Industrial Refrigeration Faces Significant Cybersecurity Risks
The use of technology in the industrial refrigeration industry continues to increase, and automation and internet control of facilities are becoming commonplace. The benefits of automation and control are massive, but there is also a downside. The systems can be vulnerable to attack, making cybersecurity measures essential to protect against cyber threats.
“Large refrigeration facilities do critical work, but a lot of them are underprepared from a cybersecurity standpoint,” said Josh Symonds, lead information security engineer at CrossnoKaye and author of the technical paper Cybersecurity in Automated Industrial Systems. “The digital automation revolution is coming for us, but unfortunately we’re not ready yet.”
In today’s operating environment, plants and grids that previously required manual oversight and teams of skilled engineers can now be controlled from hundreds of miles away by individuals or even automated systems. The concern is that bad actors will suborn industrial facilities and the processes used to control them, just as they do other Internet-connected applications.
THE TYPES OF THREATS
Cybersecurity threats in the industrial refrigeration industry can take various forms, including hacking, malware attacks, phishing, and ransomware. The consequences of such attacks can be severe, leading to financial loss, damage to reputation, and even safety hazards.
Symonds said classes of attacks that were formerly exclusively the purview of Internet applications, such as Facebook or Twitter, could become commonplace in industrial infrastructure. “A lot of companies have poor cybersecurity. It is low-hanging fruit for attacks,” he said. Mike Lettman, cybersecurity advisor, Region IX, for the Cybersecurity and Infrastructure Security Agency, an agency of the United States Department of Homeland Security, said other countries pay people to launch cyberattacks. “They do it for data, information, trade secrets or they just hate you. The fab four are Russia, China, Iran, and North Korea,” he said. “This is what your IT team is against, which is why it is difficult.”
Multi-billion-dollar companies in the industrial sector have already experienced ransomware attacks on oil processing facilities, spear phishing on operators of electrical grids, and malware on industrial computer systems.
“The most obvious risk is losing money in some form or another. You lose control of your plant or your facility and they prevent refrigeration from happening and all of your food spoils,” Symonds said. “There is personal information that can be leaked—addresses, phone numbers, social security numbers.”
Losses due to cybersecurity breaches can be costly. Compromises of business emails cost about $3.5 billion every year and ransomware costs businesses about $7.5 billion annually. “You get malware on your computer that locks up your files and asks for money but there is no guarantee you’ll get your files back even if you pay the ransom,” Lettman said. There are also overlooked costs due to business interruptions and lost revenue and opportunity costs. Attacks can also damage a company’s brands. “People remember ransomware incidents and the media loves them,” Symonds said. Damages can even be devastating and about 65% of small businesses fail after a breach, Lettman said.
SECURITY MEASURES
Controls in the industrial refrigeration space continue to move into computerization and people want to control all their hardware in one place, but there is no unifying vision for how controls should look. “Usually, the control vendor would sell software to control things in the facility. That was good enough for a long time because the computers weren’t connected to the internet,” Symonds said.
That method—called air gap—is being circumvented more and more and it wasn’t that secure in the first place, Symonds explained.
Several privacy, control, and cybersecurity frameworks exist that are applicable to industrial refrigeration. Symonds recommends companies review the National Institute of Standards and Technology Cybersecurity Framework. “It is long, but it covers all the bases,” he said.
Other frameworks include NIST 800-53, IEC 62443, ISO 27001, SOC 2, and the Purdue Enterprise Reference Architecture.
While there are no regulatory bodies specifically focused on compliance in industrial refrigeration systems, ever-evolving threats and a changing legal landscape mean following published cybersecurity, privacy, and control frameworks is the safest path forward, Symonds said.
It is also important to ensure that all devices connected to the networks are properly secured. These include not only computers and servers but also sensors, controllers, and monitoring systems. One concern is that attacks will become more prevalent and system and software updates will have to happen sooner. “You’ll want to make sure your facilities are using the most current versions,” Symonds said. “Make sure you have a security team responsible for these types of things.”
To be incident-ready, companies should also develop a response plan and create scenarios for common problems. “The pandemic was a great outage scenario. What happens if you can’t get into the office? There should be plans in place. Have these things as policy,” Symonds said.
While cybersecurity may seem daunting, there are steps companies can take to mitigate risk. “There are positive things we can do,” Lettman said, adding that CISA has free resources available on CISA.gov. “Secure your internet connections. Use multi-factor authentication. If you have multifactor in place, the odds of them getting around it are harder.”
Companies should also create backups of data that hackers can’t alter or change. “Store them offsite at a cloud provider or a geographically different location,” Symonds said. “If something gets ransomed, you’ll lose all the data between the last backup and now, but you won’t lose everything.”
Symonds also suggests not reusing passwords, getting a password manager, and coming up with strong unique passwords. “People are really, really bad at coming up with good passwords,” he said, adding that the word ‘password’ is one of the most common passwords used in 2022.
Lettman said educating employees on how to identify and report suspicious emails and teaching them to avoid clicking on unknown links is critical. CISA offers a free tool for companies that want to run a phishing campaign that will get employees to try to click on links.
As an added safety step, Symonds suggests not loading email programs onto computers that don’t need them. Other essential best practices include implementing regular security audits and vulnerability assessments to identify potential weaknesses in the system.
CISA also offers Cyber Resilience Review (CRR), an interview-based assessment to evaluate an organization’s operational resilience and cybersecurity practices. “It looks at where you are running cyber risks,” Lettman said.
CREATE AWARENESS
Everyone in the company, including technicians, should be aware of cybersecurity risks, even in their personal lives, Symonds said. “Doing just the basics will get you far and you can keep doing more and more,” Symonds explained. “Most of the people who are likely to target you are doing it because it is easy and not because you were their particular target. Luckily for you, attackers are lazy. Don’t be the low-hanging fruit.”