Firewall against cyber attacks
Key success factors for the setup of an information security management system in chemical companies
For years now, cybercrime, with its many forms of digital sabotage and espionage, has been one of the greatest risks to German industrial companies. Sectors such as the chemical industry in particular are targeted by hackers with highly sophisticated attacks. Hence, it is all the more important to establish and expand an active information security management system to protect IT infrastructures.
The hacker collective "Wicked Panda", presumed to be based in China, is an example that shows how treacherous and devastating a successful cyber-attack can be. Its malware toolkit "Winnti" is based on freely available tools, with which the hackers managed to infect the networks of numerous companies by first attacking their weak points and then moving towards the actual target undetected. A Winnti attack has been uncovered in at least six companies listed on the German stock exchange to date, which shows that the attackers are clearly targeting the chemical and pharmaceutical industries.
30% of chemical companies have already been victims of a cyberattack. (2)
In fact, Winnti is just the tip of the iceberg. Already five years ago, 68% of chemical and pharmaceutical companies reported being hit by cybercrime (1). According to a survey by GDV (the German Insurance Association), almost one in three small or medium-sized chemical companies also suffered losses due to cyberattacks in recent years (2).
Almost 70% of chemical companies do not comply with IT standards. (2)
Three fields of action for IT security
Market studies on attacks and the amount of damage ensure that the topic remains present in public discussion and that companies are well aware of the pressure to act. However, strong and effective IT security cannot usually be achieved quickly or with individual tools. What is needed is a suitable strategic framework which, for example, specifies measures and technologies for operational implementation in a roadmap. This takes time and pursues different objectives depending on the company's needs.
Experiences from our projects show there are certain actions that are generally important for effective short- and long-term protection of IT and OT (operational technology) infrastructures.
The following three actions are particularly valuable as initial guidance:
- Increasing the maturity level of IT security technologies. Advances in digitization and automation continue to create new points of attack through which company networks can be infected with malware; examples include remote-access machine maintenance and production lines connected to IoT platforms. Investments in IT security technologies should be based strictly on the maturity level of the existing IT systems. This starts with basic protection and a fundamental revision of IT standards, but does not end with the selection and use of new, future-oriented tools such as AI-supported anomaly detection.
- Sharpening employees' risk perception. As a rule, hackers cannot directly access business-critical information, any more than they can directly take control of systems or machines in the production process. Even where systems have only basic protection, hackers usually have to overcome further security zones within the networks after the initial break-in, and these networks are ideally segmented. This makes it all the more important to have a comprehensive "first line of defense" against the introduction of malware. Those responsible for risk management, IT security and data protection should align on what this mandatory line of defense should be and where the weak points are. A valuable outcome is, for example, a "map" of risk zones showing the physical weak points (access to rooms and machines) along with the digital ones (phishing e-mails, VPN services, conference software, etc.). To this end, a process must be established for constantly sharpening employees' risk perception at these points of entry.
- Ensuring compliance. The more sites and players are involved in the network, the more complex and comprehensive the implementation of compliance requirements such as PCI DSS, PSD2 and other guidelines for network security and data protection becomes. The Coronavirus pandemic has made this even more challenging, as home-office workstations had to be set up under great time pressure. In order to create transparency and identify risks, IT managers, for example, should be familiar with all applications that manage customer data. Automation tools can provide support here by locating this data and showing the respective interactions. In this way, applications can also be classified according to the regulations that apply to them. In addition, awareness training should sensitize the relevant employees who have customer contact so that they can meet the requirements of the GDPR.
Protection of systems and components
There are plenty of "sweet spots", i.e. attractive points of attack for cyber criminals, in the value chains of the chemical industry. Two examples whose protection should be given the highest priority are described below.
1. IT security sweet spot: production
Quality control systems in IT & OT networks
- Create a map of weak points and risks. Common weak points occur at the interfaces between Manufacturing Execution Systems (MES) and other systems; risks arise, for example, from remote maintenance and remote access.
- Use industry standards such as CVSSv3 scores (Common Vulnerability Scoring System) in the assessment. This allows you to derive a criticality measure from the key characteristics of a security gap.
2. IT security sweet spot: storage and distribution
Systems for securing the cold chain
- In an attack vector analysis, map the attacks that could be carried out against the infrastructure and devices, for example via the architecture, design and configuration of the networks and the firewalls.
- Use the cyber-security standard IEC 62443 as a point of reference, for example to identify possible points of attack in VPN connections from systems, remote stations, and transport vehicles.
Active management of critical points
A professional information security management system should be used to uncover weak points in the areas mentioned above as well as in others, and thus protect the company against cyber-attacks. In our experience, it can be set up in six to eight months, although the timeframe varies with the level of maturity and the IT security objectives. The key steps along the way are:
- Scoping: The main focus at this point is on engaging the stakeholders (e.g., C-level management, IT management, digitalization management), as well as identifying the systems and components that require special protection. In addition to defining the scope, the usability of specific industry standards, ranging from IT basic protection to ISO 27001 and sector-specific standards such as IEC 62443, should be reviewed.
- Analysis: At this stage, standards need to be aligned with the scoping. Looking inside also helps to assess the risk potential: How do the internal processes run? Where is there open access from or to the outside? Which employee areas and systems are already protected today, and how? In addition, a gap analysis with action planning, project planning and resource estimation are key elements of this step.
- Implementation: To ensure that the results of the first two phases take effect in everyday work, employees' sensitivity to IT security topics and clearly defined processes (e.g., in risk management) must be treated as success factors.
Using these points of reference, it is easier to set up an information security management system. Once established, chemical companies benefit in multiple ways. Secure and robust protective measures ensure strong business processes – and keep attackers like "Wicked Panda" away from intellectual property.
Sources
(1) Bitkom (Wirtschaftsschutz 2015) in CHEMIE TECHNIK, March 2017
(2) Forsa and GDV, the German Insurance Association (Cyber Safe), February 2020