An Ounce of Prevention

FROM THE FEBRUARY ISSUE: With a global rise in cyber threats—including within the ethanol industry—experts offer security tips and best practices.
By Matt Thompson | January 20, 2020

It’s the stuff of action movies and suspense novels: Criminals are holding something or somebody for ransom. What was once a far-fetched story line is now an increasingly real concern: ransomware. In these incidents, malicious software is installed on a computer or computer system, preventing users from accessing data unless a ransom is paid to the hackers.

Melissa DeDonder, senior associate at Kcoe Isom, says, “I would say, just a general statement, all industries have experienced an uptick in cyberattacks, and it’s going to continue to be an uptick unless those companies begin to do something to protect their data and their customer data.” She adds that several of the company’s ethanol plant clients have had a cyberattack of some sort in the past year or so.

And those attacks can have a big impact on an ethanol plant. Lyle Schlyer, president of Calgren Renewable Fuels, which operates a plant in California and one in Kansas, says both of the company’s plants have been victims of ransomware. “I think they’ve tried to hit us—I have no idea whether it’s multiple groups or the same group—twice at each facility,” he says. And, unfortunately, preparing for and responding to such attacks has become the cost of doing business. “No reasonable amount is too much to pay to have the latest and greatest firewalls and the like, but yet we still get hit,” Schlyer says.

And once a company has been breached, DeDonder says, that company is more likely to be breached again. “For these clients that have already had ransomware, word’s going to get around that that was paid, and those bad guys are going to know how to hit you again,” she says. Schlyer agrees and says the company fully expects to be hit again.

Full Protection
Schlyer says since the breaches, the company has made changes to try to prevent future attacks. He says access to the plants’ distributed control systems is limited. “We do not allow anybody to touch the systems that actually run the plants,” he says. “We have DCS systems, and they are not connected.”

And while the systems aren’t connected to the internet, there are still threats to the system that plant managers should be aware of, according to Carson Merkwan, business development manager for Direct Automation. He says many plants hold to the philosophy that because the DCS isn’t connected directly to the network, it’s protected from hackers. “That isn’t true because what will happen is that invariably, you’re going to end up with a vendor that wants to have data pulled in from one of their PLC scans. … And we’ve seen that happen several times—people bypass a firewall to get something in and, if they leave that set up where the firewall’s bypassed, within a few days they’ll probably have something like crypto locker on their system.”

He adds that seemingly innocent acts, like plugging in a USB drive or charging a cell phone through a computer’s USB port can be potential sources of breaches. “These things are kind of sneaky, but not only that, you have to get updates once in a while,” Merkwan says. “If you’re sitting there with a DCS that’s been isolated for five years and then you expose yourself for one second, there are so many things out there that could hurt a system that hasn’t been updated in that long. It wouldn’t take long for it to do a lot of damage.”

Up to Speed
Because there are so many potential avenues for hackers to access a system, DeDonder and Merkwan agree that training employees in cyber security is one of the most important factors in preventing breaches. “You’ve got to train managers and operators and everybody,” Merkwan says. “We don’t want to be stringing cable across networks, across firewalls and bypassing firewalls. We don’t want to be plugging in USB sticks into the networks that are supposed to be isolated. We’re going to make sure those are locked down and secure.”

DeDonder agrees. “Anybody that has any type of email, internet access, anything, needs to be trained as to what a phishing attack would look like,” she says. “People are your biggest risk. They’re also your biggest safeguard, so I think that is one of the most important things.”

She also suggests regular tests to make sure those employees stay up to date on cyber security techniques. “Test those people,” she says. “Make sure you have a phishing email go out once a quarter or once a month or whatever it might be to make sure that it comes through and they really are trained appropriately.”

Some tips for recognizing phishing or hazardous emails include verifying any links embedded in emails to make sure they’re directing to the correct sites. “If there’s something that you want to go to, just go to a browser and type it in yourself,” DeDonder says. “If it comes from a source that you know, but it seems a little odd, just try to think critically about it,” she says. She also says to be wary of emails from known sources that ask you to act quickly. “Anything that’s urgent usually should raise a red flag. And if it’s something like that, reach out to that person directly and say, ‘Hey, did you send this?’ before you actually just jump on it.”

DeDonder and Merkwan also suggest inventorying all of a plant’s IT assets. DeDonder says it’s important for plant managers to know exactly what pieces of IT equipment a plant owns, how those assets are connected to the network, and what their potential vulnerabilities are.

“The first thing we do when we go to a plant is take an inventory of what they have for firewall, switches, are they managed or unmanaged,” Merkwan says.

Outside Assistance
Working with a company to help secure firewalls, network connections and backup data is also important. DeDonder says Kcoe ISG, a joint venture between Kcoe Isom and ISG Technologies, offers a network health check, as do several other IT companies. “We basically go in and our software will crawl around your system and figure out what you actually have,” DeDonder says. “Once we figure that out, we can go in and create a roadmap that says these are the vulnerabilities and these are the things that we recommend you do to make sure the data and the customer data is safe.”

Direct Automation also offers a service that monitors a plant’s networks at all times. “This firmware and software can not only alert us and call us and tell us something’s happening, but also shut it down automatically,” Merkwan says. That’s important, he adds, as not all cyber security breaches are as visible as a ransomware attack is. “If it’s somebody that’s coming in hacking your system, you might not even know for a whole year,” he says. “In that type of situation, you’re going to want to have something installed on your system that’s monitoring for weird traffic and there’s not a whole lot of ethanol plants that have that.”

But despite a plant’s best efforts, breaches will still happen, the experts say, and when they do, there are several ways the situation could play out.

Merkwan says it’s important to have contingency plans in place in the event of a breach. “Hopefully they have a plan in place before that happens. They’ve taken images of their system so worst-case scenario—you can’t dig out that virus, you can’t find it—you can always go back to the latest image. So hopefully they’re doing that frequently and completely. And we always do that with our clients. We make sure, worst-case scenario, hopefully we can just reboot to the last best version and usually it’s only a couple days old, at most.”

But, Schlyer says, backups may not always offer data protection. He says in one incident, the hackers were able to locate and encrypt the plant’s backup data. “We have the cyber insurance for that sort of thing, subject to deductibles,” he says. “We immediately reached out to our carrier and asked for their advice, because obviously we’re going to keep them on the hook. And surprisingly, they suggested we pay the ransom.” He adds that, although he was skeptical, after paying the ransom, the hackers provided the key to unlock and access the plant’s data.

DeDonder says that’s the position some insurance companies take, but she doesn’t necessarily agree with it. “If you pay it, you’re now increasing your odds of getting hacked again because everybody knows that you paid it. If you pay it, you don’t necessarily know that they’re going to give you that key.” Instead, they could ask for more money, she says. “You don’t really know what’s going to happen if you pay it.”

But, as in Calgren’s case, there may be no other options. “If they don’t have a backup, they’ve lost all their files, unless they pay that Bitcoin,” Merkwan says. “So they have to do a little internal evaluation of ‘Are those files worth whatever the hacker’s asking for?’”

And Schlyer says the risk of a cyber security breach is something all ethanol plant managers should be aware of. “You only have to get hit by these things once to understand that this is a real issue and you have to be prepared for it,” he says.

Author: Matt Thompson
Associate Editor, Ethanol Producer Magazine