The dynamics behind cyber risks and cyber governance vary from industry to industry. Each industry is unique, and so is the way each organization handles the risks it is exposed to. This is one of the main reasons why cyber security needs to be executed with deep analysis. Cyber security in the petrochemical industry is extensive in scope, running from the core source of supply at the oil pipelines, through the refineries, to the point of sale at gas stations. The risks faced throughout this process are high-level risks that can cause the functioning of the company to collapse completely. Such risk is also referred to as “enterprise risk”. So how can the objective of cyber resilience be achieved in such a situation?
Read through to gain a comprehensive insight into the risks faced by the Petrochemical industry, sources of cyber threats, current industry-specific guidelines prescribed for cyber security, and best practices to achieve better cyber resilience.
Current challenges faced by the industry
A quick look at previous breach incidents. A few events reported in the past:
1. May 2021, USA: Known as the hack that took down Colonial Pipeline Company, the largest fuel pipeline in the US, this attack led to a shortage across the East Coast and stemmed from a single compromised password. A ransom note demanding cryptocurrency appeared on computer screens and was spotted by employees.
2. July 2020, USA: The National Security Agency and the Cybersecurity and Infrastructure Security Agency of the US alerted the world about cybercriminals hacking into critical infrastructure across the country.
3. Feb 2020, USA: A pipeline company was attacked. The human-machine interface (HMI) was affected, resulting in the forced shutdown of a gas-compression facility and other upstream and downstream facilities for two full days.
4. 2017, the Middle East: The notorious Triton virus attacked the controls and security of a petrochemical company, resulting in multiple shutdowns and halted operations over several months. Triton still affects a lot of systems.
5. 2019, Mexico: Pemex, Mexico’s state-owned oil company, was attacked by ransomware, resulting in the forced shutdown of systems across the country. The perpetrators demanded a ransom in Bitcoin worth five million to decrypt the systems.
6. 2017, Ukraine: The NotPetya attack on a Ukrainian facility resulted in the shutdown of the country’s power grid.
7. 2010, Iran: Stuxnet was used to damage an Iranian nuclear facility.

Responsibilities have risen for the energy sector’s top executives and board members, who must navigate the big challenge of cyber security.
Analysis of various factors creating vulnerabilities:
Surface attacks due to the nature of systems: Attackers take advantage of any openings that are available to them. Systems in the petrochemical industry require increased availability of data for more efficient operations and for situational awareness. This, in turn, increases the attack surface and the potential exposure to vulnerabilities. The systems are reachable, and attackers are opportunistic.
Attacks due to technological advancements: Large and ever-increasing numbers of mobile phones, tablets, and other devices have access to operational systems for input, for payments at gas stations, and for ease of operations at various stages of production. These are all possible entry points for attackers. Other technological advancements, such as the Internet of Things and metering infrastructure, will keep arriving on the scene and creating vulnerabilities for newer cybercrime. Technological advancements also mean cybercrime advancements.
Attacks due to human error in operations: IBM research suggests that 27% of cyber-attacks in the industry are a result of human error. Tactics against data and privacy breaches must therefore include employee and staff training, clear and well-established practices and policies, and fixed employee roles and responsibilities. Owners should establish cyber-security roles, and the individuals in those roles must develop policies and procedures and educate other employees on them.
Cyber-security and safety policies must integrate human elements with the control system especially in system usage, maintenance, updates, etc. The policies must also address personal devices since misconfigured devices are vulnerabilities and easy targets.
Attacks due to ease of access: In the oil and natural gas industry, the physical aspect plays a major role. Networks must be segregated from the area of active operations, and access has to be separate. For example, it is best practice to keep IT, operations, and security separate from the rest of the production unit. Access to the whole system should not be available to all and sundry at one time. Even if the area of production is infiltrated or compromised, the whole system should not be exposed. Another common trap for operators is forgotten control systems, which are at risk of attack.
Attacks due to the nature of authority in the industry: Despite increasing and diverse risks, awareness, and stakes in the petrochemical industry, the majority of management and executives still believe that they are not directly responsible for security. It is mistakenly believed that cyber safety is the responsibility of a separate department and an aspect separate from the main functions, or that the threats are unavoidable due to the nature of the industry. There can also be a belief that it is not possible to counter the diverse threats, or that there is not enough expertise, tools, or charters to counteract the attacks. This can lead to complacency among non-IT stakeholders, making the job of the IT team more difficult and creating blind spots that can be exploited. Cyber-security must be regarded as a shared responsibility of all stakeholders, especially all employees in a company, from top-level executives to the front desk.
Existing guidelines and standards for cyber security:
The industry’s standard-setting bodies are the Department of Commerce’s National Institute of Standards and Technology (NIST), the Department of Energy (DOE), and other U.S. and international standards-setting bodies. Programs such as the ISA/IEC 62443 Series of Standards on IACS Security and the DOE Cybersecurity Capability Maturity Model (C2M2), in association with the above-mentioned bodies, help organizations implement the standards. Some of the standards are:
1. ISO 27001
2. API 1164
3. API Standard 1164
4. Department of Energy Cybersecurity Capability Maturity Model
5. International Electrotechnical Commission’s IEC 62443
6. International Organization for Standardization ISO 27000
7. Content unique to pipelines not covered by NIST CSF and IEC 62443 is currently being updated.
Strengthening cyber security:
- Segmentation of control systems architecture: Compartmentalizing lessens access and prevents the whole system from being laid bare to attackers. Keeping critical infrastructure and business systems on different networks is essential for minimizing risk. Additional segmentation can also be considered to protect critical assets. The key concern here is not allowing access to the whole system when one area is attacked or compromised.
- Continuous evaluation and enhancement: Policies, procedures, and control systems have to be consistently and continuously evaluated and improved. Training must also be evaluated and enhanced regularly. Constant vigilance is key to protecting against internal and employee errors, and it makes timely detection and correction easier.
- Professional analysis of systems and their impacts: The following factors have to be considered:
  - The company’s policy framework towards cyber threats, i.e. whether it is a policy of risk transfer, of mitigation, or of acceptance,
  - Investment areas,
  - Funds allocation,
  - Technological infrastructure, and
  - The expertise available.

  The analysis must be made not only at the initial stage; companies must keep analyzing routinely, adapting, and building on technological advancement and complexity.
- Computer control systems and computer security are not tangential: Control systems and security systems must always be considered in tandem. Cyber-security and cyber-resilience are best achieved when implemented across the entire system design and planning process.
- Control systems are considered as assets: Systems are just as important as other tangible or intangible assets, such as pumps, pipelines, equipment, and brand, that require routine maintenance, replacement, improvement, and audit or evaluation.
- Being part of guilds/groups: As of now, there is the Oil and Natural Gas Information Sharing and Analysis Center, an industry group for the private sharing of intelligence about cyber threats.
- Awareness: Staying alert and aware cannot be emphasized enough. There are many resources available, such as the website of the US Department of Homeland Security, which actively publishes information about various vulnerabilities. Owners must stay ahead and address emerging and diverse concerns before cyber-criminals take advantage of them.
- Following standards: The generally accepted practices and frameworks have to be implemented and followed meticulously. Some of them are ISA 62443, NIST 800-82, and the cyber security framework of the American Petroleum Institute.
- Compartmentalize and segment control system network architecture: This lessens access and keeps business systems on a different network from critical infrastructure. Consider additional segmentation to protect critical assets and to prevent attackers from reaching the whole system if they find a way into one area.
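
To make the segmentation guidance concrete, the following added example (not part of the original article) models network zones and their allowed flows as a graph and reports which critical zones become reachable if any one zone is compromised. The zone names and flow lists are constructed for illustration, and the model assumes the worst case, in which a compromised zone can use every flow it is allowed.

```python
from collections import deque

# Constructed sample policies: each tuple is an allowed flow (source zone, destination zone).
FLAT_FLOWS = [
    ("fuel_retail_pos", "business_it"),     # gas-station payment terminals report to IT
    ("business_it", "ot_dmz"),              # IT reads replicated process data
    ("ot_dmz", "control_network"),          # DMZ hosts may open sessions into OT
    ("control_network", "safety_systems"),
    ("vendor_remote", "control_network"),   # vendor access that bypasses the DMZ
]
SEGMENTED_FLOWS = [
    ("fuel_retail_pos", "business_it"),
    ("business_it", "ot_dmz"),
    ("control_network", "ot_dmz"),          # OT pushes data out; nothing initiates inward
    ("control_network", "safety_systems"),
]
CRITICAL = {"control_network", "safety_systems"}

def reachable(start, flows):
    """Breadth-first search: {zone: path from start} over allowed flows."""
    adjacency = {}
    for src, dst in flows:
        adjacency.setdefault(src, []).append(dst)
    paths, queue = {start: [start]}, deque([start])
    while queue:
        zone = queue.popleft()
        for nxt in adjacency.get(zone, []):
            if nxt not in paths:
                paths[nxt] = paths[zone] + [nxt]
                queue.append(nxt)
    return paths

def exposure_report(flows, critical):
    """For each non-critical zone, the critical zones exposed if it is compromised."""
    zones = {zone for flow in flows for zone in flow}
    report = {}
    for zone in sorted(zones - critical):
        hits = {c: p for c, p in reachable(zone, flows).items() if c in critical}
        if hits:
            report[zone] = hits
    return report

def direct_bypasses(flows, critical, conduit="ot_dmz"):
    """Flows entering a critical zone from outside without using the conduit zone."""
    return [(s, d) for s, d in flows
            if d in critical and s not in critical and s != conduit]

if __name__ == "__main__":
    for name, flows in (("flat", FLAT_FLOWS), ("segmented", SEGMENTED_FLOWS)):
        print(name, exposure_report(flows, CRITICAL), direct_bypasses(flows, CRITICAL))
```

In the flat policy, individually reasonable rules chain together so that a compromised payment terminal has a path to the safety systems; in the segmented policy, no zone outside the critical set has any path in.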
Overview of the cyber resilience principles by WEF:
Cyber resilience principles for oil and gas infrastructure companies, as outlined by the World Economic Forum, are as follows:
- Cyber resilience governance – Policies and systems must be planned and implemented beginning at the governance level, since security counts on organization-wide participation from management to the grassroots level. Aligning all the efforts and fixing accountability is fundamental to the success of the system.
- Resilience by design – Cyber-security need not be a separate department to be individually planned and implemented. It can be included as a design parameter and as part of the corporate culture. This will significantly improve the outcomes and effectiveness of the security system.
- Corporate responsibility for resilience – It helps to recognize and accept that diverse, frequent, and ever-advancing threats cannot be prevented, and that they will continue to occur or at times escalate into a huge threat. This enables companies to be proactive and to take responsibility and initiative. It is the first step in managing risks.
- Holistic risk management approach – As with any risk management, cyber resilience and management require a mandate, funds, resources, and accountability. In this sector, it is important to mitigate risks to all parts of the value chain so that one weak link doesn’t bring production to a halt.
- Ecosystem-wide collaboration – Weak points in defense may lie outside an organization too. Efforts to share cyber threat information, use best practices, and improve cybersecurity maturity across the whole sector help industry-wide stability.
- Ecosystem-wide cyber resilience plans – As mentioned earlier, recognizing that cyber-attacks will continue to occur, organizations should build resilience plans to help mitigate damage from those attacks that have succeeded. Regular cybersecurity exercises enable them to test and improve defenses, including how they will cooperate with other industry partners.