December 2019


Executive Viewpoint: Succeeding against cyber attacks

No doubt exists that the added connectivity that modern control and automation systems deliver offers a myriad of benefits. By embedding computing within the process and utilizing edge and cloud technologies, it can provide greater visibility. It creates a digital thread for the plant and allows both equipment and the processes to be analyzed, as well as giving prescriptive advice.

However, as connectivity both within the plant and externally increases, the risk of cyberattacks grows. The challenges that face chemical companies are threefold. Firstly, they need to remediate the security risks in legacy operational technology (OT) systems. These legacy systems are still prevalent in brownfield sites. In committing resources towards upgrading either the hardware or software, operators must balance the return on investment against the reduction in risk.

Secondly, operators must efficiently address the concept of “secure by design” for automation, safety and control systems in greenfield facilities. Finally, when it comes to digital transformation, operators need to create scalable reference security architectures for edge and cloud use cases.

Growing awareness, but lack of compliance

A far greater awareness exists of cyber threats than in the past. If anything, there is significant fatigue with vendors using fear, uncertainty and doubt to sell their products and services. A recent survey carried out by CXP Group questioned 320 professionals worldwide with decision-making power on OT/industrial control systems (ICS) cybersecurity, along with 12 expert interviews [1]. According to the findings, more than 75% of companies believe that cybersecurity is a major priority and that they are likely to become the target of a cyberattack. However, even armed with such beliefs, only 23% are compliant with minimal mandatory industry or government guidance and regulations around cybersecurity of ICS.

When it comes to protection against cyberattacks, however, the chemical industry has made some progress. From my experience, around half of all industry operators have completed assessments and understand where their risks lie, with about half of their sites moved to address baseline risks that line up to highest risk security controls and locations.

We are also seeing more chemical companies looking at some critical points on how to effectively scale with regards to items such as reference architectures, a standardized security technology stack and sustained structures to maintain security controls. Chemical companies are also changing their thinking when it comes to security by adopting a mentality of zero trust.

Developing an in-depth strategy

FIG. 1. Six pillars to address cybersecurity.

For our company, cybersecurity is a six-step process that we characterize as: identify, protect, detect, respond, recover, and consult. This scenario follows the entire lifecycle of cybersecurity, from initial awareness beginning with identifying the risk, before moving on to protection with strategies such as malware protection, system hardening, security patch updates and network segmentation. With protection in place, chemical operators can screen for attacks by monitoring the network with anomaly detection, security log collection and security event correlation.

Control and automation systems need to build in resilience to enable them to recover in the event of a cyberattack. Staff require training on incident response with cyber drills, and a strategy must be in place to restore the system, if necessary. Finally, the system must be maintained by continually monitoring the latest cyber solutions.

When it comes to making chemical operations more secure, it is all about people, process and technology. Operators need to think of their investments in these three crucial areas as comparable to managing a portfolio.

Getting active with cyber defense

The digital transformation is delivering technologies that can bolster many of the traditional cybersecurity tactics. The increased adoption of artificial intelligence and machine learning is enhancing many passive monitoring techniques, enabling operators to understand network latency, asset IDs and asset performance management (APM). This adoption is leading to more integrated security capabilities that are becoming standardized, much like seat belts in cars—which were once optional but are now widely used in many countries.

New tools and technologies are emerging that can be vital components in any cybersecurity portfolio. Traditional antivirus solutions depend on file signatures, but signatureless antivirus solutions rely on behavior, reputation, trust level and other file characteristics. Another tactic is whitelisting, which explicitly allows some identified entities access to a defined privilege, service, mobility, access or recognition.

To date, most cybersecurity strategies are based on a passive defensive approach, but with threat levels escalating, it may no longer be enough, and a move to more active defense may be required. By adopting an active defense strategy, operators will be able to confront and defeat attackers in real time by combining threat intelligence and analytics resources.

One exciting tactic within the active defense toolbox is the honeypot. This strategy may seem counterintuitive in an era based on layered defense solutions, because rather than blocking attacks, it actively invites them. In its simplest terms, a honeypot is a system that impersonates a possible target of a cyberattack. It serves a dual purpose of deflecting attacks from their real goal, as well as enabling cyber defense teams to gain information about how cybercriminals operate.

Another option is security information and event management (SIEM). This methodology is a combination of security information management (SIM) and security event management (SEM). SIEM collects and pools data from multiple sources to enable the system to identify any deviations from normal process operations.

Culture and recruitment

Technology and process improvements alone will not thwart this growing threat. People are, and will continue to be, fundamental. Generally, it is the human element that is the weak link, giving cybercriminals access to vulnerabilities within systems. The most common routes for delivering attacks remain phishing emails or social engineering of mass email campaigns. Many employees do not realize that they can bypass many security measures simply by bringing personal devices into a control system.

For a security strategy to succeed, it must be embedded into organizational culture. Each and every employee and team member must have buy-in to their respective role and accompanying responsibilities, so that they become second nature. As with any significant new initiative, employee awareness training, open communication and a drive for understanding the implications of individual actions are necessary. Everyone working in an industrial environment has a part to play in securing organizational systems.

Chemical operators also need to start thinking about how they can support talent generation and create good career paths for existing employees to move into structured, sustainable security teams.

Cybersecurity has a numbers problem, because there are so many empty jobs. Recruiting ICS cybersecurity employees with the right skills and competencies can be a major challenge. Companies must be ready to support team members willing to move into new career paths and tackle the challenges and nuances that the convergence of information technology (IT) and OT present within the industrial cybersecurity landscape.

Ultimately, a top-down approach is needed, with boards and CEOs integral to setting the security policies and procedures for chemical companies. Such a successful top-down approach necessitates working with personnel—including existing IT and security teams—to understand where risk lies. This is measured by identifying what is most valuable to the business, where there are safety risks and gaps, and which risks are acceptable.


  1. Schwab, W. and M. Poujol, “The state of industrial cybersecurity 2018,” CXP Group, June 2018.
