A: I think the key theme is that, similar to physical security, you need to have layers of protection. It's not just one thing that will keep intruders out and keep you safe.
Just [as] in the old mind-set of physical security: yes, it helps to have a lock on the gate, but that's not going to prevent everyone from possibly breaking in and stealing something. Make sure you have strong passwords and some type of monitoring for activity that looks like it may be an issue.
[Another] area where we could focus more is doing more planned and unplanned drills. On the physical side, they do many drills, [such as] if an incident were to happen at a plant or an [accident with] a truck, transporting goods.
I don't think we in the [computer security] industry do enough drilling with either a cybersecurity incident or a blended attack. I think more attention needs to be given to actually planning drills.
Q: And this would include setting up a disaster scenario and then seeing it through from first alerts, to response, to problem resolution?
A: Right. The chemical industry has very robust crisis management processes and structures in place to deal with various crises. I think a key improvement would be to actually incorporate cybersecurity, information security, manufacturing control security into that crisis management process. So we look [more broadly] at the type of crises you could have, and to make sure we are addressing the information security and cybersecurity component.
Q: So the bottom line?
A: Thinking about security as we do safety.
It's really about [managing] risk, not eliminating risk. And trying to have a more robust risk management process in place so that we're looking at our overall risk and trying to manage it as appropriately as we can.
Another key thing is sharing information across the industry so that we're all better protecting ourselves.
Flannery's Five I.T. Security Tips
* Assess Vulnerabilities
* Manage Risks
* Segregate Machines by Function
* Layer Defenses
* Conduct Awareness Training