Digital Defenses

Cyber security has become crucial across all industries, ethanol production being no exception. Experts in the space offer advice on how to improve security, back up data, remediate risk and avoid becoming a victim of cyber crime.
By Katie Schroeder | August 18, 2022

Cyber security for ethanol producers is increasingly important. Threats like ransomware and leakware can result in operational disruption, loss of data and theft of proprietary information. Recovering from a cyber breach can be as time- and labor-intensive as repairing physical damage to a facility after an industrial accident or storm.

“If a hurricane hits your plant, it might be down for several days to clean up and get everything back together, and you might lose some things,” says Eric Newell, CEO of Stoneridge Software. “A ransomware attack is kind of similar to that in that you’re down for several days, it could impact some of your internal systems, it could impact some of the controls that you have on your manufacturing equipment. So, it could end up really shutting you down for a considerable period of time.”

The ethanol industry’s potential susceptibility to cybercrime is partially due to the use of outdated technology and an emphasis on uptime, explains Joe Henderson, IT director for Direct Technologies. Outdated technology is a perfect recipe for a cyber criminal. “We’ve got an industry that, you know, runs 24/7, runs on outdated hardware and doesn’t update themselves,” he says.

Brandon Bohle, endpoint security team lead for Interstates, explains that avoiding cyber security problems helps increase uptime and decrease the potential for unexpected downtime. “We realize that uptime is critical for these organizations, they’ve got to make that product and get it out to consumers in order for them to make money,” Bohle says. “We want to ensure high uptime and availability at these facilities, and by avoiding different cyber security issues, that’s how we’re really helping them keep up in processing.”

Ransomware is a major financial risk and can be very disruptive to a producer’s operation. In a ransomware attack, a cyber criminal gains access to a network and holds files and information hostage, denying the owners access unless they pay large sums of money. Bohle explains that ransomware is currently one of the biggest threats in the cyber world. Although there is no “silver bullet” for stopping cyber attacks, he says Interstates takes a layered approach, looking at the many different aspects that go into an ethanol plant’s cyber security.

Assessing Vulnerabilities
A key step to begin the process of improving cyber security is assessing a plant’s strengths and weaknesses. Every ethanol plant has its own unique set of vulnerabilities, which need to be remediated to improve security. Henderson suggests that producers start improving their cyber security with a vulnerability audit scan. “One, it’s a great way to find out your inventory,” Henderson says. “Sometimes systems get so large that you don’t even know what’s on the network, right, or the plant might not even know what’s on the network, or they thought they were going to retire something, and it never got retired.”

Newell agrees, suggesting an assessment followed by a penetration test, where a hired professional attempts to hack your system. “That can expose a lot of wrinkles, or it could tell you that you’re generally pretty safe and as long as you don’t give away the passwords and phones, you’ll probably be okay,” he says. “But that’s the best thing to do; we do a fair number of them.”

Doug Davidson, director and department head of external-facing IT services with GBQ Partners, suggests starting with a Critical Security Framework assessment from the National Institute of Science and Technology to identify valuable assets, ways to protect them, as well as how to “detect, respond and recover” if those assets are attacked. “The second step would be to do a risk assessment to understand what assets you have—whether IT or OT assets—and how they’re exposed. And then, based on how likely an attack might impact those systems, let’s put a plan together to remediate or close this hole,” Davidson says.

Uneducated end users are the producer’s greatest vulnerability since they may fall prey to a phishing email and grant a cyber criminal access, according to Henderson. While uneducated end users can be a major vulnerability, they can also be your “biggest defense.” Other vulnerabilities include outdated or end-of-life operating systems, such as XP or Windows 7; default usernames, default passwords and weak passwords; active usernames for employees who no longer work there; and internet access for devices which are on the operational technology (OT) network.

Remediation Solutions
One of the ways producers can protect their data and avoid unanticipated downtime is by having backups. Bohle explains that backups are the best way to avoid falling prey to ransomware and being forced to pay possibly millions of dollars to get your data back. “If we have a good backup procedure and one of our systems gets compromised with ransomware, rather than contemplating paying the ransom, we can just use our backups and restore our systems,” he says. “It’s usually cheaper and it’s a lot quicker, but you’ve … got to [bear] that upfront cost.”

Newell recommends having a minimum of two backups, one in the cloud and one physical backup. For cloud storage he recommends OneDrive and Azure. “And then if you’re on premise (i.e., your IT infrastructure is hosted on site) the most common solution that we recommend is called Veeam, that’s a really strong backup software that will organize your backups for you and give you options to backup digital, cloud, all that kind of stuff, so that’s kind of the best in the industry on that,” Newell says. 

Determining the importance of the information is key to understanding how frequently information needs to be backed up and how much money to invest in backups, Bohle explains. “This would give us an understanding of how frequently we need to do backups on our systems, or do we need to do live backups,” he says. “Generally, the shorter amount of time [between backups] … the more expensive a system is. So, you kind of [need] that balance between the two.”

Educating End Users
Henderson recommends three different cheap and simple methods which can help turn end users into the first line of defense instead of a vulnerability. First, educate end users on what a phishing email is and how to recognize it. Second, teach them how to have strong passwords and implement a strong password policy. Finally, both Henderson and Newell suggest that producers invest in multi-factored identification, so that a hacker would not be able to access accounts or systems if they steal a user’s password.

There are multiple different education options to assist with these steps. Henderson recommends asking a Direct Technologies representative or another “cyber security guru” to come in and give a 45-minute presentation to educate employees on safe usage. Newell recommends using training from cyber security company KnowBe4. Davidson agrees with that recommendation and describes how GBQ utilizes their training. “We use the tool to raise awareness about what bad things might happen, and to raise awareness about what we expect an employee to do in that environment, and then kind of in a learning mode, we self-phish the organization,” he says.

“Self-phishing” is conducted by sending phishing messages to the inbox of every member of the company. If employees report the email to IT, they will get a message congratulating them on responding correctly, Davidson explains. However, if they click on the link, they will get a message telling them that clicking was not the right response and giving them information on what to look for in the future to recognize a phishing email.

Bohle explains that Interstates tailors its end user training to the team member’s role within the organization. The average plant worker will be encouraged to speak up if they notice the system is not working normally. For employees who work at a security officer level, Interstates goes over response options, limiting exposure once compromised and responding to ransomware. Other decisionmakers, such as plant managers, executives and board members, may receive education on the importance of early implementation of cyber security, Bohle says. “It is an upfront cost that really doesn’t have a direct ROI, but in the long run—by preventing some of these downtimes or reducing the time that a system is down in these events—they can get up and be producing again in a quicker fashion,” he explains.

Network Separation and Protecting Critical Assets
One of the biggest problem spots in cyber security, aside from end-user missteps, is having the operational technology network accessible via the business network. Bohle explains that separating the business or office network from the operational technology network allows for less damage to the organization as a whole if one area gets hacked. “We want to limit what sort of traffic can go to different areas,” he says. “This is where we like to do segmentation. If there’s an office environment, we like to separate that from the controls or the production environment.”

Henderson agrees. “A lot of plants that we’ve seen get compromised, it always starts with a business office network and then from that business office network they’re able to gain access to their OT network,” he says. “So, having that business office network segregated or separated through, for instance, a firewall is pretty critical along with any other networks that hit the world wide web. With those segregated off, which could still leave a back door or some type of loophole, it’s going to take longer for those cyber criminals to find and maybe mitigate or shut down before it is exposed.”

Identifying “mission critical assets” is vital, Bohle explains. Mission critical assets include any communication paths or systems which will shut down the whole process if they fail or become non-responsive. “We might look at having redundant systems that are running concurrently, we could have redundant power supplies for some of the systems or we could even have redundant switches in place. If something goes down, it could shut you down, so we need to figure out how we create redundancy there,” Bohle says.

Insurance Investment
Investing in cyber security insurance is an important safety measure that could end up saving you money in the long run. Newell compares purchasing cyber security insurance to purchasing insurance for tornados or thunderstorms: it helps you cover some of the cost for damages. “There’s cyber security insurance that you can buy with ransomware protection, and that will help offset some of the costs you have if you are hit,” he says.

Henderson explains that though cyber security insurance may cost somewhere from $8,000 to $20,000, the price pales in comparison to ransomware costs, which can be millions of dollars. While backups are helpful, Henderson reminds producers that they’re not necessarily a guarantee for a quick comeback. “Backups will save you probably 95 times out of a hundred,” he says. “Chances are, if you’re down for three days … [backups] will take care of your data. But if for some reason we need to strip that network and rebuild it, you’re down for a week, and how much does that cost you?”

Author: Katie Schroeder