There continues to be a fair amount of activity around cybersecurity in our nation’s capital, and this week — dubbed “Cyber Week” in the U.S. House of Representatives — will be no different, as House leaders look to work in a proposal passed out of the House Intelligence Committee with bipartisan support.
ACC would like to give a tip of the cap to the House for its leadership on this important issue and remind all policymakers that chemical producers continue to focus their efforts on enhancing cybersecurity every day.
Within months of the terrorist attacks of 9/11, ACC created a stringent, mandatory security program called the Responsible Care® Security Code. To date, ACC members have invested more than $11 billion to bolster security at their manufacturing sites and across the global supply chain.
ACC and its members take pride that the Security Code has become the gold standard for the industry, and has served as a model for numerous federal, state and local security regulatory programs.
The Security Code specifically calls on ACC members to:
- Assess cybersecurity vulnerabilities
- Implement security measures to address vulnerabilities
- Provide appropriate training and guidance to employees on cybersecurity threats
- Conduct periodic drills or exercises to test cybersecurity systems
- Work with designated authorities to share information from cybersecurity incidents
- Periodically audit cybersecurity systems to identify opportunities for improvement
Our efforts don’t stop there. ACC continues to work proactively with the U.S. Department of Homeland Security (DHS) to improve information sharing between industry executives and government officials, enhance the security of industrial control systems and share best practices to better prepare for and respond to cyber threats.
To help share best practices across the industry, ACC, in collaboration with the Chemical Sector Coordinating Council, launched a “Roadmap Implementation Website.” This site serves as a clearinghouse of information and provides a dashboard on progress for securing control systems in the chemical sector.
ACC members have been active participants in the DHS Cyber Storm and NLE Emergency Response Exercises designed to test our incident response and crisis communication processes and identify areas for improvement.
Unlike many other critical infrastructure sectors, the federal government regulates cybersecurity for the chemical sector.
In 2007, DHS published the “Chemical Facilities Anti-Terrorism Standards” (CFATS) regulatory program. This comprehensive federal regulatory program requires high-risk chemical facilities to register with DHS, conduct a comprehensive security assessment and implement protective measures that comply with 18 risk-based performance standards (RBPS).
CFATS requires that critical cyber systems have enhanced cybersecurity measures. RBPS #8 includes performance standards for cybersecurity that require covered facilities to deter cyber sabotage and prevent unauthorized access to critical chemical process control systems. To do this, RBPS #8 requires a combination of policies and practices that facilities must address to effectively secure their cyber systems from attack or manipulation.
Policy and a path forward
ACC supports cybersecurity policies that promote the free flow of commerce and spur economic growth while protecting critical cyber systems and the privacy of information. We have offered a set of policy principles to help lawmakers focus on the key issues for our sector, including information sharing, strengthening laws against cybercrime and recognizing industry efforts.
We appreciate the administration’s engagement on this important issue and just submitted comments to the National Institute of Standards and Technology (NIST) for development of best practices under the recent executive order. In our comments we agree that NIST should continue to engage stakeholders to create a framework that will continue to evolve with cyber threats and avoid creating an unnecessarily burdensome check-the-box exercise.
Issues surrounding cybersecurity are in constant flux and proper management requires a fluid and fast response. Complex regulatory schemes will only slow cyber risk management systems.
Finally, ACC and its members continue to support the engagement by Congress and have offered input at a recent joint committee hearing in the Senate and supported legislation like CISPA and the “Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness Act of 2012” (The PRECISE Act).
Progress ahead requires engagement by all of the key players to put together an approach that addresses the evolving cyber threat and allows U.S. producers to continue to drive the nation’s economy and create growth.
For ACC and its members, it’s all in a day’s work.