Cyberattacks are on the rise—and they’re not only IT’s problem anymore.
A recent ThoughtLab study involving 1,200 large organizations across 14 sectors and 16 countries revealed the number of material breaches respondents suffered increased by 20.5% from 2020 to 2021, and cyberattacks impact more than just computer systems, as highlighted by high-profile ransomware assaults on the Colonial Pipeline and JBS Foods that threatened to disrupt the nation’s fuel and food supply chains.
“The cyber-physical convergence is real. It’s upon us,” said Kelly Murray, the associate director for chemical security with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).
“The physical actors have cyber intentions, and cyber-attacks impact physical activities, so we need to be talking the same language … or it’s going to hurt us in the end.”
At the same time, Fortinet’s recent report examining the cybersecurity skills gap found that 80% of organizations suffered one or more breaches they could attribute to a lack of cybersecurity skills or awareness, and 67% agreed a shortage of qualified cybersecurity candidates is creating additional risk for their operations. So, to help members of the petrochemical supply chain better protect themselves, the International Liquid Terminals Association enlisted Murray, and cybersecurity engineers Doug Morill and Anirban “Sunny” Ghosh to present cybersecurity best practices during the 2022 International Operating Conference in Houston.
In the two-part session, “Cybersecurity of Terminals and Other Critical Infrastructure, A National Priority,” the security experts discussed the interconnection of traditional physical security and evolving cybersecurity efforts, CISA programs that help regulated and non-regulated companies fortify their facilities against attacks, cybersecurity strategies based on the Transportation Security Administration’s recently revised pipeline security directive, and the critical role of “meatware” in an effective cybersecurity program.
“We all know about hardware and software vulnerabilities, but most of these vulnerabilities are exploited when a human interacts with the system,” Ghosh explained.
Coming together
Are your physical safety and security folks flabbergasted by cybersecurity terms and tasks? They shouldn’t be, Murray said. “Cyber isn’t that different from physical security,” she argued. “It’s just done in the cyber realm.” And intrusion detection, emergency response, and other critical physical security efforts all have cyber analogs, she continued. “Throw the cyber word in front of any of your physical words and it’s the same thing. So that’s how you can start those conversations.”
Morill said it’s helpful to develop basic cybersecurity fluency, starting with how computers communicate, using switches, routers, and firewalls. Put simply, fiber, copper, and wireless connections transmit “packets” of information, ethernet switches connect multiple devices that create local networks, routers allow for connections between networks, and firewalls, like the windows and doors on a building, protect what’s inside the system. “Firewalls essentially control what ports and services go through it,” Morill explained. And because of their growing importance, Morill suggested using a “next-gen” firewall with integrated intrusion defense, application awareness and control, and threat intelligence collection.
Cyber incident reporting
CISA already requires facilities covered by the Chemical Facility Anti-Terrorism Standards (CFATS) program to establish protocols for identifying and reporting “significant” cyber incidents to appropriate facility personnel, local law enforcement, and the agency (at [email protected]). CISA’s Risk-Based Performance Standards 8 and 15 provide “flexible and tailorable” guidance for cyber reporting, Murray said, but it’s critical for facilities to first identify what constitutes a cyber incident, and at what point reporting to CISA is warranted. More information is available at cisa.gov/cfats-cyber-reporting.
Murray also highlighted CISA’s “Shields Up” program launched in February in response to Russia’s invasion of Ukraine to urge companies to adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets. “The intelligence out there is warranting us paying attention to the cyber threat,” Murray said. “It is out there, it is real, and we need to make sure we’re all doing our best to keep our shields ups.”
Diving in
To protect your systems from cyber actors, start by identifying the hardware and software, how it’s connected, and the impact a compromised system could have on critical assets, Murray advised. Also inspect physical security systems, including access control, intrusion detection, and cameras; business systems, like inventory management, shipping, and ordering programs; and those “ever-important” process and control systems. “How are those systems connected? Do you have them completely segmented?” she asked. “Can you access them remotely? These are the questions you want to start asking your cyber folks, so they can explain what protections they’ve put in place and other protections you may want to consider.”
CISA resources can help with developing cybersecurity policies and incident response plans, strengthening access control, improving network security, and simplifying configuration management, Murray said. To reward regulated companies that identity their systems in their cyber site security plans, CISA will serve as a “watchdog,” Murray said, delivering “cyber vulnerability notifications” that identify threat relevance, patches and remediation, and potential impacts to chemical interests, and offer recommendations.
The agency also offers “Cyber Hygiene Services” for regulated and non-regulated companies. The program provides no-cost vulnerability scanning to help monitor and evaluate the external network posture from the perspective of an attacker. The program is fully customizable, allowing users to determine what CISA does and doesn’t look at, and how often, includes a cyber “report card,” and ensures prioritization for additional advanced cyber services offered by CISA, Murray said. “We’ve heard from industry members who have used it that it’s better than most of what folks are selling out there,” she said. Visit cisa.gov/cyber-hygiene-services for more information.
Cyber Hygiene recommendations:
- Defend against ransomware: Practice network segmentation, maintain cyber incident response plans, refrain from paying a ransom
- Updated unsupported operating systems: Maintain a complete software asset inventory, reduce the use of unsupported operating systems, implement mitigating controls
- Improve patch management: Prioritize remediation of vulnerabilities using a risk-based approach, and patching vulnerabilities with known exploits
- Secure potentially risky service: Evaluate the business need for exposing services online, disable unnecessary services, operate with proper configurations and security features enabled, such as multi-factor authentication
Intelligent threat defense
In addition to the rapidly escalating pace of ransomware attacks on operational technology (OT), and the shortage of cybersecurity professionals, Morill pointed to multi-vendor industrial control and operations systems, pandemic-accelerated digital transformation, and internal and regulatory compliance as challenges. To overcome them, he suggested building a cybersecurity plan around available frameworks and standards, like those in TSA’s Pipeline Security Guidelines for natural gas and hazardous liquid transmission systems.
The guidelines include establishing a corporate security plan, conducting risk analysis, evaluating criticality—which is a new requirement—implementing facility and cyber asset security measures, and using DHS’s National Terrorism Advisory System (NTAS), which disseminates threat information via bulletins and alerts. A supplement issued in July 2021 digs deeper into cybersecurity topics, covering digital identity protection via multi-factor authentication, OT network segmentation and protocol restriction, anti-virus and patch management, implementing a “zero-trust” white-listing policy, and contingency and response planning; and sets a requirement for annual DHS or third-party reviews of system architecture.
As with vaccines, computer virus defense only is as good as the last system “booster,” so regularly updating software is critically important, Morill said. “Anti-virus works by continually updating its large inventory of things it knows are bad, and shutting them down if they happen to your computer,” he explained. Application white-listing, as offered by VMWare’s Carbon Black next-gen endpoint security platform, prevents ICSA and OT system access by unrecognized users, helping stop advanced “zero-day” attacks.
An effective zero-trust policy also should cover USB drives, which can function as recording devices, virus delivery vehicles, or homing beacons, Morill cautioned.
Intrusion detection works like anti-virus software, but it searches for known threats in all network traffic, rather than one computer. Morill recommended Snort, an Open-Source Intrusion Prevention System (IPS) that “sucks up” packets, scans for threats, and sends alerts. Network management tools help users better manage complex systems without IT’s help. Companies like Nozomi provide network configuration, firewall, IP address, and switch port management; bandwidth analysis; and storage monitoring.
Morill also advocated for IT “virtualization” by utilizing multiple “virtual” systems operating in a cloud environment that is hosted on one, highly secure physical server. “I am a huge proponent of virtualization,” he said. “If one computer fails, the next one is still up.” Virtualization provides greater IT efficiencies, reduced operating costs, increased performance and server availability, and accelerated disaster recovery, he maintained.
Finally, an effective cybersecurity system must include a means of collecting threat intelligence that doesn’t overwhelm security operations centers. “To really collect threat intelligence correctly, you need that SIEM, or Security Information and Event Management, as the grand conductor,” Morill said. “It looks at all the firewalls, and all the anti-virus, and the NIDS and the HIDS, and all these other systems, and says, ‘If this happens, this is a problem.’ That is all part of what you need for the technologies to build a corporate security plan that is going to be able to handle the threats that are coming at you today.
“It’s not if, it’s when. But with the right tools, when you get hit with a cyberattack, you’ll find out about it, you’ll mediate it—and business will go on.”
The human vulnerability
Ghosh, who stepped in for former ABS group expert Kyle Tobias, specializes in enhancing security in end-user systems, so he focuses on the people accessing the computers, and how to mitigate the human element, or “meatware,” in every operating system. Ghosh attributed the threat to insufficient knowledge, and the fact that people generally “want to be helpful,” which can lead to threats being introduced into control or IT systems.
The key is to understand the security issues, examine our own behaviors, identify deficiencies, and “eliminate ignorance,” Ghosh said. “If you know you are lacking in some area, then you can actually do something about it.” He also said people tend to ignore IT problems they know exist if they think someone else will handle it. Then the issue isn’t properly reported and grows worse. “That’s especially true with computer control systems,” he cautioned.
Some employees may need extra convincing to get with the program. Buy-in from every C-suite executive helps, Ghosh advised. So does the involvement of the entire team and third parties like OEMs, contractors, and vendors. And when convert cyber skeptics, they become the greatest “influencers, advocates, and champions” for more secure practices. “It’s not just an IT problem, it’s a people problem,” Ghosh said.
Techniques to change human behavior include team exercises, incident response and business continuity drills, using incidents as teaching moments, and finding fun ways to develop a cybersecurity culture that’s based on maintaining an “unfrozen” mindset, like offering rewards for the most un-hackable passwords. It’s also important to transfer and reinforce knowledge through mentorships, and tailoring training programs, not only for specific roles, but for new hires, experienced employees, and executives.
To establish a cybersecurity program, start with awareness and training, Ghosh said. Educate all employees on the broader risks, roles and responsibilities, then assess specific risks to controls systems, their vulnerabilities, measures needed to mitigate risk and improve security, and update policies and procedures to include cybersecurity controls. Then different groups came convene to discuss business cases, and budget for the appropriate and beneficial controls.
Finally, measure the impact of your training program on human behavior and knowledge through apprentice and mentor feedback, and internal and external behavioral change assessments, document the lessons learned, and make sure it’s relayed to everyone.
“Just because it’s difficult or hard to implement doesn’t mean that it’s impossible,” Ghosh concluded. “It is possible to change a culture over time, especially when people understand the benefits.”