Security is on everyone’s mind. Heightened awareness and concerns have affected the way we live and the way we work. Those of us who are part of the chemical process industries (CPI) and have a great respect for the materials we work with, are well aware of the importance in safeguarding against potential threats. Indeed, the U.S. Dept. of Homeland Security (DHS; Washington, D.C.; dhs.gov) has identified chemicals as one of 17 critical infrastructure industries. Not waiting for legislative guidance, the CPI has been pro-active in putting up a united front to safeguard against potential threats, both cyber and physical.
Cyber security
“People are much more aware of security,” notes Neil Hershfield, a Dow Chemical Co. employee who serves as director of the Chemical Information Technology Council’s (ChemITC) Chemical Sector Cyber Security Program (chemicalcybersecurity.com). As new threats emerge, he adds, the security challenges also broaden. Established in 2002 as a strategic initiative of ChemITC, which is a CHEMSTAR Panel of the American Chemistry Council (ACC; Arlington, Va.; americanchemistry.com), the Chemical Sector Cyber Security Program was designed to enhance cyber security throughout the chemical sector to help protect people, property, products, processes, information and the environment.
A few months ago, this program unveiled its updated strategy, which focuses on the two main aspects of cyber security in the chemical industry — information technology (IT) and manufacturing system security. The 2006 strategy organizes the path forward into five key elements: information sharing, guidance enhancement and relevance, sector-side adoption, enhanced security in technology solutions and government relations. A snapshot of the strategy for each of these elements is given in the box (p. 18).
With well over 100 member companies, the ACC is a leader in voluntarily addressing and implementing security enhancements. ACC members adopted the Responsible Care Security Code, which requires companies to conduct comprehensive security vulnerability assessments of their facilities, implement security enhancements and obtain independent verification that those enhancements have been made.
The recently approved DHS Appropriations Bill, H.R. 5441, gives the DHS authority to regulate security at chemical facilities. As we await the actual legislation, the strides already made by the chemical community lead Hershfield to say that there is “some optimism in the group of experts, the thought leaders, that what we will see there [in the legislation] is already in place.”
The CPI are very diverse, with many different sizes of companies. As Calvin Jaeger, project manager in security risk assessment at Sandia National Laboratories (Albuquerque, N.Mex.; sandia.gov) points out, some companies, especially smaller ones “where people wear a lot of hats,” may need some guidance or direction for their security efforts. Hershfield notes that his program is open to sharing its guidance with those who want it.
The national laboratories. Sandia and the Idaho National Laboratories (INL; Idaho Falls, Idaho; inl.gov) are playing very active roles in security. Jaeger explains that Sandia has been involved with developing security risk assessments for some time, even prior to 2000. He further explains that whereas “risk basically considers threats and consequences,” the risk assessment methodologies (RAM) that have been developed in cooperation with the chemical industry and others also consider the effectiveness of protective systems. Several versions of RAM are available from Sandia and from other sources.
This past year, Sandia has served as the lead national lab in project LOGIIC (Linking the oil and gas industry to improve cyber security). LOGIIC, funded by the DHS’s Science and Technology Directorate, brought together experts in homeland security, oil and gas, security research, security technology and process control technology, to identify ways to reduce cyber vulnerabilities in process control and SCADA (supervisory control and data acquisition) systems. The project was created to keep U.S. petroleum-and-gas control systems safe and secure, and to help minimize the chance that a cyber attack could severely damage this infrastructure. Ben Cook, project leader for Sandia, says that “In LOGIIC, industry leaders chose to focus the partnership team’s initial work on addressing their concern that control networks aren’t monitored for cyber intrusions as is routinely done on business networks. As a result, it’s difficult to detect cyber adversaries who might be attempting to compromise critical system components.”
Servicing security needs. System suppliers are very much aware of security issues and are active within their own companies and through collaborative efforts to help secure our chemical plants. Ernie Rakaczky, program director for the security team at Invensys Process Systems (Foxboro Mass.; invensys.com/ps), describes his company’s most recent work in security as focusing on two goals: building inherent security functionality into equipment, and creating a stronger security posture to service security needs. The commitment to create a stronger security posture is evident through recent personnel additions to the company’s Enterprise Network and Security Services group.
In addition to helping in assessments and setting up policies and procedures, Rakaczky says his company is particularly strong in “bridging the gap of IT and control at plants.” Cooperation between disciplines is key in confronting security threats.
Increased awareness about security has led to a new breed of customers. “As the community gets more intelligent about security, we are getting more and more specifications on customer requests related to security,” explains Rakaczky. In addition to incorporating the best available security functionality in their products, the company is also focused on making products that are adaptable to future security profiles.
Beyond cyber security
Decades ago, the word security conjured up visions of fences and locks. It still does, to some extent, except that the physical side of security is progressing to a degree of sophistication once only imagined in science fiction. “We are on the edge of huge strides in techniques and processes on how to secure our sites and people,” says Richard Kucharyson, security marketing manager for Honeywell Process Solutions (Phoenix, Ariz.; honeywell.com). Along with advances in cyber security, this company’s approach integrates physical components into their security systems. In a somewhat unique position because the company also owns and operates chemical facilities, Honeywell uses one of its own facilities in Geismer, La. as a test site for its industrial security products. Located on the Mississippi River, this site produces several chemical products, including refrigerants and hydrofluoric acid. A few of the capabilities incorporated in the Geismer site’s security system include: identifying and controlling who enters and exits the facility, tracking movements of building occupants and assets, and integrating waterway and dock monitoring through a radar system (see Figure 1).
Technology advances. Advanced technology is already demonstrated at Geismer, and there is the promise of much more. Just placing more cameras around a site is not enough if there is no one to monitor them. As Kucharyson points out, what is needed are “smarter technologies that are more automatic to make suggestions to people at the right time.” With smart technology that can recognize a potential threat and alert the right people at the right time — operators at a plant, for example — everyone, not just security guards, will be an integral part of security. Kucharyson explains that combinations of technologies — including video analytics, which give cameras the “smarts” to identify something unusual, along with global positioning systems (GPS) and radar systems — are the direction that technology is moving in.
And the technology is advancing at a rapid pace. Just a couple of months ago, a subsidiary of Bayer AG, Bayer Innovation GmbH (Dusseldorf, Germany; bayer-innovation.de) released information about PhenoStor, which the company says is the world’s first system based on holographic data storage for passes of the future. The company reports that it has succeeded in writing data holographically into a plastic, thereby providing extremely high protection against unauthorized access to the stored data. It is expected that in the future, it will be possible to store several megabytes of data on a PhenoStor card the size of a standard credit card. The biometric data saved on the card are aligned with the presented data, such as iris-biometry of the person, to verify.
Biometric techniques such as iris recognition combined with face recognition are under development, as reported at the Honeywell Users Group meeting earlier this year. Advances in this technology allow these systems to be used for recognizing people in motion — one does not have to stand directly in front of the camera to be recognized.
While some very sophisticated technology is available today, another challenge is making it more accessible in smaller, less expensive systems. This, too, is already happening. Last month, Sandia released news that by combining inexpensive off-the-shelf sensors with a more sophisticated one, they have solidified a sensor system complete with onboard GPS, compass, local and long-haul radios, digital signal processor and video capabilities. The demonstrated technology is expected to eventually be transferred to a manufacturer.
As Kucharyson predicts, we are likely to see a huge jump in security technology in the next year.