Security Q&A: New Ways to Prevent Intrusions
Cheryl Flannery is the director of information-technology security, compliance and risk management at Air Products and Chemicals, the $8 billion chemical and gas supplier. Her responsibilities cover everything from information-technology security strategy, to policies and practices, to overseeing electronic and forensic investigations.
Flannery also serves on the Chemical Sector Cyber Security Program Steering Team, a group set up by the Chemical Information Technology Council (ChemITC)—an organization of chemical companies that addresses common technology issues—to drive cybersecurity practices and guidelines across the industry. She talked last month with Baseline editor-in-chief John McCormick.
Q: How does the Chemical Sector Cyber Security Program look at the issue of cybersecurity?
A: The way we look at information security and cybersecurity, because of the industries we’re in, is really twofold. There’s the traditional information-technology side, which deals with all your traditional business systems. The other aspect is the manufacturing and control systems—we do have many systems that control the operations of our plants.
So that is one thing that is different from, say, financial services. They don’t have that other half of actually controllin manufacturing and operations.
We are very similar to other industries in our concerns around viruses and worms and malicious software—certainly the continued, growing threat of identity theft and malicious code. We’re concerned about the loss of intellectual property. So we have many of these same concerns.
But we also are concerned about a blended attack, where a hacker could try to break in and [then] cause harm—physical harm—to one of our facilities and have a physical outcome, not just a business systems outcome.
Q: How would one of these blended attacks happen?
A: Over the past seven [or] eight years, in order to gain efficiencies, those systems [were built] to allow support from really anywhere across the company. You don’t have to physically be at a location. They were connected to the traditional business network. It did open up more vulnerabilities.
So a lot of the effort over the past few years has been [on] how we can better protect these systems and actually add some layers of protection in between the normal business-systems network and the manufacturing-and-control systems networks.
Q: How do you go about protecting them?
A: One of the things that a number of companies have done is [put in basically] a firewall—another layer of protection—between the business system network and the process control network.
Q: What else?
A: A second thing we’ve done is to work with the process control vendors and industrial automation vendors to better protect their software and add some other security features.
Another simple thing that we’ve from a policy and architecture perspective is to say that the sole purpose of those computers [running the plant] should be to run the plant. They should not be general-purpose computers that can read e-mail or surf the Internet.
Even though they are on the network, you can set them up to not allow them to have browser access.
Q: You mentioned working with the vendors to get them to build in more security to their products, but with the type of systems used in chemical plants, that presents its own challenges, doesn’t it?
A: If you look at the operations of a chemical plant, you may have a plant that is running for years and years without a shutdown. And many of these systems are operational for 20 to 25 years. So many companies don’t want to spend the money to upgrade to a newer system.
Q: I haven’t heard of any major incidents in which a chemical plant manufacturing system was compromised. Does that make it tougher to convince people to maintain a level of urgency?
A: One of the biggest preventative techniques you can use is awareness education. What we’ve done in the chemical sector program, as well as within many of our chemical companies, is provide some awareness of different incidents that have happened. We’ll go back to incidents that actually happened in other industries that use automated systems.
So, for example, when the Slammer [worm] hit back in 2003, there was actually an [infection] at a nuclear power plant. There was also [an incident] back in 2001 where a hacker got into [the systems for] the port in Houston. I think people are surprised that incidents can happen and that they do happen.