FEATURE: Steel mills have unique challenges, vulnerabilities to cyberattacks (Part 2 of 3)

  • Author: Ingrid Lexova
  • Editor: Tom Balcerek
  • Commodity: Metals

Pittsburgh — Note: Part 2 of 3

Historically, critical infrastructure systems like steel mills have had distinct vulnerabilities due to being purpose-built systems, designed to run with very little variation, according to Mark Fabro, president and chief security scientist at Lofty Perch, a consulting firm focused specifically on operational technology and industrial controls systems for cybersecurity.

In the past, cybersecurity was not a component of the build specifications or the procurement process. The risk of an attack was limited to anyone with physical access to the plant, creating opportunity for physical damage, malicious operation of the system or the introduction of malware via removable media, according to Fabro.

Part 1: Manufacturing faces distinct challenges in cyber risk mitigation

Part 3: Cyber-informed engineering perspective needed for cyber-defense

"Fast forward to where we are now, and those systems that were traditionally protected through isolation are now connected to back office, to the supply chain, to the vendors," Fabro said. "Those systems are now networked to a wide range of external systems, making it hard to delineate the extent of the interconnected systems. The challenge becomes accurately defining and securing the extent of the business-critical information infrastructure, and this is where new attack vectors can originate."

While cybersecurity measures can be implemented by steel mills, the older systems can pose additional problems. The last new blast furnace in the US was built more than half a century ago.

A steel industry chief information security officer (CISO) said threat actors will look for "vulnerabilities in the software and work to exploit them. The manufacturing industry is often dealing with extremely expensive control systems that were either not designed with security in mind or are difficult to keep updated due to operating schedules."

The end goal will always be mitigating all vulnerability, but that can be untenable, so asset owners need to think about consequence-based analysis, according to Fabro.

"Understanding the realistic cyber risk of manufacturing infrastructure needs to be done from the perspective of cyber-informed engineering, in order to understand how the uniqueness of manufacturing environments changes the attacker's landscape of opportunity," he added.

The manufacturing industry has been slow to adopt appropriate cybersecurity measures, according to the steel industry CISO: "Financial organizations, for example, have had regulations for years requiring a focus on securing their data and systems, whereas in manufacturing it has been a choice to secure their systems."