Are your Chemical Plants Safe from Cyberattacks?
Cyberattacks have been increasing across the globe and the chemical industry has not been spared either. As more chemical companies adopt the ‘digital transformation’ concept for its numerous benefits, they are also exposed to cyberattacks that can have devastating consequences for their operations. The article offers useful tips on developing a secure cybersecurity strategy along with insights on the different measures that can be undertaken to reduce the risks of cyberattacks on chemical plants.
Operational downtime, loss of money and reputation, and maybe even a plant explosion that puts innocent lives in danger and damages critical infrastructure are the direct results of the deadly cyberattacks being carried out on industrial plants today. The motive behind these attacks is usually financial: in a ransomware attack, hackers block the firm’s access to its sensitive information and threaten to leak its data publicly, or they may steal the firm’s intellectual property and sell it to others. In some cases the hackers may also be politically motivated, leading them to cause maximum damage to a firm’s assets, such as valuable data and physical plants.
Cyberattack on chemical firms
The chemical industry has also been a victim of these attacks. In 2019, chemical companies Hexion and Momentive Performance Materials suffered cyberattacks that prevented them from accessing certain Information Technology (IT) systems as well as data. However, with timely action the firms were able to contain the ‘network security incidents’ and resume normal operations. Other chemical firms may also have been hit by cyberattacks in recent times, but such incidents are kept well under wraps because the firms’ reputations are at stake.
Against this background, it becomes extremely important to safeguard the company’s assets, and this is where cybersecurity comes in. According to market research firm Statista, the global size of the cybersecurity market is projected to grow from 240.27 billion dollars in 2022 to 345.4 billion dollars by 2026. Experts attribute this significant market growth to the growing number of cyberattacks across industries along with the rise of digitalization.
Digital transformation leads to increase in cybersecurity demand
This holds true, as demand for cybersecurity will surely pick up as more chemical plants transition towards digitalization. Tobias Nitzsche, Global Cyber Security Practice Lead, ABB Energy Industries, explains, “Digital transformation has led to an increase in the use of direct or indirect internet-connected devices and systems in chemical plants, which can potentially be exploited by cyber criminals.”
Adding to this, Gert Thoonen, Principal Architect OT, Rockwell Automation, says, “Digital transformation has created a new dynamic environment of intense competition between companies, and agile organizations who adopt these new technologies will get the upper hand by providing new products, services and better customer experience. But connecting all assets together in an enterprise also increases the enterprise’s susceptibility to attack which disrupts the business continuity.”
Michael Metzler, Vice President Horizontal Management Cybersecurity for Digital Industries, Siemens, also mentions, “Chemical plants are currently undergoing digital transformation across the globe, with more and more companies converging their operational field machinery with their company IT to improve efficiency, reduce cost and gain a competitive edge. However, with increased use of IT standards in OT (Operational Technology) systems, such as Ethernet and virtualization, chemical plants have become more vulnerable to cyberattacks.”
He adds that one major reason for this is that IT systems are designed to be open and interconnected, while OT systems are typically designed to be closed and isolated. This makes it easier for cyber criminals to gain access to OT systems through IT systems. Cybersecurity is therefore becoming increasingly important for chemical companies to adopt in their plants. This overall development has led to the creation of industry-wide standards such as IEC 62443, which deals with operational technology security in automation and control systems.
Developing a secure cybersecurity strategy
Developing a strong cybersecurity strategy becomes vital in this scenario, as it can go a long way to protect chemical plants. Thoonen emphasizes, “Having a clear strategy for OT which is not a copy of the IT strategy is a very important start. The key point in creating a winning strategy is to create awareness at the leadership level and have cross-sectional stakeholder buy-in. Restructuring of IT and OT departments is important to ensure unified alignment because both parties have valuable information to secure the full enterprise.”
He continues that the Chief Information Officer (CIO) and Chief Operating Officer (COO) should have overlapping goals, responsibilities and targets, which would force them to work as a team to secure the infrastructure. A coordinated joint task force with members from IT, control engineers, operators, security experts, HSE, management and the OEM control manufacturer should share their domain knowledge and expertise to evaluate and mitigate risks in a chemical plant.
On this, Nitzsche elaborates, “A cyber security strategy should focus on value delivery, based on continuous improvement. The effective utilization of available resources is a key factor for success, especially given actual OT cyber security resource shortages. As soon as you have a plan (your strategy) to achieve the defined objectives, the next step within the development of a security program (the roadmap) would be a gap analysis which could include multiple topics, for example, review of previous strategy, policies, standards, guidelines, risk assessments, audits, and regulatory requirements. Another aspect for a good cyber strategy is a cyber security program where you have measurable performance improvements.”
One more aspect is often discussed when firms consider adopting cybersecurity systems in their chemical plants: Return on Investment (ROI).
ROI for cybersecurity systems
ROI is usually used to define the profitability of an investment. However, Metzler opines that when it comes to cybersecurity systems in chemical plants, the ROI can be difficult to quantify, as it can be hard to measure the costs and benefits of preventing a cyberattack that may never happen. “Cybersecurity is an important consideration for the continuity of business operations, and the potential costs of a cyberattack can be significant, including financial losses, damage to reputation and loss of trust, and even physical harm to people and the environment. The cost of implementing cybersecurity systems and measures is relatively low as compared to the impact of cyberattacks; this makes it imperative for chemical plants to invest in cybersecurity,” shares Metzler.
Agreeing with him, Thoonen says that cybersecurity does not produce direct ROI but the benefits associated are intangible and can be measured in terms of efficiency and effectiveness for the company. In conclusion, cybersecurity can help better manage Total Cost of Ownership.
“To get a better understanding of the ROI for cyber security investments, organizations should conduct a risk assessment, understand the costs and benefits of various cyber security solutions, map it to a business impact analysis and establish a system for measuring the effectiveness of their cyber security efforts over time,” explains Nitzsche. “In many plants this doesn’t always mean starting from scratch; there might be already existing HAZOP studies and LOPA analyses available that can be utilized as valuable input for impact analysis.”
Reducing the risks of cyberattacks
To reduce the risks of cyberattacks on chemical plants, companies should adopt a defense-in-depth approach, which involves implementing multiple layers of security to protect the plant's networks and systems. Metzler elaborates that this can include:
Plant security: Plant security employs various methods to prevent unauthorized persons from physically accessing critical components, ranging from conventional building access to the securing of sensitive areas by means of key cards. Furthermore, it should encompass processes and guidelines for comprehensive plant protection. These range from risk analysis to the implementation and monitoring of suitable measures, all the way to regular updates.
Network security: This involves protecting the plant's networks from unauthorized access and attacks. This can include measures such as firewalls, intrusion detection systems, and other security technologies to protect the plant's networks and systems. To protect the automation network in a chemical plant against unauthorized access, network security monitors all the interfaces between the office network and plant network as well as remote maintenance accesses with the aid of network access protection, network segmentation, encrypted communication, and Zero Trust principles.
System integrity: This involves ensuring that the plant's systems are configured and maintained in a secure manner, and that they are running the latest software and security updates. This can include measures such as security controls to protect the plant's Industrial Control Systems (ICS) and Operational Technology (OT). Regularly conducting penetration testing and vulnerability assessments to identify and address vulnerabilities is important to maintain the system integrity. Automation systems have to be protected against access and manipulation attempts. Communication within the systems, program code, and intellectual property are particularly in need of protection.
Non-technical measures such as providing cybersecurity training to employees, developing incident response plans to respond quickly and effectively to cyber incidents, creating a culture of cybersecurity awareness throughout the organization, and collaborating with other organizations and agencies to share information and intelligence about potential threats are also important to ensure the overall security of the chemical plant.
Given the many positive aspects of cybersecurity, one thing is certain: chemical companies will have to incorporate this technology if they want to safeguard their operations and remain competitive in the market. After all, cybersecurity is here to stay, and if chemical firms do not implement it, they will wither away.