Over the past two years, incidents of ransomware have increased by over 500%. In fact, within ABB, we predict that a substantial number of our customers globally will face an attack in one form or another. Of those that have already been attacked, a high percentage could have prevented the incursion with foundational cyber control. Indeed, a few years back the question asked was, “if you will be attacked” whereas now it is more a case of asking, “when will you be attacked?”.
You don’t have to go back too far to see a high-profile example of this type of attack. The May 2021 Colonial Pipeline incident saw the company’s IT system frozen out, completely crippling fuel deliveries up and down the east coast of the USA. Although the company acted quickly to try and segregate the malicious code, the damage had already been done and, once publicized, hoarding and panic buying started.
Colonial took the decision to pay the ransom – some $5 million (some of which has been recovered) – almost immediately, with CEO Joseph Blount Jr. explaining to a senate committee that he wanted “to have every tool available to swiftly get the pipeline back up and running,” before adding that “it was one of the toughest decisions of my life.” Conversely, in 2019 Norsk Hydro suffered a similar ransomware attack, but bravely chose not to pay in an attempt to set an example. It took at least three weeks, with the support of cyber security experts, to repair to a functional level and an even longer time to recover to an ‘as was before’ state.
Even more recently was the highly sophisticated attack on Kaseya, one of the biggest attacks to date. Hackers supposedly gained access to a desktop management tool and then pushed an update that infected thousands of businesses, including Sweden’s Coop grocery chain, which had to close all 800 stores as it could not use its checkout terminals. Such was the impact of this attack and the issue of such a wide customer base that U.S. President Joe Biden got involved and directed U.S. intelligence agencies to find out who was behind the attack.
So, how does this affect the pulp and paper industry? If you are a commercial company with a profit flow, you can guarantee that you are interesting enough. It really is as simple as that. The chances are you might not even be singled out nor individually targeted.
One just needs to think back to the recent ransomware attack at the second-largest U.S. packaging company. Quick to admit that it was a victim, the company swiftly put systems in place to ensure business continuity and minimize customer impact. However, following a shutdown of certain critical systems in what it described as “an abundance of caution”, the company subsequently announced a drop in mill production that was 85,000 tons lower than plan.
The entire mill IT/automation infrastructure is only as strong as the weakest link. It could be through a USB key, an email link, or an unsecured hotspot, but once compromised only one mission system needs to be taken out to impact the entire enterprise. The Colonial Pipeline incursion was believed to be via a legacy VPN profile, which was not protected by two-factor authentication.
To put this issue in perspective, one must only look at the recent lumber supply issue in the US, which was driven by a perfect storm of Canadian tariffs, a sudden upsurge in demand for remodeling during the pandemic and issues with the supply chain. Although the market is recovering, it shows how susceptible it is to external stimuli and all it would need is for one or two major mills to be taken out of action due to malware and it starts all over again.
The pulp and paper sector traditionally holds a very low inventory, given there is no value in keeping a year’s worth of tissue/boxes. With paper being a critical infrastructure to the US economy, hacking just one tissue supplier could take out 22 percent of the capacity. Small failures could see huge effects on everything from facemasks, through to pizza and Amazon boxes, and onto building supplies.
Security over and above standards
The pulp and paper industry has by no means escaped it so far. We know of other companies in the wider industry that have been victims of an attack but have managed to keep it under the radar and, one presumes, are either weathering the effects or simply paid the ransom to maintain operations.
National and international cyber security legislation and standards are in place, such as the ISA/IEC 62443 series of standards, developed by the ISA99 committee and adopted by the International Electrotechnical Commission (IEC), provides a flexible framework to address and mitigate current and future security vulnerabilities in industrial automation and control systems. But these standards should only be considered as the foundation of any security system. A more holistic approach is required, coupled with a real understanding of what is behind this legislation, especially how systems should be configured, deployed, and maintained.
There is a big difference between best practice and what you actually need to do; a single standard cannot prescribe solutions for such a diverse range of target industries. Process industries customers, and not just those in pulp and paper, are always asking us how they can comply, recognizing that the legislation is not prescriptive enough. Cyber resilience is the ability to plan, respond and recover from cyber-attacks and data breaches, while continuing to work effectively.