White House expands industrial control system security Initiative to chemical sector

SECURITY

The White House has added the chemical industry to the administration’s Industrial Control Systems Cybersecurity Initiative, which was launched in July 2021 following the attack on Colonial Pipeline Co. earlier the same year.

The expansion to chemical companies, the majority privately owned, is said by the White House to be needed to strengthen the resilience of U.S. critical infrastructure. The partnership, which includes the Cybersecurity and Infrastructure Security Agency, is based on a plan to promote higher standards of cybersecurity across the sector, including capabilities that enable visibility and threat detection for industrial control systems.

The Chemical Action Plan provides a roadmap to guide the sector’s assessment of its current cybersecurity practices over the next 100 days. Key parts of the plan include a focus on high-risk chemical facilities, information sharing and analytical coordination between the Federal Government and the chemical sector, collaboration to facilitate and encourage the deployment of appropriate technologies, and support for the continuity of chemical production critical to the national and economic security of the U.S.

It was noted, though, that the Federal Government will not select, endorse or recommend any specific technology or provider, with each chemical facility encouraged to undertake its own risk assessment and cybersecurity posture.

“The chemical sector produces and manufactures chemicals that are used directly or as building blocks in the everyday lives of Americans, from fertilizers and disinfectants to personal care products and energy sources, among others,” the White House said in its Oct. 26 briefing.

James Lively, endpoint security research specialist and cybersecurity and systems management company Tanium Inc., told SiliconANGLE that many industrial control systems were not built or developed with security as a consideration, but attacks on ICS systems are extremely rare.

“Attackers need significant in-depth knowledge of the policies, processes and procedures about the company that they are targeting,” Lively explained. “Where do the networks reside with ICS systems attached? What is the layout of said network? What is the make, model, and versions of software running on the ICS systems? Who has access? When are these systems normally accessed? How are these systems updated?”

Added to the mix is that ICS systems are often not internet-connected and another level of challenge for would-be attackers. Lively notes that despite the difficulty, they are still attractive targets.

“The advantages that attackers have are that a copious number of companies with ICS systems controlling critical infrastructure have deficient policies, processes, and procedures,” Lively added. “A well-funded attacker only needs to locate one company with inadequate security measures, and they have all the time in the world to develop capabilities against them.”

Edward Liebig, global director of cyber-ecosystem at Hexagon Asset Lifecycle Intelligence, described the plan as admirable but did warn that it’s not without risks.

“CISA’s plans to draft sector-specific goals with regulatory agencies may become a slippery slope to maintain over time without very intimate involvement with the industry vertical operators,” Liebig said. “There should be a concerted effort to establish and encourage participation in industry-specific industry sharing and analysis centers as a collaboration among vendors will go further in solving the problems within operational technology security.

Photo: The White House