Chemical companies are high-value targets for cybercriminals, but strong foundational security controls can help prevent or limit the damage from an array of cyberattacks
Companies in the chemical process industries (CPI) face an ever-evolving cybersecurity threat landscape. Malicious actors, be they nation states, business rivals or cybercriminals intent on blackmail, are deploying a range of tools to exploit vulnerabilities resulting from increased interconnectedness between operational technology (OT) and information technology (IT) systems, and, increasingly, remote connectivity in the wake of Covid-19. Strong foundational security controls and a well-implemented reference architecture can mitigate this threat and protect intellectual property, technology licenses and high-risk substance production.
The stakes are high. A recent U.K. government study estimated that cyberattacks cost the chemicals industry in general £1.3 billion a year. These threats range from generic “white noise” attacks that impact both IT and OT systems to custom malware created solely to infiltrate a specific target environment.
Industrial espionage — stealing valuable intellectual property, which is then sold by cybercriminals to a competitor — is arguably the number one cybersecurity threat facing the CPI. This is followed by ransomware, whereby malicious actors encrypt systems or information, or in the recent case of the Colonial Pipeline in the U.S., shut production down, in order to gain money by extortion.
Criminals see the chemicals sector as a high-value target precisely because of the potential cost, both financial and reputational, to the operator should production stop or sensitive data be stolen. Chemicals companies may not even be aware that a cybercriminal has infiltrated their networks or that an attack has taken place until some years later when a competing product enters the market. Then, there is also the “insider risk,” whereby someone joins an organization with the intention to steal proprietary information. This silent threat may take additional time and resources to resolve, and the organization may subsequently add additional security controls beyond the foundational level.
Build on strong foundations
The threats outlined above can be prevented or their damage limited by implementing effective foundational security controls, beginning with a threat assessment to understand the individual operation’s cybersecurity risk. What is the likelihood of a cyberattack? If someone targeted your chemical plant without your knowledge, what would be the impact on the business?
When we talk about foundational cybersecurity, we mean central controls that all industrial systems should have in place to prevent a cyberattack or limit its damage. These include patching, malware protection, system backups, an up-to-date anti-virus system and other options, such as application whitelisting and asset inventory. Basic security controls help companies to understand their system setup and the potential threat, identify where vulnerabilities exist and assess their risk exposure.
The impacts of cybersecurity attacks can be grave, but the methods cybercriminals use to infiltrate industrial networks are often very simple. They may gain access to a plant through an insecure remote login software by exploiting publicly disclosed vulnerabilities in the software, or through phishing emails to employees who read their emails on a system also connected to the plant network. Once in the system, attackers have gone so far as to access the ladder logic used to program programmable logic controllers (PLCs), so they can replicate those processes in their own chemical plant.
In cybersecurity jargon, using tools already on the system for malicious purposes instead of how they are intended is known as “living off the land.” Attackers may take control of the mouse on an individual machine and carry out they plan undetected in the guise of a control system engineer. This type of threat is hard to detect, and may require behavioral analytics to identify a member of staff is acting suspiciously — logging into the system outside of work hours, for example.
Increased interconnectedness between IT and OT systems can also create vulnerability. Consider a “flat” IT network (one where all devices are on the same network separated from the internet by a firewall), an aging distributed control system (DCS) and legacy Windows machines. Combined, these entities and their inherent vulnerabilities make it much easier for an attacker to find the company and infiltrate it without sophisticated methodology.
It is important, therefore, that cybersecurity is part of an organization’s wider digital transformation. Industry experts advise users to first look at their system architecture, asking themselves several key questions. How can the attacker see you on the internet? What remote connections do you have that they can exploit?
Once that assessment is done, security controls, such as segmentation, can be put in place, whereby critical processes or data in the chemical plant can be separated from the rest of the system and protected. Strong foundational security controls and a well-implemented reference architecture also ensure compliance with international best practice and standards, such as 62443, the NIST cybersecurity framework in the U.S., and operational guidance (OG) 86 set by the U.K. Health and Safety Executive.
In addition, if a chemical company is bound by the U.K. Control of Major Accident Hazards (COMAH) regulations, they must, by law, implement foundational security controls and demonstrate that those measures mitigate cybersecurity risk. These mandates cover many process considerations, such as the storage of high-hazard substances, for example.
The digital journey
Industry talks a lot about people, processes and technology, but finding the right cyber expertise and choosing the appropriate controls based on a secure architecture is crucial. A sophisticated firewall is one thing, but without the right people to install, configure and maintain that solution, it’s just a switch.
As with all industrial digitalization projects, partnering with a trusted cybersecurity provider that has proven domain expertise at the earliest possible stage in a design of an operation is key to success.
Industry technology vendors should impress upon every user the need think of cybersecurity both in terms of short-term gain — ensuring that if they were targeted tomorrow, they have foundational security controls in place to protect their assets — but also a five-year implementation and management plan and service contract to keep security controls, patching, backups and anti-virus systems up to date.
If a client has 50 sites located around the world, the initial risk assessment will gauge the potential severity of an attack on each site and its impact be on safety and the business. That allows technology providers to quickly narrow down those 50 sites to the five or six most critical sites with the highest risk profiles.
Those risks are then measured against the client’s regulatory compliance requirements in terms of international standards and industry best practice. Cybersecurity technology vendors can then start to work with the client to design, implement and maintain the correct security controls, and assess project costs and return on investment (ROI).
Seatbelts and airbags
A sound cybersecurity strategy is based around two main elements: integration of security controls, and detection capability and security operations. Once system backups, patches and malware have been implemented, the strategy should look at how those security controls can be effectively monitored. Who will implement the backup and how often, for example? What will get backed up, and what is the process to follow should the backup system need to be restored as part of the disaster recovery process?
The field of security operations is about getting information about events within a client’s network that can then be analyzed to look for malicious activity, identifying a clandestine cyberattack and mitigating it.
Every new cybersecurity system should include a default set of minimum foundational security requirements – that can be thought of as the “seatbelts and airbags” – which are essential for any industrial system. That is a good place to begin on any chemical company’s cybersecurity journey.
In the past 12 months, there has been a drive toward industrial digitalization and harnessing data for additional insights that add real value. Covid-19 and the associated lockdowns have accelerated the uptake of digital solutions, including in the realm of cybersecurity. For example, service engineers have been able to carry out assessments remotely and use dedicated platforms to improve interaction between remote experts and field personnel.
Chemical companies that do not prioritize cybersecurity risk the theft of their intellectual property and potentially disastrous shutdowns that can result in serious financial and reputational damage.
An integrated, operation-wide cybersecurity solution with solid foundational controls and a secure DCS at the heart is key to identifying threats, automating compliance and frustrating cyberattacks. ♦
Edited by Mary Page Bailey
Ben Dickinson ([email protected]) is the global program manager for cybersecurity in ABB’s Energy Industries business. He joined ABB in 2018 from the U.K.’s National Cyber Security Centre (NCSC), part of GCHQ, a world leader in the field of cybersecurity, where he spent advising owners and operators of the U.K.’s Critical National Infrastructure (CNI) by in preparing for, detecting, responding and recovering from cyberattacks. Dickinson specializes in understanding the unique challenges posed in detecting attacks and implementing security controls in industrial automation and control systems. He holds a M.S. degree in computer security from the University of Liverpool and has also attended many specialist courses covering industrial control and cybersecurity.