Chemical companies set to outline cybersecurity posture, as OT and ICS threats continue to prevail

Following the rollout of the Chemical Action Plan by the U.S. administration, chemical companies are set to chalk out a strategy that pushes for higher cybersecurity standards across the sector, while also improving visibility and threat detection for ICS (industrial control systems). Securing chemical companies in an evolving threat environment requires cross-collaboration between facility owners and operators, industry, law enforcement, community members, and all levels of government. It also requires information sharing between the government and the private sector, in addition to collaboration with sector owners and operators.

The initiative will serve as a roadmap to guide the sector’s assessment of their current cybersecurity practices over the next 100 days, building on the lessons learned and best practices of the previously launched action plans for the electric, pipeline, and water sectors to meet the needs of this sector.

Over the course of the next three months, the Cybersecurity and Infrastructure Security Agency (CISA) and the Chemical Sector Coordinating Council, made up of a group of 15 chemical industry groups, are set to form a new task force to discuss ways to implement and solicit feedback on issues that arise. Additionally, the agency and coordinating council will also collaborate to encourage more chemical companies to adopt cybersecurity monitoring tools, which help companies detect unusual activity on the systems that actually run their physical machinery.

The security agency, also the sector risk management agency for the chemical sector, will work with the chemical sector to create a mechanism to foster more threat information-sharing between the agency and the sector. The agency further plans to explore creating new incentives for the industry as a means of encouraging operators to participate in the voluntary program. 

Jen Easterly, CISA director, commented at the 2022 Chemical Security Summit in August that the chemical sector’s performance standards for addressing IT and OT (operational technology) are managed by ICS. “It was really telling to me that even back in 2009, how robust the standards were, laid out for both physical security but also cyber security,” she said. “It was before cyber was really a thing that this community really understood the importance of a collective approach.”

Last September, CISA released new guidelines to help chemical facilities know when to report cyber incidents. The directives emphasized that the Risk-Based Performance Standard (RBPS) 8 – Cyber and RBPS 15 – Reporting of Significant Security Incidents will now call upon chemical facilities covered under the Chemical Facility Anti-Terrorism Standards (CFATS) program. The move will help establish protocols for identifying and reporting significant cyber incidents to appropriate facility personnel, local law enforcement, and CISA.

Data released last month by industrial cybersecurity firm Dragos revealed that during the third quarter of this year, the chemical sector was targeted in one ransomware incident, or one percent. Additionally, it disclosed that Lockbit 3.0 is the only group that targeted chemicals, drilling, industrial supplies, and interior design.

Industrial Cyber reached out to industrial cybersecurity experts to assess the unique challenges faced by the chemical sector compared to other critical infrastructure sectors that the Chemical Action Plan will likely address. They also shed light on how much of a bearing these factors typically have on the sector’s ability to secure and safeguard its OT/ICS environments.

Roya Gordon, security research evangelist at Nozomi Networks

“The chemical industry is one of the most critical infrastructure sectors in the United States. Like other critical infrastructure sectors, it uses legacy Industrial Control Systems (ICS) that are highly vulnerable to cyber-attacks,” Roya Gordon, security research evangelist at Nozomi Networks, told Industrial Cyber. “However, what makes this sector particularly different is that a cyber-attack can have major catastrophic effects. Any alterations to chemical mixtures could result in not just loss of revenue due to process disruption, but explosions leading to damaged equipment and possible loss of life.” 

Gordon added that the chemical sector is also integrated into other industries, such as products, food, and energy. “If a cyber-attack were to occur, it could potentially have cascading effects on these other industries. This is why it’s so important for chemicals companies to implement cybersecurity measures that not only prevent attacks from happening but also ensure that if an attack does occur, it can be contained quickly and effectively.”

Don Ward, senior vice president for global services at Mission Secure, told Industrial Cyber that the industry has diametrically opposing goals, ranging from the need for more cybersecurity controls to address an exponentially growing threat landscape, to in parallel maintaining resilience across complex and sensitive systems that track a large number of IoT connected telemetry elements.  

Don Ward, senior vice president for global services at Mission Secure

“The lack of collaboration on both fronts is not helped with the majority of chemical companies being private,” Ward said. “This is an ongoing concern to properly secure chemical facilities from cyberattacks, biohazards, insider threats, theft, and diverting chemicals into explosive weapons. The environmental impacts of this sector involve climate change, conservation, biodiversity, groundwater and soil contamination, natural resources, waste management, noise, and air pollution just to name a few.  This sector has a litany of quality audits and recalls, and is amplified by continuing shortages of skilled laborers.”

Ward pointed out that the Chemical Action Plan should help by driving both awareness and regulatory compliance requirements to go deeper into assessing the OT cybersecurity posture of these facilities through asset inventory visibility, vulnerability discovery reporting, and identifying unauthorized network connectivity flows. “This process will identify holes or blind spots to be filled with mitigating cyber protection controls. The chemical industry impacts daily lives on a massive scale with global economic consequences.” 

“One could argue that the chemical sector should require the strongest cybersecurity monitoring, detection, and protection technologies,” according to Ward. “However, aging infrastructure and lack of budgets to update/upgrade/replace or overlay cybersecurity technology to mitigate risk may be the biggest factor in this sector’s ability to safeguard its OT/ICS environments.”

Dino Busalachi, chief technology officer and co-founder at Velta Technology, said that “when I think of critical infrastructure, I think of ICS performing delivery functions such as water, wastewater, power, fuel, transportation, etc. To me, a refinery is a chemical plant, compared to pipeline that delivers fuel.”

Dino Busalachi, chief technology officer and co-founder at Velta Technology

“The chemical industry is more condensed regarding their technology asset (ICS) footprint compared to critical infrastructure. Critical infrastructure typically has a larger geographical footprint of technology assets that are spread across the geo landscape. In essence, the chemical sector has less ground to secure,” according to Busalachi. “I would also say critical infrastructure belongs to sovereign entities, based on the nation which they operate within.”

He also highlighted that chemical companies are part of the global corporate cabal. “Fractured responsibilities based on geographic location, managed or governed by nations and local governments, operating with different cultures under different rules and regulations, makes governance harder with global players,” Busalachi told Industrial Cyber. “At some point, an OSHA style regulatory review process may be required for Chemical companies to demonstrate digital safety, similar to what we have today for physical safety.”

Keeping these challenges in mind, it is important to work out the cybersecurity changes that the Chemical Action Plan delivers across the chemical sector. Additionally, as most chemical companies are privately owned, it becomes critical to assess if chemical owners and operators have the ability to comply with requirements like network segmentation and patching firmware.

The Chemical Action Plan “will take 100 days to review the security posture of the chemical sector, so those findings will help us determine the ability of companies to comply,” Gordon said.

Ward expects the Chemical Action Plan to likely mandate that chemical companies audit and risk assess all life- and environmental-impacting ICS/OT systems within their environments, and provide proof of documented remediation plans to bring systems and their respective networks into compliance. “Mandated compliance will be required sooner for specific chemical companies deemed high-risk for significant chemical release hazards, or that could impact chemical production continuity critical to the national and economic security of the United States,” he adds. 

“Many chemical companies in lower profit margin businesses–or businesses that have a higher occurrence of accidents, controversies, and liability cases–will likely have a harder time complying with cybersecurity requirements like ongoing assessments, protections/segmentation, and patching,” according to Mission Secure’s Ward.

The chemical sector has the ability to deliver digital safety measures to secure and protect ICS assets, Busalachi said. “They can segment their networks and patch ICS where they can, without having to rip and replace equipment. At this point, from a pure ICS perspective, all sectors have the ability to comply to digital safety measures. The question is, will they?”

He pointed out that they have the same problem all other sectors have including resource constraints, budget/capital needs, skills gaps, and a lack of knowledge and experience internally and externally in the right places within the organization. “Relying 100% on IT to protect & secure ICS is not the right answer. The OT ICS Digital Safety platforms are designed to provide (90+%) of the features, functionality and data represented in the ICS environment,” Busalachi adds.

“What exactly is IT’s role to remediate and mitigate OT vulnerabilities, exposures and improve process integrity? It is unclear exactly what IT should be doing, and what their role should be,” according to Busalachi. “The OT ecosystem of ICS technology suppliers is weak in this area and not providing much help holistically. A few automation technology providers exist, but they cannot solve the problem on a broad scale. They only have so many resources and not everyone uses their automation technology products even within one site. The industry faces a shortage of talent and expertise in order to provide digital safety for ICS equipment.”

Addressing how capable organizations within the chemical sector are of enabling visibility and threat detection for industrial control systems, Nozomi’s Gordon said that “the Chemicals Action Plan will provide a strategy to ensure that chemical facilities have the resources they need to protect themselves against cyber-attacks.”

The plan will also help them mitigate the impact of cyber threats by providing best practices and tools that can be used to reduce risk, she adds.

Ward said that high-profit margin chemical companies will likely have sufficient budgets and resources to enable OT/ICS network and systems visibility and threat detection – either deployed and supported themselves, or through a managed service. “Qualified OT/ICS cybersecurity resources are still in tight supply industry-wide and require significant OPEX to employ full-time across all critical infrastructure sectors, and hence many companies are seeking security-as-a-service offerings for 24/7 OT/ICS security monitoring, detection, protection, threat research, and incident response,” he adds.

“One of the key challenges is if OT is not budgeting to enable visibility and threat detection,” Velta’s Busalachi said. “If the entire effort is being driven by IT, it’s not enough visibility and threat detection. Quite frankly, large portions of the plant OT assets are not being monitored by IDS tools supplied by IT. In many cases the tools chosen by IT are incompatible with OT protocols and are often disruptive, i.e. scanning OT ICS networks and devices which can knock out production.”

The Chemical Action Plan released by the U.S. administration calls for a focus on high-risk chemical facilities that present significant chemical release hazards with the ultimate goal of supporting enhanced ICS cybersecurity across the entire chemical sector. 

It also seeks to drive information sharing and analytical coordination between the Federal Government and the chemical sector, and foster collaboration with the sector owners and operators to facilitate and encourage the deployment of appropriate technologies based on each chemical facility’s own risk assessment and cybersecurity posture. The initiative also looks to support the continuity of chemical production critical to the national and economic security of the nation.

It becomes imperative to determine the competency within the chemical industry to foster collaboration with the sector owners and operators to facilitate and encourage the deployment of appropriate technologies based on each chemical facility’s risk assessment and cybersecurity posture.

“The chemical sector is very capable of fostering collaboration in order to deploy necessary technology to meet the Chemical Action Plan objectives. This can be done by leveraging the power of existing OT/IoT vendors who provide asset discovery, inventory management, threat detection, and more,” Gordon said. “During the 100 days, chemical sector executives should first identify a scope by looking at what tools they already have available as well as what new tools they will need before moving forward. They should also ask the following questions: What are we trying to achieve? What resources will we need? What can we learn from the previous Action Plans for other industries? Which parts of it will work best for us?”

Ward says it’s really too hard to have one answer given how large the chemical industry is globally, with over 14,000 companies. “Many companies are scrambling to meet stated objectives for emissions reductions to meet 2030 compliance goals. The global impacts of supply chain inflation also weigh heavily on many of the smaller to midsize producers. Larger mega-cap companies are already addressing these issues in terms of sustainability, innovation, transforming portfolios, supply chain structures, and deployment of digital technologies for efficiencies and competitive advantages.

“The bigger and more profitable the industry is, the more competent they will be to foster needed collaboration and drive the deployment of appropriate OT/ICS cybersecurity technology and services solutions,” according to Ward.

Busalachi said he would venture to say that most major chemical companies have checked the box and performed assessments in some fashion. “The people in place, process, and the current state ‘at the time of the assessment’ all play a role in the outcome of that effort. The unfortunate reality with ‘snapshot in time’ assessments is that they’re outdated as soon as they’re completed. Fortunately, we’re seeing budgets growing in 2023 specifically for OT cybersecurity/digital safety.”

“The Chemical sector is very competent, again they do not know what they do not know,” according to Busalachi. “At a minimum, they should demonstrate duty of care – meaning they should be collecting real-time accurate asset inventories, know what their CVEs are, and determine if they have any malware lurking in their ICS systems, including backups. As we always say at Velta Technology, ‘you can’t protect what you can’t see,’” he concludes.
