April 3, 2023 Mitigating Cyber-Physical Risks for Chemical Processors

How existing safeguards can help chemical processors overcome emerging cyber-physical risks.

By Blake Benson, Senior Cyber Advisor at ABS Group

Chemical plants have long operated under strict guidelines to mitigate their capacity for harm. Per the Occupational Safety and Health Administration (OSHA), highly hazardous chemicals (HHCs)—which include flammable materials and select toxic and reactive chemicals—must be stored and handled in accordance with Recognized and Generally Accepted Good Engineering Practices (RAGAGEPs) and federal regulations.

These efforts have successfully reduced the risk of explosions, contamination or other environmental risks that may result from human or equipment errors for some time. However, the risk associated with the business has changed over the past few years as bad actors around the world have set their sights on critical infrastructure disruptions.

Chemical plants—which often lack regulations explicitly designed to protect against cyber threats—are becoming increasingly enticing targets. Their relative immaturity in the space and legacy equipment often expands attack surfaces, leaving digital doors open to bad actors.

This gap in protections is often not the fault of operators. It’s the natural result of the rapid push toward connectivity in environments that were not designed with this kind of infrastructure in mind. Now, operators and cybersecurity specialists must work together to strengthen existing safeguards to protect these facilities from a new kind of threat.

Contextualizing Cyber Risk in the Chemical Sector

Because the threat of cyber-physical attacks that damage plants and communities is relatively new for chemical processors, the severity and type of access hackers can achieve is only now becoming known. Attacks like those on Siegfried, Brenntag, and Symrise in 2021 led to significant production interruptions and large ransom payouts. However, there’s little stopping hackers that do gain access to the systems of a facility that handles HHCs or pharmaceutical manufacturers, for example, from leaking harmful chemicals, contaminating products or causing other disasters that threaten lives.

Nevertheless, explosions, chemical spills and other disasters could always happen, even without interference from cyber attackers. The only real difference now is the catalyst for the hazardous event. As such, the level of cyber risk within these facilities is directly correlated with the risks already on most operators’ radars.

That also means that, with the right adjustments, existing equipment and processes designed to facilitate safe daily operations—like those related to administrative functions, safety instrumented systems, and mechanical protection devices—can help operators manage their cyber risk. They just need to take appropriate steps to ensure their understanding of their facilities’ level of exposure to cyber initiated attacks.

To gain this insight, organizations can leverage existing risk assessment frameworks in new ways and review the findings with a team of (internal or third-party) experts in operational technology (OT) cybersecurity and operations. Informed by their diverse experience in OT environments, this team can take the following steps to contextualize a facility’s risk:

1. Review or compile IT/OT asset inventory and network architectures. Any risk assessment starts with a comprehensive review of the environment that needs protection—both digital and physical. This asset inventory should include all equipment in the facility, its relative importance to daily operations and safety measures and whether it’s connected to a network of any kind.
2. Review or conduct hazard assessments. Chemical plants must regularly conduct:
   • Process hazard analyses (PHAs) to identify potential causes of chemical leaks or other equipment failures and evaluate the consequences should one occur.
   • Layer of protection analyses (LOPAs) to gain a detailed and quantitative view of the layers of protection in place to mitigate hazard scenarios.

Both assessments can yield insights into known risks within the environment and the kind of damage a bad actor could do should they gain access to different equipment.

3. Conduct a systematic evaluation of each critical scenario. The team should identify the safety critical functions or critical systems that are cyber enabled and cross reference the engineered safeguards in each system to determine whether a cyber initiated event could cause:
   • Each hazard event noted in current and past PHAs and LOPAs.
   • A degradation or removal of an existing safeguard

Understanding whether certain events can be caused through a cyber-physical attack will help the team figure out how connected systems fit into their holistic risk profile.

4. Develop an asset risk profile. Based on all of the above, the team can compile a risk asset profile that ranks scenarios by their relative risk levels and notes the associated consequences of each, including the findings from the systematic evaluation. This profile can be used to compare each scenario to the facility’s baseline risk, which provides insight into appropriate next steps.
5. Prepare an action plan. The team’s final task is to use what they’ve learned to develop a comprehensive action plan, outlining any additional cyber or engineered safeguards the company may need to take to mitigate identified hazards as well as the organization’s timeline for making these improvements.

Not-So-Risky Business

Chemical processing and manufacturing have always been risky undertakings. Working with chemicals, hazardous or otherwise, can leave little room for error—and lead to big consequences should an error occur. Operators that understand the risks associated with developing more connected facilities likely understand that no organization or sector is immune. Those that take swift action to address the situation will be better prepared when—not if—a cyber attacker comes knocking.

The good news is that they can get started right now by putting existing safeguards and assessments to work in new ways.

Blake Benson is Senior Cyber Advisor, Global Government Services at ABS Group. 

ABS Group is a leading industrial cybersecurity and risk management consulting provider serving critical infrastructure sectors globally specializing in marine and offshore, oil, gas and chemical, government, power and energy and industrial sectors. They work with organizations and legislators to conduct vulnerability assessments, technical inspections and provide recommendations for securing operational technology.

Subscribe to Industry Today