The chemical sector encompasses more than 70,000 diverse products that are critical to the modern global infrastructure. Several thousand chemical facilities ship, manufacture, deliver, or store these products every day in the US alone. Security in this sector becomes imperative to public safety because of the potential safety and storage issues associated with dangerous chemical products.
The advancement of technology and the proliferation of IoT have swept over this sector. Automation has been folded in to make production and containment faster, easier, and safer for employees, but security upgrades haven’t kept up with the advancements. The sector touches many other critical infrastructure sectors, such as agriculture, water and wastewater, government facilities, nuclear, and more.
The deeper we get into critical infrastructure sectors, the more apparent it becomes that they’re all interwoven and interconnected. If one falls, the whole structure suffers and could be threatened with collapse.
70% of chemical organizations rely on operational technology (OT) systems that are between 6 and 20 years old, with 30% between 11 and 20 years old. A whopping 74% say that their OT/ICS environments are accessible from corporate networks, leaving them increasingly vulnerable to cyberattacks. Furthermore, these systems are rarely updated with firmware or other security advancements, making the lack of foresight look almost negligent.
Chemical companies follow the cybersecurity guidance released by the Chemical Facility Anti-Terrorism Standards (CFATS) program in the US. Unfortunately, these regulations haven’t been updated since 2008. In an ever-evolving threat landscape, having a system that is over a decade old makes these companies incredibly vulnerable and an attractive target for cyberattacks. The fact that thousands of US chemical facilities rely on badly outdated cybersecurity guidance leaves the public vulnerable to attacks that could cause chemical leaks or explosions, as well as financial and economic repercussions.
What are the risks of leaving things as-is?
Cybersecurity risk management is never a one-and-done sort of thing. Instead, it requires active management, adjustments, and education about the newest and latest threats. Although the chemical sector has more experience and a long history of creating a culture of safety and conscientiousness, this culture is mainly enforced by regulatory requirements. Some apply security risk management strategies outside of regulatory requirements through the collaborative efforts of professional and industry trade associations, individual chemical companies, and national laboratories, but they are not the majority.
The biggest threats in this sector come from a few critical situations and vulnerabilities.
Firstly, insider threats. A lack of situational awareness, cyber-forward thinking, and cyberculture leaves chemical companies exposed to all kinds of threats. With internal threats, the damage doesn’t even have to be intentional. It could be an employee accidentally clicking on a phishing link or connecting an outside computer to the system that gives bad actors a chance to infiltrate the system.
Secondly, cyber threats. With a regulatory guide over a decade old, cyber systems in the chemical sector face various risks. Most chemical companies have internet-connected devices as part of their process control systems. This allows instrument manufacturers to service their devices remotely and allows for further automation of tasks. Although convenient to most plant management, it leaves the system open for hackers to infiltrate through instrument updates or weak security practices. Bad actors taking control of the systems that operate a chemical plant could have catastrophic consequences, as an incident at an oil refinery in Saudi Arabia has shown.
An oil refinery in Saudi Arabia suffered a malware attack from an unknown entity. Unfortunately, the file that an employee downloaded looked legitimate, and it managed to infiltrate the refinery’s emergency shutdown processes. Luckily, the entity made their own mistakes in the code, which shut down the entire plant instead of causing an explosion as it was intended to do.
Thirdly, natural disasters and extreme weather. Many oil refineries and other chemical refineries are located in hurricane- or disaster-prone areas. Hurricane Harvey hit many in 2017 when the storm rocked the southeast coast of the US, causing oil and gas spikes, loss of production, and loss of equipment. Power outages are common in storms, which may affect employees and production for weeks or even months.
So what can the chemical sector do moving forward to proactively manage the new and ever-evolving threats coming its way?
The solution is simple
While age doesn’t necessarily mean the current CFATS guide is unusable, it lacks a lot of crucial information for modern threat management that leaves chemical companies in the dark when it comes to recent threats. For example, when it was created in 2008, phishing wasn’t a concern for most. But in 2021, it is one of the most prevalent attacks across all sectors. There are no guidelines in CFATS to help manage phishing attacks on an employee or company level.
It’s no secret that critical infrastructure updates move at a snail’s pace (although the new Biden Executive Order is trying to address that), but there needs to be a more modern way of dealing with threats that can guide vulnerable refineries. Security experts have been recommending that chemical plants update their cyber risk management plans since 2015. But these sorts of updates require a considerable investment from companies, and many are reluctant to take on the costs. There hasn’t been a terrorist or deliberate attack on a chemical facility in the US yet, and many are unwilling to invest the money into updates because there hasn’t been a precedent set.
However, even then, that might not be enough. For example, 136 inspectors were tasked with ensuring facilities comply with regulations, but it’s the blind leading the blind as there’s not enough awareness, education, or opportunity for the inspectors to point out critical failings in cyber risk management. In addition, the inspectors need more training to help guide chemical facilities into a more modern age of defending against cyber threats.
It’s also been recommended that chemical plants separate their OT and IT systems so that if one fails, it doesn’t affect the other and cause a cascading failure. Furthermore, chemical companies can use frameworks like NIST or ISO 27001 to further defend their systems against attack. This could also encourage plant engineers to bridge the gap with IT professionals. For example, if more communication happened between departments, even with a systems divide, security professionals could better understand the daily threats associated with running the plant. Likewise, the engineers could better understand the outside threats they all must face together.
If a vulnerability exists, it will be exploited. It’s impossible to predict every threat or vulnerability in a global market, but taking a risk-first approach to cybersecurity and participating in a sector-wide cyberattack information database can go a long way in mitigating further significant attacks in this sector. In addition, there needs to be more attention to updating practically ancient OT and IT systems to avoid more disastrous attacks that could threaten the public’s safety.