White House Adds Cyber Plan For Chemical Sector

On Wednesday, the White House announced plans to expand its public-private cybersecurity partnership, the Industrial Control Systems (ICS) Cybersecurity Initiative, to include a fourth sector: the chemical sector.

The announced Chemical Action Plan brings CISA and major U.S. chemical companies together to develop and implement plans for higher cybersecurity standards across the sector, including improving visibility and threat detection for industrial control systems. The plan will focus on “high-risk chemical facilities that present significant chemical release hazards.”

The plan sets a 100-day timeline for chemical sector companies to assess their current cybersecurity practices in accordance with known best practices, following similar initiatives in the electricity, pipeline, and water industries.

2 Expert Comments
Grant.geyer, Chief Product Officer
InfoSec Expert
October 28, 2022 10:09 am

With so much U.S. Critical Infrastructure owned and operated by the private sector, what’s become abundantly clear is that free market forces alone are not working. As cyber criminals and U.S. adversaries are showing an increasing brazenness to cause impacts to public safety through digital attacks against cyber-physical systems, increasing connectivity is driving up societal risk exponentially. 

While the White House actions are warranted, the previous sprints have been oriented predominantly on monitoring. We have and will continue to urge the U.S. Government to ensure the sprints care for the target-rich cyber-poor entities that are struggling with the basics of protecting their infrastructure – such as implementing strong authentication and establishing a baseline understanding of their OT assets. We need to ensure the at-risk sectors are sprinting in a direction that will optimise the risk buy down for their efforts.

James.lively, Endpoint Security Research Specialist
InfoSec Expert
October 28, 2022 10:06 am

Many Industrial Control Systems (ICS) were not built or developed with security as a consideration; however, attacks on ICS systems are extremely rare for a multitude of reasons.

Attackers need significant in-depth knowledge of the policies, processes, and procedures about the company that they are targeting. Where do the networks reside with ICS systems attached? What is the layout of said network? What are the make, model, and versions of software running on the ICS systems? Who has access? When are these systems normally accessed? How are these systems updated?

ICS systems are often not internet connected and reside on a local air-gapped network. The systems connected to these air-gapped networks still require recurring updates, which requires someone to download the updates from an internet connected system and transfer those updates to the air-gapped network, often via thumb drive.

For attackers to develop malicious tools and exploits for ICS systems, in most cases, they need an exact or near exact replica of the ICS system, make, model, and versions of software running. The challenge attackers face is acquiring said systems to replicate, requiring a colossal budget and resources, to develop the tools and exploits required to infect or attack an ICS system. An insider threat, someone who has access to information and/or systems, can often aid attackers in subverting the ICS systems. At any point in time during development of the tools and exploits, should the target company update their ICS system or software, an attacker needs to have knowledge that an update happened, acquire the new system and/or software, change direction with their tools and exploits, or completely start from scratch on new tools and exploits.

The advantages that attackers have are that a copious number of companies with ICS systems controlling critical infrastructure have deficient policies, processes, and procedures. A well-funded attacker only needs to locate one company with inadequate security measures, and they have all the time in the world to develop capabilities against them. Therefore, the Cybersecurity and Infrastructure Agency (CISA)’s effort to collaborate with the private sector about security practices and promoting a higher standard of cybersecurity across the critical infrastructure sectors has been long overdue and is a highly welcomed addition to their initiatives.

With industrial control systems, availability and human safety are a priority concern, with cybersecurity often being an afterthought in initial design and implementation, and equipment and processes being expensive to modernize. In recent years, this mentality is shifting with hardware manufacturers and government agencies realizing the risk of not properly securing and monitoring these systems against modern threats. While the cost of implementation can be high, the urgency is also high.
