INSIGHT: Chemical industry faces up to cybercrime spike amid cost-cutting pressures

LONDON (ICIS)–Several chemical firms are contending with cyber attacks on networks or infrastructure amid a gold rush for hackers seeking to capitalise on the dramatic increase in home working and uncertainty brought on by the coronavirus pandemic.

There has been a substantial increase in attacks on chemical industry information technology and production assets amid a wider spike in malicious activity as hackers seek to exploit new vulnerabilities created by shifts in work habits since the onset of the coronavirus pandemic.

SHIFTING HABITS
The move to more widespread home working in a compressed timeline as a result of lockdown and social distancing measures imposed during the coronavirus pandemic has spread company networks wider than they have ever been, which has created a host of vulnerabilities that hackers are looking to exploit.

Pandemic disruptions such as widespread employee furloughs and direct contact between governments and citizens to amplify response measures to the crisis has also led to an increase in malicious actors sending fake messages designed to look like government communiques as a means of persuading people to click on fraudulent links.

A live cyber attack at a press conference in Germany, November 2019 RONALD WITTEK/EPA-EFE/Shutterstock

“I personally know of at least six firms in the energy value chain from the wellhead to an end product, whether it’s petrochemical, polymers and plastics, with ransomware-related incidents that appear to have come in through phasing exercises, and that’s a real problem,” said Jim Guinn, head of cybersecurity at Accenture for the energy, utilities, chemicals and mining industries.

The spread of the virus has led to a cottage industry of web domains established to exploit public concern and confusion about the virus, according to Guinn.

“There are up to 6,000 new servers on the internet that have a domain name related to Covid and we know that well over a third of them are being managed, run or hosted by nefarious actors,” he said.

The bulk of new attacks are based around phishing and ransomware attacks designed to either uncover or extort financial information or pay-outs by businesses and households, according to Guinn.

“There has been a significant verifiable spike in phishing campaigns, malware attacks, and ransomware hitting numerous clients who have vulnerabilities in their cybersecurity infrastructure,” he said.

While the bulk of attacks are from individuals and entities related to organised crime, state actors have also been involved in more sophisticated attacks, with an eye to obtaining intellectual property, whether for production processes or for research on Covid-19 treatments.

“Both state and non-state actors are using Covid-19 as an opportunity to take advantage when peoples’ guard may be down,” said Paul Harnick, global head of chemicals for KPMG.

“There are ransomware attacks, people purporting to have solutions and things that can help with Covid-19, targeting both IT and OT [operational technology] to get access to infrastructure or get access to IP and technology. It really is right across the board”, Harnick said.

DIGITISATION
Chemical firms tend to be more conservative than industries such as financial services to adopt new information technology innovations, but digitlisation measures have been gathering steam in the sector for several years.

The concept for measures such as digital twins of physical production assets and smart supply chains have existed in principle for much longer but the increase in processing power over the past decade has made them far more feasible.

Those steps, along with increases in intellectual property stored in the cloud  and the use of artificial intelligence in developing new materials, have made businesses far more agile, but the flipside of those advances is the increase in accessibility points for malicious actors to steal or tamper with assets or lock them down until a ransom is paid.

Home working and measures to increase customer responsiveness by allowing direct orders from specific plants all add to a situation where investment in cybersecurity needs to run in tandem with the increasing digitalisation of the sector.

“The reality is when you have a central workforce and now it’s distributed across hotspots and home networks, your attack surface increases dramatically, and you have an increase of threat actors taking advantage of a very bad situation, which is a terrible cybersecurity storm,” Guinn said.

“There are various reports of proxies with nefarious nation states that try to raise money via ransomware attack. However the vast majority is organised crime or organised criminals that are trying to exfiltrate money in the midst of a global pandemic,” he added.

BUDGET CUTS
The increase in cyber attacks comes at a point when managers are having to weigh up what qualifies as essential spending amid pressure to cut costs across organisations to shore up reserves in the face of the pandemic and ensuing downturn.

Numerous companies across the sector have announced plans to cut costs by double-digit percentages this year and to accelerate efficiency programmes to increase resilience and drive profitability amid weak margins.

Spending cuts at those levels result in painful judgement calls on where the axe can fall, particularly as the current economic collapse differs from the 2008-9 financial crisis in that companies are facing substantial disruption after what had already been a series of lean years, instead of the goldrush years early in the new millennium.

While petrochemicals demand is expected to be more resilient than for many sectors, aside from firms with significant exposures to the most damaged end markets such as automotive and aerospace, the fact that efficiencies have been used as a driver of profitability in the face of sluggish economic growth means there is much less fat to cut.

The International Energy Agency (IEA) recently made this point about the oil and gas sector, where cuts made during the 2014 oil price crash mean that the latest round of belt-tightening is going to have a substantial impact on operations, to the point where supply could be constrained five years into the future by decisions made today.

Similar effects could be seen in the chemical sector, where projected long periods of oversupply into the future, potentially exacerbated by the pandemic, have led to pauses on greenfield construction work. These projects have a long tail, and such decisions could lead to shortages in future in the event of significant unexpected shifts in supply or demand.

Amid the brutal calculus of these spending cut decisions, it could be tempting to reduce the focus on expensive preventative measures where the benefit is not immediately tangible, but the potential impact of a successful attack means that firms should be wary, according to Harnick.

“One of the things we’re saying to business”, he said, “and particularly to chemicals and oil and gas businesses where production is critical, is: yes, maybe look to reduce spending, but unless you absolutely have to, it would be very risky to reduce your cybersecurity spending.”

“Companies that I do know that have had an incident in the past have not slowed down their cyber activities in their plants because they have experienced the worst part of it,” added Guinn.

While armouring company assets against cyberattacks can be expensive and complex, often the key vulnerability can be as simple as an employee being taken in by a malicious email, and bolstering understanding of the risks and how to avoid them can be as important as a firewall.

“There are two things that companies need to double down on right now. They need to educate and potentially restrict external emails if they are not from a verified source. Educate and restrict,” said Guinn.

INSIGHT by Tom Brown