Speaker: David E. Kepler, Corporate Vice President and Chief Information Officer
Event: ISA Expo 2003
Location:
Date: 10/21/2003
Slide 1
When we wake up in the morning, technology greets us in the form of an alarm clock and the running water we’ve come to take for granted. As we head out for the day, technology takes us to the office, school or to visit family in the cars, trains and other forms of transportation that are far superior to the ones our parents used at our age. And when we reach our destination, technology awaits us. According to the Bureau of Labor Statistics of the United States Department of Labor, two out of five employed people are connecting to the Internet or using e-mail on the job[1].
Slide 2
Regardless of where you live or work, technology has an enormous impact on our lives as individuals and a society. It improves our ability to communicate with others, despite the distance that separates us. It enables us to go where we need to using safe and reliable modes of transportation. It entertains us with more electronic gadgets and gizmos than we can ever hope to master. In more ways than we can imagine, technology is a common thread that improves our quality of life.
Slide 3
In fact, sometimes we can’t imagine the way technology improves our lives. We only understand its impact when a disruptive event allows us to experience its loss.
When the Northeast power grid went down a few months ago, people’s lives and businesses were impacted. Society went quickly from “unassuming enjoyment” of electricity to a focus on prevention of future disruptive events.
Slide 4
Where we are today is a direct result of centuries of technological advances. Each new technology enabled people to accomplish something new, reaching beyond their wildest expectations to do something they never thought possible. They also brought obstacles and risk. “For before long, problems began to crop up along the frontier, compromising the commerce that has already emerged and threatening its long-term development.”[2] It is with great responsibility that we have historically been able to overcome these problems and flourish in a further state of progress than we already knew.
When it comes to Information Technology (IT), our needs are clear. Just like electricity, we need solutions that are widely available, easy to use and, most importantly, secure. We need our suppliers to be good stewards of the products and services they provide. And in order to continue making progress, it is essential that we take a diligent approach to secure our systems and keep those that threaten them at bay.
Slide 5 — Pioneers and Pirates – Yesterday and Today
Advancements in technology have been the foundation of progress long before Simon, the world’s first personal computer, was introduced in 1950. “Cyberspace is indeed a brave new world, but it’s not the only new world. There have been other moments in time that undoubtedly felt very much like the present era, other moments when technology raced faster than governments, and called forth whole new markets and social structures.”[3]
Journey back into your history books to the 15th century and you’ll find this is truly the case. When Christopher Columbus set sail from Spain in search of the Far East in 1492, he still used a method of navigation called dead reckoning, which is dependent on continuous measurement of course and distance sailed from a known location, even though new techniques such as celestial navigation were emerging.
Over the next 100 years, a series of navigational technologies matured, allowing explorers like Columbus to more effectively navigate the open seas. The quadrant – a metal plate in the shape of a quarter-circle with a weight on a string that crossed the opposite edge of the circle – allowed navigators to plot the North Star’s angle above the horizon, which, in celestial navigation, indicates the ship’s latitude. The discovery of magnetic north – the actual direction of the earth’s magnetic currents – enabled navigators to more accurately plot their course, compensating for the deviation between true north and magnetic north depending on their location. It also impacted how navigators used their compass, understanding that the compass was directing them in relation to magnetic north, as opposed to true north.
Slide 6
However, a common theme throughout history is that progress generally brings with it obstacles to overcome, and this certainly holds true on the oceans of yesteryear. The advancements in 15th century navigational technology allowed explorers to find the New World and eventually enabled the establishment of commerce between Europe and America. As the seas became a playground for the emergence of global commerce, a very real menace threatened to stifle the progress that was made. The Golden Age of Piracy from 1680-1730 saw large numbers of mariners engaging in piracy on the Atlantic Ocean. Many sailors found themselves out of work during peacetime in 17th century Europe and the riches piracy could provide were a natural lure. In many ways, countries like England also condoned the practice, employing merchant ships to wage war on others to supplement their meager naval fleets. By the mid-1700s, an increased naval presence to protect the seas, heavier consequences for captured pirates and other advances in navigational technology led to a decline in pirate activity. This was followed by an accelerated period of growth and commerce on the seas as ships advanced in speed and reliability.
Though the players may be a bit different, progress looks much the same today as it did in the prime of the maritime industry. The pioneers exploring the newly discovered America encountered the same types of obstacles as those who developed the first computer chip, the first search engine or the first wireless computing device. And the pirates of the open seas attacked innocent merchant crews just as hackers today prey on innocent people and companies.
With the advent of the Internet, we truly saw commerce take a leap to a new level. The Internet brings a wealth of information to the desktop of anyone who takes the time to seek it, allows people to shop from the comfort of their own homes and provides a new avenue for businesses to reach out to customers. But as with all great measures of progress, this new technology comes with its own set of vulnerabilities and threats.
Slide 7
My talk today is about protecting the I/T and communications assets we have all worked so hard to develop. To do this, we must first agree on the nature of technology so we can better protect it.
From there, we can build on the concept of “secure computing” and the changes in behavior that are required so that we can continue to enjoy the progress we have become accustomed to.
Slide 8
Most of the Internet’s growth has been defined by two laws that explain its geometric growth: Moore’s Law, which has predicted with regularity that the power of computer chips doubles every 18 months, and Metcalfe’s Law, which says the value of a network to its users scales with the square of those connected.
I am suggesting that there is a limiting law, the “Law of Unintended Consequences” that says, once society perceives that the risks of new technology are greater than the rewards, they limit its adoption.
Slide 9 — The Crossroads of Progress
Most people have a love-hate relationship with technology. Think back to your last big technology purchase, maybe it was a new computer or your first PDA. When you brought your new electronic toy home, you were probably enthralled with all the new things it could do. But the more proficient and dependent you became at using it, the more frustrated you undoubtedly became with its limitations and flaws.
The Law of Unintended Consequences is what can happen even when we plan carefully, but as we become more dependent, we stop investing because of perceived potential backlash and even disaster.
The crossroads that ultimately surround technology stem from the fact that human progress and the pace of innovation meet for only a short period of time during the technological life cycle before consequences are understood. Consider our navigators of the 15th century. It wasn’t until navigational technology became sophisticated enough to allow sailors to travel a planned course across the Atlantic that innovation met the needs of the people – reaching a point that shifted navigation from exploration to commerce.
The “point of enablement” is followed by a period where technology continues to satisfy the expectations of the users. However, eventually, most people reach a point when their concern over loss is greater than the gain.
In the case of navigation, the “point of unintended consequence” came when technology failed to protect the ships from the pirates that threatened them. IT seems to be at this crossroad today, as hackers and pirates threaten our systems daily, and the economic impact is alarming.
Slide 10
The most enabling technologies are those that become the most pervasive. Technologies that everyone can afford, and which other technologies can be built on.
Clocks were at first very expensive and were used primarily in navigation. Today, “clocks are free” and offered as features in many products and services. Just think about how many you have to reset when daylight savings time rolls around. But how could we run our scheduled life today without them?
All these technologies face a “crossroads in progress” where the need for reliability becomes a societal concern.
Slide 11
The National Strategy for the Protection of Critical Infrastructures and Key Assets defines the 13 key industries – industries that are all pervasive and furthermore, they are all highly interdependent. Which industry is the most pervasive and enabling?
Slide 12
From my vantage point, I would say chemistry. It is so pervasive in so many industries – from personal care to medicine to electronics to entertainment. My test is which comes first? I can’t imagine that we could do very advanced computing if we were manufacturing computers with wood or iron! Of course, this is a chemical engineer talking, so you may have a different view.
My real point is that chemistry, while a mature science, still sees innovation occurring in a broad set of industries. The chemical industry has been at several “crossroads” where it has had to balance innovation and risk management.
Slide 13
The IT industry is now at a similar crossroad. It has experienced great growth, but is starting to see the unintended consequences that have led to a situation where the security and reliability issues are starting to limit the growth.
Slide 14
In January 2003, nearly 20,000 digital attacks, including worms and viruses, surpassed previously recorded levels and caused more than $8 million in damages worldwide.[4] But that doesn’t even compare to the impact that awaited just eight months later, when the worldwide economic impact caused by hacker attacks as well as virus and worm infections – most notably Blaster and Sobig – was calculated at $32.8 billion, making August 2003 the worst month for digital damage in history.[4]
Industry, companies and individuals are left with the daunting task of closing this gap, and a diligent approach must be taken to maintaining the safety and security of Information Systems.
Slide 15
The IT industry has enjoyed excellent growth and is now an essential element of modern life. However, just as the chemical industry had to mature once it became pervasive, now it’s the IT industry’s turn. In order to continue adding value to society, it is essential that the IT industry develop an inexpensive network computing capability that is, above all else, safe and secure. The IT industry can learn from the experience of the chemical industry to provide reliable, secure supply, proactively manage risks and be good product stewards from cradle to grave.
Slides 16/17 — Secure Computing: An Industry, Company and Individual Guide
There are steps that can be taken at the industry, company and individual level to ensure safe computing. At the foundation is an understanding of the premise of secure computing, that is, to provide a reliable and secure supply by focusing on the benefits of technology in relation to the potential risks. Secure computing requires companies to develop processes for addressing anti-terrorism, product stewardship, hackers, improper design, implementation and use, and human behavior.
Slide 18
A critical component of secure computing is coordination between technology providers and industry. In order for industry to elevate the safety and security of its information systems, suppliers must approach the industry with an eye toward both sales and stewardship and perhaps more importantly, hold themselves accountable for delivering secure solutions.
Suppliers of IT products and services are best positioned to address issues within the solutions they create. They know the technology better than anyone and have a responsibility to test and enhance product security before releasing it in the marketplace. They also have the tools available to correct known vulnerabilities before they can be exploited. By taking the extra step in product stewardship, technology providers can help the industry stay one step ahead of the law of unexpected consequences.
Slide 19
Each company and industry must also understand the dependency they have on IT, the trends and impacts their technology has on industry and their interdependency with other industries. For example, the security and reliability of the chemical industry benefit other critical infrastructure industries – many of which rely on the secure delivery of chemicals to serve the nation’s security and defense, as well as the public’s welfare. Once industries understand their impact on others, they will be able to take the next step in the crucial journey toward safe computing – determining how best to leverage industry teamwork to create economic solutions that help anticipate and respond to future risks.
Slide 20
Finally, industry must understand that one person or company can not truly elevate the safety of its computing environment on its own. On the contrary, each industry must take a proactive and coordinated approach to addressing security, recognizing that physical and cybersecurity are highly interdependent and as such, must be addressed in tandem to define the most effective solutions and achieve the best results. By working together both within an organization and with industry counterparts, industry can successfully secure its information and manufacturing systems, protecting the reliability, operational performance and financial performance of its systems, in addition to guarding against cyberterrorism and maintaining business continuity.
Slide 21 — Understanding and Mitigating Risk
Regardless of the number of practices, standards and security technologies implemented, there will always be risks. Once we recognize this, the next challenge is to understand the nature of the risk, and how to manage it. A formula has been created to help industry participants evaluate each of these scenarios to determine their level of risk, and what they need to do about it.
Before industry can mitigate risk, it is important to evaluate the risk based on three elements: vulnerability, threat and consequence. By combining these three criteria, industry can better understand the risk and take steps to reduce the risk.
Consider once again our seafaring navigators from the 15th and 16th centuries. The vulnerability lies in the fact that shipping by its very nature extends beyond the safety of the ports, into the wide open seas. The threat is that pirates and terrorists can attack ships in open waters. And, if the vulnerability and threat are not addressed, economic impact and loss of life for seafarers are the consequences for the shipping industry. Combine those three criteria, and you quickly realize the grave nature of the risk and the need for some sort of mitigation. But often when the consequences are very low, less attention is spent on mitigation.
The same formula can apply to the IT industry. In its case, the vulnerability rests in the high dependency of nearly all industries on information technology. The threat comes as no surprise – hackers, terrorists, pirates and poorly designed systems disrupt network availability and cost companies millions to restore their systems and in lost productivity. Impact to the economy and public safety are the consequence and when you multiply that by the threat and the vulnerability, it is clear that action must be taken.
Slide 22
Once the risk is identified, the next step is to understand how to mitigate the risk. A successful risk mitigation strategy is comprised of three main elements: improved technology, operating discipline and information sharing. This strategy can be applied to any advancement along the technological frontier and if managed appropriately, can yield secure results.
When you think of maritime piracy, some of the names that may come to mind are Blackbeard, Captain Kidd and Black Barty. But piracy is alive and well in the 21st century; in fact, it’s a $16 billion industry. In the first half of 2003, 234 ships were attacked, 64 of which were in the dangerous Indonesian waters. During the attacks, 16 seafarers were killed and 20 were reported missing.[5] Clearly the risk has come back 250 years after the Golden Age of Piracy.
Slide 23
So why is piracy back? The three main elements of risk mitigation have not been appropriately applied to protect the shipping industry. Consider technology. The modern capabilities of merchant ships today require smaller crews to manage the on-board operations, which is positive from a fleet perspective but is a vulnerability in respect to the ability to protect the ship from harm. Furthermore, technological advances have improved the pirate’s ability to quickly attack and escape undetected.
A lack of operating discipline also contributes to the ever-present risk. A lack of regulations coupled with reduced naval forces leaves merchant vessels virtually unprotected in dangerous waters.
Finally, until the International Marine Bureau was founded in 1981, few channels existed to inform and aid attacked crews. This lack of information sharing made it difficult for crews to anticipate and prepare for potential attacks.
Slide 24
I believe that the chemical industry’s safety record is a good example of how risks are effectively mitigated. Dow Chemical, for example, has reduced its injury/illness rate by 75 percent over the 1994 baseline. It is ten times safer to work at Dow than the industry average.
This was done by improving technology, yes, but in addition, a significant effort was placed on operating discipline, behavior change and information sharing.
Slide 25
Cybersecurity requires a balanced approach to risk mitigation, encompassing all of the three elements described above. Each element has a number of facets. Improved technology includes the detection and prevention of risks, as well as reliable computing. Standards, policy and regulation, along with behavioral systems and assessment comprise operating discipline. And information sharing should include strategic, tactical and operational information.
Slide 26 — The Chemical Industry’s Approach to Cybersecurity
The security of physical, information and manufacturing systems has long been a priority for the chemical industry and other critical infrastructure industries. For more than 10 years, Responsible Care has provided chemical companies with a framework for voluntarily securing their physical assets. As technology is increasingly integrated into day-to-day operations, companies are challenged to place equal emphasis on securing their information systems as they historically have on physical security.
Early last year, the industry came together as it has many times in the past to expand cybersecurity efforts already underway in the industry to further safeguard information and maintain safe operations with the creation of the Chemical Sector Cybersecurity Information Sharing Forum. Comprised of senior-level representatives of 10 trade associations representing more than 2,000 companies from key chemical industry segments, the Forum is charged with improving the level of cybersecurity throughout the industry.
The Forum’s first order of business was to charter a taskforce to develop the U.S. Chemical Sector Cybersecurity Strategy which provides a compass for improving the level of cybersecurity across the chemical sector. The strategy also provides the framework for a comprehensive sector-wide program that leverages technology, processes and people to help protect communities, facilitate safe operations, shield proprietary information and enable business continuity throughout the global industry.
To accomplish implementation of the Cybersecurity Strategy, the Program leverages three proven sector initiatives, the Forum, the Chemical Industry Data Exchange (CIDX) and the Chemical Sector ISAC.
Slide 27
The Chemical Sector Cybersecurity Program established in September 2002 focuses on risk management and reduction to provide open, secure information and process control systems that help protect communities and facilitate business operations. Consistent with the Strategy, the Program is focused on five key initiatives for enhancing cybersecurity within the chemical sector:
- Fostering involvement and commitment across the sector
- Establishing a cybersecurity public affairs program
- Encouraging the development of risk-based sector practices and standards
- Establishing an information sharing network
- Encouraging acceleration of improved cybersecurity technology
Slide 28
If you want to learn more about these programs, please visit their websites at www.chemicalcybersecurity.com and www.cidx.org. I encourage all companies that are part of or supply the chemical industry to join the Program and CIDX.
Slide 29 — Secure Computing – Everyone’s Responsibility
Responsibility falls on the shoulders of every individual, company and industry to elevate the security of our information systems, protecting them from penetration, misuse and financial or operational loss.
At the corporate level, there are a variety of things you can do to protect the mother ship from risk. First and foremost, bring members of your company’s manufacturing, R&D and IT organizations together and open a discussion about the impact each system has on one another. In nearly every industry, these highly interconnected networks facilitate integrated manufacturing and product development and in doing so, employ open system technologies that enable greater efficiencies, improved productivity, easier communications and lower costs. However, their unique applications create the potential for risks, if their common security needs are not addressed.
Conducting periodic risk assessments is another necessary step to achieve a higher level of secure computing. First, apply the industry standard methodologies for understanding and mitigating risk to your systems so you have a firm grasp on what potential issues you may be dealing with. Then take it to the next level, identifying potential vulnerabilities and defining solutions for addressing these vulnerabilities.
We must all collectively raise our expectations of suppliers, requiring security improvements in the solutions they provide to industry. Over the last year, many software companies have refocused their efforts, testing and enhancing product security before providing solutions to customers. We must continue to encourage and work with our technology partners to develop secure products and services.
And finally, company support of industry initiatives is critical to enhance our computing environment. Like the chemical industry, nine other critical infrastructures have developed cybersecurity strategies and are in the implementation process. Among the actions called for within these strategies are the development and implementation of cybersecurity standards and practices and increased information sharing. Company support and participation in standards development and membership in industry information sharing capabilities are simple steps that companies can take to increase the level of cybersecurity now.
Slide 30 — Safe Computing Starts with You
Industry and companies have responsibilities, but so does each person who handles information, uses a computer or manages a network. It doesn’t have to be complicated. If you use common sense and think like a kindergartner, you will have the ammunition you need to contribute to a safer, more secure cyberspace.
Don’t talk to strangers. We were told repeatedly as children, don’t talk to strangers, don’t take candy from strangers, and tell someone you trust if a stranger tries to talk to you. The rule hasn’t changed. We receive hundreds of e-mail messages a day from unknown senders and visit just as many websites created by unknown developers. If you don’t know the source, don’t accept messages, open files or download programs. By pressing delete or venturing to a new URL, you can save yourself a lot of headaches.
Follow directions. Our parents have been trying to get us to follow directions practically since birth. In this case, the directions are found in your company’s information security policy. As with all directions, they exist for a reason so once you understand the rules and begin to follow them, you should be well on your way to a gold star for good listening.
Don’t lose your keys. The first time you were given a key to the house, you were probably also told quite pointedly, “don’t lose it.” Your key was the ticket to all your worldly possessions, and you knew that it needed to be protected. When it comes to computing, your key is your password. You wouldn’t walk around handing out keys to your house or car and the same concept applies to your password. This rule is simple. Don’t share your password with anyone, period.
Just because you know the ABCs, doesn’t mean you can read. We sometimes tend to confuse knowledge with skill. It took several years after we first sang the ABCs to identify letters, put them together into coherent sentences and then be able to read them. Computers require the same learning curve. Nearly everyone can use a computer to some degree, but that doesn’t mean you can implement solutions and fix problems. Rather than make matters worse, ask for help from your IT department when you are experiencing an issue.
Slide 31
The capabilities of IT are just now starting to be leveraged. Not just the automation of the old, but the evolution of new concepts and capabilities that will forever change and progress the human experience. By nature, IT will overcome the current set of unintended consequences, just as the navigators and the many other technology innovators of the last five centuries have. The question is how quickly will we adjust our sails to avoid the pirates of the Internet.
[1] Bureau of Labor Statistics, United States Department of Labor. Computer and Internet Use at Work in 2001.
[2] Spar, Debora L. Ruling the Waves. New York: Harcourt, Inc., 2001.
[3] Spar, Debora L. Ruling the Waves. New York: Harcourt, Inc., 2001.
[4] Mi2g, Ltd.
[5] International Marine Bureau

