How existing safeguards can help chemical processors overcome emerging cyber-physical risks.
By Blake Benson, Senior Cyber Advisor at ABS Group
Chemical plants have long operated under strict guidelines to mitigate their capacity for harm. Per the Occupational Safety and Health Administration (OSHA), highly hazardous chemicals (HHCs)—which include flammable materials and select toxic and reactive chemicals—must be stored and handled in accordance with Recognized and Generally Accepted Good Engineering Practices (RAGAGEPs) and federal regulations.
These efforts have successfully reduced the risk of explosions, contamination or other environmental risks that may result from human or equipment errors for some time. However, the risk associated with the business has changed over the past few years as bad actors around the world have set their sights on critical infrastructure disruptions.
Chemical plants—which often lack regulations explicitly designed to protect against cyber threats—are becoming increasingly enticing targets. Their relative immaturity in the space and legacy equipment often expands attack surfaces, leaving digital doors open to bad actors.
This gap in protections is often not the fault of operators. It’s the natural result of the rapid push toward connectivity in environments that were not designed with this kind of infrastructure in mind. Now, operators and cybersecurity specialists must work together to strengthen existing safeguards to protect these facilities from a new kind of threat.
Because the threat of cyber-physical attacks that damage plants and communities is relatively new for chemical processors, the severity and type of access hackers can achieve is only now becoming known. Attacks like those on Siegfried, Brenntag, and Symrise in 2021 led to significant production interruptions and large ransom payouts. However, there’s little stopping hackers that do gain access to the systems of a facility that handles HHCs or pharmaceutical manufacturers, for example, from leaking harmful chemicals, contaminating products or causing other disasters that threaten lives.
Nevertheless, explosions, chemical spills and other disasters could always happen, even without interference from cyber attackers. The only real difference now is the catalyst for the hazardous event. As such, the level of cyber risk within these facilities is directly correlated with the risks already on most operators’ radars.
That also means that, with the right adjustments, existing equipment and processes designed to facilitate safe daily operations—like those related to administrative functions, safety instrumented systems, and mechanical protection devices—can help operators manage their cyber risk. They just need to take appropriate steps to ensure their understanding of their facilities’ level of exposure to cyber initiated attacks.
To gain this insight, organizations can leverage existing risk assessment frameworks in new ways and review the findings with a team of (internal or third-party) experts in operational technology (OT) cybersecurity and operations. Informed by their diverse experience in OT environments, this team can take the following steps to contextualize a facility’s risk:
Both assessments can yield insights into known risks within the environment and the kind of damage a bad actor could do should they gain access to different equipment.
Understanding whether certain events can be caused through a cyber-physical attack will help the team figure out how connected systems fit into their holistic risk profile.
Chemical processing and manufacturing have always been risky undertakings. Working with chemicals, hazardous or otherwise, can leave little room for error—and lead to big consequences should an error occur. Operators that understand the risks associated with developing more connected facilities likely understand that no organization or sector is immune. Those that take swift action to address the situation will be better prepared when—not if—a cyber attacker comes knocking.
The good news is that they can get started right now by putting existing safeguards and assessments to work in new ways.
Blake Benson is Senior Cyber Advisor, Global Government Services at ABS Group.
ABS Group is a leading industrial cybersecurity and risk management consulting provider serving critical infrastructure sectors globally specializing in marine and offshore, oil, gas and chemical, government, power and energy and industrial sectors. They work with organizations and legislators to conduct vulnerability assessments, technical inspections and provide recommendations for securing operational technology.
Tune in to hear from Chris Brown, Vice President of Sales at CADDi, a leading manufacturing solution provider. We delve into Chris’ role of expanding the reach of CADDi Drawer which uses advanced AI to centralize and analyze essential production data to help manufacturers improve efficiency and quality.