Minimising cybersecurity risk for the chemical sector

Paul Boughton

Sean McDonagh outlines the importance of safeguarding chemical manufacturing control systems from unwanted attacks and adopting a multi-layered strategic approach to minimise risk

The growing number of industrial cybersecurity attacks now being reported, together with Government initiatives such as the formation of the Cyber Security Information Sharing Partnership (CISP), has put the protection of industrial control systems firmly in the spotlight.

Late in 2013, the Rt Hon Francis Maude MP delivered the second of two reports regarding the UK’s ‘Cyber Security Strategy’, following an initial report three years earlier. The initial report set out the UK Government’s strategy and vision of ‘a vibrant, resilient and secure cyberspace’, providing a framework to guide our actions to “enhance prosperity, national security and a strong society”.

The strategy set out four clear objectives:

* To make the UK one of the most secure places in the world to do business in cyberspace; 

* To make the UK more resilient to cyber-attack and better able to protect our interests in cyberspace; 

* To help shape an open, vibrant and stable cyberspace that supports open societies; 

* To build the UK’s cyber security knowledge, skills and capability.

The second report looked back at these original objectives to ensure they were still relevant in a rapidly changing technology and threat landscape. Francis Maude also went on in this report to make some significant new announcements on policy, progress and forward-looking plans for the UK.

The heightened visibility of such dangers is also wholly applicable to the industrial world, with key manufacturing sectors such as the UK chemical industry needing to ensure they do not fall victim to potentially devastating industrial cyber security breaches and that they protect themselves from attack.

The growing cyber-attack threat is real and present for chemical manufacturers. At a gathering of manufacturers hosted by Siemens, a poll among delegates showed that nearly a third had been the subject of a deliberate breach of industrial security, while 83% believed there is a growing threat around industrial security issues for their business.

Such anecdotal evidence is important, especially when backed by industry experts. Leaders in this field say there has been a 600% increase in industrial control system vulnerability disclosures in just the past couple of years.

The sources of these threats are many, ranging from nation state sponsored attackers working within companies to seek out vulnerabilities, to hackers using cloud computing, as well as accidental internal and third party incidents that can still cause major disruption.

Reported incidents include attacks upon the energy sector in which the electrical infrastructure had to be shut down, as well as unauthorised recipe changes which have led to significant and expensive product loss. It is now widely accepted that industrial cyber security needs to be addressed, and that relevant standards should be adopted to provide guidance in developing secure products, architectures and solutions.

The consequences of cyber security incidents are diverse but nonetheless highly impactful. For chemical manufacturers they can range from production interruption, reputation loss, the expense of retrofitting security after an incident, as well as supply chain impact. Symantec announced that between July and September 2013, hackers sought to collect intellectual property from a number of chemical firms, including design documents, formulas, and manufacturing processes.

"The purpose of the attacks appears to be industrial espionage, collecting intellectual property for competitive advantage," according to Symantec, which nicknamed the attack campaign Nitro.

This is a clear indication that professional hackers, whether for illegal gain or on behalf of unscrupulous countries, are actively targeting companies and their intellectual property. Symantec also disclosed that at least 12 of the infected chemical companies were based in the US, five in the UK, and two in Denmark.

In the case of industry, many companies have in the past considered their automation systems to be immune from attack. The trend had been for companies to use proprietary, one-of-a-kind systems, specifically built for purpose, meaning that hacking into them was a complex task.

However, more recently companies have adopted commercial off-the-shelf technologies (COTS) such as Windows and Ethernet based solutions for their plant control. Although there are many advantages to such systems, security proves to be a constant problem, because such ‘standard’ systems are easier to attack.

The hackers have the detailed knowledge to focus their attack using standard techniques and technology widely available from the Internet for a few dollars. In the past few years nuclear power plants, oil platforms and water treatment works have all been ‘cyber-attacked’ causing plant downtime which could have led to more serious incidents if they had not been detected in the early stages of the attack taking place. Monitoring of the industrial network for such attacks will become the norm for chemical companies as the urge to integrate more and more of the automation plant into the overall business system gathers pace.

Moreover, this need to continually access data, and the integration of control systems with the business network, has led to an increased use of wireless technologies, enabling remote access for employees. Conversely, it also makes systems potentially more vulnerable unless the correct procedures, processes and products are identified and implemented. BYOD (Bring Your Own Device) is a trend that is here to stay as businesses and employees accept this instant access to data and information.

With such requirements, the complexity of modern automation systems and the importance of making sure operations are not interrupted by the unexpected, it is vital that chemical manufacturers protect their systems. But how can this be achieved?

Protecting operations

Any system that secures plant assets should use a defence in depth strategy, one that takes a multi-layered approach to cyber security. No single security measure is good enough to prevent intrusions. ISA 62443 offers an approach that the chemical industry can adopt as it looks at the lifecycle of a product, plant solution and processes.

The approach is something that would not frighten engineers as it is very similar to the approach used with safety systems and safety function design.

It provides a methodology for carrying out Vulnerability Risk Assessments, implementation of a solution dependent on the SL (Security Level) requirement, and finally validation and continuous monitoring of the network infrastructure and installation, completing the lifecycle approach for the plant. The standard gives engineers a structured approach to the overall system design, ensuring that Availability, Integrity and Confidentiality (AIC) are fully implemented within the overall system.

ISASecure SSA and EDSA

ISASecure System Security Assurance (SSA) is a certification program for systems consisting of multiple devices with the target to offer a compliance program for the ISA 62443 series of standards. A further consideration should be Embedded Device Security Assurance (EDSA) which focuses on the security of embedded devices and addresses device characteristics and supplier development practices for those devices. There are already certified products listed in EDSA and this will grow, providing end users with the peace of mind that they are using products that have been tested against known vulnerabilities.

The EDSA consists of:

* Functional Security Assessment (FSA) to review the security functions like authentication;

* Software Development Security Assessment (SDSA) to review the security lifecycle of the product;

* Communication Robustness Testing (CRT) to identify unknown vulnerabilities.

ISASecure SSA is also a lifecycle based approach designed to bring security into solutions by evaluating the security lifecycle as an extension of the product lifecycle.

In the context of using security tools, the System Robustness Testing (SRT) should provide the assurances that end users need regarding the solution and architecture of their plant.

The SRT consists of:

* A Vulnerability Identification Test (VIT) to identify known vulnerabilities;

* Communication Robustness Testing (CRT), identical to the EDSA CRT;

* Network Stress Testing (NST) to see how a device / solution behaves under abnormal high loads.

As an example, the VIT is a detailed description of how to configure a continuous monitoring vulnerability scanner and helps to conclude which known vulnerabilities are present in a product or solution. Such a VIT scan can be performed periodically during development to be sure that no new vulnerabilities are present or introduced in the product (release). It is recommended to perform at least one known vulnerability scan before releasing a new product (version) into the market.
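The periodic known-vulnerability check described above can be illustrated with an inventory-level version of it. The following is an added example, not code from the article, Siemens or the ISASecure programme: it compares a constructed component inventory against a constructed list of advisories (the advisory ids, component names and version ranges are placeholders, not real advisories) and acts as a release gate that fails while any known affected version is still present.

```python
# Added example (not from the article): inventory-vs-advisory matching as a
# simplified, offline form of a known-vulnerability scan, plus a release gate.
# All advisory ids, components and versions below are constructed placeholders.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Advisory:
    adv_id: str          # placeholder identifier, not a real advisory
    component: str
    affected_from: str   # first affected version (inclusive)
    fixed_in: str        # first fixed version (exclusive upper bound)


# Constructed advisory feed (placeholders only).
ADVISORIES: List[Advisory] = [
    Advisory("ADV-0001", "ntp-client", "4.0.0", "4.2.8"),
    Advisory("ADV-0002", "web-console", "1.0.0", "1.8.0"),
    Advisory("ADV-0003", "modbus-stack", "3.0.0", "3.2.0"),
]

# Constructed component inventory of a product build under test.
INVENTORY: Dict[str, str] = {
    "ntp-client": "4.2.6",     # inside ADV-0001 range -> finding
    "web-console": "1.8.0",    # equals fixed_in of ADV-0002 -> clean
    "modbus-stack": "3.1.2",   # inside ADV-0003 range -> finding
}


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.4.1' -> (2, 4, 1); tuples compare lexicographically."""
    return tuple(int(part) for part in v.split("."))


def is_affected(version: str, adv: Advisory) -> bool:
    """True when affected_from <= version < fixed_in."""
    v = parse_version(version)
    return parse_version(adv.affected_from) <= v < parse_version(adv.fixed_in)


def scan(inventory: Dict[str, str], advisories: List[Advisory]) -> List[Tuple[str, str, str]]:
    """Return (component, version, advisory id) for every known match, sorted."""
    findings = [
        (comp, ver, adv.adv_id)
        for comp, ver in inventory.items()
        for adv in advisories
        if adv.component == comp and is_affected(ver, adv)
    ]
    return sorted(findings)


def release_gate(inventory: Dict[str, str], advisories: List[Advisory]) -> bool:
    """Gate for 'at least one known vulnerability scan before release': passes only when clean."""
    return not scan(inventory, advisories)


if __name__ == "__main__":
    for comp, ver, adv_id in scan(INVENTORY, ADVISORIES):
        print(f"{comp} {ver}: matches {adv_id}")
    print("release gate:", "PASS" if release_gate(INVENTORY, ADVISORIES) else "FAIL")
```

Running the same check on every build, not only before release, is what turns it into the continuous monitoring the VIT describes; the advisory list is the part that has to be refreshed from a real feed.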

Siemens ProductCERT is currently developing an appliance called SiESTA (Siemens Extensible Security Testing Appliance) to automate and simplify security testing within Siemens. SiESTA already has the ISASecure SSA VIT on board.

Taking action

Firstly, a system should always be protected from unwelcome visitors accessing it. A strict user management procedure should be in place. Users and computers should follow the principle of minimal rights, which means users should be granted the minimum set of access rights needed to carry out their job properly. This will mean that if an individual’s account is hacked, only minimal information will be compromised. Furthermore, computers should also work to the same principle, so that each system serves its purpose but does not allow access to areas which are not necessary.

Moreover, it is recommended that a single sign-on and password is given to each user to access everything they need. This limits the amount of information that can be misplaced, thus limiting the opportunity for a hacker to obtain this information and use it to infiltrate a security system.

Even if a system has the best user access security, it is important to protect the system from attack in case a hacker does manage to access the network. A network can be divided up into security zones known as secure architectures. Each component within a secure architecture has the same level of trust and all traffic into and out of an individual zone can be monitored.

Additionally, a network can be divided up into demilitarised zones. Using firewalls, the network is split into segments that are separate from the Process Control Network. These individual segments are then used to communicate data from the distributed control system to the outside world, meaning there is no direct connection between the Process Control Network and anyone outside the building.

Furthermore, it is important to make sure firewalls are used in the correct manner for them to be effective. Firewalls are used to separate and protect the control system network from outside networks, but they only work when configured properly, ensuring that only necessary traffic gets through them. This means only the specific protocols, IP addresses, and port numbers needed by the process control should be allowed to pass.
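The three preceding paragraphs (security zones, a DMZ between the Process Control Network and the outside, and firewalls that pass only the required protocol, address and port) can be shown as one default-deny conduit policy. The following is an added example written for this article, not Siemens code or any product configuration: the zone addresses, the DMZ historian host, the OPC UA port 4840 and the rules are all constructed for illustration, and the policy is expressed as Python so that constructed flows can be evaluated offline rather than as any particular firewall's rule syntax.

```python
# Added example (not from the article): a default-deny zone/conduit policy
# modelling an enterprise network, a DMZ and a Process Control Network (PCN).
# All addresses, hosts, ports and rules are constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed zones. Anything outside these ranges is unknown and denied.
ZONES = {
    "enterprise": ipaddress.ip_network("10.0.0.0/16"),
    "dmz": ipaddress.ip_network("10.10.0.0/24"),
    "pcn": ipaddress.ip_network("10.20.0.0/24"),   # Process Control Network
}


@dataclass(frozen=True)
class Rule:
    """One permitted conduit between two zones: protocol, port, and the exact hosts on each side."""
    src_zone: str
    dst_zone: str
    proto: str        # "tcp" or "udp"
    dst_port: int
    src_hosts: str    # CIDR of permitted sources
    dst_hosts: str    # CIDR of permitted destinations


# Constructed conduits. Enterprise users may only reach the DMZ historian over
# HTTPS; only that historian may poll the PCN data server (assumed OPC UA, 4840).
# There is deliberately no rule from enterprise to pcn and none initiated by pcn.
RULES: List[Rule] = [
    Rule("enterprise", "dmz", "tcp", 443, "10.0.0.0/16", "10.10.0.5/32"),
    Rule("dmz", "pcn", "tcp", 4840, "10.10.0.5/32", "10.20.0.10/32"),
]


def zone_of(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def decide(src_ip: str, dst_ip: str, proto: str, dst_port: int) -> str:
    """Return 'allow' or 'deny' for one flow. Cross-zone traffic needs an explicit rule."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone is None or dst_zone is None:
        return "deny"                       # unknown address space
    if src_zone == dst_zone:
        return "allow"                      # intra-zone: same level of trust
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in RULES:
        if (r.src_zone, r.dst_zone, r.proto, r.dst_port) == (src_zone, dst_zone, proto, dst_port) \
                and src in ipaddress.ip_network(r.src_hosts) \
                and dst in ipaddress.ip_network(r.dst_hosts):
            return "allow"
    return "deny"                           # default deny for every other conduit


def audit(flows: List[Tuple[str, str, str, int]]) -> List[Tuple[str, str, str, int, str]]:
    """Evaluate constructed flows; denied cross-zone flows are what zone monitoring should surface."""
    return [(s, d, p, port, decide(s, d, p, port)) for s, d, p, port in flows]


# Constructed sample flows, as an operator might replay from zone-boundary logs.
SAMPLE_FLOWS = [
    ("10.0.1.20", "10.10.0.5", "tcp", 443),     # workstation -> DMZ historian: allow
    ("10.0.1.20", "10.20.0.10", "tcp", 4840),   # workstation -> PCN directly: deny
    ("10.10.0.5", "10.20.0.10", "tcp", 4840),   # historian -> PCN server: allow
    ("10.10.0.9", "10.20.0.10", "tcp", 4840),   # other DMZ host -> PCN: deny
    ("10.20.0.10", "10.10.0.5", "tcp", 443),    # PCN-initiated outbound: deny
    ("192.168.1.1", "10.20.0.10", "tcp", 4840), # unknown network: deny
]

if __name__ == "__main__":
    for s, d, p, port, verdict in audit(SAMPLE_FLOWS):
        print(f"{s} -> {d} {p}/{port}: {verdict}")
```

The point of the structure is that adding a business-side application never widens the PCN conduit by accident: a new rule has to name the DMZ proxy as its source and a single PCN destination, which is exactly the review a change-control process should force.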

If a network needs to be accessed from two separate locations, virtual private networks and data encryption are a secure way to do so. Both ends of the communication must be trustworthy so the network is not compromised, and data encryption must be used carefully to make sure encrypted messages are not analysed by virus scanners.

Often hackers will use a network to release a virus into the system. For this reason it is vital to ensure virus scanners are kept up-to-date. They should be installed on a system at all of its access points and updated regularly.

Additionally, modern automation control systems tend to be made up of a number of layers of components. These components are common targets for hackers, so it is imperative that security is kept up-to-date. Manufacturers such as Siemens continually release updated patches designed to make sure a system is secure. Siemens has dedicated laboratories to test patches, to ensure they are compatible with the individual process system. Patches have to be applied as quickly as reasonably possible to ensure protection is maintained.

A final way in which a manufacturing process network can be made more secure is by IP hardening. Often commercially available PCs contain a number of programs as standard which are unnecessary for a process system. Software such as Outlook, Internet Explorer and Media Player often comes as standard on a commercial PC but is redundant on a process system. These are also among the easiest programs to write a virus against, and so are popular with hackers as a way to gain access to a network.

A proven solution

Siemens has worked with a number of companies to establish a risk reduction strategy underpinning the ‘defence in depth’ approach. It covers three stages: industrial security services, security management, and products and systems. The combination of all three ensures risks are minimised through a comprehensive cyber security concept.

Industrial security services offer consultant-led support across all areas to initiate the means to identify and minimise cyber risk to a manufacturer. They cover the stages of risk and vulnerability assessment, how to then protect the business, and how to manage it going forward through the lifecycle phases. This is backed by security management support, which can set up internal security policies and coordinate measures for protection, and by the concluding stage, which ensures that products and systems use secure PCs, controllers and networks and that all products in place are certified and conform to the required security standards. A prime example is the security integrated functionality seen in Siemens’ TIA Portal and SIMATIC S7-1500 controllers.

Industrial security is not only a topic for technical implementation, but starts from security awareness across all layers of management and employees. Security is an ongoing risk and must be continually managed through the lifecycles of any manufacturer. By adopting a holistic approach to a ‘defence in depth’ cybersecurity strategy, the process of strengthening protection against those that would seek to disrupt activities can begin. 

Sean McDonagh is Business Manager, Chemical, Siemens UK & Ireland