Thousands of US chemical facilities rely on badly outdated cybersecurity guidance, making them vulnerable to hacking attacks that could not only cause economic damage but also chemical leaks or explosions, a Government Accountability Office (GAO) audit has found.

3300 chemical facilities in the US are classed as high-risk, meaning they use at least one of the 300 chemicals of interest. Included on this list are toxic and explosive compounds such as chlorine and cyclopropane, but also chemicals that might not be immediately dangerous if released but could be converted into weapons if stolen.

Most chemical companies, including high-risk ones, have internet-connected devices as part of their process control systems. This allows, for example, instrument manufacturers to service their devices remotely. But as convenient as it might be, ‘a direct connection is not just for the vendor, it would be for everyone’, says cybersecurity expert Lori Ross O’Neil from the Pacific Northwest National Laboratory in the US. Hackers taking control of the systems that operate a chemical plant could have catastrophic consequences, as an incident at an oil refinery in Saudi Arabia has shown.

Deadly intent

The 2017 incident in Saudi Arabia was not the first time hackers had targeted an industrial plant’s operational safety system. However, unlike the 2019 ransomware attacks on three chemical firms that attempted to extort money, this attack was likely meant to trigger an explosion.

Malware, which looked like a legitimate manufacturer file, infiltrated the refinery’s emergency shutdown control system. The only thing preventing a major accident was the hacker’s own faulty code, which inadvertently shut down the entire plant.

‘Nobody knows for sure who was behind it, but it’s generally accepted within the community that it was probably a nation state attack, most likely Iran,’ says Patrick Coyle, who has 20 years of experience in the chemical process industry and writes a daily chemical facilities security blog. In 2018, the cybersecurity firm FireEye concluded that a Russian government-owned research institute most likely built the tools for the attack.

The Saudi Arabia attack is far from the first time hackers have tried to hijack chemical facilities’ networks. In 2010, the Stuxnet virus infiltrated an Iranian nuclear facility, bringing uranium enrichment to a standstill. At the time, experts thought that isolating control systems from the internet meant they were invulnerable – but Stuxnet was likely brought into the facility on an infected USB stick.

Companies started implementing ‘separate safety control systems that would safely shut down a chemical process – and those were supposed to be protected from any external access’, says Coyle. But the Saudi Arabia attack targeting just those safety systems proved that this was no longer true either.

‘The current mythology in the chemical and process industry is that the systems that we employ to control operations are so complex that they would take a great deal of expertise, time and money to effect a coordinated attack that would have serious consequences,’ says Coyle. But making an attack hard doesn’t stop it, he adds.

Out of date

In the US, chemical companies follow the cybersecurity guidance released by the Chemical Facility Anti-Terrorism Standards (CFATS) programme – a document that has not been updated in more than a decade. This means that ‘in an ever-evolving threat landscape, there’s very little assurance that facilities are, in fact, secured’, says Nathan Anderson, who directed the GAO audit.

While age doesn’t mean the guidelines are wrong, it does make them incomplete, says Coyle. ‘One of the most prevalent methods of attacking a cybersystem today is phishing attacks. But there’s no mention of phishing in the guidance, because when it was written in 2008, phishing was not a thing,’ he notes.

‘There has to be a process in place so that if all of a sudden the cyberlandscape changes, and there is some additional suite of tools that malicious actors can utilise, the guidance has to also be that nimble,’ says Anderson.

But simply updating the guidance might not be enough. The report also highlights that the 136 inspectors tasked with ensuring facilities comply with CFATS regulations might not have the knowledge needed to spot insufficient cybersecurity. The GAO recommends a host of training and tracking measures to ensure inspectors are up to date on the issue.

Warnings going unheeded

The GAO report is not the first time cybersecurity – or the lack thereof – has been highlighted. Since as far back as 2015, security experts have been urging chemical plants to update their cyberdefences. But facilities might not see an immediate need to do so. ‘We’ve not had a terrorist attack on a chemical facility in the United States, ever,’ says Coyle. ‘Some people would point to that and say: “We don’t need to spend all this money.”’

According to the US Department of Homeland Security, the number of cybersecurity incidents at industrial facilities has been on the rise: 290 in 2016 up from only 41 in 2010. However, only four were within the chemicals sector, and their nature remains unclear.

One of the most important measures chemical facilities should take to protect operational technology is to separate it from business systems like email, says O’Neil. She also points to other guidance, like the National Institute of Standards and Technology’s, the American Chemistry Council’s or the ISO 27001 series.

Often the problem is that ‘IT people have an idea of how things should work, and they don’t understand what the engineers who are running the plant are dealing with’, O’Neil points out. In her role on the board of the cybersecurity professional organisation ISC2, she hopes to help chemical engineers or plant operators to become more cyber aware – ‘perhaps get a cybersecurity certification’. The industry, O’Neil says, would certainly benefit from more people bridging the divide.