When surveyed at the Black Hat USA 2017 information security event in July in Las Vegas, 60% of attendees said they believe a successful cyber attack on U.S. critical infrastructure will occur in the next two years. More than two-thirds reckon their own organizations will have to respond to a major security breach in the next 12 months.
Chemical companies, understandably, don’t want to reveal the cyber-security steps they are taking. For instance, Dow Chemical, Midland, Mich., and Eli Lilly, Indianapolis, Ind., wouldn’t comment for this story. Lubrizol, Wickliffe, Ohio, did say that it totally prohibits the use of USB flash drives on its control systems. Lanxess, Pittsburgh, Pa., ensures the safety of employees, customers and local communities with a wide array of site security measures, in compliance with Department of Homeland Security requirements, notes president and CEO Antonis Papadourakis.
Cyber-security breaches often result not from remote attacks but instead from local actions such as staff or contractors using infected USB flash drives and laptops or from physical incursions, experts note. Fortunately, rapid advances in technology — from malware detection and remediation to perimeter protection — are giving plants better tools to address these threats.
The infected USB flash drive remains an ongoing threat for introducing malware, mostly as a result of activities by unknowing, untrained or unconcerned employees or contractors, stresses Galina Antova, co-founder and chief business development officer of Claroty, New York City. So, ongoing training and awareness campaigns still are important, bolstered by technology controlling the use of USB ports on the plant floor.
“While the USB threat remains an issue, it is diminished, in relative terms, to the risk of the extended attack surface that has resulted from the rapid convergence between business and industrial networks. Third parties such as contractors and industrial control system (ICS) equipment vendors — together with employees not located at the plant or working from home remotely — connect to the plant network via a VPN [virtual private network] that typically terminates to a ‘jump box.’ From there, the employees or contractors have unfettered access to any of the equipment in the environment,” she explains.
Following extensive consultations with customers, including chemical companies, Claroty has developed Secure Remote Access (SRA) to tackle this. It works by dictating which assets employees or third parties can access or see. It also enforces company authentication policies.
The remote access session is recorded for auditability. Also, importantly, an administrator, such as a security team member, network manager or plant engineer, can watch exactly what is being done — getting a virtual “over the shoulder” view of the session.
“In addition to auditability for security and compliance purposes, the session view and recording helps prevent a big issue that asset owners have with third parties saying they will be doing certain changes and then making other changes that were not previously authorized and possibly endangering process reliability, safety and security,” adds Antova.
This approach boasts two key differentiators, she says. First, it leverages the company’s background in and deep understanding of ICS protocols and the hazards posed to chemical companies by poorly designed information technology (IT)-centric technologies. Second, SRA is integrated into Claroty’s Continuous Threat Detection product — giving security and plant floor teams a consolidated picture of potential risks.
“With Continuous Threat Detection, chemical customers have often identified multiple network configuration (network security hygiene) issues and were able to fix them before they served as an attack vector. The chemical teams also commented that the ability to control and monitor third parties has helped improve security and resolved the issue with third parties going ‘off script’ when making remote changes to the environment without being monitored or reviewed,” she notes.
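The access path Antova describes, a VPN that lands on a jump box from which every asset is reachable, and the brokered alternative that limits each session to named assets, enforces an authentication policy at the broker and writes a reviewable record of every action, can be modelled in a few lines. The following is an added example for this article, not code from the article and not Claroty's SRA product; the asset inventory, roles, policy rules and the "declared scope" check that flags a session going off script are constructed assumptions.

```python
"""Toy remote-access broker for a plant network.

Added example (not code from the article and not Claroty's SRA product).
It contrasts a flat VPN-to-jump-box path, where any authenticated user
can reach any asset, with a brokered path that scopes each session to
named assets, enforces an MFA policy at the broker, and appends an audit
record to the session for every access decision. All asset names, roles
and rules are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed asset inventory: asset id -> network zone.
ASSETS = {
    "plc-reactor-1": "control",
    "hmi-reactor-1": "control",
    "historian-1": "dmz",
    "eng-ws-2": "engineering",
}

# Constructed policy per role. "zones" grants every asset in a zone, "assets"
# grants individual assets; "mfa" says whether the broker must see a completed
# MFA step before it opens a session at all.
POLICY = {
    "plant-engineer": {"zones": {"control", "engineering", "dmz"}, "mfa": True},
    "vendor-a": {"assets": {"plc-reactor-1", "hmi-reactor-1"}, "mfa": True},
    "remote-analyst": {"zones": {"dmz"}, "mfa": False},
}


def jump_box_reachable(role: str) -> set:
    """Flat jump box: once on it, every asset is reachable, whatever the role."""
    return set(ASSETS)


def allowed_assets(role: str) -> set:
    """Brokered path: only the assets the role's policy names."""
    rule = POLICY.get(role)
    if rule is None:
        return set()
    granted = set(rule.get("assets", ()))
    granted |= {a for a, zone in ASSETS.items() if zone in rule.get("zones", ())}
    return granted


@dataclass
class Session:
    user: str
    role: str
    declared: frozenset                      # assets the user said this session would touch
    audit: list = field(default_factory=list)  # one record per access decision


def open_session(user, role, mfa_verified, declared_assets):
    """Return a Session, or None if the broker's authentication policy is not met."""
    rule = POLICY.get(role)
    if rule is None:
        return None
    if rule["mfa"] and not mfa_verified:
        return None
    # A declared scope can narrow, but never widen, what the role may reach.
    declared = frozenset(declared_assets) & allowed_assets(role)
    return Session(user=user, role=role, declared=declared)


def request_access(session, asset, action):
    """Decide one request, append an audit record, and return True if allowed."""
    if asset not in ASSETS:
        decision = "unknown-asset"
    elif asset not in allowed_assets(session.role):
        decision = "out-of-policy"
    elif asset not in session.declared:
        decision = "off-script"   # within the role's rights, but not what this session declared
    else:
        decision = "allowed"
    session.audit.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": session.user,
        "role": session.role,
        "asset": asset,
        "action": action,
        "decision": decision,
    })
    return decision == "allowed"


def denied_events(session):
    """The records a reviewer watching the session would want to see first."""
    return [r for r in session.audit if r["decision"] != "allowed"]


if __name__ == "__main__":
    s = open_session("contractor-1", "vendor-a", mfa_verified=True,
                     declared_assets={"plc-reactor-1"})
    request_access(s, "plc-reactor-1", "read-config")
    request_access(s, "hmi-reactor-1", "write")   # off-script: not declared for this visit
    request_access(s, "historian-1", "read")      # out-of-policy: vendor-a cannot reach the DMZ
    for r in s.audit:
        print(r["decision"], r["asset"], r["action"])
```

The "off-script" outcome is the point of the declared scope: the contractor in the usage block is entitled to both reactor assets, but this session was opened for the PLC only, so the HMI write is refused and lands in the audit trail rather than being discovered after the fact. A real broker would also record the session itself; the audit list here stands in for that recording.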
Ratcheting Up Response
Achieving a cohesive security strategy requires investing in threat detection, remediation and response, counsels Moreno Carullo, CTO of Nozomi Networks, San Francisco.