Cyber Security Management in the Chemical Processing Industry

Published by Graham Foss on

What is Cyber Security?

Cyber security is the term used to collect together the processes, practices and procedures that are required to protect a company’s cyber assets (such as computer networks and integrated devices) from data corruption, unauthorised access, and cyber attack.

Cyber security must be considered in all industrial sectors that use computer technology for automation, control, and information storage. Local and international regulations exist to advise, monitor and, in some cases, police the adherence of companies to the standards required to operate within their region.

Different disciplines, such as Information Technology, Cryptography and Criminology, feed into the planning and application of Cyber Security, with the simple goal of securing networks and facilities from the threat of cyber attack.

What is a Cyber Attack?

Broadly, a cyber attack is an unauthorised attempt to access a computer network using malware, viruses, or social engineering to cause damage, slow or inhibit users, inconvenience or embarrass companies, or steal information.

Social engineering techniques such as phishing (stealing personal information via legitimate-looking e-mails), catfishing (using a fake identity to fool other personnel) or any other form of trickery are the most common and insidious forms of attack. Indeed, for most people, even in their private lives, receiving a suspicious e-mail is a daily event.

These types of threat can be launched from anywhere in the world, but cyber-attacks may also include local concerns, such as site access, unsecured connections (such as USB, Wi-Fi and Bluetooth), unintended employee actions, physical theft or sabotage.

Dangers in the Chemical Industry

As technological interconnectivity increases and terms such as the ‘Internet of Things’ and the ‘Fourth Industrial Revolution’ become more realised, the benefits from such intricate networks increase, but so do the risks.

The chemical industry, as it becomes more computer controlled and automated, is far from immune from cyber attack, and is in many ways a prime target for those that want to steal, damage or cause mayhem. Cyber attacks may not simply expose information or affect production but may also corrupt or influence computer systems to push equipment out of safety limits, causing physical damage to equipment, or even harm to people. The inherent danger in many chemicals themselves also increases the risk to life.

At a less immediately dangerous level, cyber attacks may cause the leaking of sensitive data or client information, or the unwitting violation of safety and environmental standards. Although less harmful, such attacks could still mean the closure of a facility, through lack of customer trust or regulation breach, just as easily as an explosion or leak could.

Studies have shown that some of the danger arises from many facilities having a mixture of old and new equipment, with modifications having been made incrementally, and not always with an overview as to how a change made in one area affects the others. Getting an overview of all the equipment in a facility and how it connects to everything else can be a vast challenge if it has never been done comprehensively before. With control software being potentially in desk drawers, fire safes and offsite storage, and with disparate system knowledge being held in various electronic or paper methods, or indeed not at all, responding to a cyber attack in an appropriate and timely manner becomes all but impossible.

The scale of the problem is vast, and the chemical industry possesses some unique dangers. For example, over 3000 facilities in the US are considered to be at ‘high-risk’, which means they use at least one ‘chemical of interest’; this includes toxic, explosive or other potentially weaponizable compounds.

One of the most well-known cyber attacks on the chemical industry occurred in 2017, when a petrochemical facility in Saudi Arabia was attacked. The attackers accessed a critical safety system with malware known as ‘Triton’, that exploited a bug in the Windows operating system. It was detected and no harm was done, but the potential for disaster was so big it became known as “the world’s most murderous malware.”

It should not be forgotten though, that other systems besides the most critical or dramatic are targets for cyber attack. Non-safety systems such as HVAC (Heating, Ventilation and Air Conditioning) or Business networks may also be targets, and while there may be less immediate consequences, there can still be a serious loss to reputation and revenue.

Combating Cyber Attack

An effective Cyber Security Management System (CSMS) should be designed in a way that protects all of the Industrial Automation and Control System software processes.

The existing physical protection of a chemical facility, such as the chain-link fences, the lockable doors, and security cameras, can be considered part of the protection against cyber attack, as physical security and cyber security are closely interlinked. One protects the other, and without a lock on the server room door, for instance, the best cyber security in the world becomes worthless.

It is not enough to protect only one part of the facility, as a defence strategy is only as strong as its weakest link. It is vital to understand potential risks, and how to prevent or control them, and to create policies and processes suited to the requirements of particular areas.

The aim of a good cyber security plan, whatever the industry, is a system of multiple detection and preventative measures, with layers of protection complementing each other to provide defence in depth, and clear plans and contingencies that increase resilience against cyber attack.

All this can take a lot of time and money, but there are some quick wins available, such as taking, storing, and regularly testing backups as part of a Disaster Recovery plan.

In any facility that uses networks and computer-controlled machinery, Cyber Security should become a standard concern in any risk management strategy meeting.

Governments, Organisations and Standards

Standards such as ISA 62443 lay out cyber security plans, processes, and procedures for securing and defending industrial plants from cyber attack. ISA 62443 is not specifically tailored to the chemical industry but does offer an approach that can be adopted to create a comprehensive cyber security management system (CSMS).

Chemical companies in the US follow the CFATS (Chemical Facility Anti-Terrorism Standards) guidance for cyber security. This standard has evolved over time, via legislation and executive order to include not just physical attacks from terrorists, but also cyberattacks by anyone.

Slow to adapt at first, US Industry experts have realised that the CFATS must define a process that can be put in place to meet new and unexpected threats. The CFATS is also adapting to consider the continuous changes in technology that provide gaps that can be exploited by cyber criminals.

Some recent reports, such as one from the GAO (Government Accountability Office) in 2015, have been fairly scathing of the lack of preparedness in US chemical plants. This complacency becomes more dangerous as the world becomes more interconnected and the incidence of cyber attack increases.

In addition, US Chemical companies that are members of the ACC (American Chemistry Council) are required to identify cybersecurity threats, implement plans to counter them and to train employees where training is needed.

In Europe, the European Union General Data Protection Regulation (GDPR), while primarily aimed at protecting EU citizens, also contains regulations on protecting industry from cyberattack.

The GDPR puts the onus on companies to protect themselves and notify authorities in the event of cyber attack. This is to increase transparency and so that breaches cannot be hidden by a company attempting to limit reputational damage.

In the United Kingdom, the HSE (Health and Safety Executive) has recently released new guidance on the Operational Guidelines for IACS (Industrial Automation and Control Systems), which, combined with on-site audits, aims to combat the increase in cyber attack.

The HSE recognise that while the chemical industry is fully onboard, there are significant actions still to be carried out to get UK plants compliant with the guidelines, and updates to the guidance are expected. In addition, government initiatives such as the Cyber Security Information Sharing Partnership (CISP) have been created to encourage UK industry to work together.

How things changed in 2020

In many countries, the chemical industry is seen as an essential part of national infrastructure, equal in importance to the energy, water, and food sectors. The link between the chemical and pharmaceuticals sector makes the protection of plants even more important while the world works as quickly as possible to create vaccines against the global pandemic.

Almost everyone that works now works in a different way from how they worked in 2019. Many employees that were previously office-based now work at home, creating the need for increased security around logging in, password protection and authentication. Many industrial workers must still work at their plants, but the additional infrastructure required to keep people safe from COVID-19 infection is an extra burden that must be assessed, controlled, and managed.

How Asset Guardian can help

Cyber threats to the Chemical Industry are on the increase, leading to the requirement for increasingly sophisticated defences.

Standards such as ISA 62443 require that a facility at risk from a cyber attack is protected by a set of principles, processes, procedures, and tools collectively known as a CSMS (Cyber Security Management System).

Cyber attacks come in many forms, and while recent ransomware attacks have been more newsworthy and spectacular, more common and insidious forms of attack such as phishing and pretexting are just as dangerous. These can be countered through rigorous authorisation and authentication systems and through user awareness training.

Another key defence against cyber attack is the use of a Disaster Resilience and Recovery plan, and a key part of the recovery plan is to ensure that verified backups are stored regularly in a secure location isolated from the live system.

Asset Guardian: Cyber Security Management System

The use of an integrated solution is recommended for organisations that face cyber security threats, as these threats rarely occur in isolation. A solution that also records and tracks all other aspects of the industrial complex, such as configuration and obsolescence management, will not only ensure compliance with industry standards, but also aid in disaster recovery, user management, auditing and many other activities associated with the countering of cybersecurity threats.

For more information on the Asset Guardian solutions, please email



Written by Graham Foss. As one of AGSL’s team of Technical Consultants, Graham Foss is responsible for implementing the company’s product development and technology strategy. Before joining AGSL in 2016, Graham was employed for 12 years as a lead software engineer at Aker Solutions Subsea Ltd, where he worked on projects in the North Sea, North Atlantic and Norway. Graham holds a degree in Computing from Edinburgh’s Napier University, where he graduated with distinction. A Chartered Engineer, he is a member of the Institution of Engineering and Technology (IET).