Petrochemical backup and recovery
Are Utilities Prepared for a Rise in Cybersecurity Attacks?
A recent Forbes article: U.S. Government Issues Powerful Cyberattack Warning As Gas Pipeline Forced Into Two Day Shut Down [1] describes an all too likely scenario where a cyberattack occurred due to an employee simply clicking on the wrong link, resulting in data-encrypting malware infiltrating the facility. According to a CISA alert [3], “a decision was made to implement a deliberate and controlled shutdown to operations.” This shutdown lasted two days and affected the entire gas pipeline.
PREVENTING THE ATTACK
According to Forbes, “The attack happened because the adversary was able to hop from the gas compression facility’s IT network onto the operational technology (OT) network when an employee mistakenly clicked on a malicious email link.”
As we discussed in our blog article: Manufacturing Cybersecurity: Are Your Industrial Control Systems REALLY Protected? [2] , internetworking, or business models related to the Internet of Things (IoT), has made manufacturers more vulnerable as both the industrial and business networks are interconnected to the internet and no longer separated, expanding the attack surface. This increased risk cannot be completely mitigated by network isolation alone, or hardware technologies such as data diodes, as there are many threat vectors. Rather than the employee clicking on a link while on the IT network, the malware could have been directly introduced to the OT network by an employee with a USB stick on a workstation (e.g. Stuxnet).
Protecting the devices on the OT network requires an integrated approach that includes commonly used products such as firewalls, networking monitoring, and an automation Change Management System (CMS). One of the most common, and dangerous, ways to attack a utility or manufacturing plant is to gain access to control systems that operate and/or automate industrial processes, such as programmable logic controllers (PLC.) To protect these processes, the data (configurations, logic, code, etc.) in the industrial control systems must be stored in a central location where there is a privileging system set-up to manage access to plant-floor devices. No USB should get anywhere near the OT network and workstation access should be authenticated by the CMS. Line-of-sight restrictions on which workstations can be used to edit certain device programs is also good safety practice, as well as managing workstation backups/images centrally through the CMS. Lastly, automation device manufacturers regularly update their firmware to address new threats. So, it is a major benefit if the CMS can track data such as firmware, software and CPU versions in automation devices throughout the facility so they can be compared against published threat reports. There is only one CMS that can do all of these and is developed in the U.S: MDT AutoSave.
Luckily, this gas utility attack did not impact any PLCs, so the facility did not lose control of operations [3] though recovery time is lengthened by not having recent workstation images/backups. However, this attack highlights the vulnerability of critical utilities, including power grids and water treatment operations, to cyber weapons that could cause severe financial, environmental and infrastructure harm.
AFTER THE ATTACK
In the past 6 months, more than a dozen U.S. utilities have been targeted in a wave of cyberattacks and the U.S. government has warned repeatedly that the nation’s electricity grid is an attractive target for overseas hackers.[4] Additionally, a 2018 study by financial services group KPMG found that nearly half of power and utility executives (48%) expect a cyberattack to be inevitable. So, while preventative measures must be undertaken, utilities clearly must also have a plan in place for what to do if preventative measures don’t block all attacks, as they become more sophisticated.
According to a survey of 1,726 utility professionals responsible for securing or overseeing cyber-risk, the majority of respondents state that “where past attacks primarily targeted data theft, current and future attacks can hijack control systems and logic controllers that operate critical infrastructure with the intent to cause physical damage and outages.” So, it stands to reason that a post-attack strategy must include the detection of changes to logic programs in the automation layer and a method for reversing a malicious change quickly. As stated previously, if an automated facility uses MDT AutoSave to manage all program configurations, AutoSave will authenticate users that have permission to make a change to the program. However, if a change is made outside of the AutoSave, it will also detect that change by comparing the latest approved program copy on file with the program running in each device and identify any differences and notify the appropriate personnel. In detecting a problematic program change quickly, the time it takes to mitigate damage is greatly reduced.
The next step in recovering from a cyber-attack is to restore operations, as disruption of services provided by a utility can have serious consequences. To restore operations, the latest approved program must be downloaded to the device very quickly. Maintaining an archive of all program revisions is vital for any type of facility using automated devices, whether it is a utility or manufacturing plant. For a plant to maintain uptime when faced with normal hazards, such as power outages, human error and equipment failure, this archive enables users to quickly retrieve the most current copy of the program and resume operations. When the change is malicious and unauthorized, this becomes even more important.
Evidence shows that utilities are going to continue to be a common target for cybersecurity attacks. Effective management of Industrial Control Systems must be part of the security plan for any utility operation.

_________________________________________________________________REFERENCES________________________________________________________________

Reference product: MDT AutoSave is a U.S. developed product that supports more industrial devices than any other CMS on the market. More information about MDT AutoSave’s cybersecurity protection and recovery solutions can be found at www.mdt-software.com/autosave-protection-and-recovery-solutions/.
[1] Kate O’Flaherty, “U.S. Government Issues Powerful Cyberattack Warning as Gas Pipeline Forced into Two Day Shut Down” FORBES Magazine, February 2020.
[2] Gary Gillespie, “Manufacturing Cybersecurity: Are Your Industrial Control Systems REALLY Protected?” Schneider Electric Blog, June 2018.
[3] Cybersecurity and Infrastructure Agency (CISA), “Alert (AA20-049A) Ransomware Impacting Pipeline Operations” February 2020.
[4] Matthew Stolle, “Cyberattacks Continue Against U.S. Utility Companies” Government Technology, November 2019.
[5] Siemens and Ponemon Institute Report “Caught in the Crosshairs: Are Utilities Keeping Up with the Industrial Cyber Threat?” October 2019.