Cyber security attacks continue to be widely reported in the media. Among one of the latest high-profile cases is the Colonial Pipeline ransomware attack, one of the largest on the US energy system in history. However, regardless of size, any business is susceptible to cyber security breaches, and it is the responsibility of business leaders to ensure that appropriate measures are in place to reduce the threat.
Cyber-attacks can result in industrial liabilities due to loss of life, damage to the environment and loss of production, as well as direct costs such as those arising from technical fixes, loss of customers and those associated with dealing with media and press enquiries. In some cases, criminal proceedings can be brought against businesses or individuals. The Chemical and Downstream Oil Industries Forum guidance ‘Cyber Security for Senior Managers’, produced jointly by industry and the UK Health and Safety Executive (HSE), reports the following quote from a business that was subject to a cyber event:
“The initial months of response were all consuming for many employees but what cannot be underestimated is the slow burn over the next two years and the years to come. Articles are written, presentations are made by people without the full knowledge, that must be replied to, to maintain product and company integrity”
Regardless of local, national and international regulations, managing cyber security risks is good business now and is becoming more relevant as we look to the future. With threats coming from many different sources, including nation states, criminals or even a company’s own employees, it is critical that organizations understand how they may be at risk and where those risks originate.
Understanding your computer systems and networks
Computer systems form an integral part of any organization, providing essential business functions ranging from email and accounting to control and automation systems which manage plant and process. Understanding the nature of these systems and their inter-connectivity is key. They may reside on servers within the organization, with third party providers, or may even be cloud based. And it is for business leaders to ensure that these systems are protected.
Before implementing any security measures, it must first be determined what is to be protected, or indeed defended, along with the connectivity between each system and the system access rights, both physical and digital. For control and automation systems, a useful resource in the UK is provided by the Health and Safety Executive’s Operational Guidance (OG86) ‘Cyber Security for Industrial Automation and Control Systems’. This represents an excellent reference point for organizations wishing to answer these crucial questions.
Managing the risks
Senior leaders are responsible for the people, processes and the technology necessary to protect against cyber threats:
- People – ensuring that there is sufficient resource, competency and communication with their staff
- Process – ensuring corporate risk registers are maintained with cyber threats and management systems are in place to manage those threats
- Technology – ensuring that appropriate technology is deployed and regularly updated
Business leaders should also ensure that appropriate key performance indicators (KPIs) are established and reported. These should include both lagging indicators – such as the number of unauthorised access attempts – and leading indicators – such as intrusion detection system effectiveness. However, KPIs only measure predetermined parameters – things we know about – and with cyber threats continually evolving, it is also key to have access to speculative information such as media reports.
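The two kinds of indicator mentioned above can be computed directly from the data an organization already holds. The following is an added example, not code from the original article or from any of the bodies it cites: it derives a lagging KPI (unauthorised access attempts, counted from authentication log lines) and a leading KPI (intrusion detection coverage, measured as the share of known detection tests that actually produced an alert). The log format, host names, addresses, rule names and IDS test results are all constructed for illustration.

```python
"""Compute one lagging and one leading cyber-security KPI from constructed data.

Added example, not part of the original article. The log lines, hosts, users,
addresses and IDS test results below are constructed and describe no real system.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample authentication log (a simple key=value format is assumed).
AUTH_LOG = """\
2024-03-01T08:02:11 host=hmi-01 user=operator result=success src=10.0.5.20
2024-03-01T08:05:42 host=hmi-01 user=admin result=failure src=10.0.5.99
2024-03-01T08:05:50 host=hmi-01 user=admin result=failure src=10.0.5.99
2024-03-01T08:06:01 host=hmi-01 user=admin result=failure src=10.0.5.99
2024-03-01T09:15:00 host=eng-ws-03 user=jsmith result=success src=10.0.7.14
2024-03-01T11:40:23 host=historian user=svc_backup result=failure src=203.0.113.8
2024-03-02T02:10:09 host=historian user=root result=failure src=203.0.113.8
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def parse_auth_log(text):
    """Parse each line into a dict; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            events.append(rec)
    return events


def unauthorised_access_attempts(events, since, until):
    """Lagging KPI: failed authentication attempts in [since, until), by source address."""
    failures = [e for e in events
                if e["result"] == "failure" and since <= e["ts"] < until]
    return {"total": len(failures),
            "by_source": dict(Counter(e["src"] for e in failures))}


# Constructed IDS coverage tests: each entry is a benign, pre-agreed test case that
# the intrusion detection system is expected to alert on, and whether it did.
IDS_TESTS = [
    {"rule": "brute-force-login", "segment": "control", "alerted": True},
    {"rule": "brute-force-login", "segment": "corporate", "alerted": True},
    {"rule": "new-device-on-ot-vlan", "segment": "control", "alerted": False},
    {"rule": "outbound-to-unknown-host", "segment": "control", "alerted": True},
]


def ids_effectiveness(tests):
    """Leading KPI: share of detection tests that alerted, plus the gaps to close."""
    alerted = sum(1 for t in tests if t["alerted"])
    missed = [f"{t['segment']}:{t['rule']}" for t in tests if not t["alerted"]]
    return {"coverage": alerted / len(tests) if tests else 0.0, "missed": missed}


if __name__ == "__main__":
    evs = parse_auth_log(AUTH_LOG)
    day = datetime(2024, 3, 1)
    print(unauthorised_access_attempts(evs, day, day + timedelta(days=1)))
    print(ids_effectiveness(IDS_TESTS))
```

The lagging figure is only meaningful alongside its breakdown by source (three attempts from one internal address look different from one attempt from an external one), and the leading figure is only as good as the set of tests behind it, which is why the function returns the missed cases rather than just a percentage.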
In addition to ensuring sufficient resources and measuring the performance of the business, focus should be placed on fostering a healthy vision and business culture. A strong organizational culture would include ensuring that there are no barriers to reporting concerns, that incidents and near misses are recorded and reviewed in a timely manner, and that the teams responsible for Operational Technology (OT) (i.e. control systems) and Information Technology (IT) (i.e. email servers) communicate effectively to share knowledge and best practice. Most crucially, existing business practices may need to change to accommodate ever-evolving cyber security threats. Decision makers will need to be able to react quickly and ensure that communication between management teams and technical specialists is clear, concise and fast.
Competency and vetting
As with all critical operations, it is important to ensure that people are competent to carry out the tasks that are assigned to them. Most businesses will already have a comprehensive Competency Management System (CMS) in place. However, the existing CMS is unlikely to cover all the aspects required for cyber security and will need to be updated to include:
- the IT and OT tasks that may cause a cyber security risk
- the IT and OT tasks that are required to implement the cyber security measures
- competencies required to carry out these tasks
- how cyber security threats are reviewed in order to update competencies (Cyber security is rapidly evolving so the CMS should be updated accordingly)
- where cyber security roles are external to the business, how to maintain intelligent customer capability
General awareness of cyber risks should also be provided to all employees and contractors with access to systems.
To provide protection against internally initiated attacks, appropriate levels of vetting must also be carried out. This means that vetting should be proportionate to the role that the individual is being tasked to do and should cover new staff, the movement of staff within the business, and contractors. It should also be carried out on an ad-hoc basis, triggered for example by a change in behaviour. However, vetting alone may not provide protection for highly sensitive areas. For this reason, consideration should be given to sharing critical roles, so that key tasks require both a requester and a separate approver.
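The requester/approver split described above is a separation-of-duties control and can be enforced in software rather than left to convention. The following is an added example, not code from the original article: a small two-person-control workflow in which a critical task must be requested by someone holding a requesting role and approved by a different person holding an approving role before it can be executed. The task types, role names and user identities are constructed assumptions.

```python
"""Two-person control for critical tasks: a requester and a separate approver.

Added example, not part of the original article. Task types, roles and users
are constructed stand-ins for an organization's own directory and policy.
"""
from dataclasses import dataclass, field
from typing import Optional


class ApprovalError(Exception):
    """Raised when an action is refused under the two-person rule."""


# Constructed policy: which roles may request and which may approve each task type.
TASK_POLICY = {
    "change_plc_logic": {"request": {"engineer"}, "approve": {"ot_lead"}},
    "grant_remote_access": {"request": {"engineer", "it_admin"},
                            "approve": {"it_lead", "ot_lead"}},
}


@dataclass
class CriticalTask:
    task_type: str
    description: str
    requested_by: str
    approved_by: Optional[str] = None


@dataclass
class TwoPersonControl:
    roles: dict                              # user -> set of roles (constructed)
    log: list = field(default_factory=list)  # audit trail of every decision

    def _check(self, user, task_type, action):
        policy = TASK_POLICY.get(task_type)
        if policy is None:
            raise ApprovalError(f"unknown task type {task_type!r}")
        if not self.roles.get(user, set()) & policy[action]:
            raise ApprovalError(f"{user} is not permitted to {action} {task_type}")

    def request(self, user, task_type, description):
        self._check(user, task_type, "request")
        task = CriticalTask(task_type, description, requested_by=user)
        self.log.append(("requested", user, task_type))
        return task

    def approve(self, user, task):
        # Separation of duties: the requester can never approve their own task,
        # even if they also hold an approving role.
        if user == task.requested_by:
            raise ApprovalError("requester may not approve their own task")
        self._check(user, task.task_type, "approve")
        task.approved_by = user
        self.log.append(("approved", user, task.task_type))
        return task

    def execute(self, task):
        if task.approved_by is None:
            raise ApprovalError("task has not been approved")
        self.log.append(("executed", task.requested_by, task.task_type))
        return True


def denied(fn, *args):
    """Return True if the call is refused under the two-person rule."""
    try:
        fn(*args)
    except ApprovalError:
        return True
    return False


if __name__ == "__main__":
    ctrl = TwoPersonControl(roles={"alice": {"engineer", "ot_lead"},
                                   "bob": {"ot_lead"}})
    task = ctrl.request("alice", "change_plc_logic", "update interlock timer")
    print("self-approval denied:", denied(ctrl.approve, "alice", task))
    ctrl.approve("bob", task)
    print("executed:", ctrl.execute(task), ctrl.log)
```

Note that the self-approval check runs before the role check: holding both roles is common for senior engineers, and the control only works if the identity test is unconditional. The audit log is what the auditing process described later in the article would inspect.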
Policies and procedures
As with all aspects of a business, the management team should ensure that there is an appropriate cyber security management system in place covering:
- Management of security risks
- Protection against cyber attack
- Detection of cyber security events
- Minimisation of the impacts of cyber security incidents
Interfaces to existing management systems, such as those for competency and process safety, should also be considered.
As part of the cyber security management system, auditing processes are also critical. The audit will need to ensure that the cyber security management system is used as intended and is appropriate for use. It should also consider providing evidence of the existence of vulnerabilities and the verification of any countermeasures.
In the UK, the National Cyber Security Centre, established in 2016, provides a Cyber Assessment Framework (CAF) that allows organizations to assess the extent to which cyber risks to essential functions are being managed.
Vulnerabilities to IT and OT systems may originate from on-site or off-site access. On-site controls are often easier to implement but businesses should also consider how they can manage potential threats from third parties visiting the site to carry out work (for example an automation contractor visiting site to carry out upgrade work). These additional measures could include:
- defining and managing access control (e.g. passes/fobs)
- implementing systems to ensure malware is not introduced
- restrictions on the use of contractors’ own equipment
- control of the integrity of software update mechanisms (software patches/virus definitions)
- how communication with vendors and third parties should take place, for example to avoid phishing emails
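Two of the measures listed above, keeping malware off site and controlling the integrity of software updates, come down to the same check: nothing is installed on a plant system unless it matches what the vendor said it shipped. The following is an added example, not code from the original article or from any vendor: it verifies a set of delivered update files against a manifest of expected SHA-256 digests, authenticates the manifest itself, and refuses the whole set if anything is altered, missing or unexpected. The manifest is authenticated here with an HMAC under a constructed key, which stands in for the vendor's digital signature; the file names and contents are constructed.

```python
"""Integrity check for software updates before they reach plant systems.

Added example, not part of the original article. The manifest lists the expected
SHA-256 digest of each update file and is authenticated with an HMAC key that is a
stand-in for a vendor signature; files, contents and key are all constructed.
"""
import hashlib
import hmac
import json

# Constructed: key shared with the update source (signature-verification stand-in).
MANIFEST_KEY = b"constructed-demo-key-not-for-real-use"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(entries: dict) -> bytes:
    """Canonical JSON so the HMAC does not depend on key order or whitespace."""
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(entries: dict, key: bytes = MANIFEST_KEY) -> dict:
    """Produce {file: digest} entries plus an HMAC tag over their canonical form."""
    tag = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "tag": tag}


def verify_updates(manifest: dict, files: dict, key: bytes = MANIFEST_KEY) -> dict:
    """Return {file: verdict} with verdicts 'ok', 'hash_mismatch', 'missing',
    'not_in_manifest', or 'manifest_untrusted' for every file if the manifest
    itself fails authentication."""
    expected = hmac.new(key, _canonical(manifest["entries"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        names = set(files) | set(manifest["entries"])
        return {name: "manifest_untrusted" for name in names}
    verdicts = {}
    for name, digest in manifest["entries"].items():
        if name not in files:
            verdicts[name] = "missing"
        elif hmac.compare_digest(sha256_hex(files[name]), digest):
            verdicts[name] = "ok"
        else:
            verdicts[name] = "hash_mismatch"
    for name in files:
        if name not in manifest["entries"]:
            verdicts[name] = "not_in_manifest"   # extra file: never installed silently
    return verdicts


def approved_for_install(verdicts: dict) -> bool:
    """Install only when every listed file verified and nothing unexpected arrived."""
    return bool(verdicts) and all(v == "ok" for v in verdicts.values())


# Constructed sample: the update set as the vendor released it ...
GOOD_FILES = {
    "plc-fw-2.3.1.bin": b"firmware-image-bytes",
    "av-defs-20240301.dat": b"signature-db-bytes",
}
MANIFEST = sign_manifest({n: sha256_hex(d) for n, d in GOOD_FILES.items()})

# ... and the set found on the media a contractor brought to site (constructed).
DELIVERED_FILES = {
    "plc-fw-2.3.1.bin": b"firmware-image-bytes",
    "av-defs-20240301.dat": b"signature-db-bytes-altered",
    "helper.exe": b"unexpected-extra-file",
}

if __name__ == "__main__":
    verdicts = verify_updates(MANIFEST, DELIVERED_FILES)
    print(verdicts, "install:", approved_for_install(verdicts))
```

The design point is that the decision is all-or-nothing: a single altered or unlisted file blocks the whole update set, and an unauthenticated manifest blocks everything, because a manifest that can be edited to match a tampered file offers no protection at all.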
Many businesses also rely on third party services hosted in the cloud, such as email, document management and accounting services. While these services offer extensive benefits, they need to be balanced against the risks that may be introduced. Businesses should therefore ensure the robustness of the security measures put in place by the provider (e.g. to prevent unauthorized remote access) and that only those systems that need remote access have remote access. With cloud-based systems a high-value target for attackers, appropriate provision should also be made for the loss of those services to the business.
Managing cyber security can be complex. It is therefore essential to understand what equipment and systems you have, how they can be accessed, and by whom. Only then can the appropriate controls be put in place.
When planning these controls, it is important to remember that regardless of local, national and international regulations, managing cyber risks is good business. With all businesses at risk from a number of sources, and against ever-evolving cyber threats, failure to act could result in significant industrial liabilities and costs.
In this context, the UK’s Chemical and Downstream Oil Industries Forum (CDOIF), a collaborative venture between industry, regulators, trade associations and other professional bodies to share the best information, guidance and practice available, has recently published useful guidance on cyber security for senior managers. The guidance highlights the risks that cyber security poses to the safety of the chemical and downstream oil industry while providing practical advice for senior managers to ensure that risks are being managed and minimized.
The Tank Storage Association (TSA) represents the interests of over 60 member companies engaged in bulk storage, energy infrastructure and the provision of products and services to the wider sector. TSA’s members provide and support an essential interface between sea, road, rail and pipeline logistics for many different substances including transport and heating fuels, chemicals, animal feed and foodstuffs. As a community, TSA members seek to establish connections and facilitate solutions in safety, health, environmental and technical matters by sharing learnings, experience, new products, and innovations to enhance and optimise the delivery of services to the sector.
TSA works closely with regulators on a range of critical issues for the sector and plays a leading role in the Chemical and Downstream Oil Industries Forum (CDOIF) and COMAH Strategic Forum (CSF), a high level joint chemical industry and regulator forum working to improve major accident hazard management and raise standards across industry. While the TSA is a UK based organization, the information exchanged, and guidance produced are relevant to high hazard businesses globally.
For more information visit tankstorage.org.uk