Security Q&A: New Ways to Prevent Intrusions

Cheryl Flannery is the director of information-technology security, compliance and risk management at Air Products and Chemicals, the $8 billion chemical and gas supplier. Her responsibilities cover everything from information-technology security strategy, to policies and practices, to overseeing electronic and forensic investigations.

Flannery also serves on the Chemical Sector Cyber Security Program Steering Team, a group set up by the Chemical Information Technology Council (ChemITC)—an organization of chemical companies that addresses common technology issues—to drive cybersecurity practices and guidelines across the industry. She talked last month with Baseline editor-in-chief John McCormick.

Q: How does the Chemical Sector Cyber Security Program look at the issue of cybersecurity?

A: The way we look at information security and cybersecurity, because of the industries we’re in, is really twofold. There’s the traditional information-technology side, which deals with all your traditional business systems. The other aspect is the manufacturing and control systems—we do have many systems that control the operations of our plants.

So that is one thing that is different from, say, financial services. They don’t have that other half of actually controlling [their] manufacturing and [their] operations.

We are very similar to other industries in our concerns around viruses and worms and malicious software—certainly the continued, growing threat of identity theft and malicious code. We’re concerned about the loss of intellectual property. So we have many of these same concerns.

But we also are concerned about a blended attack, where a hacker could try to break in and [then] cause harm—physical harm—to one of our facilities and have a physical outcome, not just a business systems outcome.

Q: How would one of these blended attacks happen?

A: Over the past seven [or] eight years, in order to gain efficiencies, those systems [were built] to allow support from really anywhere across the company. You don’t have to physically be at a location. They were connected to the traditional business network. It did open up more vulnerabilities.

So a lot of the effort over the past few years has been [on] how we can better protect these systems and actually add some layers of protection in between the normal business-systems network and the manufacturing-and-control systems networks.

Q: How do you go about protecting them?

A: One of the things that a number of companies have done is [put in basically] a firewall—another layer of protection—between the business system network and the process control network.

Q: What else?

A: A second thing we’ve done is to work with the process control vendors and industrial automation vendors to [get them to] better protect their software and add some other security features.

Another simple thing that we’ve [done] from a policy and architecture perspective is to say that the sole purpose of those computers [running the plant] should be to run the plant. They should not be general-purpose computers that can read e-mail or surf the Internet.

Even though they are on the network, you can set them up to not allow them to have browser access.
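As an added illustration of the two controls described in this interview (a firewall between the business network and the process control network, and plant computers that are not allowed to browse the web or read e-mail), here is an nftables ruleset for a Linux host acting as that boundary; it is not from the interview or from Air Products. Interface names, address ranges, the jump host, the historian and the port numbers are all assumptions made for the example.

```nftables
#!/usr/sbin/nft -f
# Added example: boundary firewall between the business network and the
# process control network. All names and addresses below are assumed.
flush ruleset

define BUSINESS_IF  = "eth0"          # assumed: faces the business network
define CONTROL_IF   = "eth1"          # assumed: faces the process control network
define BUSINESS_NET = 10.10.0.0/16    # assumed: business address space
define CONTROL_NET  = 10.20.0.0/16    # assumed: control-system address space
define JUMP_HOST    = 10.10.5.5       # assumed: only business host allowed to manage plant systems
define HISTORIAN    = 10.20.1.10      # assumed: plant data historian read by business users

table inet plant_boundary {
    chain forward {
        # Default deny in both directions; every allowed flow is listed explicitly.
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Business -> control: only the jump host, only to the engineering access port (assumed 22).
        iifname $BUSINESS_IF oifname $CONTROL_IF ip saddr $JUMP_HOST ip daddr $CONTROL_NET \
            tcp dport 22 log prefix "plant-mgmt " accept

        # Business -> control: read-only historian access on its service port (assumed 443).
        iifname $BUSINESS_IF oifname $CONTROL_IF ip saddr $BUSINESS_NET ip daddr $HISTORIAN \
            tcp dport 443 accept

        # Plant computers exist to run the plant: no web browsing or mail from the control side.
        # Logging these attempts gives the security team an early signal of a misconfigured
        # or compromised plant host.
        iifname $CONTROL_IF tcp dport { 25, 80, 443 } log prefix "plant-egress-denied " drop

        # Anything not matched above is logged, then dropped by the chain policy.
        log prefix "plant-boundary-drop "
    }
}
```

Load with `nft -f <file>` and watch the kernel log for the `plant-egress-denied` prefix to confirm the control-side hosts generate no web or mail traffic once the policy is in place.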
