In 2009, the CSCC adopted sector-specific metrics for security that were developed through the leadership of the CSCC Metrics Working Group. Tailored for members at the corporate level, the metrics capture progress made in reducing risk in five focus areas including cybersecurity.
Owner and Operator Metrics Analysis Survey
Responses to the metrics questionnaire were received by 102 owner /operators in the chemical sector through a voluntary reporting process. Respondents voluntarily reported on various company demographics, including how many chemical production sites, facilities, distribution and/or storage sites their company operates by selecting one of the following categories: one site, 2–5 sites, 6–10 sites, 11–25 sites, 26–50 sites, or more than 50 sites. Using the most conservative assumptions, the 102 survey respondents represent no fewer than 1,264 facilities. Only four respondents indicated they were not subject to one or more of the following regulations:
- Chemical Facility Anti-Terrorism Standards (CFATS);
- Maritime Transportation Security Act of 2002 (MTSA);
- Transportation Security Administration’s Freight Rail Security (TSA-2006-26514);
- Department of Transportation Hazardous Materials Security Planning/Training (HM-232).
Trends and Findings
Overall, survey respondents reported that they are making good progress in securing critical cyber assets. In general, respondents who reported that their companies operate from one to five facilities responded in a similar fashion when compared to respondents from medium-to-large companies.
Over 80 percent of all respondents indicated that work is underway to identify critical cyber assets or that all critical cyber assets have been documented. Critical cyber assets were defined to include company network perimeters, industrial automation and control systems, storage and transport systems, customer order validation systems, or personnel systems.
Critical Cyber Assets Identified
For those companies indicating that critical cyber assets have been or are in the process of being identified, 97 percent of these respondents indicate that cyber vulnerability assessments (CVA) are planned, underway, completed, or have been completed with risk appropriate safeguards in place.
For those respondents indicating that critical cyber assets have been or are being identified, 85 percent indicated that their companies are currently planning to develop procedures to test security controls, are in the process of developing such procedures, have developed such procedures, or have developed such procedures to test security controls, and periodically conduct tests.
Survey results indicate that a high percentage of industry respondents are subject to one or more chemical security regulatory programs as noted above. Although not reported in this survey, respondents also indicated they are actively engaged in a number of voluntary initiatives, including voluntary assessments, tabletop exercises, and voluntary awareness training for cybersecurity. The voluntary initiatives are sponsored by federal, state and local governments, as well as the industry trade associations.
The metrics survey also found that the chemical sector encompasses a broad range of components across the sector, to include basic and specialty chemical product manufacturing wholesale and retail distribution, as well as storage. Although cybersecurity initiatives may be in the early development and implementation stages when compared to other security initiatives, survey responses indicate that the sector is aware of the importance of critical cyber assets and is currently working to make those assets more secure.