Converging on an Un-Common Cure for the Chemical Terrorist

This entry was posted by on .

On June 26, 2009 in a congressional roll call joint statement issued by four powerful congressional leaders (Thompson, Waxman, Jackson Lee and Markey) called for support for the bill HR 2868 that would grant Department of Homeland Security the authority to make the CFATS program permanent going forward. Some of the important provisions of this bill include reducing the threshold amounts of dangerous chemicals or switching to safer chemicals. Additionally water treatment and distribution systems, waste water treatment and port facilities would no longer be exempt from complying with these safety provisions.

The risk-based approach to securing facilities and access to chemicals is a sound concept. In addition to securing the physical access and the cyber assets, it is equally important to monitor physical access to determine and track who has physical access and what they are doing with this access. The convergence of IT security, physical access security and control systems security deliver the ability to detect and identify blended threats that reside in between these traditional islands of automation.

AlertEnterprise provides security convergence software that delivers a complete CFATS solution including a risk-based approach to combining vulnerability assessments with background checks and certifications, plus the ability to monitor insider access to information, systems, assets, materials and facilities. AlertEnterprise delivers a continuous risk management environment including the ability to aggregate results from checks on production control systems such as DCS and SCADA systems to ensure that they are not operating outside of their prescribed thresholds. AlertEnterprise is the only solution that can not only measure and report on risk, but can then automate the remediation process delivering access policy enforcement – such as cutting off physical access to remote facilities at the same time as de-provisioning from the IT systems.

Speaking of convergence, there is another kind of convergence going on that is really interesting. It is the convergence of safety systems and security systems relating to industrial controls.

The thinking goes something like this – for years engineers have designed safety processes into control systems (like interlocks designed into the electrical grid) that will trigger if things go wrong in chemical processes including temperature thresholds or explosive conditions if the wrong amount of materials are combined. The concept of Functional Safety was developed in response to the growing need for improved confidence in safety systems. Major accidents around the world, as well as the increasing use of electrical, electronic or programmable electronic systems to carry out safety functions, have raised awareness and the desire to design safety systems in such a way as to prevent dangerous failures or to control them when they arise. Industry experts began to address functional safety and formalize an approach for reducing risk in the process plant environment through the development of standards IEC 61508, IEC 61511, and ANSI/ISA 84.

Threat actors with bad intentions can target the safety systems and disable them rendering the operations unsafe creating the potential for catastrophic spectacular events. ISA (the International Society for Automation) as part of the ISA 99 standards for control systems security is adopting a framework similar to the Safety Integrity Levels (SIL), outlined in ISA 84 to classify the criticality of the system being protected. ISA 99 has created a working group in conjunction with ISA 84 (WG7) to promote the use of Security Assurance Levels (SAL) to assist in the classification of process industry installations including chemical facilities and categorize them based on the criticality. Bryan Singer (Kenexis), Eric Cosman (Dow Chemical), Mike Boudreaux (Emerson Process Management) and numerous other industry participants are driving the extension of this important ISA standard to consider security as part of safety when designing, deploying and operating processes and systems.

Reading this don’t you think combining CFATS and ISA 99 for chemical process systems in a security solution makes a lot of sense?

For further information please email me; as a participant in the WG7 working group for ISA 99 I hope I can play a very small part in contributing to the security of our chemical process infrastructure.