Cyberterrorism, Cyberespionage, Cyber attack. No matter how you describe the recent attacks against Sony Pictures, management was not ready. No target is every ready, cybersecurity but industry is defensible with aggressive, proactive, close cooperation with the U.S. Government.
No doubt cyber attacks against the United States will become more prevalent. Individuals, groups or countries that do not have the means to attack us physically will turn to the Internet as an alternative. Attacks are easy to deny and pinpointing responsible parties is extremely difficult. Was North Korea retaliating for Sony’s scheduled release of a political satire film or was it an internal job? Sony is a recent best-known target, cronicadearagon but over the last several years there have been others.
In 2012, more than 30,000 Saudi Aramco computers were destroyed by a wiper virus. Other recent victims have included chemical firms, Anthem, eBay, Criminal Affair the Montana Health Department and even Domino’s Pizza:
Anthem: Hackers gained access to the private data of 80 million former and current members of the nation’s second-largest health insurer. The breach exposed Social Security numbers, income data, birthdays, and street and e-mail addresses. Investigators suspect Chinese hackers (2015).
Domino’s Pizza: Hacking group Rex Mundi held the pizza chain to ransom over 600,000 Belgian and French custom records. Mundi demanded $40,000 from the chain (2014).
P.F. Chang’s: Thousands of stolen credit and debit cards used at the restaurant chain went up for sale on-line (2014).
Montana Health Department: Data breach compromised up to 1.3 million insured with sensitive information sold on the black market (2014).
eBay: Hackers stole personal records of 233 million users.
Saudi Aramco: Computer virus erased data on three-quarters of Aramco’s corporate PC’s – documents, e-mails, spreadsheets – replacing all of it with an image of a burning American flag (2012).
Chemical firms in the USA, UK and Bangladesh: Nitro virus targeted primarily private companies involved in research, development, and manufacturing of chemicals and advanced materials. The goal of the attacks appeared to be to collect intellectual property, design and manufacturing processes (2012).
Our current approach to cyber defense is obsolete against sophisticated, tenacious intrusions. Fortunately, no cyber attack on chemical facilities so far has resulted in releases of toxic chemicals. With recent intrusions in mind and considering the types of chemicals manufactured and stored at chemical plants, Medical clinic like chlorine, it is critical that the Government and industry work closely together and invest in infrastructure with cybersecurity in mind.
The American Chemistry Council (ACC), our nation’s oldest trade association, represents companies engaged in the business of chemistry. It recognizes the call to arms! For example, all ACC member companies, as part of their commitment under the Responsible Care® Security Code, assess cybersecurity vulnerabilities, implement security details, and train employees. Responsible Care companies are leaders in chemical security and work closely with federal, state and local intelligence agencies to keep communities safe. Best practices to prepare and respond to intrusions, and drive information sharing between members, are also tested through member-company participation in the Department of Homeland Security’s Cyber Storm exercise series. Each Cyber Storm effort, conducted biennially, builds on lessons learned from prior real world intrusions, making sure that participants recognize, and take corrective action, to latest threats.
Unlike many other critical infrastructure sectors, the federal government regulates cybersecurity for chemicals. Under the CFATS (Chemical Facility Anti-Terrorism Standards) program, the government identifies and regulates high-risk chemical facilities to ensure that they have security in place to reduce risks associated with these chemicals. In 2014, the President signed legislation that provided a basis for the continuation and refinement of the program to address the protection of business networks and process control systems.
Aggressive steps must continue so that we can defend ourselves from cyber attack. Corporations must understand the vulnerability of their networks. Chemical industry participants and governments must work closely together, mindful of necessary intellectual protection requirements. Cybersecurity, or lack of it, impacts us all. A hacking intrusion knows no borders. International cooperation should be strengthened to give the public assurance that everything that can be done, is being done.