Not all cybersecurity risk is created equal. Case in point: when Sony was hacked, information was stolen, systems were wiped, and society was temporarily deprived of a Seth Rogan movie. These were mostly bad outcomes, and Sony certainly suffered a significant financial loss.
Now, imagine a similar attack on an oil refinery where compromised systems include the proprietary industrial control systems that manage volatile processes. When I say volatile, I'm referring to processes where a boiler is heating oil by hundreds of degrees separating molecules to produce gasoline and other products. With appropriate access, a bad actor can change how hot that boiler is configured to run. If you combine that with disabled safety systems, production, environments — even lives — can be severely affected. A German steel mill experienced this in 2014 when a boiler exploded after an industrial control system attack; and 225,000 Ukrainians lost power in December 2015 when a hacker group shut down substation systems.
I don't want to diminish the impact that malicious attacks have on our financial industry and others. However, chemical, oil and gas, and power generation attacks can have much graver outcomes — yet, surprisingly, these industries are in some ways the most vulnerable. If you examine cybersecurity within a typical industrial process company, you find many of the same protections you find in any other company — antivirus software, firewalls, application whitelisting, and more. These security controls are focused on protecting workstations, servers, routers, and other IT-based technology. In other words, they protect the flow of information.
But systems that move and manipulate molecules (for example, oil separating into constituent parts) are not nearly as secure. Why? Because many of these systems were built and deployed before cybersecurity was even a thing. Industrial facilities rely primarily on layered defenses in front of industrial control systems, security by obscurity (think complex systems on which it takes years to become an expert), and air gapping (physical isolation from other networks).
The reality is that layered defenses and air gapping can be bypassed. Industrial facilities, for instance, periodically have turnarounds where they perform maintenance or switch production output. This requires hundreds of engineers — many of them third-party ones — working multiple shifts to get production back online. They are authorized users who could accidentally (or intentionally) introduce malicious code or configuration changes into a control system.
Relying on obscurity as a strategy only has limited effect. With the rise of nation-sponsored cyber warfare, the capability of manipulating complex control systems is also on the rise. The Ukrainian power attack, for instance, included malicious firmware updates that were believed to have been developed and tested on the hacking group's own industrial control equipment. Heck, you can even buy a programmable logic controller (a type of industrial control system) on eBay.
The Obama administration's Commission on Enhancing National Cybersecurity report was released in early December. There were some good recommendations in the report, particularly around having a security rating system for Internet of Things devices. What I found disturbing was that the report stated the distinction between critical infrastructure systems (found in the industries highlighted in this post plus others, such as transportation, that also rely on industrial control systems) and other devices is becoming impractical. The point is that in a connected world, everything is vulnerable and attacks can come from any quarter. It's a fair point, but this idea diminishes the importance of impact, which is essential to driving priority, policy, and investment decisions. Protecting the systems that manipulate molecules must have priority and, in some cases, have precedence over the ones that maintain information.
So, where do you start? Where should investment flow? Most companies need to start at the beginning and simply begin to track the cyber assets they have in an industrial facility. Another fun fact: many don't track that data today, or do so in a highly manual way, which means there are data gaps and errors. Without visibility into the cyber assets in a plant, you can't effectively secure them.
And when we talk about cyber assets, any credible inventory plan must include the controllers, smart field instruments, and other systems that manage the volatile processes we've discussed (these systems, by the way, make up 80% of the cyber assets you find in an industrial facility). This can't happen in a spreadsheet, but it must happen through automation software that can pull data from the many disparate, proprietary systems that can exist in a single facility.
With an automated, detailed inventory that is updated regularly, companies can begin to do the things they know are important for securing any system — they can monitor for unauthorized changes, set security policies, and more. Doing so allows companies not only to secure information, but also secure the molecules — the lifeblood of an industrial process company.