“Cyber security awareness is increasing, but many basic steps are still needed in the sector”

Good cyber hygiene is essential to maintain the security of vital digital systems. Fortunately, attention to cyber security is also increasing in the chemical sector. Marieke Klaver, program manager at TNO, told more about this during the LabSafety event on May 10, 2022.

By: Dimitri Reijerman

The subject of cyber security includes a large number of sub-themes, often with a technical component. However, that does not cover the entire load, says Klaver: “The focus is often mainly on the technical component. But it is about a combination of measures in the field of processes, people and technology. You need these three factors. In the chemical industry, you see that procedures are so important and safety is such an important aspect that cyber security is now extremely important to include. Traditionally, there is a lot of attention for safety in laboratories, but precisely because of the complexity in the sector and the intertwining of IT with OT, you see that new vulnerabilities and attack paths are emerging there. Because it is also a vital sector, as the hacking incident of Colonial Pipelines showed last year, an attack can also have an enormous social impact.”

Klaver gives another example of a recent incident: “In February, we had attacks on large oil terminals in Belgium, the Netherlands and Germany. These terminals were temporarily out of operation as a result. At TNO, we keep records of such incidents. Precisely to learn that if something happens at location A, we should also defend ourselves against it here. Because cybercriminals almost always try to strike at location B. There are no or hardly any boundaries for carrying out cyber attacks.”

It is therefore important for a company or institution to start at the basics. Informed employees are vital, says the TNO expert: “You can prevent successful cyber attacks with a number of basic measures and employee awareness. I completely agree with the statement that employees are a very important link in making organizations more resilient. Don't let them click on that cheerful-looking link in an email or connect private equipment to the company network. But also think about how you deal with suppliers, for example. Make sure that there are procedures for that.”

Publication of trade secrets

In addition to the now widely used ransomware, cybercriminals are also carrying out additional actions: “You see that in combination with ransomware, information is increasingly being stolen and published. That is also a point of attention for labs, because in addition to commercial information, it can also involve personal or sensitive information. Attackers want to put organizations under further pressure to pay ransom.”

According to Klaver, international conflicts can also be a reason to pay extra attention: “The NCSC (National Cyber Security Center) is currently monitoring all developments around Ukraine. They have also investigated whether the attacks on the aforementioned oil platforms came from the Russian side. According to the NCSC, it seems to be okay so far. But the chemical sector can be a specific target. You have seen that before in the Middle East, for example.”

Anyone can be a target

During her lecture, Klaver wants to emphasize that every company, from large to small, is at risk: “Sometimes you notice that companies think 'oh, I'm not that interesting'. Then we always look at the data from ransomware attacks. Those lists include companies from very small to very large. So don't think you're safe because you're hard to find. For example, the attack on the municipality of Hof van Twente is not at the top of everyone's list. People are also wary of the technical complexity and the costs. Then they think 'they'll just pass my door'.”

Klaver wants to emphasize that the first steps on the road to cyber security are the most important: “We see that many companies experience the subject of cyber security as overwhelming. But with a number of basic steps and creating awareness, you can already make very big steps. So don't immediately aim for heavy technological solutions, but know which systems you have in-house and where the vulnerabilities are. The DTC (Digital Trust Center) has useful tips, especially for SMEs, to start small and take the first steps.”