13 Nov 2018 Protecting Chemical Plants
Chemical REGULATIONs EMPHASIZE ICS SECURITY BEST PRACTICE
Governments all over the world are beginning to toughen cyber regulations imposed on industry to respond to the increasing threat of cyber attacks on national critical infrastructure. If the control systems of a digitized petro-chemical plant, for example, fall in the hands of a ‘threat actor, not only can the national energy supply be in danger, but the physical plant itself could be at risk of explosion.
This clear and present danger is considered a serious threat in Israel, where several such attacks have been attempted on industrial sites in the past 12 months. The Israeli Ministry of Environmental Protection, in its new regulation on cyber requirements for plants handling hazardous materials, has adopted the national best practices for cyber protection to guard against risks to public health due to cyber attacks on industrial sites.
New regulations in an uncertain world
According to the Israeli Hazardous Materials Act, any company handling hazardous materials in a quantity or concentration exceeding a specified amount will be required to possess a Hazardous Materials/Toxins Permit from the Ministry of Environmental Protection. According to the new regulations, companies who do not comply with the new cyber security protection guidelines risk losing their license to operate altogether.
A model worth following
What is impressive about the Israeli regulation is the level of sophistication the regulation demonstrates regarding the methodology and protections required to safeguard control systems against cyber attacks:
- The regulation follows a cyber classification methodology specifically appropriate for industrial networks: the IDENTIFY, CLASSIFY, & PROTECT model, similar to what we see in France’s ANSSI regulations.
- The document prioritizes perimeter protections above all other methods of network cyber defense, reasoning that when the consequences of compromise are thoroughly unacceptable, prevention of compromise must be the protected site’s first priority.
Long live the perimeter
The new regulation forbids firewalled connections between the most critical networks and any less-critical network, and require unidirectional, hardware-enforced technology and one-way information flows at such connections. See the use case for further details.
Complete below to access use case:
- Capabilities vs Probabilities: Ask Different Questions & you get Different Answers | Episode #68 - September 20, 2021
- Maritime Systems: Incidents, Issues and What to do About Them | Episode #67 - September 5, 2021
- New survey: one in four Israeli companies have been hit by hackers in 2020 - August 24, 2021