A Google search for “cybersecurity wake-up call” turns up more than 2 million hits; adding “industrial controls systems” narrows the search to a bit under 300,000 hits. So I hesitated when I wrote that headline, because I don’t want to come across as crying wolf. But it truly does convey the message I want to get across.
After editing two articles on cybersecurity and writing a related editorial for the June 2017 issue, I have remained interested in this topic. Several events within a recent two-week period piqued my interest further.
In this issue’s Profile column (p. 18), Steve Elwart, director of systems engineering at Ergon Refining, shares his thoughts on the changing landscape of automation. A disadvantage of the technological growth in refining is that companies are now at greater risk of cyberattacks. Many of today’s control systems were installed years ago, when cybersecurity risks to industrial control systems (ICS) were not as widely recognized. “The challenge is to secure these systems,” he says. “Now, a cyber breach causes economic damage, not physical damage,” says Elwart. “This is changing, though, and we are entering a time when a cyberattack could put people and equipment at risk.”
As I began writing this editorial, The New York Times ran two stories (on the same day) that I found particularly unsettling. One reported on an alert issued by the U.S. Dept. of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) about Russian government cyber activity targeting energy and other critical infrastructure sectors, including nuclear power plants and water and electric systems. The alert characterizes the activity as a multistage intrusion campaign against commercial facilities’ networks through which the intruders staged malware, conducted spear phishing, and gained remote access into energy sector networks. After obtaining access, they conducted network reconnaissance and collected information pertaining to the industrial control systems.
The other story reported that in August, “a petrochemical company with a plant in Saudi Arabia was hit by a new kind of cyberassault … meant to sabotage the firm’s operations and trigger an explosion.” The paper said that investigators have been tight-lipped about the attack and still won’t identify the company or the country where it is based, but I did a little online research and turned up an article on Foreign Policy magazine’s website that named Saudi Aramco as the victim.
Dragos, Inc., an industrial cyber threat consultancy, recently issued three research reports on ICS threats and vulnerabilities. It says the August attack, known as TRISIS, was a specifically targeted program designed to upload new ladder logic within the memory of a particular safety instrumented system (SIS). “By targeting SIS, an adversary can achieve multiple, potentially dangerous impacts, ranging from extensive physical system downtime to false safety alarms, physical damage, and destruction.” Although TRISIS itself is not directly applicable to other systems, it has “created a blueprint for adversaries to follow concerning SIS attacks. This is not bound to any specific vendor” and other vendors “maturely and rightfully stated that similar styled attacks could equally impact their products. Furthermore, the very extension of ICS network attack to SIS devices sets a worrying precedent as these critical systems now become an item for adversary targeting,” the Dragos report states.
Coincidentally, while I was researching this topic, AIChE Fellow Joeseph Touhill just happened to call me to discuss the book he coauthored (with his son Greg), Cybersecurity for Executives: A Practical Guide (which is published by the AIChE/Wiley imprint). This is a good starting point for not only C-suite executives, but also others with leadership and managerial responsibilities. It explains how to recognize and act upon cybersecurity threats, how to manage risk, and how to recover when a cyber incident occurs.
You can learn more about cybersecurity at the 2018 AIChE Spring Meeting and Global Congress on Process Safety. Andrew Lenzen, a special agent with the Federal Bureau of Investigation, kicks off the cybersecurity events as the luncheon keynote speaker on Monday, April 23. That’s followed by three sessions in the technical program: educating the chemical engineering workforce on cybersecurity (Monday, 1:30–3:00 pm); facility security (Tuesday, 1:30–3:00 pm); and a panel discussion on cybersecurity (Tuesday, 3:30–5:00 pm). I hope to see you there.
Would you like to reuse content from CEP Magazine? It’s easy to request permission to reuse content. Simply click here to connect instantly to licensing services, where you can choose from a list of options regarding how you would like to reuse the desired content and complete the transaction.