React Less. Defend More.

SAFEGUARDING CHEMICAL PRODUCTION & STORAGE

We assist the chemical production and storage industry in discovering, assessing, securing and governing all connected assets using a risk-based and outcome-focused approach.

Chemical Industry

“The Chemicals industry is striving ahead, incorporating at speed digitalisation as part of the Industry 4.0 revolution. This drive for efficiency, scale and flexibility has further promoted the convergence of Operational Technology (OT) with Enterprise technologies (IT) and the Internet of Things (IoT).”

Chemical Industry Cyber Security Challenges

The Chemicals industry is experiencing digital transformation with technology convergence across IT, IoT and OT environments. Plants continue to connect physical infrastructure to the digital world, bringing new vulnerabilities. New attack vectors are now a real concern, and traditional security methods are no longer enough. Additional security barriers designed specifically for Operational Technology are required.

Situational Awareness

Perception (What is happening?):

  • Complex and high-impact cyber attacks which target operational industries, such as Chemical manufacturing, are increasing. Many types of OT cyber attacks are being seen, from malware attacks targeting control and safety systems, to ransomware locking companies out of their core IT systems resulting in operational process shutdowns.
  • On top of dealing with increasing cyber attacks, other factors like systems obsolescence, increased enterprise connectivity and a general lack of OT cyber awareness amongst the workforce are compounding matters.
  • The pace of technological change, coupled with increased connectivity across operational environments, including the supply chain and third-party vendors, poses significant cyber-security challenges to chemical organisations. These challenges include turning to smart sensors and other interconnected IT and OT systems as a means of optimising research, development, manufacturing, storage, tracking and distribution processes. In doing so, organisations are also exposing vulnerable OT assets that weren’t designed with security in mind and creating a larger attack surface.
  • Regulatory compliance worldwide is increasing (e.g. UK OG-86, EU NIS2, IT-Sicherheitsgesetz, BSI-Gesetz).
  • Cyber security risk is a significant threat to health and safety and has been recognised as such by the United Kingdom Health and Safety Executive (UK-HSE). The UK regulator has published its own operational guidance as OG86 – Cyber Security for Industrial Automation and Control Systems (IACS). The guidance aims to facilitate a consistent and credible approach to cyber security risk management and is the reference source UK-HSE inspectors are using to audit sites storing sufficient quantities of dangerous substances (COMAH-rated sites).

Comprehension (Why do I care?):

  • Threat actors could exploit vulnerabilities across a widening attack surface to gain unauthorised access to IT and OT environments resulting in the tampering of production systems and associated data. This could result in system availability and data integrity consequences that impact business operations.
  • Regulatory cyber risk management and auditing requirements are increasing. Organisations are required to demonstrate that risk management strategies are implemented and effective. Non-conformance can result in penalties that range from financial to revocation of operating licence.

Chemical Risk Management

In the context of an organisation with no or limited OT cyber security risk management, OTIFYD recommends a holistic approach when defining an effective OT cyber security risk management strategy/programme.

The first step in this journey is to understand risk and consequences to the organisation. At a basic level, this means identifying the most critical OT functions essential to fulfilling the organisation’s business operations, and the potential consequences of a cyber attack against them. The knowledge of an organisation’s system custodians and engineers should be leveraged to identify methods an adversary could use to compromise critical OT functions. This valuable knowledge includes technical system architecture details and insights into procedures and ways of working, such as logical user access, third-party service provider scope, supply chain considerations and physical security. Real-world cyber scenarios seen across industries should also be considered. Not all will be applicable, but reviewing them ensures completeness and due diligence.

The ultimate aim of this initial analysis is to identify and prioritise risks that result in high-consequence events for the organisation. It also provides a high-level snapshot of current risk exposure and whether this exposure is within or out of organisational risk appetite/tolerance. Any subsequent OT cyber security strategy/programme and risk mitigations should be aligned accordingly with this analysis to ensure tangible risk reduction that is outcome focused. This approach helps organisations justify OT cyber security improvements and the associated costs by being armed with better information and understanding of “What, Why and How?”

The second stage in the journey sees the definition and establishment of an overarching OT Cyber Security Framework (OT-CSF) that delivers formalised policies, procedures, datasets, work instructions and best practice guidance designed for OT cyber security risk management. The OT-CSF should be aligned accordingly with guidance provided within industry frameworks such as:

The scope and depth of the OT-CSF must be realistic and defined based on factors such as plausible operational business risk and regulatory compliance requirements. An overly burdensome OT-CSF may deliver perfect cyber security on paper but, in reality, will likely be ignored or worked around, rendering it ineffective. At a minimum, an OT-CSF should include:

  • Formal governance model (assignment of accountable, responsible, supporting, consulted roles/parties)
  • Formal end-to-end operating model (visualisation of operations through to OT asset/system support)
  • Regulatory compliance requirements (locale/country dependent, e.g. UK/EU NIS, CISA etc)
  • Asset inventorisation/management (listing of OT assets that require run and maintain support)
  • Network architecture documentation (logical and physical diagrams representing the as-is architecture, including all north-south and east-west connectivity)
  • Incident response plan (based on real-world industry scenarios that pose the most risk)
  • Workforce development (minimum training curriculum and awareness for all OT users)
  • Applicable supporting OT cyber security procedural controls (e.g., access control, management of change, portable media management, backup and recovery etc)
  • Basic performance monitoring and reporting (e.g., management reviews and continuous improvement processes)

The above represents a foundational level of controls that can be supplemented as organisational OT cyber maturity increases. Supplementary controls can be procedural or technology-based and include:

  • Internal assurance and compliance (self-assessment of OT cyber security risk management maturity)
  • External audit (independent assessment of OT cyber security risk management maturity)
  • Third-party/supplier assurance (OT cyber security requirements embedded within contracts)
  • Network monitoring and threat detection solutions (active monitoring and alerting of cyber events of interest)
  • Asset monitoring and vulnerability detection solutions (helps foresee potential security and reliability issues before they impact operations)
  • PAM – Privileged access management solutions (safeguards identities with special access or capabilities beyond regular users)  

Knowing which business risks, regulatory drivers, and real-time operational insights to focus on is only the start of the OT cyber security journey. Organisations must also be realistic about their ability to execute and sustain a strategy/programme, so they should ask:

  • Are budgets adequate?
  • Do the right skills exist in-house?
  • Can our suppliers and service vendors support the requirements?
  • Do governance mechanisms exist to enable business leaders to make decisions and support the cyber security strategy/programme?

The ultimate aim is to reduce an organisation’s exposure to weaknesses and vulnerabilities that could be exploited by malicious threat actors. Additionally, greater awareness of cyber risk and formalised ways of working reduce the likelihood of cyber incidents caused by workforce error or misuse of OT assets.

Of course, one size does not fit all. A focused process of discovery and risk assessment is therefore paramount to identify an effective but sustainable blend of controls that meet business needs and address the cyber risks being faced.

Call to Action

Operating a Chemical asset without an appropriate OT cyber security strategy and relevant controls is high risk. To help you discover your level of risk exposure and to illustrate how we can support effective OT cyber security return on investment, get in touch for a free 30-minute consultation.