Hardening plants is hard work

Industry should welcome the new, first-ever federal security rules, advises Editor in Chief Mark Rosenzweig in this month's From the Editor column.

By Mark Rosenzweig, Editor in Chief


It wasn’t that long ago that getting into many chemical plants was really easy. As a visitor, you went to the guardhouse, wrote your name, company and the person you were seeing in a logbook. The guard checked with the person you were to see and then gave you a visitor’s badge. At sites with tight security, you might have to wait until someone actually came to escort you. Employees, regular contractors and other people known to the guards usually didn’t even face cursory checks.

The guardhouse or plant gate wasn’t much of a barrier anyway. Overall physical security around many facilities was less than daunting. For instance, a chain-link fence around the perimeter might serve as the prime deterrent to entry.

Once on the site, a person had access to most outdoor units, and often to control rooms and many buildings without too much trouble. A contractor frequently would have full run of the plant, while a visitor, by simply asking to go to the bathroom, could wander freely.

Of course, 9/11 changed that, spurring significant industry efforts such as the American Chemistry Council’s Responsible Care Security Code and leading to far better security at many sites. But undoubtedly more needs to be done.

For instance, the cyber-security of plant networks in many ways has gotten worse. Control systems, once relatively invulnerable because they used proprietary protocols, now are open, generally using OPC communications. This poses real risks, according to a recent survey, “OPC Security Whitepaper #1 — Understanding OPC and How it is Deployed.” Produced jointly by the British Columbia Institute of Technology, Digital Bond and Byres Research, it gathered inputs from 113 OPC users. More than 25% said that loss of OPC communications would lead to a production shutdown. Other worrying results, the authors say, are that about one-fifth of users reported deploying OPC over site business networks and corporate Intranets and 12% used OPC over the Internet, most without encryption.

“The results were a surprise to us because they indicate that industry has been using OPC in ways that are far more risky than we expected,” says Eric Byres, CEO of Byres Security. “Not only are the chances of a successful cyber attack on OPC more likely (considering the networks it’s being used on), but the consequences are significantly more severe.”

The OPC Foundation, for its part, certainly is striving to address security issues through the development of OPC Unified Architecture. But, as Ian Verhappen of MTL Instruments points out (p. 33), control system vulnerabilities extend well beyond OPC. Make a point to check out his “Top 10” list.

Yet, the need for effective physical and cyber security measures is particularly acute at many chemical facilities; the nature of the materials they handle and their operations make them potential targets for terrorist attacks.

Protecting our sites demands a coherent and consistent nationwide approach to assess and address vulnerabilities — and this is what the new, first-ever federal security rule for high risk chemical facilities promises. As Dave Moore and Dorothy Kellogg of AcuTech Consulting explain (p. 20), it treats risk severity via four tiers, while combining a uniform methodology for looking at vulnerabilities with a flexible approach for addressing them. Facilities that fall within the rule must achieve compliance with 19 risk-based performance standards.

While it’s too early to know how the rule actually will play out, the chemical industry certainly should welcome it.
