CYBERSECURITY IN PETROCHEMICAL IN COMPLIANCE TO IEC62443

Cyber security + Whitepapers admin todayAugust 6, 2024

Background
share close
Protecting Critical Infrastructure

CYBERSECURITY IN PETROCHEMICAL IN COMPLIANCE TO IEC62443

Using Comprehensive Approach of Multiple Standards

Download PDF

The petrochemical industry is a segment of the chemical industry that produces chemicals using petroleum and natural gas as raw materials. These chemicals, known as petrochemicals, are essential for manufacturing a wide range of products that are used in everyday life and various industrial applications. The industry encompasses a variety of processes, from the extraction of raw materials to the production and distribution of finished products.

Key Aspects of the Petrochemical Industry

1. Raw Materials

  • Crude Oil: A primary raw material, refined to produce various products including gasoline, diesel, and other fuels.
  • Natural Gas: Another essential raw material used to produce a range of chemicals.
2. Primary Petrochemicals

These are the basic building blocks produced from petroleum and natural gas. The three primary categories are:

  • Olefins: Includes ethylene, propylene, and butadiene. These are used in the production of plastics, synthetic rubber, and other chemicals.
  • Aromatics: Includes benzene, toluene, and xylene isomers. These are used in the production of dyes, synthetic detergents, and synthetic fibers.
  • Synthesis Gas (Syngas): A mixture of hydrogen and carbon monoxide used to produce ammonia, methanol, and other chemicals.

 

3. Production Processes

  • Cracking: The process of breaking down large hydrocarbon molecules into smaller ones, typically using heat (thermal cracking) or catalysts (catalytic cracking).
  • Reforming: A process that converts alkanes to aromatics.
  • Polymerization: A process where small molecules called monomers combine to form large chain-like molecules called polymers, used in making plastics and synthetic fibers.
4. End Products

Petrochemicals are used to manufacture a wide range of products, including:

  • Plastics: Used in packaging, containers, household goods, automotive parts, etc.
  • Synthetic Rubber: Used in tires, footwear, and industrial applications.
  • Fibers: Includes nylon, polyester, and acrylic, used in textiles and apparel.
  • Solvents, Fertilizers & Detergents etc.

 



Image Source:https://www.researchgate.net/figure/Diagram-of-the-full-integrated-refining-petrochemical-complex-IRPC_fig2_341647941

 

Importance of the Petrochemical Industry

  • Economic Contribution: The petrochemical industry is a significant contributor to the global economy, providing raw materials for countless products and industries.
  • Innovation and Development: Advances in petrochemical processes and products drive innovation in various sectors, from healthcare to construction.
  • Energy Efficiency: The industry plays a crucial role in developing energy-efficient materials and solutions, such as lightweight automotive components that reduce fuel consumption.

 

Challenges Facing the Petrochemical Industry

  • Environmental Impact: The industry faces scrutiny over its environmental footprint, including greenhouse gas emissions, plastic waste, and pollution.
  • Cybersecurity: As highlighted in previous discussions, the industry’s reliance on complex, interconnected systems makes it vulnerable to cyber-attacks.
  • Market Volatility: Fluctuations in crude oil and natural gas prices can significantly impact production costs and profitability.

 


Cyber Attack Targeting Railway Critical Infrastructure Timeline

check 2012: SAUDI ARAMCO: The Shamoon malware, also known as Disttrack, targeted Saudi Aramco, the world's largest oil company. The attack erased data on approximately 35,000 computers, replacing it with an image of a burning American flag.

check 2012: RasGas, a major natural gas company in Qatar, experienced a cyber-attack around the same time as the Saudi Aramco Shamoon attack. The attack also used the Shamoon malware.

check 2018: Petro Rabigh: The Triton malware, also known as Trisis, targeted the safety instrumented systems (SIS) of Petro Rabigh, a petrochemical plant in Saudi Arabia. This sophisticated attack aimed to disable safety systems, potentially causing physical damage or safety incidents.

check 2019: Marathon Petroleum, a major U.S. oil refining company, suffered a cyber-attack that disrupted operations. The specifics of the attack were not widely disclosed, but it underscored the industry's vulnerability.

check 2019: Petróleos Mexicanos (Pemex), the Mexican state-owned petroleum company, was hit by a ransomware attack that disrupted administrative operations. The DoppelPaymer ransomware was used in the attack.

check 2021: Colonial Pipeline: While primarily affecting the pipeline operations, the Colonial Pipeline ransomware attack also impacted the petrochemical supply chain. The DarkSide ransomware group attacked the pipeline, leading to a shutdown of the pipeline supplying gasoline and other fuels to the U.S. East Coast.

check 2023: Norsk Hydro, an industrial company with significant operations in the petrochemical sector, faced a ransomware attack in 2023. The attack affected their global operations, leading to widespread disruptions.


Applicable Standards


The petrochemical industry must adhere to a variety of cybersecurity standards to protect its critical infrastructure from cyber threats. Here are some of the key cybersecurity standards and frameworks applicable to the petrochemical sector:

  1. AMERCIAN PETROLEUM INSTITUTE (API) Standard 1164

Developed by the American Petroleum Institute (API), Standard 1164 provides cybersecurity guidance for pipeline SCADA (Supervisory Control and Data Acquisition) systems.

Key Features:

  • Focuses on protecting pipeline control systems from cyber threats.
  • Includes recommendations for securing communication networks and control systems.
  • Provides guidance on incident response and recovery.
Risk Management Framework API 1164 emphasizes a risk management approach, which includes:

  • Risk Assessment: Identifying and evaluating potential cybersecurity risks to SCADA systems.
  • Risk Mitigation: Implementing appropriate security controls and measures to mitigate identified risks.
  • Continuous Monitoring: Regularly monitoring and reassessing risks to adapt to evolving threats.
Security Controls and Measures
  • Access Control:
    • Implement access control measures to ensure that only authorized individuals can access IACS components and data.
    • Use role-based access control (RBAC) to assign access based on job functions.
  • User Authentication and Authorization:
    • Require strong authentication mechanisms for users and devices.
    • Use multi-factor authentication (MFA) where appropriate.
  • System Integrity:
    • Ensure the integrity of systems and data through measures like cryptographic checksums and digital signatures.
  • Data Confidentiality:
    • Protect sensitive data at rest and in transit using encryption and other confidentiality measures.
  • Restricted Data Flow:
    • Limit and control the flow of data between different segments of the IACS network.
  • Timely Response to Events:
    • Implement monitoring and logging mechanisms to detect and respond to security incidents promptly.
  • Patch Management:
    • Establish a patch management process to ensure that security updates are applied promptly.
  • Vulnerability Management:
    • Regularly identify, assess, and mitigate vulnerabilities in IACS components and systems.

 

[REPLIL INDUSTRIAL PATCH MANAGER] provides centralized visibility of OEM patches and tools to manage, deploy and report the missing, installed and vulnerable systems.

Physical Security ·       Ensuring that physical access to SCADA system components is restricted to authorized personnel only.

·       Implementing measures such as surveillance, access controls, and physical barriers to protect critical infrastructure.

Employee Training and Awareness ·       Conducting regular cybersecurity training and awareness programs for employees.

·       Ensuring that personnel are aware of their roles and responsibilities in maintaining SCADA system security.

·       Promoting a culture of cybersecurity awareness throughout the organization.

Vendor & Third-Party Management ·       Assessing the cybersecurity posture of vendors and third-party service providers.

·       Ensuring that third-party systems and services comply with the organization’s cybersecurity requirements.

·       Establishing contractual obligations for cybersecurity standards and practices with vendors.

Compliance and Auditing ·       Regularly auditing SCADA systems to ensure compliance with API 1164 and other relevant cybersecurity standards.

·       Conducting periodic reviews and assessments to identify and address gaps in security controls.

·       Documenting and reporting compliance status to relevant stakeholders.

  1. IEC 62443

ISA/IEC 62443 is a series of standards developed by the International Society of Automation (ISA) and the International Electrotechnical Commission (IEC) specifically for industrial automation and control systems (IACS).

Key Features:

  • Provides a comprehensive framework for securing IACS.
  • Addresses security vulnerabilities throughout the lifecycle of IACS.
  • Includes requirements for both technical and management processes.
General Security Program
  • Security Policy and Procedures:
    • Establish and maintain security policies, procedures, and practices.
  • Risk Assessment and Management:
    • Conduct regular risk assessments to identify and mitigate risks to IACS.
  • Personnel Security:
    • Ensure that personnel are screened, trained, and aware of cybersecurity policies and procedures.
Technical Security Controls
  • Access Control:
    • Implement access control measures to ensure that only authorized individuals can access IACS components and data.
    • Use role-based access control (RBAC) to assign access based on job functions.
  • User Authentication and Authorization:
    • Require strong authentication mechanisms for users and devices.
    • Use multi-factor authentication (MFA) where appropriate.
  • System Integrity:
    • Ensure the integrity of systems and data through measures like cryptographic checksums and digital signatures.
  • Data Confidentiality:
    • Protect sensitive data at rest and in transit using encryption and other confidentiality measures.
  • Restricted Data Flow:
    • Limit and control the flow of data between different segments of the IACS network.
  • Timely Response to Events:
    • Implement monitoring and logging mechanisms to detect and respond to security incidents promptly.
Network Security Controls
  • Network Segmentation:
    • Use network segmentation to isolate critical systems and limit the impact of potential security breaches.
  • Firewalls and Intrusion Detection/Prevention Systems:
    • Deploy firewalls and intrusion detection/prevention systems to protect IACS networks.
  • Secure Remote Access:
    • Ensure that remote access to IACS networks is secure and monitored.
System Development and Maintenance
  • Security by Design:
    • Incorporate security considerations into the design and development of IACS components and systems.
  • Patch Management:
    • Establish a patch management process to ensure that security updates are applied promptly.
  • Vulnerability Management:
    • Regularly identify, assess, and mitigate vulnerabilities in IACS components and systems.

 

[REPLIL INDUSTRIAL PATCH MANAGER] provides centralized visibility of OEM patches and tools to manage, deploy and report the missing, installed and vulnerable systems.

Physical Security Controls
  • Physical Access Control:
    • Implement measures to control physical access to IACS components and facilities.
  • Environmental Controls:
    • Ensure that environmental controls (e.g., temperature, humidity) are in place to protect IACS components.
Security Management and Governance
  • Security Leadership and Governance:
    • Establish leadership and governance structures to oversee the cybersecurity program.
  • Security Metrics and Reporting:
    • Develop metrics and reporting mechanisms to measure and communicate the effectiveness of the cybersecurity program.
  • Continuous Improvement:
    • Implement a continuous improvement process to enhance the cybersecurity posture of the IACS over time.
  1. NIST Cybersecurity Framework (NIST CSF)

Developed by the National Institute of Standards and Technology (NIST), the Cybersecurity Framework provides guidelines for managing and reducing cybersecurity risk.

Key Features:

  • Provides a common language for understanding, managing, and expressing cybersecurity risks.
  • Based on existing standards, guidelines, and practices.
  • Consists of five core functions: Identify, Protect, Detect, Respond, and Recover.
  1. CIS Critical Security Controls

The Center for Internet Security (CIS) Critical Security Controls are a set of best practices for cybersecurity.

Key Features:

  • Provides a prioritized set of actions to protect against the most pervasive cyber threats.
  • Includes controls specifically relevant to industrial environments, such as secure configurations for hardware and software.
  • Emphasizes practical and effective security measures.
  1. OG86 – Operational Technology (OT) Cybersecurity for the Oil & Gas Industry

OG86, developed by the Oil & Gas Cybersecurity Network (OGCN), is a framework specifically for the oil and gas sector, which includes the petrochemical industry.

Key Features:

  • Provides sector-specific guidance on securing OT environments.
  • Covers risk assessment, security controls, and incident response.
  • Aligns with broader industry standards and frameworks.

 

 

 

 

  1. IEC 61511

IEC 61511 is an international standard for the functional safety of safety instrumented systems (SIS) for the process industry sector.

Key Features:

  • Addresses the safety lifecycle and risk assessment for SIS.
  • Includes requirements for the security of SIS to protect against cyber threats.
  • Complements IEC 62443 for a holistic approach to industrial cybersecurity.
  1. EU Directive on Security of Network and Information Systems (NIS Directive)

The NIS Directive is a European Union directive focused on improving the cybersecurity of critical infrastructure, including the petrochemical sector.

Key Features:

  • Requires member states to develop national cybersecurity strategies.
  • Establishes requirements for the security of network and information systems.
  • Mandates incident reporting and cooperation among EU member states.

COMPREHENSIVE APPROCH INLINE TO MAJOR CYBERSECURITY STANDARDS

Risk Assessment and Management

Conducting thorough risk assessments to identify vulnerabilities and potential threats is the first step in enhancing OT cybersecurity. This involves:

  • Asset Inventory: Maintaining an up-to-date inventory of all OT assets, including hardware, software, and network components.
  • Threat Modeling: Understanding potential threat vectors and their implications.
  • Vulnerability Management: Regularly scanning for and addressing vulnerabilities in OT systems.

 

Segmentation and Network Security

Implementing robust network segmentation can limit the impact of a cyber-attack by containing it within a specific segment. Key practices include:

•                     Demilitarized Zones (DMZs): Creating DMZs between IT and OT networks to control data flow.

•                     Firewalls and Intrusion Detection Systems (IDS): Deploying firewalls and IDS to monitor and protect network traffic.

•                     Internal Logical / Physical Segmentation: Implement VLANs to limit the exposure of various zones and limit communication. VLANs alone is not enough and must supplement with IDS and Router on a Stick Concept.

Identity & Access Control:

Implementing robust identity and authentication mechanisms is crucial to ensure the security of the industrial control systems and the safety of critical infrastructure.

·       Centralized Authentication

·       Active Directory (AD): Active Directory (AD) is a widely used centralized authentication service developed by Microsoft. It enables administrators to manage permissions and access network resources efficiently. AD integrates well with Windows environments and can be extended to support various other applications and services.

·       AAA (Authentication, Authorization, Accounting) Servers

o   AAA servers are critical in managing access control within OT environments. They provide a framework for ensuring that only authorized users can access specific resources, monitor their activities, and ensure compliance with security policies. Examples include RADIUS (Remote Authentication Dial-In User Service) and TACACS+ (Terminal Access Controller Access-Control System Plus).

·       Multi-Factor Authentication (MFA)

o   MFA enhances security by requiring users to provide two or more verification factors to gain access to a resource. This can include something they know (password), something they have (security token), and something they are (biometric verification).

·       Role-Based Access Control (RBAC)

o   RBAC restricts system access to authorized users based on their role within an organization. Roles are defined according to job responsibilities, and permissions are assigned to these roles rather than individual users.

 

·       Public Key Infrastructure (PKI)

o   PKI uses pairs of cryptographic keys to verify user identities and secure communications. Digital certificates issued by a trusted Certificate Authority (CA) are used to authenticate users and devices within the network.

Malware Protection

Implementing robust endpoint protection can limit the impact of potential exploits and unauthorized applications. Endpoint protection must provide a methodology (Lock Down) to cover the legacy assets.

·       Data Leakage Protection

·       Device Hardening

·       Application Whitelisting

·       Host Based IPS

Secure Remote Access

Remote access to OT systems should be tightly controlled and secured to prevent unauthorized access. Measures include:

  • Multi-Factor Authentication (MFA): Implementing MFA for all remote access.
  • VPNs and Encryption: Using Virtual Private Networks (VPNs) and encryption to secure remote connections.
Regular Patching and Updates

Keeping OT systems up to date with the latest patches and updates is crucial to mitigating vulnerabilities. This requires:

•                     Patch Management Policies: Establishing policies for timely application of patches and updates.

•                     Testing and Validation: Testing patches in a controlled environment before deployment to ensure compatibility and stability.

 

Learn How REPLIL can support your patch Management Journey

Incident Response and Recovery

Developing and maintaining a robust incident response plan is essential for minimizing the impact of cyber-attacks. This includes:

  • Incident Response Teams: Forming dedicated teams trained to respond to OT cybersecurity incidents.
  • Regular Drills and Simulations: Conducting regular drills and simulations to ensure preparedness.
  • Backup and Recovery Plans: Implementing comprehensive backup and recovery plans to restore normal operations quickly after an incident.
Training and Awareness

Enhancing cybersecurity awareness and training among employees is critical. Key initiatives include:

•                     Regular Training Programs: Providing ongoing cybersecurity training tailored to OT environments.

•                     Awareness Campaigns: Running campaigns to raise awareness about the importance of OT cybersecurity and safe practices.


REPLIL STRATEGY TO SECURE CRITICAL INFRASTRUCTURE USING IEC62443 “SL3” PRODUCTS


REPLIL INDUSTRIAL PATCH MANAGER (IPM) REPLIL OT PATCH SANDBOX (OPS)
Risk-Based Patch Prioritization

  • Criticality Assessment: Categorize patches based on the criticality and risk associated with each asset. Patches that address vulnerabilities in high-risk or high-value assets should be prioritized.
  • Impact Analysis: Evaluate the potential impact of deploying patches on operational continuity. Prioritize patches that fix critical vulnerabilities without significantly disrupting operations​​.

Scheduled Patch Deployment

  • Patch Scheduling: Develop a patching schedule that aligns with operational downtimes to minimize disruptions. Utilize maintenance windows or planned downtimes for deploying critical patches​.
  • Phased Rollouts: Implement patches in a phased manner, starting with less critical systems to observe any unforeseen impacts before deploying to critical systems.

Automated Patch Management

Continuous Monitoring:

·       Implement continuous monitoring to detect new vulnerabilities and assess the need for patches in real-time. Automated alerts can help promptly address critical vulnerabilities.

Testing and Validation

  • Pre-Deployment Testing: Test patches in a controlled environment that replicates the production setting to ensure compatibility and effectiveness. This step helps identify potential issues before full deployment​.
  • Post-Deployment Validation: Conduct thorough post-deployment checks to verify that patches have been successfully applied and that they do not negatively impact system functionality​.
  • Advance Test Cases: Automatically execute, test & validate (desktop / web) based critical applications expected state before & after the installation of a patch.

 

Written by: admin

Tagged as: , , .

Rate it
Previous post