An Ounce of Prevention - Cybersecurity and The CPI
An Ounce of Prevention:
Cybersecurity and the CPI
As the frequency and sophistication of industrial cyberattacks continue to rise,
chemical companies can follow guidance from industry and government directives to
help define their organization’s specific cyber-risk profile
Matthew Baker and Rachel Ehlers
Baker Botts, L.L.P.

CHEMICAL ENGINEERING WWW.CHEMENGONLINE.COM JUNE 2022

IN BRIEF
THE RISE OF CYBERSECURITY CONCERNS
SPECIFIC RISK PROFILES FOR THE CPI
CYBERATTACKS IN THE CPI
INDUSTRY LAWS AND STANDARDS
THE OUNCE OF PREVENTION
KEY TAKEAWAYS

Cybersecurity risk is a key topic for all companies, due, in part, to recent high-profile incidents and a heightened focus from regulatory agencies. This is of particular importance to industrial sectors that use technology for automation, control and information storage. Critical infrastructure sectors have increasingly become the targets of cyberattacks and cyber espionage, and it is now even more imperative for organizations in the chemical process industries (CPI) to identify individualized cyber-risk profiles and ensure appropriate safeguards are in place relative to those risks. As the saying goes: an ounce of [cyber] prevention is worth a pound of [cyber] cure.

The rise of cybersecurity concerns

Though all industries face some degree of cyber risk, the chemicals sector carries unique vulnerabilities. Computer-based automated industrial control systems (ICS) are widely used by chemical plant owners and operators to manage and run their facilities. Malicious actors, be they nation states, business rivals or cybercriminals intent on blackmail, are deploying a range of tools — both new and old, common and extraordinary — to exploit vulnerabilities resulting from increased interconnectedness between operational technology (OT) and information technology (IT) systems (Figure 1).

FIGURE 1. The increasingly interconnected nature of CPI facilities and global enterprises can introduce potential vulnerabilities for cyber threats

Successful exploitation of these vulnerabilities can create business disruptions and inhibit the use of equipment. They can also result in the theft of proprietary information, such as chemical formulations, customer data or personal information, and ultimately cause significant damage — system damage, reputational damage or even physical damage or safety risks, depending on the process. Threat actors see CPI organizations as high-value targets precisely because of the potential cost, both financial and reputational, to the owner or operator should production stop or sensitive data be stolen.

Furthermore, although cyber incidents are becoming more sophisticated, the tools and tactics that attackers use to access systems remain relatively constant. Some of the most common attack vectors include: social engineering attacks, such as email phishing; exploiting unpatched software vulnerabilities; and compromising remote desktop protocols or other external-facing network ports. Nevertheless, a few troubling trends are emerging. For example, upon gaining access to a system, threat actors often spend considerable time dormant and undetected, often gaining intelligence on system architecture and preparing sensitive data for exfiltration. In recent incidents, threat actors have sold stolen data outright to competitors. In other cases, the threat actors use the data as leverage for a ransom payment.
At the same time, the current regulatory framework intended to support the CPI against cyberthreats is under question. Critics argue that the Chemical Facility Anti-Terrorism Standards (CFATS), the federal regulations specific to the chemicals sector (which have not been updated since their adoption in 2007), do not adequately reflect the current risk landscape.

For example, there is nothing in the CFATS addressing email phishing campaigns. In fact, a 2020 audit by the U.S. Government Accountability Office (GAO) found that chemical facilities are more vulnerable to cyberattacks simply because they are relying on the outdated regulatory guidance [1]. A key issue identified by the audit is the lack of an actual process or structure to routinely review the guidance and update to reflect the current threat landscape. Relatedly, a key component of the CFATS program is third-party inspection and oversight, but the GAO similarly found that inspectors did not have adequate cyber expertise or training to properly identify deficiencies.

Specific risk profiles for the CPI

The chemicals sector is an essential part of the nation’s infrastructure. As a result, owners and operators are a high priority for threat actors because of the perceived leverage in ransom demands due to high costs of production disruption or theft of sensitive data (Figure 2). Additionally, these types of attacks receive higher attention, which promotes the “Ransomware as a Service” business model that essentially sells malware to other groups.

FIGURE 2. Chemical companies can be attractive targets for cyberattacks because of the potential for high-value ransom demands, including the threat of production disruption or sensitive data exposure

In addition, CPI enterprises are becoming more automated, computer-dependent and interconnected. The sector has traditionally been slow to adopt new technological innovations, but digitalization measures are becoming more popular (for instance, digital twins of physical production assets and smart supply chains). Computer-based, automated ICS are widely used by chemical companies to manage and operate their facilities. Most CPI companies have internet-connected devices as part of their process-control systems to allow, among other things, instrument manufacturers to service devices remotely. These remote access points are a popular way for threat actors to gain access to a system. An added risk is the mixture of old and new equipment, which is common in CPI facilities. However, these technological modifications are often made incrementally, and there is not always a clear understanding of how updates in one area may affect other areas, which can lead to vulnerabilities.

Finally, the COVID-19 pandemic has created new cyber challenges for the sector. With the shift towards remote work and a distributed workforce across home networks and hot spots, company networks are spread wider than they have ever been, creating a host of vulnerabilities. As a result, there has been a correlative uptick in electronic messaging, which has led to an increase of phishing messages designed to look like official communications to persuade people to click on malicious links or enter credentials. Additionally, there are more platforms to allow interaction between remote experts and field personnel. And, as noted previously, some essential functions at the plant level, including service engineering, are now routinely done remotely through applications that are at risk of being compromised.

Despite these continued risks, organizations are also being asked to cut costs because of the economic downturn that has resulted from the pandemic. These cuts can have a substantial impact on operations, often requiring companies to choose between new initiatives to fund, potentially thwarting investment in preventative security.

Cyberattacks in the CPI

In 2017, one of the most well-known attacks in the CPI occurred, when a petrochemical facility in Saudi Arabia was attacked. The safety control systems that were in place to prevent a cyber intrusion were thought to be impenetrable. Fortunately, the attack was detected early, and the threat actor was unable to cause serious damage. Nevertheless, the potential for disaster was so great that the attack has been dubbed “the world’s most murderous malware” because experts believe the attack was designed by a nation state actor (probably Iran) to trigger an explosion at the facility.

In 2019, three large chemical manufacturers — Norsk Hydro, Momentive and Hexion — were victims of ransomware attacks [2, 3]. As a result of the attacks, the Norway-based global aluminum producer,