NOTE: The sponsor of this content may contact you with more information on this topic. Click here to opt out of sharing your email address with this sponsor. (This link will not unsubscribe you from any other BIC email list).
Chemical plants have long operated under strict guidelines to mitigate their capacity for harm.
Per OSHA, highly hazardous chemicals (HHCs) — which include flammable materials and select toxic and reactive chemicals — must be stored and handled in accordance with Recognized and Generally Accepted Good Engineering Practices and federal regulations.
These efforts have successfully reduced the risk of explosions, contamination or other environmental risks that, in some instances, could be caused by human or equipment errors. Most facilities know how to handle this type of emergencies. These physical events pose immediate threats to the safety and well-being of workers and the environment, pushing organizations to have clear procedures in place for shutting down and opening up operations.
However, the risks associated with the business have changed over the past few years as bad actors around the world have set their sights on critical infrastructure disruptions. The cyber physical attacks have been taking center stage due to their ability to take control of and manipulate industrial control systems (ICS), from gaining access to the facility’s systems that handles HHCs or pharmaceutical manufacturers, for example, from leaking harmful chemicals, contaminating products or causing other disasters that threaten lives, to stopping gas pipelines.
Hackers have been demonstrating their abilities to use cyber to create real-world impacts, now more than ever, and chemical plants — which often lack regulations explicitly designed to protect against cyber threats — are becoming increasingly attractive targets.
The lack of maturity in cyberspace and the slow transition to bring the OT legacy equipment where they need to be to face today’s challenges, expands the attack surfaces, leaving digital doors open to bad actors. This gap in protections is the natural result of the rapid push toward connectivity in environments that were not designed with this kind of infrastructure in mind.
Now, operators and cybersecurity specialists must work together to strengthen existing safeguards to protect the facilities from these new threats.
Contextualizing cyber risk in the chemical sector
Attacks like those on Siegfried, Brenntag and Symrise in 2021, causing significant production interruptions and large ransom payouts, show the real effects of a cyber physical attack, something relatively new for chemical processors.
Explosions, chemical spills and other disasters could always happen, even without interference from cyber attackers. The only real difference now is the catalyst for the hazardous event. As such, the level of cyber risk within these facilities is directly correlated with the risks already on most operators’ radars.
That also means that, with the right adjustments, existing equipment and processes designed to facilitate safe daily operations — like those related to administrative functions, safety instrumented systems and mechanical protection devices — can help operators manage their cyber risk. They just need to take appropriate steps to ensure their understanding of their facilities’ level of exposure to cyber initiated attacks.
To gain this insight, organizations can leverage existing risk assessment frameworks in new ways and review the findings with a team of internal or third-party experts in operational technology (OT) cybersecurity and operations. Informed by their diverse experience in OT environments, this team can take the following steps to contextualize a facility’s risk:
1. Review or compile IT/OT asset inventory and network architectures. Any risk assessment starts with a comprehensive review of the environment that needs protection — both digital and physical. This asset inventory should include all equipment in the facility, its relative importance to daily operations and safety measures and whether it’s connected to a network of any kind. It’s impossible to secure what you don’t know; that’s why it’s critical to know your assets and protect the work you put into defining them and the risk associated with them by documenting changes effectively.
2. Review or conduct hazard assessments. Chemical plants must regularly conduct:
- Process hazard analyses (PHAs) to identify potential causes of chemical leaks or other equipment failures and evaluate the consequences when one occurs.
- Layer of protection analyses (LOPAs) to gain a detailed and quantitative view of the layers of protection in place to mitigate hazard scenarios.
Both assessments can yield insights into known risks within the environment and the kind of damage a bad actor could do when they gain access to different equipment.
3. Conduct a systematic evaluation of each critical scenario. The team should identify the safety critical functions or critical systems that are cyber enabled and cross reference the engineered safeguards in each system to determine whether a cyber initiated event could cause:
- Each hazard event noted in current and past PHAs and LOPAs.
- A degradation or removal of an existing safeguard
Understanding whether certain events can be caused through a cyber physical attack will help the team figure out how connected systems fit into their holistic risk profile.
4. Develop an asset risk profile. Based on all of the above, the team can compile a risk asset profile that ranks scenarios by their relative risk levels and notes the associated consequences of each, including the findings from the systematic evaluation. This profile can be used to compare each scenario to the facility’s baseline risk, which provides insight into appropriate next steps.
5. Prepare an action plan. The team’s final task is to use what they’ve learned to develop a comprehensive action plan, outlining any additional cyber or engineered safeguards the company may need to take to mitigate identified hazards as well as the organization’s timeline for making these improvements.
Not-so-risky business
Chemical processing and manufacturing have always been risky undertakings. Working with chemicals, hazardous or otherwise, can leave little room for error —and lead to big consequences when an error occurs. Operators that understand the risks associated with developing more connected facilities likely understand that no organization or sector is immune. Those that take swift action to address the situation will be better prepared when — not if — a cyber attacker comes knocking.
This might mean that organizations need a more comprehensive approach to strengthen their cyber posture. The good news is that they can get started right now by putting existing safeguards and assessments to work in new ways.
For more information, visit abs-group.com.
