51 Seconds: When Cyberattacks Threaten Chemical Safety, Security

Chemical plants face challenges in policing multi-cloud hybrid environments.
Sept. 17, 2025

Key Highlights

Speed kills defenses: Attackers now break out of initial compromises in under an hour on average, with the fastest recorded at just 51 seconds—potentially faster than safety systems can respond.

Cloud connectivity creates new attack paths: As chemical companies adopt cloud-based analytics and remote monitoring, threat actors are pivoting from traditional IT infiltration to exploiting misconfigured cloud access and weak credential controls.

Visibility is the foundation: Organizations can't protect what they can't see—starting with comprehensive asset inventory and risk-based prioritization is more effective than trying to secure everything at once.

The transition to multi-cloud hybrid environments marks one of the most significant milestones in the history of business computing, but it comes with a high cost in terms of security risks.

That’s the conclusion reached in The State of Data Security: A Distributed Crisis, a report published by Rubrik Zero Labs in April.

The 41-page report says hybrid environments introduce unprecedented hazards, and IT leaders report challenges with system-wide data security, lack of visibility and the inability to establish centralized control. Threat actors are exploiting these weaknesses relentlessly and employing evolving techniques such as identity-based strategies, which now account for most attacks.

Of over 1,600 IT and security experts surveyed across 10 countries, 90% said their organizations had experienced cyberattacks targeting their cloud environments within the past year, with many facing repeated assaults. 

The numbers are alarming: 86% of companies faced with extortion demands paid the ransom; 75% confirmed that attackers were able to breach and harm their data.

Data sprawl is a growing issue, with organizations increasing their utilization of cloud and Software as a Service (SaaS) services. Hybrid and multi-cloud strategies are becoming the norm, with 89% of organizations utilizing multiple cloud platforms.

The majority, 92%, of the IT and security leaders surveyed said they are using anywhere between two and five cloud and SaaS platforms for data storage, applications and services, while two-thirds said they are planning to shift toward using more cloud and SaaS-based services over the next year.

The Rubrik report includes data from CrowdStrike’s 2025 Global Threat Report, most notably the dramatic decrease in the time it takes for a threat actor to move from the area they initially compromised to other systems – also known as breakout time. This showed that the average breakout time for interactive eCrime intrusions fell to 48 minutes in 2024, down from 62 minutes the previous year. Alarmingly, the fastest breakout was recorded at just 51 seconds, meaning defenders may have less than a minute to detect and respond before attackers establish deeper control. 

Growing Concerns

Should these figures concern the chemical industry?

“Absolutely,” said Steven Taylor, Global Senior Product Manager, Cybersecurity Services, Rockwell Automation.

“The Rubrik data cites a 26% increase in cloud intrusions and 79% malware-free attacks. It’s hitting chemical operations right where they’re most vulnerable. These environments are inherently high-risk and often operate with legacy equipment that wasn’t designed with cloud interconnectivity in mind,” he cautioned.

Nevertheless, critical infrastructure organizations, including chemical companies, have been increasingly adopting cloud-connected systems to stay competitive, such as analytics platforms, remote monitoring tools and supply chain management platforms.  

So, threat actors have pivoted from traditional IT infiltration to abusing misconfigured cloud access, remote connections and weak credential controls. 

“This is a massive operational risk, and it’s only continuing to accelerate. The assumption that cloud environments are secure by default is a dangerous one, especially when attackers are ‘logging in’ instead of ‘breaking in’,” Taylor added.

Another major concern is the breakout data. 

“In a chemical plant, 51 seconds could be the difference between a controlled shutdown and a safety incident. Organizations need to understand these aren't just IT problems anymore. When attackers move laterally from compromised cloud credentials into operational networks, we're talking about potential impacts on safety systems and process control,” he said (Figure 1).

By necessity, cybersecurity regulatory regimes are also evolving. However, a constantly shifting landscape poses additional challenges. “It can be hard for manufacturers and critical infrastructure operators to keep up,” Taylor admitted.

In the U.S., customers are actively seeking help to explain how federal mandates such as Executive Orders (EOs) 14028 and 14144 apply to their day-to-day operations.

EO 14028, Improving the Nation’s Cybersecurity, was issued on May 12, 2021, and requires agencies to enhance cybersecurity and software supply chain integrity. 

EO 14144 is less well established. Titled Strengthening and Promoting Innovation in the Nation's Cybersecurity, it was issued on Jan. 16, 2025, in the last few days of Biden's presidency.

Although the outgoing and incoming regimes agreed on many aspects of cybersecurity, on June 6, 2025, President Trump issued the EO Sustaining Select Efforts to Strengthen the Nation's Cybersecurity, which amended EO 14144 and the Obama-era EO 13694, Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities.

According to a fact sheet from the White House on the amended EOs, the changes aim to reprioritize cybersecurity efforts, removing “problematic and distracting issues” in the original Biden EO. These include “imposing unproven and burdensome software accounting processes that prioritized compliance checklists over genuine security investments” and “micromanaging technical cybersecurity decisions better handled at the department and agency level, where budget tradeoffs and innovative solutions can be more effectively evaluated and implemented.”

“Cybersecurity,” states the fact sheet, “is too important to be reduced to a mere political football.”

Meanwhile, the EU is updating its nine-year-old Network and Information Systems directive (NIS) with NIS 2. This highlights cloud service security as one of six major issues that the chemical industry needs to tackle. It also points out that complying with the directive could require significant investment by the industry. 

The directive is also causing problems for the chemical industry. Taylor noted that many more calls are coming from manufacturers asking for help with NIS2 compliance — not just from companies based in the EU but also from multinational operations that have facilities in Europe.

“These companies aren’t just trying to check off a regulatory requirement. They're wrestling with real operational headaches: How do you secure third-party contractor access without slowing down maintenance work? How do you harden those cloud-based engineering platforms that everyone's using now without breaking existing workflows? And how do you meet all these data sovereignty and incident response requirements without grinding productivity to a halt?” he asked.

Many of these facilities run OT systems that predate today’s connectivity and compliance expectations. 

“We help bridge that gap by working with companies to build governance and documentation frameworks that help demonstrate compliance while keeping operations safe and efficient. We’re enabling them to leverage existing standards like IEC 62443 and NIST to accelerate readiness, rather than starting from scratch,” said Taylor.

The International Society of Automation’s IEC 62443 standards define requirements and processes for implementing and maintaining electronically secure industrial automation and control systems. These standards set best practices for security and provide a way to assess security performance.

The National Institute of Standards and Technology (NIST) cybersecurity framework (CSF) is a set of voluntary guidelines to help organizations manage and reduce cybersecurity risks.

“Globally, we’re seeing these different regulatory frameworks starting to converge around the same basic ideas. From the EU’s Cyber Resilience Act (CRA) and NIS2 to the Singapore Cybersecurity Act to the U.S. federal orders, the core principles align around secure-by-design development, supply chain transparency and rapid incident reporting. Our job is to stay ahead of these evolving frameworks so our customers can focus on running safe and resilient operations.”

Rising to the Challenge

Taylor noted that Rockwell Automation has worked with multiple chemical producers and critical manufacturers that have faced the challenge of expanding cloud connectivity without sufficient visibility or control over their OT assets.

He cites the example of a multi-site chemical manufacturer that adopted cloud-enabled operations but lacked a current asset inventory and understanding of associated risks. 

A technology-enabled vulnerability assessment examined over 60 facilities, uncovering unmanaged assets, legacy systems and flat networks that could expose the OT environment to external threats. 

“We centralized asset inventory, correlated configuration data and assessed network segmentation, uncovering high-risk paths from IT into OT that could have given access from a compromised cloud interface. From there, we implemented targeted mitigation steps, including secure remote access controls and network segmentation,” he explained.

In another example, a global chemical company with limited in-house cybersecurity resources brought the company in to support its transition toward better compliance with internal and external standards. 

It deployed Rockwell’s centralized security platform across 500 sites, moving the company from manual, fragmented processes to automated patching, centralized alerting and improved endpoint visibility.

The improvements helped bolster defenses against a range of modern risks, including those associated with cloud-based services, remote access and identity management.

“Going beyond conventional IT approaches to maintain safe, uninterrupted production and regulatory compliance is critical. These case studies show how companies in the sector can significantly improve resiliency through enhancing visibility, standardizing response and applying risk-based prioritization. In these environments where cloud connectivity is increasing, that means pairing deep OT visibility with cloud-aware monitoring and response,” Taylor said.

Customers are now applying those same principles in many different types of manufacturing operations, he noted. “The ability to scale risk assessments and improve monitoring across distributed operations is what makes the difference between companies that get ahead of these threats and those that end up paying ransoms.”

Vendors Answer the Call

For example, in May, Emerson launched Project Beyond.

It’s a connected industrial technology platform designed to reduce the costly and complex technology integration required to move data across different OT systems and applications, helping customers deploy and scale new capabilities faster.

The company says that the new platform will help automation investments deliver value without adding complexity by leveraging innovations in software-defined control, data management, zero-trust cybersecurity and artificial intelligence.

Among the building blocks of Project Beyond is Zero-Trust Security Architecture, a security plane that secures every access, device, application, connection and data within the platform.

Then there’s SINEC Security Guard from Siemens. Marketed as intuitive cloud-based software for improving cybersecurity on the shop floor, it matches vulnerabilities to OT assets, prioritizes them and engages in mitigation measures. 

As the Rubrik report highlighted, hackers are constantly discovering new security vulnerabilities and developing ways to exploit them, which can take seconds. SINEC Security Guard provides risk transparency, monitoring the visibility of threats to an OT network and then mitigating them accordingly.

In Rockwell’s case, it means taking a layered, NIST-aligned approach that starts with visibility and builds toward continuous protection and response. 

Its offerings include vulnerability management and threat detection, secure remote access for third-party and internal use, segmentation and an industrial demilitarized zone (IDMZ) to act as a buffer between critical environments or production floor systems and the enterprise network, and the company’s security monitoring and response (SMR) service, which was launched in April this year.

“SMR, a 24/7 managed detection and response OT SOC (security operations center) service, is the most important of these,” Taylor said. 

“It was built to address a very real and growing pain point: industrial organizations are overwhelmed by alerts, understaffed on cybersecurity talent and struggling to make sense of what’s actually happening across increasingly connected environments—including the cloud,” he added.

Taylor believes SMR differs from other vendors’ response services because of its OT-specific rules, automations and behavioral analytics that can wrap around a wide range of existing data sources such as firewalls, endpoint security tools and cloud telemetry.

“Our solutions have evolved to meet the modern threat landscape. Where it used to be about locking down the perimeter, it’s now about real-time insight across a distributed infrastructure. Looking ahead, industrial security needs to be faster and smarter. That means more automation, context-aware alerts and risk-based prioritization. We’re already embedding that into our SMR service, which not only detects anomalies but triages them and escalates actionable insights,” Taylor added.

Top Tips for Hybrid Happiness

Are you concerned about the investment needed to keep cloud service security effective? Taylor advises starting with visibility. Focus on the basics and think of cybersecurity as operational risk management, not just an IT expense.

“Visibility is the foundation of any good security program, as you can't protect what you can't see. From there, prioritize based on risk. Not every alert or system needs equal attention, but your critical assets and remote access points do.”

Begin with a cybersecurity preparedness assessment. From there, small investments in secure remote access, basic segmentation and managed monitoring can deliver a huge return — especially if you don’t have full-time cybersecurity staff.

“Remember: security isn’t a one-time project. It’s a process. But with the right partners and the right architecture, even small teams can deliver transformative results,” Taylor concluded.

About the Author

Seán Ottewell

Editor-at-Large

Seán Crevan Ottewell is Chemical Processing's Editor-at-Large. Seán earned his bachelor's of science degree in biochemistry at the University of Warwick and his master's in radiation biochemistry at the University of London. He served as Science Officer with the UK Department of Environment’s Chernobyl Monitoring Unit’s Food Science Radiation Unit, London. His editorial background includes assistant editor, news editor and then editor of The Chemical Engineer, the Institution of Chemical Engineers’ twice monthly technical journal. Prior to joining Chemical Processing in 2012 he was editor of European Chemical Engineer, European Process Engineer, International Power Engineer, and European Laboratory Scientist, with Setform Limited, London.

He is based in East Mayo, Republic of Ireland, where he and his wife Suzi (a maths, biology and chemistry teacher) host guests from all over the world at their holiday cottage.
