Cybersecurity in the Chemical Industry: From Operations to IT, Collaboration is Key
Seated on the ballroom stage in an Orlando hotel were cybersecurity experts representing three petroleum and chemical industry heavyweights. The panelists helped kick off the opening day of the ARC Industry Leadership Forum on Feb. 6 with a candid discussion about the cybersecurity challenges their organizations face and the strategies they’re deploying to protect themselves.
Several themes emerged from the nearly 90-minute discussion, including the need to balance cybersecurity with digitalization goals, develop a clear IT governance structure and increase IT/OT collaboration. For chemical manufacturers, cybersecurity is much more than a financial consideration. It’s a safety issue. And safety is a core component of operational excellence.
“Most companies have some form of operational excellence philosophy, program, some established way that they measure their excellence against both their competitors and internally, and I think one of the most important things you can do in this space is to make sure that security is part of that excellence metric,” Kenny Mesker, enterprise OT cybersecurity architect at Chevron Corp., told ARC forum attendees.
In a 2021 IndustryWeek technology survey, cybersecurity — along with artificial intelligence/machine learning, enterprise software, e-commerce and the internet of things (IoT) — ranked among the top technologies that benefit manufacturers’ businesses the most financially.
But technology is only one element of an effective cybersecurity strategy. Adapting to evolving threats requires a team approach built on governance, policies, training and cross-departmental collaboration.
First Step is Accepting Cyber Risks
Historically, the chemical sector lags behind other industries when it comes to digitalization, but that trend is changing. In 2022, 30% of chemical companies indicated the digital transformation would be “disruptive,” and 35% said it would be “revolutionary” in the next three years, up from 10% and 33%, respectively, in 2020, according to Ernst & Young’s (E&Y) DigiChem 2022 survey.
When asked what challenges they face related to implementation, security concerns nearly tied technical infrastructure as the top barrier, E&Y reports. The chemical industry has reason to worry. If hazardous chemicals get into the hands of the wrong people or safety systems are compromised, they face potentially disastrous consequences.
Consider the 2021 Colonial Pipeline ransomware attack.
"We don’t want to go too cyber secure where we erode the value of the business opportunity — so that balance of what’s the fit-for-purpose/fit-for-risk approach is something that we’re continuously evaluating, and we utilize our governance capabilities to make sure that we’re acting on informed decisions.” – Richard Eckhart, industrial IT cybersecurity manager at Exxon Mobil Corp.
Hackers gained access to the company’s system on April 30, 2021. They lurked inside the network for 10 days — more than enough time to put safety systems at risk, steal 100 gigabytes of data and demand a $4.4 million ransom, Klint Walker, a cybersecurity adviser for Region IV of the Cybersecurity and Infrastructure Security Agency (CISA) explained during the ARC forum. The breach also rippled through the supply chain, leaving airplanes and emergency vehicles without fuel and diverting hazmat drivers from the chemical and industrial sectors to deliver gasoline. This cascade of misfortune has reputational consequences for manufacturers, which should motivate leaders to prioritize cybersecurity as a strategic imperative.
Considering what’s at stake, you can’t blame executives for wanting some guarantees that their systems are safe. But in the Industry 4.0 era (or, now, Industry 5.0) of hyper-connected operations, that’s not possible. In his role, Chevron’s Mesker says he has spent the past five years refocusing conversations with executives around cyber risks rather than assurances. “What's keeping them up at night is usually some sort of impact picture, some sort of catastrophic event,” he explains. “Some sort of reputational impacting event, some sort of financial impacting event. And I've had this conversation time and time again – that's not risk. That's just the impact part. That will never go away. You can spend a trillion dollars on cybersecurity, and that picture won't go away.”
Patrik Boo, commercial portfolio manager for cybersecurity services at ABB Energy Industries, agrees, saying “zero risk is never going to happen. It doesn’t matter how much money you throw at the problem.”
Instead, chemical manufacturers need to ask what risks they are willing to accept and conduct scenario planning, Boo explains. For example, a breach that puts a less-critical system out of service for a short time might be more acceptable than an attack that leads to an extended plantwide shutdown.
Cybersecurity experts, engineers and business leaders need to collaborate during the digitalization planning process to balance results with security, Richard Eckhart, industrial IT cybersecurity manager at Exxon Mobil Corp., told ARC attendees.
“We don’t want to go too cyber secure where we erode the value of the business opportunity — so that balance of what’s the fit-for-purpose/fit-for-risk approach is something that we’re continuously evaluating and we utilize our governance capabilities to make sure that we’re acting on informed decisions,” he explains.
At Exxon Mobil the engineering, operations and IT organizations are all part of the company’s cybersecurity governance process, which specifies accountability within an organization for mitigating risks, Eckhart says.
Know What You’re Protecting
A chemical plant's complexity poses challenges for identifying critical assets and systems that need protection. Industrial plants need to know all of their operational technology (OT) assets, says Eric Byres, chief technology officer with aDolus Technology Inc., a provider of solutions for monitoring software risks in OT supply chains. “This applies to every single OT device that contains a chip or software: What is the model and version and where on the network is it located?” Byres notes.
The second part is knowing what type of software or firmware the assets use, including the open-source components bundled in by the developer, Byers shares. “If you don't know what's in your OT equipment, the bad guys will figure it out for you,” he cautions. “They're going to pick a package or an open-source component, like Log4j, that they know is poorly secured and try to see if your company uses it. They don’t need to map your entire network, though they might try. Instead, they're going to look for what's vulnerable and exploit that.”
While that process may seem self-evident, many industrial companies lack a sufficient understanding of their asset inventory and connectivity level, says Nathalie Marcotte, a senior vice president at Schneider and the company’s president of process automation. “I mean, it's still quite surprising how many are still at the asset inventory level and trying to understand their OT assets and ‘what is my asset inventory’ before they even go further with cybersecurity,” Marcotte says.
The Defensible Architecture
Digital policy frameworks should help organizations implement new technologies without sacrificing security, Glenn Aydell, BASF’s team lead for industrial networking and automation security told ARC forum participants. “Create a defensible architecture, and evaluate whether the new whatever it is going to put that defensible architecture at risk, and in most cases, you can find a solution that does not increase the risk to your environment,” Aydell advises.
ISA/IEC 62443 is a security standard for process plants that serves as a foundation for defensible architectures, notes Byres. The standard includes a concept called zones and conduits, which specifies that plants should divide their facility into operational zones and then decide how they’re going to connect them. This model helps prevent a single infected device from shutting down the entire plant.
“Some companies have a few large switches that connect absolutely everything in the process,” Byres says. “That is a bad strategy because there is no segregation of operation. If an attacker or malware manages to get access to even one unimportant computer anywhere in the plant, then they soon have access to everything.”
Instead, a zone model prevents uncontrolled access by segmenting parts of the plant. A common configuration might include separate switches going to each zone with a firewall between them to monitor and control the traffic flow, Byres suggests.
ISA/IEC 62443 and similar architectures, such as the Purdue Model, can serve as a security guideline for manufacturers embarking on a digital transformation, says Carlos Sanchez, senior director of operational technology for cybersecurity solutions provider Fortinet Inc. The standard includes a series of architecture models on how to tier a network, create micro segmentation and how to enable password security, he says.
ISA/IEC 62443 also includes maturity levels. Ideally, industrial organizations should strive to reach at least Level 2, stresses Dee Kimata, director, cybersecurity offer management, Schneider Electric. At that level, “some of the core controls include things like patch management, hardening, backup and restore, endpoint protection, asset inventory, and those sort of basic controls that you hear a lot about,” she adds.
Exxon Mobil uses elements of ISA/IEC 62443 and combines them with the company’s overall corporate security and control policy, Eckhart says. The company’s operations business, engineering department and IT all partner to maintain that standard across the organization, he divulges.
Similarly, BASF aligned its OT cybersecurity policy directly with ISA/IEC 62443 about 10 years ago, Aydell says. About five years ago, the company moved ownership of the policy to a corporate center, so it applies across the board to both IT and OT, he adds. “So that's an attempt to bring that stuff together under one organization as opposed to the tension between the various organizations when it comes to the actual policy,” he explains.
As part of its digital transformation, Chevron created the Chevron Technology Center, which brings together IT, OT and engineering, reveals Mesker. “[We’ve] literally fused the silos together. And at that point, the collaboration opportunities are ridiculous. And there is so much that both groups can learn from together,” says Mesker.
3 Keys to Evaluating Cybersecurity Gaps
While understanding basic cybersecurity defenses is essential, chemical manufacturers will likely need to invest in some additional security technologies to close security gaps. But before implementing any new security technologies, it’s important to conduct an assessment.
1. Ask vendors for help: Schneider Electric first looks at what a client is trying to optimize with their digital investments and then works on a roadmap using input from the cybersecurity team, says Dee Kimata, director, cybersecurity offer management, Schneider Electric.
2. Check for dependencies: Evaluate how systems interact with each other to determine the impact on operations if something is compromised, says Eric Byres, chief technology officer with aDolus Technology Inc. “To be secure, chemical facilities need to have determined in advance what would happen to other systems if a security event impacts a single system,” Byres says.
3. Look for site-specific risks: Exxon Mobil assesses risk based on the type of facility, says Richard Eckhart, industrial IT cybersecurity manager at Exxon Mobil Corp. For example, the company’s unconventional upstream business in a populated area will have different risk factors to consider than an offshore oil platform, he says.
Don’t Fail Cybersecurity 101
It’s easy for organizations to get infatuated with the latest high-tech cybersecurity offerings on the market to address security gaps, but those technologies don’t necessarily provide value for manufacturers.
“This industry is phenomenal at managing risk and accepting risk, but we also can, sometimes when it comes to cybersecurity, get focused on deploying too many widgets, deploying too many capabilities,” Eckhart warns. “Now, that increases cost and complexity, and it may not be reducing actual risk. It may feel better, but it may not actually be producing, so just be cautious.”
Cybersecurity doesn’t have to be overly complex, Boo emphasizes. He cites antivirus or malware protection, installing a backup system that’s separate from the company network, and prohibiting employees from downloading applications on business computers as some basic measures chemical companies can take to protect themselves.
In the case of Colonial Pipeline, multifactor authentication could have helped prevent that incident, Walker elaborates. The attackers stole a password from a former employee who was using the same code to gain access to Colonial Pipeline’s VPN. It’s also important to limit physical access to control systems, adds Sanchez.
“In some instances, and I have done this myself, [you can] walk into a chemical or a manufacturing plant, and they just let you in,” he says. “There’s all the network gear; it’s there on a cabinet. They open the cabinet, and it’s not locked, so physical security is still an issue, believe it or not.”
Cybersecurity Workforce Readiness
Technologies are evolving to help manufacturers monitor and evaluate their risk exposure. In recent years, vendors have introduced platforms or services that streamline visibility.
But technologies and policies rely on people to ensure they are effective. Many experts say unwieldy solutions will likely discourage use, putting the company at risk. “You can spend millions of dollars on security, identity management, two-factor authentication, firewalls, switches and all that… and then you find a guy that doesn’t like the way you told him to do it, and he’ll find a way around it,” warns Sanchez. “Find the laziest person in the bunch, and he’ll figure out a way to make it easy on themselves.”
To combat this issue, Schneider Electric’s staff undergo rigorous training before they’re allowed to touch any customers’ systems, Marcotte says. “And if you’re not trained or you didn’t do your certification, you no longer have access to your computer,” she adds.
Cybersecurity often comes down to basic awareness of acceptable workplace behaviors, and organizations can use technology as a reinforcement tool.
“For example, these systems can warn you that your console room is now talking to a football website on the internet,” Byres illustrates. The culprit, says Byres, could be a plant worker checking football scores on a factory-floor console.
It’s basic security, but surprisingly many people still don’t understand what’s acceptable, cautions Marcotte.
“We have new employees coming in by the hundreds, so every year we do reinforcement; we retrain our people,” she explains. “But that has to happen at our customer, as well. It’s something that I think is really key, and it’s a never-ending story, unfortunately."