Malicious cyberattacks are on the rise. It isn’t personal. Cyber criminals simply see your company’s data as a commodity – a resource to be leveraged for their profit. And they are good. So good, in fact, that most chemical companies are out-matched completely in their ability to combat attacks from organizations like the Syrian Electronic Army, North Korea’s Bureau 121, or Russia’s Sandstorm Crew. Whether it is from criminals from outside a company or within, businesses are losing as much as $400 billion a year globally to cyberattacks with experts predicting the costs could reach $90 trillion by 2030 (Cybersecurity Market Report, 2015).
The most common motive for hackers is cybercrime, in which an outside organization illegally accesses data and harvests the information for identity theft, supply chain manipulation, credit card fraud or customer account access. However, outside hackers also engage in cyber terrorism and cyber espionage. According to vArmour, once a cybercriminal gains access to a company’s systems, they dwell undetected for an average of 146 days, doing whatever they like with your hardware, software and proprietary information.
The threat is real and growing every day. CEOs who don’t think their companies are big enough or important enough to be targets should think again. Ransomware, where malware encrypts files and only releases them after a ransom has been paid, is becoming commonplace. Also, a simple phishing email can have a tremendous impact. Three years ago attackers got into the Saudi Aramco IT systems because an employee clicked on a link in a spear-phishing email. The subsequently installed malware partially wiped or totally destroyed the hard drives of 35,000 Aramco computers. Saudi Aramco employees first noticed something was wrong on Aug. 15, 2012, as files disappeared and computers started to fail. A group calling itself the Cutting Sword of Justice claimed responsibility for the attack, which lasted just a few hours, citing the company's support of Saudi Arabia's royal family.
Although national governments are trying to protect private businesses, the truth is that chemical companies must take matters into their own hands and proactively protect themselves against cyber threats.
Chemical manufacturers have always been concerned about security and protecting their plants. This is because if outside hackers gained unauthorized access to systems, the damage could be devastating. The idea that hackers could inject malicious code to then physically control machinery became a reality in 2010 when Stuxnet, the infamous cyber-weapon, brought an Iranian nuclear facility to a standstill during a sustained two-year attack. To prevent this type of takeover, many chemical manufacturers use air-gapped control systems, in which a secure computer network is physically isolated from unsecured networks such as the Internet. However, this inhibits machine-to-machine communication – a main benefit of the Internet of Things.
In the long run, chemical companies need a secure end-to-end solution where data is collected from the edge and securely transmitted to a protected technology platform. The main goals are to prevent the corruption of data throughout the cybersecurity framework and stop unauthorized access. Of course, maintaining a secure environment is extremely difficult, especially considering it is not usually a company’s primary area of expertise. To prevent unauthorized access, experts agree that the first place to start is to hack your own organization. This will uncover areas of vulnerability that then can be fortified. Next, it is important to have a communication plan in place should a cyberattack occur. Another best practice is to evaluate vendors and third-party partners who have access to your network. Make sure they have appropriate security measures in place and verify that components used to build products are clean.
In order to keep corrupt data from permeating your network, you must protect the edge. Unfortunately, machines that communicate with other machines often have been developed by manufacturers not familiar with security best practices. As a result, the software is often vulnerable to security breaches, and malware can be inserted at any stage of the development process. Pulling together as an industry to protect the machines and the edge of the network is critical. There are many other steps that can be taken to protect the integrity of the data, including adding multiple firewalls and not allowing systems that access the Internet to write back to the control systems.
On the technology side, the security advancements needed for a more secure network should focus on:
- technologies used to prevent unauthorized users from accessing data on the end devices;
- technologies that can identify, contain and mitigate attacks on data centers, platforms or applications, including scanning ERP systems and threat modeling exercises; and
- technologies that help prevent hijacked edge devices from corrupting data and passing it along to the infrastructure.
In many cases, using available cloud-based products and services may be a good strategy. These companies are in the business of providing security and support, which is why widespread adoption of cloud applications and services is accelerating. It is estimated that by 2019, 86 percent of workloads will be processed by cloud data centers (Cisco Global Cloud Index). While some have said that the Internet of Things makes companies more susceptible to cyberattacks, the remarkable visibility connected systems will provide to users in the next few years may actually make it easier to detect and prevent cyber threats.
As the number of cyberattacks continues to increase, taking action before an attack happens is imperative. Sitting back and hoping it won’t happen to you simply is not an option. Investment in cybersecurity is a new business reality that should be budgeted for like any other line item. Companies in the chemical industry that collaborate with supply chain partners and government agencies will be able to reduce cybersecurity risks while still enjoying the benefits of the new digital economy.
Stefan Guertzgen is the Senior Director of Global Industry Marketing for Chemicals, SAP, and John Harrison is the Director, SAP