The Cyber Mistakes Chemical Manufacturers Can’t Afford to Make
Chemical processors are no strangers to assessing and ameliorating risk, but the emerging connectivity of today’s facilities is exacerbating the issue. While regulators and operators’ efforts to mitigate risk in chemical businesses have successfully reduced the frequency and severity of physical hazards, the chemical industry still lacks tailored and comprehensive guidance on the growing threat posed by industrial cyber attacks.
At present, many facilities rely on additions to legacy equipment to achieve connectivity rather than employing new environments and assets specifically designed for networked operations. At the same time, traditional information technology (IT) teams were not built to contend with cybersecurity events that have physical consequences, nor were the risk assessments they use.
All the above come together to foster misunderstandings about what it really means to protect chemical processing facilities and threats from supply chains. And this confusion can lead to mistakes, such as:
1. Equating IT and OT: Operational technology (OT) security teams cannot just layer IT controls onto OT networks and consider them secure. When most people think of cybersecurity failures, they picture information leaks that expose customer information or proprietary data. This is not a desirable outcome, but it just isn’t the same as an explosion or a tainted batch of chemicals. As such, the approach to developing and applying cyber controls in OT environments should reflect that reality.
For example, enterprise platforms often have more redundancy than industrial systems, making full system outages a common tactic during malware remediation efforts. The response may be a costly last resort, but it is an option for enterprise systems. The same can’t be said for chemical operations, which typically must remain online to keep the physical or chemical process stable. In these cases, ceasing operations is not an option, even if a breach occurs.
While this is a rare example of the most extreme response, it illustrates an oft overlooked or misunderstood truth: What works for IT does not always work for OT. Cybersecurity programs for operational systems must be built to support the plant’s critical functions.
Understanding the process of a plant or facility is a key point to being able to deliver a cybersecurity program in a way that does not interfere with operations or put safety at risk.
2. Viewing cyber teams in isolation: Many operators see “cyber” as an isolated field that complements other parts of operations but doesn’t affect them (and vice versa). That’s generally not the case. Delivering effective, non-intrusive OT cybersecurity controls for chemical plants relies on a deep understanding of each facility’s operations and assets and their effects on processes and safety. Teams developing cybersecurity programs for chemical facilities should be cross-functional and multidisciplinary, with members from operations, risk management, engineering and more. Each group has a unique view of the facility’s functions and the hazards in the space. It’s only by bringing these pieces together that teams can see the full picture.
3. Assuming they’re not a target: The profile of vulnerable businesses is changing. Thirteen years ago when Stuxnet was first discovered, $1 billion corporations with valuable data were the primary targets for cyber attackers. Because of this perception, many chemical processors—particularly smaller outfits—assume they are not desirable targets.
That’s a dangerous belief to hold in a post-Colonial Pipeline world. While the attack was not an OT-centric event planned for OT systems, the lack of segmentation between the OT and IT network caused an “incidental impact” that cost the company—and the nation—billions.
That means every storage facility, transporter or processor that works with hazardous chemicals or materials designed for human consumption is now at risk of targeted or incidental contact from cyber attacks. Ignoring that truth opens the industry at large at risk, and it’s no longer a practice we can afford.
What Now?
While regulators at the international, federal and local levels may outline regulations on cyber practices in the future, the chemical industry should not wait to enact sound cybersecurity controls on their own terms. The first step is integrating cybersecurity considerations into existing management procedures by creating an OT-specific inventory and incident response plan. This can help managers develop a baseline understanding of the current system and to grow organizational knowledge about connections beyond that facility’s walls.
When conducting process hazard analyses and layer of protection analyses, managers should note equipment and assets that could be leveraged as part of a cybersecurity incident. Process safety management guidance in chemical facilities should also include language related to cyber incidents and how the organization will respond in these situations.