
Podcast: Cyber Security: It's not if you'll be hacked -- it's when.

Nov. 11, 2019
How are you taking care of operating systems, and is it enough in terms of cybersecurity? Senior Editor Traci Purdum asks Trish Kerin, director of IChemE Safety Centre, about how best to expose and resolve vulnerabilities.

This edition of Process Safety with Trish & Traci uncovers what can happen if you lose access to your entire enterprise system.


Traci: Welcome to this edition of "Process Safety with Trish and Traci," the podcast that aims to share insights from current incidents to help avoid future events. I'm Traci Purdum, Senior Digital Editor with Chemical Processing. And as always, I'm joined by Trish Kerin, the Director of the Institution of Chemical Engineers Safety Centre. IChemE is based in the UK and Australia but its reach is global. Trish, you're also based in Australia and your reach is often global. Where are you calling in from today?

Trish: I'm actually at home today, which is unusual. I'm in Melbourne, Australia, but yesterday I was in our nation's capital in Canberra. I was there a weekend, and prior to that, I was in the U.S. for a couple of weeks.

Traci: You've been all over the place.

Trish: I sure have.

Traci: Well, our topic for this episode is cybersecurity for industrial sites. There are many cybersecurity vulnerabilities everywhere, from lack of security policy and procedures, out of date antivirus software, incomplete or infrequent backup processes, or even Hollywood scenarios of evildoers hacking into systems. There are many infamous examples but I know that we're going to discuss a few of those today. But Trish, I want to get your feeling on how we are taking care of operating systems, and is it enough in terms of cybersecurity?

Trish: I think it's a really interesting question, Traci. We've seen some significant evidence over the last couple of decades of cybersecurity breaches that have resulted in significant issues occurring. There's been a lot of things going on. I think, one of the interesting quotes that I find about cybersecurity is quite chilling but it is, "I'm convinced that there are only two types of companies, those that have been hacked and those that will be." And even they are converging into one category, companies that had been hacked and will be hacked again. And that's actually a quote from the former FBI Director Robert Mueller. And he said that back in 2012, and I think sadly it's very, very true.


If we talk about some of the examples that we've seen of cybersecurity incidents, one of the most significant ones we actually saw was back in 2015 in December. And the Ukraine power grid was attacked by a cyber attack, and they would compromise the systems and disrupt electricity supply to customers in the Ukraine. Now, this is a very significant thing for Ukraine in December because it's very, very cold. So all of a sudden, we had 230,000 people without electricity for up to 6 hours in that particular instance.

Now, interestingly enough, the following December, the Ukraine power system was attacked again almost a year to the day later where they had another 225,000 people blacked out across the Ukraine in the middle of a cold Ukraine winter. So there's really significant impacts that can occur in our critical infrastructure systems, such as electricity, but also water supply.

I believe one of the first or thought to be one of the first successful cyber attacks actually occurred in Australia. And it was an instance where a disgruntled contractor managed to gain access to a sewage treatment facility. He was parked on the side of the road with a whole lot of WiFi-enabled equipment in his vehicle, this was back in 2001. And he was able to reverse the flow basically of the sewage system, which resulted in millions of liters of raw sewage spilling out into local parks, rivers, and even into the grounds of the Hyatt Regency Hotel. This was a significant not only public disruption health issue, but also significant environmental issue because of the damage that it actually caused to the environment and the animals.

And he was able to access into the security, the cyber system of that water treatment plant remotely off the side of the road using a WiFi network and wreak havoc in it. And in actual fact, he had infiltrated the system multiple times, he'd made at least 46 attempts to take control of it during March and April of 2000. Sorry, is that the correct year? He was actually subsequently found in the act on the side of the road with a car that was filled with all sorts of different equipment that the police thought was unusual. And he was jailed for two years following that attack. But you can see how our critical infrastructure systems can be at risk, and this is a really, really significant issue. We need to focus on understanding what our vulnerabilities and our operating systems are and how we can actually fix those vulnerabilities.

Traci: Well, that begs the question now, how do you uncover these vulnerabilities? You've got a guy on the side of the road, you've got Ukraine that gets hit twice in successive years, how can you uncover those vulnerabilities?

Trish: Part of that is making sure that at the very start, you need proper policies in place, at the very highest level of the organization on how to deal with cybersecurity. Just like we do with safety, we have these policies in place. They then cascade down into the management systems and processes in how we actually manage our businesses. Cybersecurity is similar in that way, we need those processes to be defined and then we actually need to obtain assurance that our systems are working. The best way to do that is actually through penetration testing where you go and get the white hats to break into your system, find the vulnerabilities so that if you know where they are then at least you can plug them at that point. If you don't know what the vulnerabilities and the gaps are, you can't find them, you can't plug them, someone else will find them and exploit them on you. So it's a really interesting focus.

Now, over the years we've seen, we've got quite sophisticated with our SCADA systems or our DCS systems, our PLCs. We focus on making sure that the air gap from the internet, we don't allow your space to be put into them so that we can actually maintain a safe system and that's really important. But where is the vulnerability in that? There will be people such as your own engineers, for example, that can remotely dial in from home to check on something on your DCS. It's not actually truly [inaudible 00:06:24]. These are some of the things that we need to take into account.

But one of the other factors, and we saw it with that sewage treatment plant issue with the WiFi network, our policies need to be functional. We need to make sure though that we're not trying to eliminate people getting access to our systems altogether. If we make it too hard, then people like our contractors and our equipment suppliers will find other ways around it. I have heard anecdotally of a situation where it was so hard to get the control systems configured so that the contractor could actually get sight of what their equipment was doing on a facility but they just started to install WiFi systems.

So you go into this plant and if you did a scan of WiFi, there were multiple WiFi networks that should not have been there, that should not have existed, but the contractor has found a way around it because they needed to deliver an outcome to you, but you were making it too hard for them to deliver their outcome. They got creative, they found other ways to do it. So we need to be very careful about minimizing the access that people can get but making sure the right people can get the right access. And I think that's one of the biggest challenges we have in the cybersecurity space.

Traci: Absolutely. Our operating system is the only weak link, though, it seems like there's other vulnerabilities just lurking everywhere.

Trish: Absolutely. We've had a lot of effort in cybersecurity space in terms of personal data and all those sorts of aspects, which is really important. But interestingly, we did also see a hack occur early this year where an organization's enterprise system was taken ransom. Now you might think, okay, well, that's inconvenient, that might disrupt production because we can't do our production planning, those sorts of things.

But think about what's in your enterprise system, and I think this is the new threat to process safety that we probably haven't really got our heads around yet. Where are your drawings kept for your facility? Where does your maintenance management system run from in terms of planning, scheduling, and giving instruction on how to maintain safety-critical equipment? Where are the set points recorded for that equipment? Where are you tracking all your management of change? Because you could then say, "Well, if we lose access to our current data, we can go back to the manufacturer and get factory resets." Yes, you can but what management of change have you done in the meantime that changed your factory resets?

If you lose access to your entire enterprise system, how resilient is your organization to be able to continue to operate safely? Or are you actually going to have to bring your facilities down until you can get that valuable data back again? And we've now moved into a lot of focus with storing things on the cloud, storing things with service providers, how secure are our service providers in terms of making sure that what we do have on their cloud is not vulnerable to attack? And that's a really concerning thing because we all have service providers that we use and we send them our data and they put it up on their cloud. And then the funny thing is that we pay them for access to our own information.

But I don't think we really thought about it that way, we're buying a service, but what we've actually done is we've given over our data, our important company information to someone else, and then we're going to pay for them to let us have it back when we need it. We want to be very sure that we can get it back precisely when we need it if they're the ones that are guarding it, not us.

Traci: Well, I was just thinking too, I mean are we inviting trouble by being so internet and cloud and wireless dependent? I have everything up on the cloud. If I lose that, I lose a lot.

Trish: I don't think we are inviting trouble by being too dependent on it. I mean, the fact is that technology continues to change and evolve and we need to recognize that and evolve with it. I don't think we can sit back in our little office and have everything on paper and we'll all be okay. There are other threats to security that can exist. I think we need to make sure that we have the right policies and processes in place that we audit and we make sure we get assurance and we get the penetration testing done and we take action on the results of the penetration testing.

And one of the interesting things to think about in that penetration testing of your systems, whether it is your DCS control systems or whether it is your enterprise systems, every few years you should be changing out your provider that's doing your penetration testing because you might find that a new provider will find a lot more than your old provider is finding. Making sure that you can keep on your toes with what's actually going on is really, really important.

Traci: Absolutely, due diligence and making sure that this is top of mind constantly rather than being lax and letting those breaches happen. Are there any great ways for backing up this information? If plants are taken offline, is there a good way to have backup?

Trish: Look, I think that's really going to be a question for the detailed cybersecurity IT experts. There will be a range of different ways that they may choose to do it. You may choose to have a remote backup system, you might have mirrored servers, you might have a server in your facility backing up what is on the cloud potentially. There's a range of different ways to do it and I think each organization really needs to understand their vulnerability and do their risk assessment on that vulnerability. What does it mean if they lose access to this information? And then what controls can you put in place to ensure you maintain the access you need? There will be some pieces of data that you can actually live without, but there will be some that you can't live without and continue to operate safely.

It really is around making sure you engage with the technical experts in this space, and you'll actually find the cybersecurity technical experts are typically different to your information systems experts that run your DCSs or your information systems experts that run your networks. It's a particular skill, you need to make sure you're engaging with the right person. It would be, like, you wouldn't go to an environmental person if you wanted to do personal monitoring on exposure to asbestos. You've got to pick the right professional to assist you with the work that you're doing, make sure the people you're using are competent in what they're doing for you.

Traci: Now obviously great advice right there, but chemical plants primarily have three main security concerns, protection of property, protection of lives, and how to achieve this on a limited budget. I know that there's probably some plants out there using hope and luck as strategies in terms of cybersecurity, what's your advice to them?

Trish: Understand your vulnerabilities. What is the hazard or hazards that you have on your facility and what is the worst consequence that could eventuate when you are attacked? And I do say when you are attacked because odds are, it will happen at some point in time, whether it is an unknown actor or whether it is a disgruntled employee, former employee, contractor, etc. So what is the worst thing that can be done to your facility and how can you cope with that?

Now there are actually insurance policies out for cyber attack, you can buy cyber insurance. If you buy cyber insurance, the insurance company is certainly going to want to make sure that you have all your systems and processes in place or they won't sell you the insurance in the first place. But understand the consequences and understand what you're willing to live with. And it then does become a business decision like any risk decision we take. Am I willing to invest the money that I need to invest to prevent or mitigate that incident? And if I'm not and the incident is significant enough then I think there's a very hard question to answer of, should I be in this business?

Otherwise, understand the risk, make a value judgment based on what you're trying to prevent or mitigate and go from there. It will then become obvious some of the steps you need to take. As I said in the extreme cases, it may be that a small facility actually cannot be run safely if, for example, it contains large amounts of chlorine and you've got nothing in place to actually prevent inappropriate use of that chlorine or the three side, but or other security issues. Maybe you shouldn't have chlorine. That's sometimes the question and the discussion we need to have at facilities, otherwise, we do need to run them safely. If we can't afford to run them safely then maybe we should be in a different business but let's focus on trying to run them safely first.

Traci: Well, cybersecurity is certainly a complex topic. Hopefully, we've been able to untangle some of it for you. Unfortunate events happen all over the world and we will be here to discuss and learn from them. Trish, once again, thank you for your brilliant insight.

Trish: Thanks, Traci. Stay safe.

Trish Kerin, director, IChemE Safety Centre, Institution of Chemical Engineers, spent several years working in design, project management, operational, safety and executive roles for the oil, gas and chemical industries. She currently sits on the board of the Australian National Offshore Petroleum Safety and Environmental Management Authority (NOPSEMA) and is a member of the Mary Kay O'Connor Process Safety Center steering committee. You can email her at [email protected].
Traci Purdum, an award-winning business journalist with extensive experience covering manufacturing and management issues, joined Chemical Processing as senior digital editor in 2008. Traci is a graduate of the Kent State University School of Journalism and Mass Communication, Kent, Ohio, and an alumnus of the Wharton Seminar for Business Journalists, Wharton School of Business, University of Pennsylvania, Philadelphia. You can email her at [email protected].
About the Author

Traci Purdum | Editor-in-Chief

Traci Purdum, an award-winning business journalist with extensive experience covering manufacturing and management issues, is a graduate of the Kent State University School of Journalism and Mass Communication, Kent, Ohio, and an alumnus of the Wharton Seminar for Business Journalists, Wharton School of Business, University of Pennsylvania, Philadelphia.
