All critical infrastructure segments are at risk for cyberattacks, but the unique integration of the chemical manufacturing sector into the global supply chain makes it an especially ripe target
Defined by the U.S. Department of Homeland Security (DHS), critical infrastructure (CI) sectors are industries that are deemed so vital that their "incapacitation or destruction" would have debilitating effects on the country. We understand that critical infrastructure powers our homes, cleans the water we drink and provides the systems to communicate with family and friends, but, in reality, all critical infrastructure sectors are so interwoven that crippling just one sector could have debilitating effects that ripple across all sectors (Figure 1).
FIGURE 1. Critical infrastructure sectors are intrinsically linked through a global supply chain that depends on the raw materials manufactured by the CPI. This interconnectivity increases the reach of potential cyberattacks
For example, the chemical process industries (CPI) provide core raw materials to the energy, manufacturing and healthcare sectors; the energy sector fuels the government, defense and manufacturing sectors; while the information technology (IT) and communications sectors work to ensure that all of these sectors can seamlessly communicate and coordinate with one another.
Unfortunately, the potential to incapacitate one of these sectors – whether through physical threats or cyber action – is growing. Cybersecurity threats in particular are causing government officials to demand action, including former U.S. Secretary of Homeland Security Janet Napolitano, who called out cybersecurity as one of the top three threats that the DHS can and must confront [ 1]. In fact, according to a report from the World Economic Forum (Cologny, Switzerland, www.weforum.org), cyberattacks causing disruption to operations and critical infrastructure ranks among the top five global risks for 2019 [ 2].
Napolitano's comments should come as no surprise, as daily headlines now feature stories of yet another attack that has resulted in the loss of time, effort and revenue, as well as damaged brand reputation for the victim. The idea of attackers sitting behind a screen, collecting data, stealing information and gaining financially from their exploits is an alarming reality, but it is nothing compared to the wide-ranging impact an attack could have if one of these critical infrastructure sectors were to be successfully compromised.
While cyber-criminals have set their sights across the CI spectrum, they are increasingly targeting the chemical manufacturing sector because of its deep integration and connection to so many diverse industries. And yet, despite these potential threats, the chemical sector remains far too vulnerable to a wide range of advanced threats. To ensure continued prosperity, we must take immediate action in order to harden the chemical sector's security and resiliency, which starts by understanding the totality of the risk landscape.
A prologue to targeted attacks
Ten years ago, the world got its first taste of how a highly targeted industrial attack could wreak havoc on critical infrastructure with the disclosure of Stuxnet, a sophisticated malware worm that was unleashed inside an Iranian nuclear enrichment site, setting their nuclear aspirations back several years while demonstrating the potential vulnerability of all critical infrastructure assets.
Stuxnet was unique in a few key ways. For one, it was likely the handiwork of a nation-state actor and was designed specifically to target supervisory control and data acquisition (SCADA) systems, which are configured to control and monitor a variety of supervisory operations, such as temperature sensors and control valves. First-generation SCADA systems were designed as monolithic, standalone systems that were effectively isolated from other hardware and software resources. Today, third- and fourth-generation SCADA systems are networked and web-based, which make them easier to maintain and integrate with other systems, but this increased connectivity also opens doors into the network that previously did not exist.
Stuxnet was also noteworthy for what it did not do – if a designated target was not running a specific vendor's software, it would go dormant, allowing it to gain persistence on the network and evade detection until the right conditions were met. Since Stuxnet, other malware entities targeting industrial systems have emerged – including Duqu, Triton and Flame – suggesting that threat actors will continue to refine their industrial attack vectors.
Rising risk of attack in the CPI
As criminals seek high-value targets with perceived lax security controls where they might better exploit known vulnerabilities, they are increasingly targeting the chemical sector – either directly or indirectly via supply-chain attacks (Figure 2). Most recently, two major U.S. chemical companies were hit with a targeted attack in March 2019 involving the LockerGoga ransomware that caused potentially catastrophic disruptions [ 3]. It has been suspected that because the two chemical companies that were targeted were owned by the same investor group, that the group behind the attack might have compromised one via the other.
FIGURE 2. Cyber-criminals are increasingly seeking out vulnerabilities in different critical infrastructure sectors that can be exploited to cause maximum damage
In July 2019, Reuters reported that several chemical companies had been hit with a variation of the Winnti malware, which was designed for longterm data exfiltration and was suspected to have been perpetrated by a group possibly working for the Chinese government [ 4].
From nation-state threat actors seeking to gain insider knowledge on intellectual property to the various criminal syndicates who have deployed ransomware attacks on CI targets for financial gain, there is no shortage of motivations for criminals. The reality is that it is hard to pin down exactly what drives criminals to target chemical producers except for the common thread that the chemical sector is deeply interwoven throughout the economy. In fact, the chemical industry is responsible for contributing in excess of $226 billion to the U.S. gross domestic product (GDP), demonstrating the scale of the industry and its crucial role in delivering services and goods across multiple markets.
Recognizing this threat, the U.S. government has made it a priority to raise awareness of the potential risks to the chemical sector through the creation of the DHS Chemical Facility Anti-Terrorism Standards (CFATS) program. As a result, 4,023 high-risk facilities have undergone authorization inspections, 4,990 have undergone compliance inspections and 5,539 have had compliance-assistance visits. However, as the name of the program suggests, its charter is focused primarily on the threat of manmade disasters, which includes cyberattacks, but it mainly emphasizes physical acts of terrorism [ 5].
Despite the expanded focus on risk reduction, the threat of attacks targeting the CPI still remains, as criminals accelerate both the complexity and frequency of their attacks against vulnerabilities within the sector.
ICS vulnerabilities
It can be said that an industrial control system (ICS) is the frontal cortex of a mission-critical environment. According to a 2018 survey conducted by the Ponemon Institute, 90% of professionals in ICS and operational technology (OT) environments reported that their organizations had been negatively impacted by at least one cyberattack in the past two years [ 6]. This issue was heightened through the convergence between information technology (IT) and formerly isolated OT networks and devices coming online together, as well as the advancement of the industrial internet of things (IIoT). Compounding the issue, many chemical companies today have deployed IoT sensors and cloud-based software to improve operational efficiencies in petroleum refineries, manufacturing facilities and distribution centers, broadening their potential exposure to external threats.
While these technologies can enhance efficiencies and reduce costs, they have also embedded vulnerabilities, as the added nodes of connectivity increase the available attack surface. According to reporting by cybersecurity firm Kaspersky Lab (Woburn, Mass.; usa.kaspersky.com), nearly half of all industrial systems have recorded evidence that hackers have attempted some sort of malicious activity [ 7].
Supply-chain attacks on the rise
Another opportunity that attackers are exploiting is the interconnectivity of the chemical sector with the global supply chain. Everything from petrochemical manufacturers to pharmaceuticals to chemical distributors, use, manufacture, store and transport chemicals along a complex worldwide supply chain. But, unfortunately, every link in the supply chain creates new opportunities for infiltration.
Concerns for the security of the supply chain are nothing new. However, ensuring that supply-chain partners abide by industry-defined best practices can be especially challenging. Borderless supply chains lack unified cybersecurity rules and regulations with which vendors can comply. Compounding the issue, many suppliers rely on outdated controls and infrastructure systems that are too costly to update, and consequently become vulnerable to targeted attacks. This is precisely what happened in 2017 when the devastating WannaCry ransomware wormed its way across the globe via older, unpatched versions of Microsoft's Server Message Block (SMB) networking protocol [ 8]. In one study on supply-chain risk, 71% of the organizations surveyed believe they do not hold external suppliers to the same security and risk standards as their own [ 9]. In short, any vulnerabilities in your supply chain are also your own vulnerabilities, which is why a sound supply-management strategy – one that provides broad visibility across the supply chain and a "Zero Trust" approach to all layers of the ICS and enterprise network – is a requirement to secure a modern interconnected enterprise environment (Figure 3).
FIGURE 3. To improve supplychain cybersecurity, all parties should begin to adopt unified practices and encourage open communication and visibility
Training and awareness mitigate risks
It is easy to conflate the function of training and the concept of awareness, as both contribute to the end goal of improving an organization's overall security preparedness. However, it is worth distinguishing between the two. When we talk about "awareness" in the context of cybersecurity, it is imperative that an organization's senior management team does not simply just "buy into" it as part of their annual tactical planning exercise. Rather, it should be showcased as a guiding principle and positioned as a core pillar among management's key strategic priorities. While training should be infused across various constituents at every level of the enterprise, effective cybersecurity practices have the greatest impact when the executive leadership team shows that they have truly invested in creating a lasting culture of cybersecurity excellence.
This is especially important to recognize, given that attacks are not coming just from external emails and devices, but from internal sources as well, such as careless contractors, remote workers connecting from unsecured connections or even from a seemingly benign USB device.
There are many resources for chemical companies seeking to improve their cybersecurity posture. The DHS published a Chemical Sector Cybersecurity Framework Implementation Guide, and the American Chemistry Council (ACC; Washington, D.C.; www.americanchemistry.com) also offers resources and news updates about cybersecurity in the industry [ 10, 11].
But the best security practices often come down to building discipline in both training and awareness. Kaspersky surveyed 282 industrial companies across the globe, nearly half of which were in the oil, gas or chemical industry, and found that 48% had plans to invest in more training. However, training is not a one-off event that can be checked off – it must instead be continuous. In fact, the report stated that many security managers noted that employees fell back into their "old, dangerous patterns of behavior" in six to nine months after completing a security awareness training course.
Chemical companies can no longer simply go through the basic motions and treat cybersecurity as an afterthought. Simply maintaining the rudimentary antivirus technologies and basic awareness is not enough to maintain control and ensure security. All employees – be they executives, engineers or accountants – must develop a deeper appreciation of the fact that any interaction with technology can open a door to a potential cyberattack.
Organizations must educate all employees and stakeholders that no matter their role, every person plays an important part in protecting mission-critical infrastructure. The following are several proactive steps chemical companies can take to improve their security posture and mitigate the growing risks of cyberattack:
Conduct an internal cybersecurity audit to define a baseline from which to measure future progress and evaluate where knowledge gaps exist across all layers of the organization
Prioritize practical, hands-on cybersecurity workforce training instead of just relying on concepts and theories, which can be difficult to comprehend and internalize. Just as you might prepare for a hazardous-material incident, you should likewise schedule simulated cybersecurity incident-response drills
Establish the proper incentives, training, processes, procedures and performance management to ingrain the cultural changes and mindset needed
Invest in training chemical engineering professionals in the right processes and technologies that improve cybersecurity across all levels of the organization
Lead by example by having all executives and managers across departments take cybersecurity training courses to become knowledgeable in the risks, and to better understand how to communicate that information to everyone in their respective departments
Embracing a prevention mindset
So much emphasis of late has been placed on implementing strong detection capabilities. While this is an important facet of building a resilient security posture in general, it represents just a single component. It is imperative that every stakeholder across an organization also appreciates the equally significant role that usability, automation and prevention play in keeping a network safe. Emphasizing this mindset of prevention can help to foster a culture of accountability.
If a process is not user-friendly, personnel will all too often sacrifice security for the sake of productivity. Security leaders need to think as much about the usability of a given solution as they do about its core capabilities. Automating manual processes, such as network access controls and entitlement policies, can also go a long way toward avoiding nightmare scenarios of ex-employees gone rogue. Instilling a prevention mindset across your organization is just as much about people and processes as it is about the technologies and tools.
Protecting chemical facilities and operations against cyberattacks is a multi-pronged and continuous effort that requires organizations to have zero trust in their networks, files, devices and users. We must establish stronger protections, better incident-response plans, and security protocols that are not just resilient but also user-friendly.
This calls for ultimately changing the way everyone in the organization thinks about cybersecurity. The success of CI cybersecurity will rely on the steps taken by the workforce to mitigate the risks, and the conceit that humans should no longer be a last line of defense, but rather one of the first. The question is not whether you can afford to train every stakeholder in cybersecurity but whether you can afford to not train them. ■
Edited by Mary Page Bailey
References
1. Miller, M., Former Homeland Security secretaries call for action to address cybersecurity threats, The Hill, September 9, 2019.
2. World Economic Forum, The Global Risks Report 2019, 14th Ed., www.weforum.org/docs/wef_global_risks_report_2019.pdf.
3. Kovacs, E., Major U.S. chemical firms hit by cyberattack, Security Week, March 25, 2019.
4. Schuetze, A., BASF, Siemens, Henkel, Roche target of cyber attacks, Reuters, July 24, 2019.
5. U.S. Dept. of Homeland Security, Chemical Facility Anti-Terrorism Standards, www.dhs.gov/cisa/chemical-facility-anti-terrorism-standards
6. Tenable, Inc. and the Ponemon Institute, Cybersecurity in Operational Technology: Seven Insights You Need to Know, March 2019, lookbook.tenable.com/ponemonotreport/ponemon-OT-report
7. Kaspersky Lab, Threat Landscape for Industrial Automation Systems in H2 2018, March 27, 2019.
8. Kerner, S.M., WannaCry Ransomware Attack Hits Victims With Microsoft SMB Exploit, eWeek, May 12, 2017.
9. Bradley, T., Supply Chain Attacks Increase As Cybercriminals Focus On Exploiting Weak Links, Forbes, August 1, 2018.
10. U.S. Dept. of Homeland Security, Chemical Sector Cybersecurity Framework Implementation Guidance, 2015, www.dhs.gov/sites/default/files/publications/chemical-cybersecurity-framework-implementation-guide-2015-508.pdf.
11. American Chemistry Council, Cybersecurity and the Chemical Industry, October 2018, www.americanchemistry.com/policy/security/cybersecurity-october-2018-update.pdf.
12. ARC Advisory Group and Kasperky Lab, The State of Industrial Cybersecurity, July 2019, ics.kaspersky.com/media/2019_kaspersky_arc_ics_report.pdf.
Author
Taeil Goh is chief technology officer at OPSWAT (398 Kansas Street, San Francisco, CA 94103; Phone: 1-415-590-7300; Email: mediarelations@opswat.com). He has over 12 years of software engineering experience primarily in cybersecurity, delivering enterprise products to high-security industries, such as government, military, critical infrastructure and finance. His main focus is on leading the engineering team, but he is also in charge of IT infrastructure, business analytics, information security and cloud operations. His current cybersecurity focus is on building content disarm and reconstruction (CDR) and static analysis. He holds a B.S. in computer science from San Francisco State University.