When ICS Cybersecurity Gets Personal: The Risk of the Disgruntled Employee

In recent news, we’ve learned that a former Georgia-Pacific IT specialist is now facing prison time and significant fines following the cyber attack he waged upon his ex-employer – an attack which occurred just days after he was fired by the company. He caused disruption at the Port Hudson paper mill by targeting the distributed control system (DCS) and the quality control system for the machinery used to produce paper. It took Georgia-Pacific personnel significant time to evaluate and understand all the changes made to the plant’s control system programs.

This story really touches a nerve for me as a deliberate attack from a past or present colleague is personal. This wasn’t the first time a disgruntled employee tried to harm his former employer, and it won’t be the last. The stakes are certainly higher now, but this is unfortunately the world in which we live. Challenging economic times, such as the current oil and gas downturn, are causing employees to lose their jobs, which can generate ill will towards former employers.

Our own conversations with Chief Information Security Officers (CISOs) demonstrate that the disgruntled employee is a growing concern and is in fact part of an even greater corporate cybersecurity concern that rises to the Board of Directors level. The U.S. Federal Bureau of Investigation has reported annual losses of more than $800 million in the U.S. due to cyber crime. Beyond the financial impact, companies risk lost production time, regulatory penalties, brand equity impacts, director-level liability, and safety and environmental losses.

Keep in mind that existing employees, even those meaning no harm, also present a risk. I have worked in the industrial control space for the past 20 years. During that time, I have seen numerous unintentional changes to control systems that caused damage similar to the Georgia-Pacific cyber incident. Good configuration management, from field instrumentation through the HMI visualization layer and including execution logic, is critical to safe and secure operations regardless of the intentions of the individual making changes to those systems.

We speak regularly on these topics with customers and at conferences, and it’s important to consider mitigation steps in the face of the ongoing effects that the global oil and gas market downturn and potential future layoffs will continue to have. Based on industry lessons learned, two things must be considered:

  • Detection: Part of a holistic change management process is early identification of these unauthorized changes. If these changes were not part of a managed process, site personnel should be alerted immediately. Early detection would have been key for Georgia-Pacific and many others.
  • Recovery: Beyond detection, monitoring policy violations and automating workflow-driven responses are needed. It took a significant amount of time for Georgia-Pacific resources to identify each aspect of damage sustained from the attack and additional time to correct the problems. Identifying exactly what changed and how it was configured before the attack takes just minutes with change management automation. This is the key to a quick recovery.
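The detection and recovery steps above, as an added illustration that is not code from the original post or from any product it describes: a minimal configuration-drift check that fingerprints control-system artifacts against a known-good baseline, flags any change not covered by an approved change ticket, and produces the line-level diff and baseline content needed to restore. All file paths, contents and the ticket id are constructed sample data.

```python
import difflib
import hashlib

# Constructed sample: artifacts captured after the last approved change (the known-good
# baseline). Real deployments would pull controller logic and HMI tag databases instead.
BASELINE = {
    "dcs/pm1_logic.txt": "PID speed SP=1200 KP=0.8\nINTERLOCK dryer_temp HIGH=180\n",
    "hmi/tags.csv": "tag,alarm_hi\nspeed,1300\ndryer_temp,185\n",
}
# Constructed: the current state, where only hmi/tags.csv was covered by a ticket.
CURRENT = {
    "dcs/pm1_logic.txt": "PID speed SP=1200 KP=0.8\n",            # interlock deleted
    "hmi/tags.csv": "tag,alarm_hi\nspeed,1300\ndryer_temp,190\n",  # approved edit
    "dcs/pm1_override.txt": "FORCE dryer_temp 0\n",                # unapproved addition
}
APPROVED_CHANGES = {"CHG-0042": {"hmi/tags.csv"}}  # constructed ticket id

def fingerprint(config):
    """Hash every artifact so drift is detected by comparing digests, not contents."""
    return {p: hashlib.sha256(c.encode()).hexdigest() for p, c in config.items()}

def detect_drift(baseline, current, approved):
    """Return (path, kind) for artifacts modified, added or removed outside an approved ticket."""
    base, cur = fingerprint(baseline), fingerprint(current)
    allowed = set().union(*approved.values())  # paths an approved ticket permits to change
    findings = []
    for path in sorted(set(base) | set(cur)):
        if path not in cur:
            kind = "removed"
        elif path not in base:
            kind = "added"
        elif base[path] != cur[path]:
            kind = "modified"
        else:
            continue
        if path not in allowed:
            findings.append((path, kind))  # anything here should alert site personnel
    return findings

def recovery_plan(baseline, current, findings):
    """For each finding, give the line-level diff and the exact baseline content to restore,
    so engineers see what changed instead of re-auditing every controller by hand."""
    plan = {}
    for path, kind in findings:
        before = baseline.get(path, "").splitlines()
        after = current.get(path, "").splitlines()
        diff = list(difflib.unified_diff(before, after, "baseline", "current", lineterm=""))
        plan[path] = {"change": kind, "restore_to": baseline.get(path), "diff": diff}
    return plan
```

Running the check on a clean baseline yields no findings; running it on the sample state surfaces the deleted interlock and the added override file while ignoring the ticketed HMI edit.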

It’s much more exciting to talk and write about external threats from rogue states and terrorist organizations that threaten to take control of our critical infrastructure than about some control engineer (with or without malice) making a change that takes down the same critical infrastructure. When all the hype is over, what do you think has the greatest potential risk and probability of happening at your site?
