But what if the disruption was not caused by sudden changes in demand but by something more sinister? What if that disruption could break a supply chain and leave it broken for an extended period? This could be the case with a cybersecurity attack. 

An extended disruption to the supply chain would have financial consequences for all entities in that chain. Some companies might not be able to handle such a financial setback for an extended time. For this reason, cybersecurity in the lubricants supply chain is essential. Base oil producers in particular are a fundamental part of the lubricants industry supply chain, since virtually no lubricants can be made without base stocks.

There are multiple reasons why a hacker might target your plant, ranging from financial to political gain and a host of other reasons. They could be vengeful ex-employees or thrill-seekers.

Supply chains are particularly tempting to hackers because any chain will have a weak point that could be an easy target. Further, one incident can have consequences all along the chain.

Hackers typically don’t go after large manufacturers, as they know those companies are more likely to have up-to-date cybersecurity protocols. Instead, they target the weakest link. This could be a small supplier with one or two locations that is dependent upon its industrial control system to keep everything working.

Hacking into a small supplier’s ICS and bringing it to a halt might have significant consequences for that supplier, but it won’t disrupt the supply chain very much. The hacker will have their eyes on a larger prize.

The small supplier has, through its slack cybersecurity and risk management protocols, allowed the hacker access to its own suppliers and customers. Using the stolen credentials from its original victim, the hacker now has carte blanche to access more areas of the supply chain. 

For example, many networks today use what is known as single sign-on software. SSO is an authentication scheme that allows a user to log in with a single username and password to any of several related yet independent software systems. Thus, a hacker could use one password to access multiple areas of a network.

The hacker can then work through the supply chain, using more companies whose cybersecurity protocols are outdated or non-existent, until they find their optimal mark. At this point, the hacker will launch their weapon. 

Areas of opportunity for hackers include transportation of product, scheduling of supplies, product mixture ratios, process control data reports, communications and even physical areas such as flaring. A weapon of choice for many is ransomware, which forces the company to pay to get access to its data or to have the malware removed from its system. Suddenly, everything comes to a halt.

Members of the American Fuel and Petrochemical Manufacturers’ Cybersecurity Committee point out one example specific to base oils.

Base oils are manufactured in customized batches that are not very large. For transportation of base oils via tanker truck, the protocol in the past was for the driver to wait for the laboratory analysis of the batch of base oils. When that analysis was completed and the certification was printed, the trucker would get on the road.

Today’s protocol usually involves a “load-and-go” method, whereby the trucker leaves the facility and then receives confirmation of the blend from the facility’s lab by fax or email.

If a hacker were to access the blending procedures of the facility, they could disrupt the blend ratios or provide false information on the blends. A hacker could also access lab analysis files. These files could be erased or changed to include false information on the label.

As many base oil manufacturing facilities work with “just-in-time” inventory, any of these strategies would quickly affect product shipments. With the load-and-go method of shipping, misleading blends or labels would probably not be noticed until they were delivered to the customer.

Once a manufacturer knows that its supply chain is compromised, it must figure out where that compromise originated. The supply chain must be examined like old Christmas lights that won’t light up: going through the entire string to see which bulb needs replacing. This hunt takes time and money. The company probably will have to hire an outside firm to help. In the meantime, orders are backing up, materials are not coming in, and no one wants to answer those calls and emails from customers.

When the industry finds out that the supply chain crashed because your company allowed hackers access, your company’s reputation will be considerably marred. You will lose customers.

There are some steps you can take to shield your company from this scenario.

First, make sure your company’s cybersecurity protocols are up to date and in place. Never settle for someone in the information technology department or someone who handles the ICS saying that everything is ok. Have them prove that everything is okay. 

There is no such thing as being too small to be of interest to a cybersecurity hacker. Hackers equate smaller companies with less security.

Familiarize yourself with how a hacker can gain access to your system. For example, the United States-based Independent Lubricant Manufacturers Association’s June “Scam of the Month” highlighted a phishing email campaign that appears to come from the Coronavirus Research Center of Johns Hopkins University, a well-known medical center in Baltimore, Maryland. An attached Microsoft Excel file includes a piece of malware called NetSupport Manager that allows remote access to the host computer. Cybercriminals can then steal sensitive data, install more malicious software or use the machine for other criminal activities.

Demand—don’t ask—that any supplier on which your company depends is current in their cybersecurity and risk management protocols. Put this in your contracts. You don’t want your company exposed due to the lack of cybersecurity protocols in any of your suppliers.

Listen to your IT and ICS personnel. They are your subject matter experts. Strongly encourage them to go to training. It might be expensive, but it’s a good investment in your company. Talk to them about the systems’ needs, both in IT and in ICS. Question them, but try not to second-guess them. You hired them to be your experts when it comes to cybersecurity.

If they see a need to increase the cybersecurity budget, it is fine to inquire why, but don’t assume that nothing will happen in the future since nothing has happened in the past. While you can afford to be frugal with your cybersecurity budget, you can’t afford to be cheap. Think of the cybersecurity budget line in the same way you think about insurance.

Assume nothing. A contractor could link their laptop to your network for a legitimate purpose, but that same laptop might have malware that could affect your network. Ensure that your system has software that will allow contractors and other third-party entities to access only those areas you want them to access and only for a set period. You’d be surprised how many contractors can still access the refinery’s networks remotely long after the completion of a turnaround.

Make sure all staff has training in cybersecurity. It is not a stretch to say that cybersecurity should become as important as safety at your company.

In 2020, any company in a supply chain, whether it is base oils or toilet paper, must realize the importance of cybersecurity. You can’t see an attack coming, and you won’t hear it, but it will disrupt your business in ways you probably could not imagine. If needed, find a contractor that can help your company be proactive about cybersecurity.

I’ll close with this story: An IT manager was trying to get the CEO and others to let him have a larger budget for cybersecurity. The CEO was stonewalling, saying that cybersecurity was not a priority, and its budget was too large already. The IT manager finally got frustrated and said to the CEO, “If someone hacks into our ICS system and causes a catastrophic event, it won’t be me whom Congress and the shareholders call upon to explain why this happened.”

He got his budget approved.   

Dan Strachan is the principal and owner of Loyal Dog Consulting LLC in Annapolis, Maryland. He previously served as director on industrial relations at AFPM, where he handled issues related to cybersecurity and to base oil. Contact him at djs@loyaldogconsulting.net.