US petrochemical cyber security must be increased amid growing threats: analyst
U.S. petrochemical and energy companies need to include cyber security in their risk management strategy amid growing IT/OT threats, an industry analyst told Petrochemical Update.
“Everyone is at risk of cyber-attack. There are untargeted threats not directed toward you that can propagate wildly and targeted threats that are directed toward you. Because of the importance of this industry and its health and wellbeing, I believe it is at risk,” said Greg Conti, Director of Security Research at IronNet Cybersecurity.
The business of chemistry is nearly an $800 billion enterprise supporting nearly 20% of the U.S. GDP and accounting for 14% of U.S. exports, according to the American Chemistry Council. Chemicals are the largest exporter in the U.S., accounting for $184 billion in 2015.
Image: American Chemistry Council
Meanwhile, the world is racing to digitize everything, and while this creates efficiency, it is also a double-edged sword. Additional digital technology makes the industry more vulnerable for hackers to invade the industry’s supply chain and energy infrastructure.
“The supply chain is large and vulnerable. There is a myriad of examples of cyber-attacks targeting the supply chain. Malicious software can be found on products shrink wrapped from the factory for example,” Conti said. “We must work together and protect the commons collectively.”
Since late 2015, a group called Dragonfly has been targeting the European and North American energy sectors with “a new wave of cyberattacks that could provide attackers with the means to severely disrupt affected operations,” said Symantec IT security firm.
In addition, security firm FireEye identified four breaches in 2014, potentially giving Dragonfly access to targets such as power grid systems and manufacturing plants.
After an apparent two-year hiatus of sorts, Dragonfly appears ready for round two. Symantec has been able to track the group’s activity to organizations in the U.S., Turkey and Switzerland.
“The Dragonfly group appears to be interested in learning how energy facilities operate and gaining access to operational systems themselves, to the extent that the group now potentially has the ability to sabotage or gain control of these systems should it decide to,” Symantec said.
The energy sector has become an area of increased interest to cyber attackers over the past two years.
Disruptions to Ukraine’s power system in 2015 and 2016 were attributed to a cyber-attack and led to power outages affecting hundreds of thousands of people.
In recent months, there have been attempted attacks on the electricity grids in some European countries, as well as reports of companies that manage nuclear facilities in the U.S. being compromised by hackers.
“With mounting evidence of preparatory attacks against the energy sector, owners and operators of critical infrastructure cannot solely rely on governments to protect them — even though there is much that governments can and must do,” said Michael Bahar, the U.S. lead of the global Cybersecurity and Privacy team at Eversheds Sutherland law firm.
“Organizations within the energy sector must be more vigilant than ever if hacking groups like Dragonfly are to be kept out of both IT and industrial control systems.”
Companies must understand the threat environment to mitigate risk and include cyber security as a priority in risk management strategy planning, Conti said.
“If petrochemical and energy companies do not have an effective risk strategy, they are going to get caught by threats they did not prepare for. A strategy will help them make better choices,” Conti said. “I assume big players have an effective risk strategy in place. But the hope is that cyber security is linked to this strategy.”
The Center for Internet Security (CIS) lists a top 20 list of prioritized actions to protect organizations and datas from known cyber-attack vectors.
Image: Center for Internet Security
“If you don’t have the basic 20, you are at severe risk and need to begin now,” Conti said. “If you do these you have protected yourself from roughly 80% of the threats. The remaining 20% requires more specialty work such as isolating networks, employing tools to detech anomalous behaviors on networks, and conducting background checks on employees,” Conti said. “
Today's threats to an organization is much more evolved than a virus to a personal computer and requires that extra 20% Conti mentioned.
That 20% comes from behavioral analytics, understanding key security assumptions from an adversarial mindset, manual overrides, hiring the right security people, due diligence with new systems, and working together with others in the industry, Conti said.
“If I am doing something malicious, I will likely jump through a series of networked machines so we are measuring this type of movement with our analytics platform,” Conti said. “If the control system to an energy plant is hacked into, or an insider threat sets up a covert back door, we have systems in place to identify this suspicious activity."
Collectively protecting the commons the industry depends upon to thrive is an important piece to the puzzle. Conti and IronNet are currently working with four major energy companies to create a collaborative defense strategy. If one is being attacked, the other ones know and can prepare.
“We underestimate the potential of our nation’s threats. We are not paranoid enough. We need to study systems with an adversarial mindset,” Conti said. “A security conscious home owner can tell you how to break into their house because they know where the weak links are. This is your house so use an adversarial mindset and consider where your company is weak and where the threat would come in.”
Greg Conti will discuss cyber security risk management strategies at the Petrochemical Supply Chain and Logistics Event in Houston in December.
By Heather Doyle