Although I would like to take credit for displaying stellar planning skills, it’s actually through serendipity that this issue features two articles on cybersecurity. The articles, which focus specifically on the security of industrial control systems (ICSs), had already been edited when the WannaCry ransomware attack began on May 12. It was quite nerve-rattling to follow the breaking news of that global cyberattack while I was working on the layouts of those articles.
It appears that the attack affected primarily computers connected to corporate IT networks — which are distinct from process control system networks. Earlier attacks, including the Stuxnet worm that destroyed nuclear centrifuges in Iran in 2010 and a remote takeover of breakers at three electric power distribution companies in Ukraine by external actors in December 2015, targeted ICSs. Fortunately, chemical process industries (CPI) facilities seem to have been spared this time.
To protect against future attacks, all organizations, at a minimum, should implement basic IT best practices: Keep your operating system, security software, and other software up-to-date. Schedule your anti-virus and anti-malware software to automatically conduct regular scans. Scan incoming and outgoing email for threats; do not open email attachments from anyone you don’t know, and be especially wary of any that ask you to enable macros to view their content. Back up important data frequently, and store backup copies off-line.
In its report about the Ukrainian incident, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) offered these ICS-specific tips: Develop and exercise contingency plans that allow for the safe operation or shutdown of processes in the event that your ICS is breached. Isolate ICS networks from any untrusted networks, especially the Internet. Lock down all unused ports and turn off all unused services. Limit remote access functionality wherever possible; remote access should be operator-controlled, time-limited, and procedurally similar to lock-out/tag-out.
David Burg and Sean Joyce, cybersecurity advisors with Pricewaterhouse-Coopers, advise: “In the same way that you have developed advance plans for floods, fires, and other emergencies, prepare for cyberattacks before they occur. The plans should specify how you will respond if there is an attack and who will be accountable for which aspect,” they say.
What can you do? In our first article (pp. 26–29), Michael Firstenberg of Waterfall Security Solutions explains a matrix-based approach to identify the combinations of potential attack scenarios, consequences, and risks that require mitigation and the ones you are willing to accept. In the second article (pp. 30–33), Ursula Malczewski and Amy Theis of Fauske & Associates present prevention and mitigation strategies and offer recommendations for incorporating industrial cybersecurity into an existing process safety management program.
The Center for Chemical Process Safety (CCPS) is considering a project on cybersecurity. If you would like to provide input on this topic, urge your employer to become a member of CCPS if it is not already. If it is, let your organization’s representative to the CCPS Technical Steering Committee know that you think this is an important topic to work on.
The U.S. Dept. of Homeland Security (DHS) and the Chemical Sector Coordinating Council (SCC) are co-sponsoring the 11th annual Chemical Sector Security Summit the week of July 17 in Houston, TX. For information, visit www.dhs.gov/chemical-sector-security-summit or contact email@example.com.
Would you like to reuse content from CEP Magazine? It’s easy to request permission to reuse content. Simply click here to connect instantly to licensing services, where you can choose from a list of options regarding how you would like to reuse the desired content and complete the transaction.