The White House is adding the chemical sector to a program launched last year to improve cybersecurity capabilities within America’s critical infrastructure industries.
The addition makes chemical facilities and manufacturers the fourth sector under the Biden Administration’s Industrial Control Systems (ICS) Cybersecurity Initiative, which rolled out in July 2021 following the ransomware attack on Colonial Pipeline that disrupted oil distribution primarily in the southeastern United States.
Jen Easterly, director of Homeland Security’s Cybersecurity and Infrastructure Security Agency, suggested at a CISA-hosted Chemical Security Summit in August that the chemical industry was next up for the program.
At the time the ICS cybersecurity program was announced last year, the White House said it wanted to bolster protections in 16 such sectors over time, and has since addressed IT defenses in electric, oil and gas, and water. The program’s creation was a nod to the growing risk from criminal hackers and foreign agents targeting key infrastructure. Weeks after the Colonial Pipeline snafu, global meat supplier JBS Foods said it also was attacked by extortionists, disrupting operations in North America and elsewhere.
JBS later admitted to paying a $11 million ransom.
Operation technology (OT) security vendor Dragos said in a report this week that ransomware continues to be a growing global threat to industrial organizations – including those in the chemical sector – and said it tracks the activities for 48 ransomware gangs that prey on such organizations and infrastructures.
Dragos also noted the rise of a number of new ransomware groups – such as Sparta Blog, Bianlian, Donuts, Onyx, and Yanluowang – that are focusing their efforts on industrial entities. There was a rise in ransomware attempts taking advantage of this year’s geopolitical turmoil, such as Russia’s invasion of Ukraine, political tensions in Iran and Albania, and concerns over energy supplies and prices.
Ragnar Locker, AlphaV, and possibly other ransomware fiends seemed to have lately turned their sights to energy sectors, Abdulrahman H. Alamri, senior threat analyst at Dragos, wrote in the report.
The Biden administration wants to encourage companies in the chemical field to adopt technologies for their ICS installations that can detect and block threats on the network and in equipment, and to work together to thwart attacks. In outlining its plan for shoring up IT protections in the chemical sector, the White House noted that because most chemical companies are privately owned, a government-private sector collaboration is needed.
CISA is taking the lead for the US government while a panel representing 15 chemical industry groups will go through a 100-day sprint to create a plan for the industry that will focus on high-risk chemical facilities and drive information sharing and coordination between the federal government and industry organizations.
In addition, CISA and industry groups will encourage coordination between owners and operators in the chemical industry to deploy the necessary technology to defend critical computer systems, based on the risk assessment and cybersecurity posture in that industry.
If it’s not clear enough yet: this federal program is all about discussion, proposals, and planning with CISA ways in which industrial sectors can improve their internal computer security, and how that will be deployed over a reasonable amount of time, rather than hard and fast rules from day one.
The White House in its announcement stressed the role the chemical sector plays today, saying it “produces and manufactures chemicals that are used directly or as building blocks in the everyday lives of Americans, from fertilizers and disinfectants to personal care products and energy sources.”
About time, too
Taking a look at cybersecurity in the chemical sector is overdue. The US Government Accountability Office (GAO) in a report in May 2020 noted the Chemical Facility Anti-Terrorism Standards (CFATS) program within the Department of Homeland Security includes reviews and inspections of cybersecurity efforts at 3,300 high-risk chemical facilities covered by CFATS.
However, the 58-page report found this guidance hadn’t been updated in more than 10 years. And so, this latest drive by President Biden to better protect the chemical sector’s computer systems may introduce fresh rules and guidelines to defend against intruders’ latest techniques, exploits, and malware.
In its report, Dragos said that in the third quarter of 2022, it observed 128 ransomware incidents in the industrial field, compared with 125 in Q2, and that the LockBit gang accounted for a third of the attacks in each quarter.
Forty-six of the observed infections were in the US, compared with 42 in Europe, and 28 in Asia. Manufacturing was the number-one target of the ransomware operators, accounting for 88 of the attacks. The sector that included the chemicals industry had one ransomware attack during the quarter, according to the report.
The threat against chemical industry companies is a global issue.
In April, Symantec said the notorious North Korean-linked cybercrime group Lazarus in January began focusing on chemical companies, initially in South Korea, stealing as much information as it could.
Flavor and fragrance developer Symrise, drug manufacturer Siegfried, and chemical distributor Brenntag all were targets of ransomware intrusions in late 2020 and early 2021, and in 2019 US-based chemical companies Hexion and Momentive both were victims of cyberattacks.
In 2021, a UK government study said cyberattacks cost companies in the chemical industry £1.3 billion ($1.5 billion) a year. ®