Cyberattacks are on the rise—and they’re not only IT’s problem anymore.
A recent ThoughtLab study of 1,200 large organizations across 14 sectors and 16 countries found that the number of material breaches respondents suffered increased by 20.5% from 2020 to 2021. And cyberattacks impact more than just computer systems, as the high-profile ransomware attacks on Colonial Pipeline and JBS Foods, which threatened to disrupt the nation’s fuel and food supply chains, made clear.
“The cyber-physical convergence is real. It’s upon us,” said Kelly Murray, the associate director for chemical security with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).
“The physical actors have cyber intentions, and cyberattacks impact physical activities, so we need to be talking the same language … or it’s going to hurt us in the end.”
At the same time, Fortinet’s recent report examining the cybersecurity skills gap found that 80% of organizations suffered one or more breaches they could attribute to a lack of cybersecurity skills or awareness, and 67% agreed a shortage of qualified cybersecurity candidates is creating additional risk for their operations. So, to help members of the petrochemical supply chain better protect themselves, the International Liquid Terminals Association enlisted Murray, and cybersecurity engineers Doug Morill and Anirban “Sunny” Ghosh to present cybersecurity best practices during the 2022 International Operating Conference in Houston.
In the two-part session, “Cybersecurity of Terminals and Other Critical Infrastructure, A National Priority,” the security experts discussed the interconnection of traditional physical security and evolving cybersecurity efforts, CISA programs that help regulated and non-regulated companies fortify their facilities against attacks, cybersecurity strategies based on the Transportation Security Administration’s recently revised pipeline security directive, and the critical role of “meatware” in an effective cybersecurity program.
“We all know about hardware and software vulnerabilities, but most of these vulnerabilities are exploited when a human interacts with the system,” Ghosh explained.
Coming together
Are your physical safety and security folks flabbergasted by cybersecurity terms and tasks? They shouldn’t be, Murray said. “Cyber isn’t that different from physical security,” she argued. “It’s just done in the cyber realm.” And intrusion detection, emergency response, and other critical physical security efforts all have cyber analogs, she continued. “Throw the cyber word in front of any of your physical words and it’s the same thing. So that’s how you can start those conversations.”
Morill said it’s helpful to develop basic cybersecurity fluency, starting with how computers communicate, using switches, routers, and firewalls. Put simply, fiber, copper, and wireless connections transmit “packets” of information, ethernet switches connect multiple devices that create local networks, routers allow for connections between networks, and firewalls, like the windows and doors on a building, protect what’s inside the system. “Firewalls essentially control what ports and services go through it,” Morill explained. And because of their growing importance, Morill suggested using a “next-gen” firewall with integrated intrusion defense, application awareness and control, and threat intelligence collection.
Cyber incident reporting
CISA already requires facilities covered by the Chemical Facility Anti-Terrorism Standards (CFATS) program to establish protocols for identifying and reporting “significant” cyber incidents to appropriate facility personnel, local law enforcement, and the agency. CISA’s Risk-Based Performance Standards 8 and 15 provide “flexible and tailorable” guidance for cyber reporting, Murray said, but it’s critical for facilities to first identify what constitutes a cyber incident, and at what point reporting to CISA is warranted.
In addition, expanded cyber incident reporting is coming for all critical infrastructure owners and operators after President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) into law in March in response to the Colonial Pipeline and other recent ransomware attacks. “It’s not a requirement yet,” Murray said. “We’re getting there. It is a rulemaking process. The legislation gave CISA 24 months to issue a notice of proposed rulemaking, so you’ve got at least two years before you’re going to see much action.” The process began in earnest in September with a series of 10 listening sessions to collect public input on proposed regulations for cyber incident and ransom payment reporting, concluding with a November session in Kansas City, Missouri.
Murray also highlighted CISA’s “Shields Up” program, launched in February in response to Russia’s invasion of Ukraine, which urges companies to adopt a heightened cybersecurity posture and protect their most critical assets. “The intelligence out there is warranting us paying attention to the cyber threat,” Murray said. “It is out there, it is real, and we need to make sure we’re all doing our best to keep our shields up.”
Protecting your systems
To protect your systems from cyber actors, start by identifying the hardware and software, how it’s connected, and the impact a compromised system could have on critical assets, Murray advised. Also inspect physical security systems, including access control, intrusion detection, and cameras; business systems, like inventory management, shipping, and ordering programs; and those “ever-important” process and control systems. “How are those systems connected? Do you have them completely segmented?” she asked. “Can you access them remotely? These are the questions you want to start asking your cyber folks, so they can explain what protections they’ve put in place and other protections you may want to consider.”
CISA resources can help with developing cybersecurity policies and incident response plans, strengthening access control, improving network security, and simplifying configuration management, Murray said. To reward regulated companies that identify their systems in their cyber site security plans, CISA will serve as a “watchdog,” delivering “cyber vulnerability notifications” that identify threat relevance, patches and remediation, and potential impacts to chemical interests, and offer recommendations.
The agency also offers “Cyber Hygiene Services” for regulated and non-regulated companies. The program provides no-cost vulnerability scanning to help monitor and evaluate the external network posture from the perspective of an attacker. The program is fully customizable, allowing users to determine what CISA does and doesn’t look at, and how often, includes a cyber “report card,” and ensures prioritization for additional advanced cyber services offered by CISA, Murray said. “We’ve heard from industry members who have used it that it’s better than most of what folks are selling out there,” she said.
Cyber Hygiene recommendations:
- Defend against ransomware: Practice network segmentation, maintain cyber incident response plans, refrain from paying a ransom
- Update unsupported operating systems: Maintain a complete software asset inventory, reduce the use of unsupported operating systems, implement mitigating controls
- Improve patch management: Prioritize remediation of vulnerabilities using a risk-based approach, and patch vulnerabilities with known exploits first
- Secure potentially risky services: Evaluate the business need for exposing services online, disable unnecessary services, operate with proper configurations and security features enabled, such as multi-factor authentication
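As an added example (not CISA’s Cyber Hygiene tooling or anything shown in the session), the following Python script applies the four recommendations above as a risk-based triage over a constructed asset inventory; the inventory format, the priority levels, and the list of risky services are assumptions of this example.

```python
from dataclasses import dataclass

# Constructed sample inventory for a hypothetical terminal; every value is made up.
INVENTORY = [
    {"host": "hist-01", "zone": "business", "os": "Windows Server 2012", "os_supported": False,
     "exposed": [{"port": 3389, "service": "rdp", "mfa": False}],
     "vulns": [{"id": "VULN-A", "cvss": 7.5, "known_exploited": True}]},
    {"host": "plc-gw-01", "zone": "control", "os": "Linux", "os_supported": True,
     "exposed": [{"port": 502, "service": "modbus", "mfa": False}],
     "vulns": [{"id": "VULN-B", "cvss": 9.8, "known_exploited": False}]},
    {"host": "web-01", "zone": "dmz", "os": "Linux", "os_supported": True,
     "exposed": [{"port": 443, "service": "https", "mfa": True}],
     "vulns": []},
]

# Services that rarely have a business need to face the internet (assumed list).
RISKY_SERVICES = {"rdp", "smb", "telnet", "vnc", "modbus"}

@dataclass
class Finding:
    priority: int   # 0 = act now, 3 = routine maintenance window
    host: str
    action: str

def triage(inventory):
    """Rank per the recommendations: known-exploited vulns first, then risky or no-MFA
    exposed services (control zone ahead of business), then unsupported OSes, then routine patching."""
    findings = []
    for a in inventory:
        for v in a["vulns"]:
            if v["known_exploited"]:
                findings.append(Finding(0, a["host"], f"patch {v['id']} now: known exploited"))
            else:
                findings.append(Finding(3, a["host"], f"schedule patch for {v['id']} (CVSS {v['cvss']})"))
        for s in a["exposed"]:
            if s["service"] in RISKY_SERVICES or not s["mfa"]:
                pri = 1 if a["zone"] == "control" else 2
                findings.append(Finding(pri, a["host"],
                    f"{s['service']}/{s['port']} reachable externally without MFA: "
                    "confirm the business need, then disable it or require MFA"))
        if not a["os_supported"]:
            findings.append(Finding(2, a["host"], f"{a['os']} is unsupported: upgrade or isolate with compensating controls"))
    # Sort by priority, then host, so the output reads as a worklist.
    findings.sort(key=lambda f: (f.priority, f.host))
    return findings

if __name__ == "__main__":
    for f in triage(INVENTORY):
        print(f"P{f.priority} {f.host}: {f.action}")
```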
“We all know the click from an employee is the scariest thing that’s going on,” Murray concluded. “Employees are not necessarily properly trained or they’re not thinking in the moment, and they click on the wrong thing, so how can you protect yourself against those types of things?”
Human vulnerability
Ghosh, who specializes in enhancing security in end-user systems, focuses on the people accessing the computers, and how to mitigate the human element, or “meatware,” in every operating system. Ghosh attributed the threat to insufficient knowledge, and the fact that people generally “want to be helpful,” which can lead to threats being introduced into control or IT systems.
The key is to understand the security issues, examine our own behaviors, identify deficiencies, and “eliminate ignorance,” Ghosh said. “If you know you are lacking in some area, then you can actually do something about it.” He also said people tend to ignore IT problems they know exist if they think someone else will handle it. Then the issue isn’t properly reported and grows worse. “That’s especially true with computer control systems,” he cautioned.
One solution is to hire more cybersecurity professionals. But that’s easier said than done across numerous industries. So companies must correct the “known unknowns” through internal training and personal growth, and the “unknown unknowns” through self-awareness, and being receptive to modifying mindsets, he argued. “Frankly, everybody should have cybersecurity responsibilities in their job descriptions,” Ghosh said. And when it comes to training, general is good, but role-specific training is more effective. “It’s really easy to leverage existing policies, programs, and trainings to include cybersecurity,” he said.
Some employees may need extra convincing to get with the program. Buy-in from every C-suite executive helps, Ghosh advised. So does the involvement of the entire team and third parties like OEMs, contractors, and vendors. And once cyber skeptics are converted, they become the greatest “influencers, advocates, and champions” for more secure practices. “It’s not just an IT problem, it’s a people problem,” Ghosh said.
Techniques to change human behavior include team exercises, incident response and business continuity drills, using incidents as teaching moments, and finding fun ways to develop a cybersecurity culture based on maintaining an “unfrozen” mindset, like offering rewards for the most un-hackable passwords. It’s also important to transfer and reinforce knowledge through mentorships, and to tailor training programs not only for specific roles, but for new hires, experienced employees, and executives.
To establish a cybersecurity program, start with awareness and training, Ghosh said. Educate all employees on the broader risks, roles, and responsibilities; then assess the specific risks to control systems, their vulnerabilities, and the measures needed to mitigate risk and improve security; and update policies and procedures to include cybersecurity controls. Then the different groups can convene to discuss business cases and budget for the appropriate and beneficial controls.
Finally, measure the impact of your training program on human behavior and knowledge through apprentice and mentor feedback and internal and external behavioral change assessments, document the lessons learned, and make sure they are relayed to everyone.
This article originally appeared in its entirety on Bulk Transporter, one of FleetOwner's sister sites within Endeavor's Commercial Vehicle Group.