It wasnt that long ago that getting into many chemical plants was really easy. As a visitor, you went to the guardhouse, wrote your name, company and the person you were seeing in a logbook. The guard checked with the person you were to see and then gave you a visitors badge. At sites with tight security, you might have to wait until someone actually came to escort you. Employees, regular contractors and other people known to the guards usually didnt even face cursory checks.
The guardhouse or plant gate wasnt much of a barrier anyway. Overall physical security around many facilities was less than daunting. For instance, a chain-link fence around the perimeter might serve as the prime deterrent to entry.
Once on the site, a person had access to most outdoor units, and often to control rooms and many buildings without too much trouble. A contractor frequently would have full run of the plant, while a visitor, by simply asking to go to the bathroom, could wander freely.
Of course, 9/11 changed that, spurring significant industry efforts such as the American Chemistry Councils Responsible Care Security Code and leading to far better security at many sites. But undoubtedly more needs to be done.
For instance, the cyber-security of plant networks in many ways has gotten worse. Control systems, once relatively invulnerable because they used proprietary protocols, now are open, generally using OPC communications. This poses real risks, according to a recent survey, OPC Security Whitepaper #1 Understanding OPC and How it is Deployed. Produced jointly by the British Columbia Institute of Technology, Digital Bond and Byres Research, it gathered inputs from 113 OPC users. More than 25% said that loss of OPC communications would lead to a production shutdown. Other worrying results, the authors say, are that about one-fifth of users reported deploying OPC over site business networks and corporate Intranets and 12% used OPC over the Internet, most without encryption.
The results were a surprise to us because they indicate that industry has been using OPC in ways that are far more risky than we expected, says Eric Byres, CEO of Byres Security. Not only are the chances of a successful cyber attack on OPC more likely (considering the networks its being used on), but the consequences are significantly more severe.
The OPC Foundation, for its part, certainly is striving to address security issues through the development of OPC Unified Architecture. But, as Ian Verhappen of MTL Instruments points out (p. 33), control system vulnerabilities extend well beyond OPC. Make a point to check out his Top 10 list.
Yet, the need for effective physical and cyber security measures is particularly acute at many chemical facilities; the nature of the materials they handle and their operations make them potential targets for terrorist attacks.
Protecting our sites demands a coherent and consistent nationwide approach to assess and address vulnerabilities and this is what the new, first-ever federal security rule for high risk chemical facilities promises. As Dave Moore and Dorothy Kellogg of AcuTech Consulting explain (p. 20), it treats risk severity via four tiers, while combining a uniform methodology for looking at vulnerabilities with a flexible approach for addressing them. Facilities that fall within the rule must achieve compliance with 19 risk-based performance standards.
While its too early to know how the rule actually will play out, the chemical industry certainly should welcome it.