. Furthermore, information that is communicated between a plant and central IT systems is primarily for optimization and supply chain operations, not plant operations. Because of this, an incident at a chemical facility has the potential to cause a delayed, economic impact, but any physical impact is more likely to impact that site alone, rather than causing a chain reaction across multiple sites or companies. These differences necessitate different technical approaches to security design for the chemical and energy industries.
What are the main areas/issues to address in developing a security plan?
Each company can benefit from the development of an overall policy for managing cyber security based on an understanding of their product, service and exposure risks. ISO/IEC International Standard 17799 for cyber security management practices is a useful approach to assess a company's strategy, policy and capability.
Industry participants can benefit from evaluating their level of risk and determining if follow-up action is appropriate. It is important for companies to conduct a security vulnerability assessment and evaluate risk based on three elements: vulnerability, threat and consequence. Once the potential risk is identified, the next step is to understand and evaluate mitigation strategies. Risk mitigation often is comprised of three main elements: improved technology, operating discipline and information sharing.
It is essential to develop practices and standards and make them an evergreen part of operating discipline to address ever changing technologies and vulnerabilities over time. Corporations also enhance their security through opening the lines of communication within their operating units, with other companies and industry partners, and with the federal government.
Where can I get more information?
Visit the Contact Us section of the Web site to find appropriate contact information for the Chemical Sector Cyber Security Program.

