White House announces 100-day cyber sprint for chemical sector

Written by

The chemical industry is the next sector to take up President Biden’s 100-day cybersecurity sprint, the administration announced Wednesday, an effort designed to sharpen operators’ focus on the most significant risks from a digital attack such as gas leaks and other contaminations.

The sprint also aims to improve information sharing and “analytical coordination” between the public and private sector and encourage chemical manufacturers to deploy threat detection on control systems.

The sprints were first launched as a pilot with the electric sector in April 2021 and followed up with the pipeline, water and railway sectors. Biden’s memorandum on improving critical infrastructure control systems codified the exercises and amounted to a rare moment for the White House to acknowledge industrial control cybersecurity.

The fact sheet released by the Biden administration noted that the chemical sector sprint would incorporate lessons learned from previous sprints.

A CISA official told Axios, which first reported the announcement, that the Cybersecurity and Infrastructure Security Agency and the Chemical Sector Coordinating Council will set up new task force to implement the sprint. CISA is the sector risk management agency for the chemical sector.

The 100-day grid cybersecurity sprint led to over 150 utilities deploying new technologies to improve cybersecurity defenses, according to a DOE press release.

CISA and the Environmental Protection Agency, which is the sector risk management agency for the water and wastewater sector, have also developed a roadmap aimed at addressing the varying levels of cyber defenses within the water sector as a result of the 100-day sprint, according to a source familiar with the situation. The roadmap aims at helping water utilities assess their own level of cybersecurity to guide them to the level needed to deploy ICS monitoring technology.

The sprint comes as the Department of Homeland Security and the National Institute of Standards and Technology, among other agencies, are expected to soon announce voluntary cybersecurity performance goals for critical infrastructure.

The announcement also comes as CISA is asking for industry feedback on the new cyber incident reporting law.