Incorporate Cybersecurity into Your PSM Program

June 2017

This article is based on a poster presented at the 2017 AIChE Spring Meeting and 13th Global Congress on Process Safety, San Antonio, TX, March 2017.

Here are some prevention and mitigation strategies for three common types of industrial incidents — a network breach, an insider attack, and infection via a portable device — and recommendations for incorporating industrial cybersecurity into an existing process safety management (PSM) program.

Cybersecurity has been in the headlines a lot recently, and breaches have affected everything from credit card data and personal health information to national elections. An analysis of cyberattack and incident data found that in 2015, manufacturing was the second-most-targeted industry (Figure 1); within manufacturing, chemical manufacturers were the second-most-targeted subcategory. Almost half of the security incidents involved unauthorized access (Figure 2) (1).

Figure 1. Manufacturing was the second-most-attacked sector in 2015. Source: Adapted from (1).

Figure 2. Unauthorized access accounted for almost half of the cybersecurity incidents reported in 2015. Source: Adapted from (1).

The U.S. Dept. of Homeland Security (DHS) regulates security at chemical facilities through the Chemical Facility Anti-Terrorism Standards (CFATS) and the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014 (2). DHS has so far identified more than 37,000 facilities with chemicals of interest (COI) that will be assessed further for security — including cybersecurity — vulnerabilities (3). Facilities ranked as high risk are required to evaluate, and if necessary improve, their security and will be subject to periodic inspection.

Process plants need to ensure that adequate safeguards are in place for a variety of upset conditions, including cybersecurity attacks that can result in loss of product, damage to equipment, downtime, and potential safety and environmental disasters (1). A cyberattack can infiltrate a process plant and wreak havoc on an industrial control system (ICS) — taking over the handling of hazardous chemicals, changing setpoints, disabling interlocks or cooling, etc., any of which could have serious, even catastrophic, consequences. Some attacks are designed to commit commercial fraud — for example, to compromise meters and cause them to register incorrect product transfers (i.e., more or less product, depending on which party is intended to benefit). Security breaches are also carried out for corporate sabotage to cause a competitor to lose money — by stealing intellectual property, causing unscheduled downtime and loss of product, or creating bad publicity and tarnishing a company’s public image (4).

This article examines three industrial incidents that employed common means of attack — a network breach, an insider attack, and a portable storage device. It discusses corresponding mitigation strategies and recommends next steps for incorporating industrial cybersecurity into an existing process safety management (PSM) program.

Network breach

The German Federal Office for Information Security investigated a 2014 cybersecurity attack on a German steel mill in which extremely skilled hackers used spear phishing and social engineering techniques to target employees via email. Social engineering refers to psychological manipulation to get people to perform an action or divulge confidential information. Spear phishing is one social engineering technique whereby highly customized emails are sent to a few individuals.

Once the attackers had penetrated the facility’s office network, they were able to gain access to the plant’s ICS network and caused several...

Author Bios: 

Ursula Malczewski

Ursula Malczewski is a process safety engineer at Fauske & Associates, LLC (FAI; Burr Ridge, IL; Email: malczewski@fauske.com). Her responsibilities include consulting for a variety of process safety hazards involving combustible dusts, flammable materials, toxic substances, and/or reactive chemicals. Her experience includes facilitating and supporting process hazard analyses (PHAs), performing combustible dust hazard analyses (DHAs), and providing risk reduction strategies tailored for each specific customer’s needs. She received her BS in...

Amy E. Theis, P.E.

Amy E. Theis, P.E., is the Director of Onsite Safety Services at Fauske & Associates, LLC (FAI; Burr Ridge, IL; Email: theis@fauske.com). In her current role, she is responsible for coordinating all onsite risk management projects for a variety of safety hazards, such as combustible dust, flammability, chemical process safety, and reactive chemicals. Her areas of expertise include facilitating and supporting PHAs, performing dust hazard analyses (DHAs) according to relevant National Fire Protection Association (NFPA) standards, and managing the...
