Recent malware attacks have targeted supply chains, a strategy that has focused the cybersecurity efforts of the chemical industry, its vendors and even the U.S. government.
Chemical engineers must stay on top of a lot of things today, with the most important being to really understand their cybersecurity risks, stresses Eric Byres, founder and chief technology officer of cybersecurity company aDolus, Victoria, B.C.
“The problem here is that a lot of security systems are little more than check lists. They are all about compliance and nothing to do with risk reduction. So, the first thing chemical engineers need to do is get a handle on the big risks and what they can do to mitigate them. Of course, the biggest risk now is from ransomware attacks — often on supply chain systems with weak authentication and lousy access management,” he explains.
It’s also crucial to understand attackers’ motivations. China’s focus is on obtaining state secrets and intellectual property while North Korea aims primarily to steal cash and attack anyone who criticizes the regime there, he notes.
“It’s essential that the chemical industry knows and understands the motivations for these different actors, because your defenses will need to be adjusted for the threat actor you are most likely to be exposed to,” Byres cautions.
aDolus’s own technology for tackling supply-chain malware is its Framework for Analysis and Coordinated Trust (FACT), a software and firmware validation service. The idea is that companies that develop software or manufacture products containing software subscribe to the aDolus service; users of those products can then validate new software patches and upgrades before installing them in critical equipment.
In effect, vendors certified by aDolus pass digital fingerprints of their legitimate software and firmware to the FACT server (called the Trust Repository). An analysis engine then examines the package’s sub-components to determine whether any of them contain known vulnerabilities or malware.
“So we ask two questions: is the digital fingerprint of the package correct, and are all the components in that package authentic and safe to use? The driving force here is that people don’t know if the software they are loading is safe. Even if it is legitimate, how can you be sure that it’s the right version and that it doesn’t contain any back doors? The challenge is to improve the trustworthiness of software they are loading,” Byres emphasizes.
Back in 2017, he realized that to do the trust analysis part of FACT would demand generating a software bill of materials (SBOM) — a technology that many today believe is critical to security following the 2020 SolarWinds attacks. Indeed, underscoring its importance, President Biden’s Executive Order (EO) 14028, “Improving the Nation's Cybersecurity,” now requires SBOMs for all U.S. government purchases of “critical software.” This has left suppliers scrambling to be able to produce SBOMs.
Figure 1. Trained and available personnel are key to maintaining cybersecurity protection levels. Source: Emerson.
“The EO has a specific mention about a standardized model for SBOMs and I think a number of standards will emerge which will then be implemented by industry, too,” says Byres.
As an example of how this process could work, he cites ongoing work with real-time-data-management company OSIsoft, San Leandro, Calif., now part of AVEVA.
“OSIsoft submits all its released software packages to FACT, where we generate SBOMs. We then analyze the components uncovered by the SBOMs for vulnerabilities, potential malware and code-signing issues. OSIsoft uses this data to ensure that they are shipping secure software to their customers. They also offer FACT as a way for their clients to validate all OSIsoft software before loading it into their ICS [industrial control system] servers.”
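The two questions Byres describes, a package-level fingerprint check followed by a component-level check driven by the SBOM, map onto a short validation routine. The following is an added illustration written for this article, not aDolus’s or OSIsoft’s code; the package bytes, the trust-repository entry, the SBOM and the vulnerability feed (with placeholder identifiers) are all constructed for the example, and the FACT service itself is not modelled.

```python
"""Two checks a FACT-style validation performs before a patch is loaded:
1. Does the package digest match the one the vendor registered?
2. Are the components listed in the SBOM free of known issues?
Illustration only: all data below is constructed, not real firmware or a real feed.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

Component = Tuple[str, str]  # (name, version)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- Constructed sample data ---------------------------------------------------
SAMPLE_PACKAGE = b"constructed installer bytes standing in for a vendor release"

# What a certified vendor would register in the trust repository for one release.
TRUST_REPOSITORY: Dict[str, Dict[str, str]] = {
    "pi-server-2021.exe": {"vendor": "ExampleVendor", "sha256": sha256_hex(SAMPLE_PACKAGE)},
}

# Minimal CycloneDX-like SBOM for that package (constructed, not a full spec instance).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "zlib", "version": "1.2.11"},
        {"name": "libexample", "version": "1.0.3"},
        {"name": "vendor-helper"},  # no version recorded: cannot be assessed, so flagged
    ],
})

# Constructed vulnerability feed keyed by (name, version); identifiers are placeholders.
KNOWN_VULNERABLE: Dict[Component, str] = {("libexample", "1.0.3"): "EXAMPLE-ADV-0001"}


def verify_package(filename: str, data: bytes, repo: Dict[str, Dict[str, str]] = TRUST_REPOSITORY) -> bool:
    """Question 1: is the package's digest the one the vendor registered?"""
    entry = repo.get(filename)
    if entry is None:
        return False  # unknown package: default to distrust, never to trust
    # constant-time comparison of hex digests
    return hmac.compare_digest(sha256_hex(data), entry["sha256"])


def parse_sbom(sbom_json: str) -> List[Component]:
    """Pull (name, version) pairs out of the SBOM; missing fields become empty strings."""
    doc = json.loads(sbom_json)
    return [(c.get("name", ""), c.get("version", "")) for c in doc.get("components", [])]


def check_components(components: List[Component], vuln_db: Dict[Component, str] = KNOWN_VULNERABLE) -> List[str]:
    """Question 2: is every listed component identifiable and free of known issues?"""
    findings: List[str] = []
    for name, version in components:
        if not version:
            findings.append(f"{name}: no version in SBOM, cannot be assessed")
        elif (name, version) in vuln_db:
            findings.append(f"{name} {version}: {vuln_db[(name, version)]}")
    return findings


def validate(filename: str, data: bytes, sbom_json: str) -> dict:
    """Fingerprint first; only a package with a matching digest gets its SBOM assessed."""
    trusted = verify_package(filename, data)
    findings = check_components(parse_sbom(sbom_json)) if trusted else ["package digest not trusted"]
    return {"package_trusted": trusted, "findings": findings, "safe_to_install": trusted and not findings}


if __name__ == "__main__":
    print(validate("pi-server-2021.exe", SAMPLE_PACKAGE, SAMPLE_SBOM))
    print(validate("pi-server-2021.exe", SAMPLE_PACKAGE + b"tampered", SAMPLE_SBOM))
```

The order matters: a tampered package can carry any SBOM it likes, so the component check is only meaningful once the digest has been tied back to what the vendor actually registered. A component with no version is reported rather than silently passed, since an SBOM that cannot be matched against a vulnerability feed gives no assurance either way.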
Nevertheless, a number of issues, including notifications, still require consideration, notes Byres. “Software needs continuous monitoring to make sure that it has the latest patches and versions, for example. A control valve is tested as part of its manufacturing process, but you wouldn’t just leave it operating on the plant for years without ongoing monitoring and maintenance, would you?”
Unfortunately, things may get worse soon because ransomware attacks are where the money is now, he warns. “Having your ransomware distributed to tens of thousands of companies gives a colossal return on investment. I’m also really worried that ransomware supply-chain attackers will join up with security system attackers at some point, although the two currently operate independently. It’s essentially the cyber wild west out there.”
Taking A Fresh Look
Its spin-off from DuPont in July 2015 gave Chemours, Wilmington, Del., the opportunity to review its existing cybersecurity program and transform it with an eye to the future of the business and chemical manufacturing, according to chief information security officer Reginald Williams. “As our business has evolved, so has our cybersecurity posture, including how we’ve made changes to our environment to improve security and better enable remote work,” he says.
“For example, we’ve made a concerted effort to increase cybersecurity awareness among our employees and contractors. While we continually test their ability to identify potential attack vectors, last October we held a month of employee cybersecurity training that was very successful at driving engagement and building cyber awareness,” he adds.
Chemours participates with peers in forums such as the cybersecurity subgroup of the American Chemistry Council, Washington, D.C., to discuss common cybersecurity issues. “These conversations are somewhat anonymous and offer a safe, secure place to have a sounding board and learn from what others are experiencing,” notes Williams. The company also is looking to expand its partnership with the U.S. Department of Homeland Security.
For example, while the Sunburst malware didn’t impact Chemours, this information sharing allowed it to review how the attack happened and run scenarios to determine how the company would react and what the impacts would be.
“We took the lessons learned from analyzing the attack to improve our ability to monitor and detect threats within our environment. It also prompted a contract review to ensure our partners, vendors and suppliers are also taking the appropriate measures and have short notification timelines if they were to ever be impacted,” Williams remarks.
This goes hand-in-hand with the use of undisclosed “best of breed” technologies to spot potential threats. Williams is also confident that Chemours already has in place, or is adhering to, most of the guidelines mentioned in the EO.
However, the term “digitalization” is becoming a nebulous concept, he cautions, so each enterprise must define what the term means for its own business: “Companies need to start working with their vendors in a way that brings them into that digitalization conversation and discussion as it relates to your cybersecurity strategy. Have your vendor share how they can help you achieve your goals.”
Figure 2. Saudi Aramco reportedly faces a $50-million ransom demand. Source: Saudi Aramco.
Additionally, companies must more closely monitor what their vendors or third parties are placing in their environments. “For example, an IoT [Internet of Things] vendor may install a device intended to support one function, but it could end up causing problems for you if you don’t know about it and don’t have the ability to monitor it,” he warns.
At the same time, basic cybersecurity steps, such as not leaving default passwords in place, sometimes still are overlooked. To prevent attackers from using lapses in these and other basic controls as a foothold, he advocates adhering to the CIS Controls from the Center for Internet Security (originally developed as the SANS Top 20), plus regular audits to identify areas that need improvement in the face of emerging cyber threats.
A Key Alteration
What must change is how we view cybersecurity, stresses Alexandre Peixoto, product manager for DeltaV with responsibility for cybersecurity and network products, Emerson, Round Rock, Texas.
“The business needs to connect OT [operational technology] to IT [information technology] systems will not be going away, but we need to focus more on minimizing risk to operations and less on cybersecurity driven by convenience. For example, air-gapping seems easier to deploy and maintain, but it is simply not effective for today’s digitally enabled operating environment,” he warns.
The answer is to design security into the system architecture and maintain that security throughout the system’s lifecycle, he says.
As a minimum, designing for security typically means securely pushing data out to business systems, and restricting or highly scrutinizing what data need to come back into the operations environment.
“For many end users, the need to minimize operational risks comes as a corporate directive to ensure incidents like recent ransomware attacks do not happen, but these directives often do not come with sufficient funding. To address this and other cybersecurity issues, Emerson strives to educate end users on how they can improve their entire operational cybersecurity posture by using existing solutions more fully, and by understanding gaps in their operations,” Peixoto explains.
“At the same time, it’s become abundantly clear to everyone that end users need to validate their suppliers all the way to the original manufacturer in a full supply chain,” he adds.
One approach taken by Emerson is to incorporate industry guidelines such as ISASecure Secure Development Lifecycle Assurance (ISASecure SDLA), which is based on the IEC 62443-4-1 cybersecurity standard, into new product development for distributed control systems (DCSs).
“Standards bodies and third-party accreditation help ensure the strongest protections within our products, and this includes advanced strategies like threat modeling and mitigation techniques during the development processes,” he notes.
Highly visible malware incidents coupled with more information-sharing requirements and standards have significantly increased awareness beyond client cybersecurity teams to their corporate executives, he adds. “It feels like today the whole organization is considering cybersecurity in some way, shape or form.”
However, turning awareness into results requires investment, which has been slower to appear, Peixoto cautions.
“Organizations that do understand the difference between security as an essential feature and security as an investment are driving projects with cybersecurity in mind. These companies recognize that secure operations require technological advancements coupled with personnel training. With cybersecurity, overall protection is only as strong as the weakest link. In other words, having all cybersecurity products and solutions implemented but not managed by trained and available personnel will result in an overall low cybersecurity protection level [Figure 1],” he concludes.
Matt Malone, ICS cybersecurity consultant for Yokogawa, Houston, also sees upticks in both cybersecurity awareness and interest from chemical industry clients — and he anticipates they will continue to expand their current cyber-defense postures. For its part, Yokogawa is urging all its clients to continue building and improving their cybersecurity programs.
“When addressing attack vectors, it’s important to keep in mind that many of these sites use legacy systems. These systems were built to last decades and many have a patchwork of automation solutions that also span decades. This means that older attack vectors are still vulnerable until they have been addressed,” he explains.
One of the common strategies for industrial cybersecurity is to adopt the zero-trust model. If you take this strategy to its logical conclusion, then the operator should not trust a single technology, including air gapping, Malone points out.
“The defense-in-depth model for applying industrial cybersecurity applications goes hand-in-hand with the zero-trust strategy because the end user can have overlapping fields of protection by using multiple, and differing, types of cybersecurity solutions,” he adds.
That’s why Yokogawa’s portfolio includes several cybersecurity applications for reducing the risk of attack within an industrial control system network, tailored to any DCS or supervisory-control-and-data-acquisition (SCADA) system.
At the same time, the company has adopted a secure-by-design methodology for its automation equipment and submits its DCS and safety-instrumented-system equipment for third-party testing and certification. “These certifications provide bona fides to our clients that we take the integrity of their systems very seriously,” Malone notes. Moreover, they put Yokogawa ahead of the SBOM curve before the EO was released, he believes.
“An attestation of this, and our commitment to manage the security of our products through their lifecycles, is the 62443-4-1 SDLA security certification for both of our product development centers in Japan and Singapore, including internal process and procedures to manage each SBOM,” he explains.
Meanwhile, the cyber wild west, as Byres describes it, continues, with Saudi Aramco, Dhahran, Saudi Arabia, (Figure 2) becoming the latest victim as of press time. The company has confirmed an indirect release of a limited amount of company data that was held by third-party contractors; it says the release wasn’t due to a breach of its systems and didn’t impact its operations. The hackers reportedly are demanding a $50 million ransom for information they claim covers project specifications, unit prices, business agreements, company clients and invoices.