This is an extended version of the editorial that appeared in the November 2019 issue of CEP
When a chemical engineer thinks about risk in a plant or facility, the first few things that come to mind may be chemical releases, overpressure and explosion, runaway reactions, natural disasters, or human error. Cyberattack may not even make the top ten considerations (even though it can actually cause several of these safety incidents). As the frequency and severity of cyberattacks grow, cybersecurity is taking center stage.
Companies in the chemical process industries (CPI) are recognizing the critical need for robust cybersecurity programs. “Cybersecurity affects every aspect of our life,” says Katerina Goseva-Popstojanova, a computer science professor at West Virginia Univ. (WVU). “From banking to shopping to social media, even physical infrastructure such as water pipes and the power grid — it’s all on the network. Raising awareness is important because people still fall for engineered attacks as small as email scams.”
This month’s Critical Issues article on pp. 35–39 makes a case for more-comprehensive cybersecurity training for both students and chemical engineering professionals. The article addresses some of the programs and organizations that are closing the immense talent gap in this field.
Although cybersecurity incidents can feel somewhat abstract to engineers who are not accustomed to dealing with IT systems, it is critical for every employee of an organization to have some cybersecurity training.
AIChE has an established IT workstation policy that is widely available to employees through our company intranet. One of the goals of the policy is to minimize security risks by managing the IT operating environment. For example, to ensure protection from malware and viruses, employees are forbidden from installing new software on workstations without IT approval and involvement. The policy warns employees not to insert storage media (e.g., USB drives, CD, etc.) of unknown origin into an AIChE computer.
The IT department frequently holds best practice conversations at all-staff meetings. One recent topic of discussion is the mandatory upgrade of all AIChE workstations from the Windows 7 operating system to Windows 10. “Cybercrime is on the rise and even one vulnerable system puts the entire organization at risk. Windows 7 will stop receiving security updates and become vulnerable after Jan. 14, 2020, so we are encouraging colleagues to prioritize upgrading their workstation to Windows 10,” says Amit Gupta, Chief Information Officer of AIChE.
Without regular security updates, systems running Windows 7 will be easy targets for hackers. Although this may be disheartening to those people who have become accustomed to the user interface offered by Windows 7 — which has been around for more than a decade — it is hardly a surprise. Microsoft has been encouraging its Windows 7 users to upgrade to Windows 10 for years; after all, Windows 10 launched back in 2015.
“Windows 7 was the version of Windows most widely affected by WannaCry, which locked up around 300,000 PCs in May 2017. Without patches, Windows 7 will in the future be vulnerable to bugs like the recently disclosed ‘wormable’ BlueKeep bug and several more that Microsoft patched in August,” writes Liam Tung in an article on ZDnet.com.
Recent reports from Netmarketshare suggest that Windows 7 is still being used on more than 35% of all PCs. That translates to millions of computers. The continued widespread use of Windows 7 is concerning, and experts predict that another attack on the scale of WannaCry is looming for those that do not heed the call to upgrade.
The AIChE IT Dept. has an established process for upgrading all staff computers and they are set to have all workstations upgraded by the January deadline. Fortunately, CEP staff primarily work on MacBooks (which are better suited for manipulating figures and layouts), so we haven’t been affected directly by the mandatory upgrade process.
Chances are, some of you reading this are still using a PC running Windows 7. Just as chemical companies are now taking cybersecurity more seriously, it’s time that we as individuals take cybersecurity more seriously. That begins with setting and updating longer and more-complex passwords, recognizing the signs of social engineering, and thinking twice before downloading or opening suspicious email attachments.
And, for those of you still on Windows 7, you may want to think about an upgrade.
Emily Petruzzelli, Managing Editor
Would you like to reuse content from CEP Magazine? It’s easy to request permission to reuse content. Simply click here to connect instantly to licensing services, where you can choose from a list of options regarding how you would like to reuse the desired content and complete the transaction.