US administration announces Chemical Action Plan to expand public-private cybersecurity partnership

The U.S. administration expanded its industrial control systems (ICS) cybersecurity initiative to a fourth sector – the chemical sector. The Chemical Action Plan will serve as a roadmap to guide the sector’s assessment of its current cybersecurity practices over the next 100 days, building on the lessons learned and best practices of the previously launched action plans for the electric, pipeline, and water sectors to meet the needs of this sector.

With most chemical companies privately owned, there is a need for a collaborative approach between the private sector and the government, according to a Fact Sheet released by the government. Key chemical companies and the government’s lead agency for the chemical sector – the Cybersecurity and Infrastructure Security Agency (CISA) – have agreed on a Chemical Action Plan to promote a higher standard of cybersecurity across the sector, including capabilities that enable visibility and threat detection for ICS.

The Chemical Action Plan will focus on high-risk chemical facilities that present significant chemical release hazards, with the goal of supporting enhanced ICS cybersecurity across the entire chemical sector. It will also drive information sharing and analytical coordination between the federal government and the chemical sector. Additionally, the Chemical Action Plan will foster collaboration with the sector owners and operators to facilitate and encourage the deployment of appropriate technologies based on each chemical facility’s own risk assessment and cybersecurity posture. The federal government will not select, endorse, or recommend any specific technology or provider.

The plan is also set to support the continuity of chemical production critical to the national and economic security of the U.S. The chemical sector produces and manufactures chemicals that are used directly or as building blocks in the everyday lives of Americans, from fertilizers and disinfectants to personal care products and energy sources, among others. 

The ICS cybersecurity initiatives emphasize that cybersecurity continues to be a top priority for the administration, and is a keystone of the administration’s cybersecurity commitment to strengthening the resilience of the nation’s critical infrastructure that safeguards the services Americans rely on.

Following last year’s National Security Memorandum, the administration said in August this year that it is set to address the cybersecurity issues faced by the chemical sector. The voluntary-first approach to cybersecurity is set to assist the chemical sector in a fourth 100-day sprint to gain insights into the cybersecurity posture of the nation’s critical infrastructure and work its way up to improving its resilience.

Securing the nation’s chemical sector infrastructure is crucial to the U.S.’s economic prosperity, national security, and public health and safety. Every day, thousands of chemical facilities across the country—from small companies to national laboratories—use, manufacture, store, and transport hazardous chemicals in a complex, global chain that affects other critical infrastructure sectors. Enhancing security and resilience across the chemical industry, which will also reduce the risk of hazardous chemicals being weaponized, requires a collaborative effort.

CISA has developed voluntary and regulatory programs and resources to help stakeholders—private industry, public sector, and law enforcement—secure chemical facilities from many threats: cyberattacks, biohazards, insider threats, and theft and diversion for use in chemical or explosive weapons.

Commenting on the Chemical Action Plan, Padraic O’Reilly, co-founder and chief product officer at CyberSaint Security, wrote in an emailed statement that the biggest issue is that almost all infrastructure is privately held. 

“Analogous to the pipeline: large cyber-to-physical systems with extensive OT. Complex segregation issues and legacy protocols and infrastructure. Malicious attacks and control of SCADA systems and PLCs are real vulnerabilities,” O’Reilly highlighted. “Internet-connected devices and cloud migration are an issue, too. On the upside, the chemical sector has been under CFATS through DHS for over a decade. That will oil the gears. Likely that sophisticated monitoring and detection lag behind the most mature industries. Likely, too, that cyber risk management needs to be done at the executive level to ensure proper resourcing,” he adds.

“There are a couple of things that worry me concerning the chemical sector,” Jerry Caponera, general manager for cyber risk at ThreatConnect, wrote in an emailed statement. “The first is that the chemical sector produces items that we may not necessarily think about but can’t survive without in modern society. Imagine a world without plastics to store our food or chemicals to make electronics.”

“The second is the real risk. We saw three ransomware attacks in 2019, including two in the US (a bigger one was Norsk Hydro). They mitigated the impact because the hit was on IT, not OT systems. But it could have been worse,” Caponera said. “Third, there’s a massive risk with the materials in question. Chemicals produce much of what we need, but a chemical material in raw form can be dangerous. A cyber attack on a chemical system where the IT and OT systems are linked could cause a consequential loss of life.” 

Caponera added that he is “glad the chemical industry is high on the list of sectors to watch. The ransomware attack on the Colonial Pipeline caused a minor blip in the supply of gas. Suppose a significant ransomware attack on chemical plants would destroy plastic packaging. That would be devastating.”

“These developments show the steady course our country is moving in to protect our most vulnerable assets, which have huge implications on the lives of our citizens,” Wade Ellery, field chief technology officer at Radiant Logic, wrote in an emailed statement. “A comprehensive cybersecurity plan is the first step in tackling the immediate threat of cyber attacks. An identity-first security foundation–in which information sharing can cohesively exist throughout the different operations within the United States and our allies–must be a key component of that plan. In order for that to happen, identity security must be taken as the first line of defense for our most valued resources.”

Chris Gray, AVP of cybersecurity for Deepwatch, points out that the chemical sector is a significant component of both the critical infrastructure and manufacturing industries. “As part of the interoperability of critical infrastructure chains, the chemical sector heavily influences and enables areas such as agriculture, water, nuclear, defense, and transportation. Damages to chemical manufacturing, storage, transportation, and use are not self-contained; they have significant effects upon a much broader ecosystem, including economic markets.”

“The big security concerns in this sector include safety, including physical and potential for downstream environmental damages. The interoperability and reliance that exist between the chemical sector and other industries is another major consideration,” according to Gray. “If the production and delivery of chemicals are stopped or impeded, massive effects will be felt by manufacturing, healthcare, fuel, and many other areas. A third concern is system and platform vulnerability. The last major security framework requirements that have governance over this area predate 2010. This sector is likely underserved, highly remote and unattended, old technologies, and outdated security standards and expectations,” he adds.
