The expanding use of digitalization tools at chemical process industries (CPI) facilities, coupled with the ongoing convergence of operational technology (OT) systems with traditional computer information technology (IT) systems, has increased plant cybersecurity risks. All plant personnel play a role in preventing negative impacts from cyberattacks. This one-page reference* aims to increase cybersecurity awareness among those without day-to-day cyberdefense roles.
Primary cyberthreat actors
CPI facilities should be concerned primarily with cybersecurity threats from three groups.
- Cybercriminals: These individuals or groups aim to exploit vulnerabilities for financial gain, often through ransomware attacks or theft of intellectual property
- Hacktivists: Hacktivists pursue ideological or political motives and may attempt to disrupt operations or damage an organization’s reputation to further their cause
- Nation-state actors: State-sponsored hackers may engage in cyber-espionage, sabotage or disruptive attacks targeting critical infrastructure for strategic and political purposes
Common cyberattack types
The following summarizes common classes of cyberattacks:
- Spear-phishing: Targeted phishing emails aimed at specific individuals or departments to trick them into revealing sensitive information or clicking on malicious links
- Ransomware: Malware that encrypts a victim’s data, making it inaccessible until a ransom is paid; many ransomware groups also steal data before encrypting it and threaten to publish it, and paying does not guarantee that data or systems will be recovered
- Distributed denial of service (DDoS): Overwhelming a target system or network with a flood of traffic to disrupt its normal operation
- Insider threats: Malicious actions or unintentional mistakes by employees or contractors that compromise the organization’s security
- Man-in-the-middle (MITM) attacks: Intercepting, and possibly altering, communications between two parties in order to steal credentials or other information or to manipulate the data being exchanged
- Zero-day exploits: Exploiting vulnerabilities that are unknown to the software vendor, or for which no patch yet exists, so that defenders have had no opportunity to fix them
- Supply-chain attacks: Compromising a trusted vendor, software update or service provider in order to reach the organization’s systems through that trusted relationship
Cyberdefense strategies
CPI facilities can follow these cyberdefense strategies to enhance their cybersecurity posture:
- Risk assessment: Perform regular risk assessments to identify vulnerabilities, threats and critical assets to prioritize security efforts effectively
- Security training: Provide comprehensive cybersecurity training to all personnel to raise awareness and build a security-conscious culture
- Network segmentation: Implement proper network segmentation to limit attackers’ lateral movement within the network and contain breaches; in particular, separate OT networks from corporate IT networks and route any data that must cross that boundary through a demilitarized zone (DMZ) rather than allowing direct connections
- Patch management: Maintain a robust patch-management process to address known vulnerabilities promptly; patches for control systems often require vendor qualification and testing and must be scheduled around production, so apply compensating controls (such as tighter network isolation) wherever a patch cannot be applied immediately
- Access control: Enforce strict access controls, including strong authentication mechanisms such as multifactor authentication for remote access, so that access to sensitive systems and data is limited to those who need it
- Incident response plan: Develop and practice a well-defined incident response plan to respond swiftly and effectively to cyber-incidents
- Continuous monitoring: Implement continuous monitoring solutions to detect anomalies and potential threats in real time
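The segmentation and continuous-monitoring items above say what to do but not how a monitoring tool would tell permitted traffic from prohibited traffic. The following is an added example, not part of the original column or of the contributor’s material: a small Python audit that checks network flow records against a zone-and-conduit policy of the kind used to separate enterprise IT, a DMZ, the control network and the safety system. The zone names, address ranges, allowed ports, and the flow-record format are all assumptions made for the example, and the sample records are constructed, not real plant data.

```python
"""Audit flow records against an IT/OT zone-and-conduit policy (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional
import re

# Hypothetical zone layout for a plant. The address ranges are assumptions
# made for this example, not values from the column.
ZONES = {
    "enterprise": ip_network("10.1.0.0/16"),  # corporate IT
    "dmz":        ip_network("10.2.0.0/24"),  # IT/OT demilitarized zone
    "control":    ip_network("10.3.0.0/24"),  # DCS/PLC network
    "safety":     ip_network("10.4.0.0/24"),  # safety instrumented system
}

# Allowed conduits between zones: (src_zone, dst_zone) -> permitted ports.
# Traffic that stays inside one zone is allowed; any cross-zone flow not
# listed here is a policy violation. Ports are assumptions for the example.
CONDUITS = {
    ("enterprise", "dmz"): {443},  # users reach the DMZ historian over HTTPS
    ("dmz", "control"):    {502},  # DMZ historian polls PLCs over Modbus/TCP
}

# Assumed flow-record format: "... src=A.B.C.D dst=A.B.C.D dport=N ..."
FLOW_RE = re.compile(r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)")


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def zone_of(addr: str) -> str:
    """Map an address to its zone name, or 'unknown' if it is in no zone."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def check_flow(line: str) -> Optional[Finding]:
    """Return a Finding if the flow breaks the policy, else None."""
    m = FLOW_RE.search(line)
    if not m:
        return Finding(line, "unparseable flow record")
    src_zone, dst_zone = zone_of(m["src"]), zone_of(m["dst"])
    dport = int(m["dport"])
    if "unknown" in (src_zone, dst_zone):
        # An address that belongs to no defined zone is itself an anomaly.
        return Finding(line, f"address outside every defined zone ({src_zone} -> {dst_zone})")
    if src_zone == dst_zone:
        return None
    allowed = CONDUITS.get((src_zone, dst_zone))
    if allowed is None:
        return Finding(line, f"no conduit defined for {src_zone} -> {dst_zone}")
    if dport not in allowed:
        return Finding(line, f"port {dport} not permitted on {src_zone} -> {dst_zone}")
    return None


def audit(lines):
    """Run check_flow over every record and return the list of findings."""
    return [f for f in (check_flow(l) for l in lines) if f is not None]


# Constructed sample flow records (not real plant data).
SAMPLE_FLOWS = [
    "2024-05-01T08:00:01 src=10.1.5.20 dst=10.2.0.10 dport=443 proto=tcp",   # allowed
    "2024-05-01T08:00:02 src=10.2.0.10 dst=10.3.0.15 dport=502 proto=tcp",   # allowed
    "2024-05-01T08:00:03 src=10.3.0.15 dst=10.3.0.16 dport=502 proto=tcp",   # same zone
    "2024-05-01T08:00:04 src=10.1.5.20 dst=10.3.0.15 dport=502 proto=tcp",   # IT -> control
    "2024-05-01T08:00:05 src=10.1.5.20 dst=10.2.0.10 dport=3389 proto=tcp",  # RDP into DMZ
    "2024-05-01T08:00:06 src=10.3.0.15 dst=10.4.0.5 dport=502 proto=tcp",    # control -> safety
    "2024-05-01T08:00:07 src=192.0.2.7 dst=10.3.0.15 dport=502 proto=tcp",   # unknown source
]

if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        print(f"VIOLATION: {f.reason}\n    {f.line}")
```

Run against the constructed records, the audit accepts the first three flows and flags the remaining four: a workstation in the enterprise zone talking directly to a PLC, a remote-desktop connection into the DMZ on a port the conduit does not permit, a control-network host reaching into the safety system, and a source address that belongs to no defined zone. The policy table is deliberately a deny-by-default allowlist: anything not written down as a conduit is reported, which is the property segmentation is meant to provide.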
Lessons from previous attacks
The following are key lessons learned from previous cyberattack incidents:
- Proactive planning: Proactively developing and regularly testing incident response plans is crucial for minimizing the impact of cyberattacks
- Employee training: Well-informed and trained employees are a critical line of defense against social engineering attacks and can help detect threats early
- Vendor management: Engaging with vendors that prioritize cybersecurity and provide regular updates and patches is essential to reducing third-party risk
- Regular assessments: Conducting regular security assessments and penetration testing can help identify weaknesses and improve overall resilience
- Information sharing: Collaborating with industry peers and information-sharing forums can help plant personnel stay informed about emerging threats and effective defense strategies
Cyber-incident response
Robust cyber-incident response plans should include the following elements:
- Preparedness: Proactive planning and risk assessments help to identify potential cybersecurity threats and vulnerabilities
- Detection: Continuous monitoring and early detection of security incidents minimize their impact
- Containment: Isolate and contain the incident to prevent further spread and damage; in a plant, isolating a control network or shutting down systems can itself affect process safety, so containment steps should be agreed with operations and safety personnel in advance
- Eradication: Identify and eliminate the incident’s root cause to prevent recurrence
- Recovery: Restore affected systems and data to normal operation safely
- Communication: Clear and timely communication with stakeholders, including employees, customers, and regulatory authorities
- Lessons learned: Conduct a thorough post-incident analysis to identify areas for improvement and update response plans accordingly
- Legal and regulatory compliance: Ensure compliance with relevant laws and regulations, reporting incidents when required
*Editor’s note: The information for this column was provided by Charlie Souza, the functional safety and industrial control system cybersecurity lead at AcuTech Consulting Group (Tysons Corner, Va.; www.acutech-consulting.com), and board member at the Chemical and Petroleum Industries Division of the International Society of Automation (Research Triangle Park, N.C.; www.isa.org).