Hacking in an industrial environment is serious business. The days of amateur pranksters playing in their basements have given way to sophisticated, organized cyber-criminal groups who are seeking big money or looking to cause physical harm.
Chemical Processing recently spoke with Eric Byres, Chief Technology Officer with aDolus Technology Inc., a company that provides solutions for monitoring software risks in OT supply chains. Byres specializes in industrial control systems and industrial Internet of Things cybersecurity and has testified in front of Congress on the security of industrial control systems in national critical infrastructures. Here’s what Byres had to say about some of the most important cybersecurity issues impacting the chemical industry.
What are the primary risks that chemical companies face when it comes to cybersecurity?
I think we're seeing an interesting switch in the cybersecurity risks faced by chemical companies - there are now two, maybe three, primary risks. In the past, what we saw were fairly amateurish attacks on systems. Now we’re seeing the commercialization of hacking, which is resulting in incidents like ransomware attacks. Holding a chemical company's process operations for ransom is profitable; it's good money for bad behavior. We saw that during the Colonial Pipeline ransomware incident back in 2021.
Chemical processing has a double risk because ransomware attackers could either threaten to shut down the process (like Colonial) or cause some sort of human or environmental impact. The scary thing is that the attackers don't have to succeed; they just have to show that they're inside the OT system and have a reasonable shot of causing an incident like a spill. So chemical companies are facing a bit more risk than say your average manufacturing business.
The other thing that we're seeing is the militarization of attacks on OT. For example, if a foreign attacker takes out natural gas storage and processing facilities in the U.S., they accelerate the problems we already have with the West’s energy policy toward, say, Russia. We see this weaponization of control systems with attacks like PipeDream, where an organization with a particular political or military agenda would benefit by having critical processes disrupted. This is particularly true for companies that make specialty chemicals that are under some sort of supply chain pressure.
Another threat that I have not seen directly in the chemical industry, but that I would be shocked if it isn't happening, is intellectual property theft. I know it's rampant in the food and beverage industry and consumer products industry. I was talking to a friend who was responsible for one of the big consumer products companies, and he was saying that they find exceptionally realistic counterfeit versions of their packaging showing up in Asia. Somebody is hacking into their packaging and design system and stealing that information. Many chemical processes are proprietary and stealing that information would be valuable to criminals as resellable information.
The good news is that hacking a chemical processing system is not trivial. You need subject matter expertise, so it’s something typically coming from a professional organization. As an OT cyber attacker, you need to be an expert on your target, and you will run your attacks against the targets of interest. OT hacking is not random.
So why is this happening? What are some of the vulnerabilities you're seeing in these organizations that are leaving them open to these attacks?
I think it's an unfortunate perfect storm. Three things have happened. First, process control systems have caught the attention of the world. If you think back to the days of Stuxnet, nobody outside the automation industry even knew what process control was. Nobody had heard of a PLC, including the bad guys. In the last decade, everybody, including the bad guys, is suddenly aware that there is a soft underbelly in large process companies — that underbelly is called the control system.
Second, when you look into risk modeling, there are a bunch of factors to consider, one of which is target attractiveness. If your facility is not a very attractive target because you have no money or because what you produce is not that interesting from a political or military point of view, then serious hackers will probably leave you alone, even if your security is crap. But the target attractiveness of the chemical industry and the OT marketplace has ramped up amazingly.
The third bit of bad news is that we've integrated IT, OT, and the cloud in ways we never expected 20 years ago. I look back to when I started in OT security and there'd be a single firewall or gateway – one link between the process control system and the IT system. Today there are hundreds of connections in most large operations. And when you look at the typical facility, many of those connections are cloud connections.
So, we have this connectivity between the cloud, the IT systems, and the plant floor that just didn't exist before. That gives the bad guys new opportunities. There are also dependencies between the plant floor and the IT systems that weren't there a few years ago.
A great example is Colonial Pipeline. Many people said that the pipeline control system was hacked. No, the control system was not hacked. The problem was that the pipeline's control systems were dependent on information from the IT system. Two things likely went wrong there. First, Colonial had to shut down because the IT systems and the billing systems were not able to provide the data that the control systems needed to make the pipeline run well.
Second, out of an abundance of caution, Colonial’s management shut down all the control systems. I believe that management really didn't know whether the bad guys could get access to the control system and do even more damage, so it was safer to shut it down to be certain. This goes back to what I said earlier about the bad guys not having to be successful at shutting down OT; they just have to look like they can be successful. Many companies don't have enough visibility into the potential impact if somebody takes over a portion of the IT system that is connected to the control system.
The final part of the perfect storm is the supply chain issue. The bad guys have learned that it is far easier to attack a supplier and take advantage of a supplier's product vulnerabilities than to go after the intended victim directly. They just get into one OT supplier’s development system or software download site and replace the good software with malware. Then they allow the supplier to distribute the bad software to its customers. Now you have a multiplier effect where one poorly secured supplier gives the bad guys access to multiple victims.
So what are some of the strategies chemical companies can use to minimize their risk?
My first suggestion: don't try to boil the ocean. I see too many companies trying to do too many things and getting caught up in looking for perfect security hygiene and concepts like that. I think that there are a few things that are absolutely critical and need to be focused on.
First and foremost is to be able to have a good understanding of what you're protecting. In other words, what are your OT assets? For example, you should know the models and versions of all PLCs your facility uses and where they are located. This applies to every single OT device that contains a chip or software: what is the model and version and where on the network is it located?
Part two is knowing how you’re running those assets, and what software or firmware is actually running inside them, including the open-source components bundled in by the developer. If you don't know what's in your OT equipment, the bad guys will figure it out for you. They're going to pick a package or an open-source component (like Log4j) that they know is poorly secured and try to see if your company uses it. They don’t need to map your entire network (though they might try). Instead, they're going to look for what's vulnerable and exploit that.
How can chemical processing companies build defensible architectures?
There are two things that need to be considered. First are the networking interactions. In other words, is there a network connection from here to there in your OT system? And if so, what's it for? That's fairly basic - IEC standard 62443 is a security standard for process plants that helps you do that. In that standard is a concept called Zones and Conduits, which specifies that you divide up your facility into operational zones and then you decide how you're going to connect the zones.
Some companies have a few large switches that connect absolutely everything in the process. That is a bad strategy because there is no segregation of operation. If an attacker or malware manages to get access to even one unimportant computer anywhere in the plant, then they soon have access to everything. Instead, one needs to apply a zone model to prevent uncontrolled access. For example, if you have a network switch that's running one part of your plant (Zone 1 say) and a switch in another part of your plant (Zone 2), you might put a firewall between them to monitor and control the traffic flow between those two zones.
The second part is harder but equally critical: What are the dependencies between the cloud, IT, and operations and between different areas in operations? This goes back to the example of Colonial shutting down the pipeline: not because the control system was under attack, but because either they didn't know if they could run the pipeline without IT systems or they didn't know if it was secure from IT. To be secure, chemical facilities need to have determined in advance what would happen to other systems if a security event impacts a single system.
How do chemical plants ensure they have continuous visibility of their security status?
There are really good platforms out there that analyze traffic on your plant floor. These weren’t around 10 or 15 years ago, but they're widely available now. They analyze how your different systems are communicating with each other and the outside world. For example, these systems can warn you that your console room is now talking to a football website on the internet. Then you can ask, “Is that really a good idea? The plant floor guys should not be checking football scores on that HMI.” That information should be easy to capture, and a lot of companies are starting to have the visibility to understand what's leaving the plant and why and where it’s going. They also need the capability to understand the traffic inside the plant. With that, it becomes much harder for the bad guys to move from an initial beachhead to your process crown jewels and cause your operation serious harm.
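The zone model Byres describes (IEC 62443 zones and conduits) and the traffic-visibility check he ends on (a console in the control zone reaching a website on the internet) can be expressed as a small flow-auditing script. The following is an added example, not part of the interview or any aDolus product: the zone address ranges, the approved conduits, and the flow records are all constructed for illustration, and a real deployment would take the flow export from a network monitoring platform rather than from an inline string.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical zone layout in the style of IEC 62443 zones and conduits.
# All address ranges and zone names are constructed for this example.
ZONES = {
    "zone1_control": ipaddress.ip_network("10.1.0.0/16"),
    "zone2_control": ipaddress.ip_network("10.2.0.0/16"),
    "it_business":   ipaddress.ip_network("10.100.0.0/16"),
}
OT_ZONES = {"zone1_control", "zone2_control"}

# Approved conduits: (source zone, destination zone, destination port).
# Any flow that crosses a zone boundary and is not listed here is a finding.
APPROVED_CONDUITS = {
    ("it_business", "zone1_control", 502),   # historian polling Modbus/TCP in zone 1
    ("zone1_control", "it_business", 443),   # zone 1 hosts reaching the IT patch server
}


@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    proto: str


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the model is 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def evaluate(flow: Flow) -> str:
    """Return an 'ok: ...' or 'VIOLATION: ...' verdict for one flow."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return "ok: intra-zone"
    # A control zone should never talk directly outside the plant model;
    # this is the "console room talking to a football website" case.
    if src_zone in OT_ZONES and dst_zone == "external":
        return (f"VIOLATION: OT zone {src_zone} talking to external host "
                f"{flow.dst}:{flow.dst_port}")
    if (src_zone, dst_zone, flow.dst_port) in APPROVED_CONDUITS:
        return f"ok: approved conduit {src_zone}->{dst_zone}:{flow.dst_port}"
    return (f"VIOLATION: unapproved conduit {src_zone}->{dst_zone}:"
            f"{flow.dst_port}/{flow.proto}")


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated record: src dst dport proto."""
    src, dst, port, proto = line.split()
    return Flow(src, dst, int(port), proto)


def audit(lines):
    """Return (verdict, record) pairs for every flow that breaks the zone model."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        verdict = evaluate(parse_flow(line))
        if verdict.startswith("VIOLATION"):
            findings.append((verdict, line))
    return findings


# Constructed sample flow export (not real plant traffic).
SAMPLE_FLOWS = """
# src            dst              dport proto
10.1.3.20        10.1.3.5         502   tcp
10.100.7.9       10.1.3.5         502   tcp
10.1.3.20        10.100.2.40      443   tcp
10.1.3.20        203.0.113.10     443   tcp
10.100.7.9       10.2.8.11        3389  tcp
10.1.3.20        10.2.8.11        502   tcp
""".strip().splitlines()

if __name__ == "__main__":
    for verdict, record in audit(SAMPLE_FLOWS):
        print(f"{verdict}\n    {record}")
```

Run against the constructed export, the script reports three findings: a zone 1 host reaching an external address, an IT workstation opening RDP into zone 2 without an approved conduit, and zone 1 talking Modbus to zone 2 across a boundary that has no conduit defined. The first two approved cases pass because they match the conduit table, which is the point of the model: the table is the written-down answer to "is there a connection from here to there, and what is it for?"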