Cyber security threats within the process industries are constantly adapting, becoming increasingly more intelligent and are multiplying in number.
Such is the scope of these threats, the UK government released data last year that suggests the average cost of a serious cyber security attack is almost £1.5 million – more than double the cost in 2014.
“Any process plant should first and foremost ensure they have a management system that protects their process control systems from unwanted users, applying the principle of ‘minimal rights’"
Likewise, the US Department of Homeland Security’s Industrial Control System Emergency Response Team (ICS-CERT) has reported a 25% rise in cyber security incidents in the industrial sector since 2011.
Tekena Fubara, concept engineer at oil and gas production firm Shell, says the level of damage caused by an attack depends largely on the vulnerabilities within a process plant’s systems, the skills of the attacker and the level of intent the hacker possesses in causing widespread damage.
Fubara says cyber-attacks could come from a wide variety of sources, including: corporate industrial competitors, foreign intelligence services, hackers driven by the desire to make money and even disgruntled employees subverted by criminals, external contractors or vendors.
He says often the capabilities of hackers can be classified as either ‘commodity’ or ‘bespoke’.
“Commodity capability covers the use of easily available tools and techniques, which are simple to use, such as the Remote Access Tool (RAT), ‘Poison Ivy’.”
The Poison Ivy RAT is a backdoor piece of malware that has the ability to bypass security mechanisms. Once past security, Poison Ivy can control the infected computer, its programs or its network.
Once executed, Poison Ivy can view, suspend or kills a computer’s active processes, as well as give the hacker the ability to view and control services on the computer.
Bespoke capabilities are somewhat different, Fubara says.
“They involve the use of more sophisticated tools and techniques for specific purposes, with a more specialist knowledge required for deployment,” he says.
“This includes the use of a specially-written code that takes advantage of a bug in the automation and control system that has not yet been recognised – known as zero-day exploits - or an undocumented software capability.”
Fundamentally, however, bespoke capabilities must constantly evolve, otherwise they become commodity capabilities as they become “known” when they are discovered, Fubara suggests.
According to Fubara, older plants could be most at risk from the constantly evolving threat landscape.
“Within ageing plants, simple secure coding approaches such as ActiveX are not available, or else cannot be stood by the automation and control system as they seem to crash on security scans being run,” Fubara says.
He also claims many plants are known to have back-door admin passwords that are not totally controlled, and have no timeout options.
This allows hackers to use brute force login attempts to gain access to a system, Fubara says.
“Once the system is owned by the hacker, they could implement a new ladder logic which could change the Human Machine Interface (HMI) so the operator has no visibility on plant conditions.
“The consequences of these are real and dangerous, and could be a hazard to finance and humans.”
Fubara says process operators have a number of tools at their disposal to stay one step ahead of hackers.
“Any process plant should first and foremost ensure they have a management system that protects their process control systems from unwanted users, applying the principle of ‘minimal rights’.
“This should apply to both user accounts and to access between different computers such that users only have access to what they require to discharge their specific duty,” he says.
Plant operators should also protect their process networks by dividing them into security zones, Fubara suggests.
In that instance, each zone would have the same level of security so that traffic can be monitored across each zone within the network, he adds.
“As much as possible, the direct connection between the Process Control Network (PCN) and any other system outside of the plant, such as real-time monitoring systems, should be segmented using firewalls, such that communication to the PCN is no longer direct, but via these segments or demilitarised zones,” Fubara says.
“It is essentially important that these firewalls are properly configured to allow only trusted addresses and protocols, as well as the fact that they are updated regularly.”
Cyber threats can also be challenged if security is applied at the embedded device layer within a plant – such as on electronic plant transmitters that send analogue signals to distributed control systems (DCS) without security checks, Fubara suggests.
Plant operators may wish to consider this measure because if there is a virus on a USB stick, for example, the system will send an alarm that highlights the fact a “wrong packet” was being transmitted, he says.
On top of these measures, plant operators can benefit from automation standards designed to help protect assets.
“The ISA/IEC-62443 is a series of technical reports, standards and general information,” Fubara says.
“It covers procedures that can be used for ensuring an electronically secure industrial automation and control system and is a very good reference for asset owners to refer to in managing their plant control and automation system’s security.”
The move towards advanced integration could have a major impact on system management however.
The Internet of Things (IoT) is effectively an environment that provides objects with unique identifiers, with each having the ability to transfer data over a network without the need for either humanto- human or human-to-computer interaction, Fubara says.
“The IoT implies that several industrial plants can then now be connected together or with other systems without the acknowledgement of any of the process plants themselves.
“With about one million Supervisory Control and Data Acquisition/Industrial Control System systems currently connected to the internet all having unique IPs, and about 2000-8000 being added to this per day, this poses a great threat to process safety where cyber security threats are being considered,” he says.
JOB TITLE: Concept Engineer, Shell
EDUCATION: 2003 BSc Chemical Engineering, specialising in environmental engineering and petroleum engineering, University of Lagos
2008 MSc Process and Environmental Systems Engineering, University of Surrey
CAREER: 2002 Completed an Internship at Shell as part of degree, working within the waste management team.
2003 Lectured at the Department of Polymer Technology, Federal Polytechnic, Auchi, Nigeria.
2007 Completed stints at a petrochemical refinery and precious metal refinery before completing MSc.
2008 Joined Centrica, focusing on oil and gas production from offshore through to onshore processing, conditioning and export.
2013 Joins Shell as a Senior Process Engineer within its exploration and production business.
2015 Promoted to Concept Engineer to look at safe and profitable production from offshore oil and gas assets.