As cyber threats grow, engineers must integrate cybersecurity with process safety. To secure the future, chemical plants need a proactive, resilient approach. Black & Veatch’s Martine Chlela looks at what that entails
WHILE cybersecurity has always been a vital concern for critical infrastructure, today the stakes are higher than ever – nowhere more so than in the chemical sector.
These facilities, integral to producing, refining, and transporting hazardous chemicals, have become prime targets for increasingly sophisticated cyber-attacks. The reliance on operational technology (OT) to manage and control complex industrial processes creates an intricate web of risks that threaten physical safety and digital security.
Cyber incidents in the chemical sector can have devastating consequences. In 2017, a sophisticated cyber-attack targeted a petrochemical facility in Saudi Arabia intending to compromise safety controls and trigger an explosion. While the attack was thwarted, the incident underscored the real danger of cyber-attacks causing physical destruction of critical infrastructure.
Chemical plants increasingly face a broad spectrum of cyber threats that, while not exclusive to the industry, carry particularly severe consequences due to the critical nature of their OT systems.
Ransomware has been one of the most pervasive threats, targeting OT systems and causing disruptions that could halt production, disrupt supply chains or even manipulate hazardous processes leading to catastrophic outcomes.
Even more insidious, the stealthy, prolonged attacks known as advanced persistent threats (APTs) are designed to infiltrate systems and remain undetected for extended periods, gathering intelligence on operations. APTs sit within the system, gathering information and building a network map to understand how a chemical plant operates, which enables attackers to launch targeted attacks with devastating precision.
And once attackers understand the environment, they can launch precise, harmful strikes to manipulate processes, disable safety systems or compromise critical infrastructure. While less common than ransomware, the impact of APTs on chemical plants can be catastrophic, turning a cyber intrusion into a matter of life or death.
Beyond these purely technical threats, phishing and social engineering attacks remain effective and pervasive. All it takes is a single employee to click on a malicious link to trigger a chain reaction of cyber destruction.
Insider threats – both intentional and unintentional – pose an added layer of risk. Even an uninformed employee’s mistake can serve as a foothold for attackers, enabling an escalation of threats and disastrous consequences.
Each of these threat vectors requires a tailored response, and the complexity increases when considering the integration of OT and IT systems.
Meanwhile, chemical plants are adopting digital technologies and integrating physical and cyber systems to streamline operations and unlock new growth opportunities. However, these initiatives – including upgrading legacy systems, deploying automation, and incorporating data analytics – bring their own set of challenges.
As companies digitise, they also open more points of potential access, both physical and digital. The upshot is that every connected device, whether it’s a physical input or a network port, becomes a potential target for malicious actors. Indeed, with an interconnected network of devices and automated systems, a cyber-attack can send shockwaves throughout the entire system, compromising everything from facility safety to product quality and integrity.
In short, while digitisation holds the promise of operational efficiency and growth, chemical plants must carefully weigh these advantages against the growing vulnerabilities in their systems. Chemical plants must adopt robust cybersecurity measures as a critical component of their digital transformation strategy.
Early detection of a breach is critical to mitigating the impact of any attack. For engineers working in chemical plants, identifying anomalies and investigating deviations from standard operations must become second nature.
When intruders attempted in 2021 to adjust pH levels at a Florida water treatment facility to dangerous extremes, a plant operator fortunately noticed his mouse was autonomously clicking through the water treatment plant’s controls. The attackers intended to change the water supply’s levels of sodium hydroxide, which at high levels would pose a danger to human health. Although the facility was not a chemical plant, the incident underscored how vigilant monitoring of system behaviour can provide the critical early warning needed to stop a breach before it escalates.
Engineers must constantly ask themselves whether commands are functioning as expected. Are systems behaving abnormally? Is there anything that deviates from standard operation? Are commands failing to execute as expected? Are systems over-spinning, or processes deviating from standard parameters? All are early indicators of a potential breach and should be investigated immediately.
That proactive mindset is key to securing chemical plants, particularly when addressing the distinct needs of brownfield (existing) and greenfield (new) facilities. In brownfield plants, repeated cybersecurity assessments are essential since legacy systems, which are common features in older facilities, often lack built-in security features. In greenfield projects, the concept of security by design must be top-of-mind.
By embedding cybersecurity measures at every stage of development – from hardware selection to process workflows – engineers can create robust systems that are resilient to modern threats. This forward-thinking approach ensures vulnerabilities are addressed proactively, rather than reactively.
Moreover, fostering a culture of cybersecurity awareness across the organisation is essential. But that won’t succeed if cybersecurity remains siloed within IT departments. It must be integrated into every level of operations so that engineers, operators and management alike understand their role in maintaining the security and safety of the facility.
The integration of OT and IT systems presents no shortage of challenges for chemical plants, given that OT systems are designed for reliability and uptime, while IT systems prioritise security updates and adaptability. In safety-critical environments, downtime is not an option. But the task of fostering seamless systems integration can be fraught because each department is focused on its own priorities and operational requirements.
Effective integration begins with collaboration. For chemical plants, achieving alignment between these teams is essential. Both groups must share a unified understanding of the plant’s safety-critical nature, emphasising cybersecurity as a fundamental, unified aspect of the plant’s operational safety.
To facilitate this collaboration, real-time monitoring tools are indispensable. These systems provide operators with visibility across both IT and OT environments, enabling the detection of threats without compromising safety or disrupting operations. Segmentation is another proven strategy, ensuring IT and OT systems remain isolated while maintaining oversight to prevent vulnerabilities from spreading.
Given the high stakes in chemical plants, adopting a zero-trust approach to network architecture is non-negotiable. This means verifying the identity of every device and user attempting to access the network, ensuring they meet strict security standards. Updates and patches must be implemented carefully to address vulnerabilities without introducing risks. This sounds like a lot of work, but the payoff is worth the extra effort as the approach minimises the potential for compromise while ensuring operational continuity.
Emerging technologies like industrial internet of things (IIoT), artificial intelligence (AI), and digital twins also offer new opportunities for improving IT-OT integration. IIoT devices, for example, can enhance performance and efficiency, but they must be secured to avoid introducing vulnerabilities. What’s more, AI can support predictive maintenance and streamline operations but must be deployed cautiously to avoid creating unforeseen risks.
Similarly, digital twins – a virtual replica of the plant’s physical systems – provide a promising solution for chemical plants. These replicas can simulate real-world scenarios, such as testing cybersecurity measures and attack responses, without risking actual systems. However, access to digital twins must be tightly controlled to prevent malicious actors from gaining insight into plant operations.
The inherent risks in high-hazard environments mean that process safety isn’t just a priority – it’s the bedrock upon which everything else is built. Risk assessment methods like Layers of Protection Analysis (LOPA) have long been employed to evaluate potential safety risks, putting in place layers of control that serve as barriers to prevent catastrophic incidents. These measures have kept facilities running safely, but as the industry undergoes a digital transformation, cybersecurity, though not traditionally part of the safety equation, is now of even more vital importance to any organisation.
By integrating these two domains, chemical plants can forge a robust, multi-faceted defence that not only addresses physical risks but also digital vulnerabilities, a practice that needs to become fundamental.
The key lies in rethinking how safety and cybersecurity work together. Engineers can start by identifying how cyber threats might impact safety-critical systems – those systems that, if compromised, could lead to disastrous outcomes. Integrating established cybersecurity standards, like NIST or IEC 62443, into the process safety evaluation ensures that every potential risk is scrutinised, from physical failures to cyber disruptions.
Integration doesn’t stop at evaluation; it must extend into continuous vigilance. Conducting continuous monitoring and vulnerability assessments alongside traditional safety assessments helps create a multi-layered defence strategy that addresses both physical and cyber risks simultaneously.
Safety-critical systems are inherently cyber-critical in today’s world, and treating them as such guarantees that the plant’s operations are fortified from all angles. When process safety and cybersecurity work in tandem, chemical plants can truly safeguard both their physical and digital infrastructures, ensuring not just safety, but a future-proof, resilient operation.
The threats facing chemical plants are real and increasingly sophisticated. However, with the right strategies and proactive cybersecurity measures, the sector can defend itself and set a global standard for cybersecurity excellence in critical infrastructure. By embedding cybersecurity into every layer of operation – whether in legacy systems or new projects – chemical plants can build resilient infrastructures that protect against both cyber and physical risks, ensuring a secure and sustainable future.
1. ISA/IEC 62443 Series of Standards: https://bit.ly/44mSgjj