As the frequency and sophistication of industrial cyberattacks continue to rise, chemical companies can follow guidance from industry and government directives to help define their organization’s specific cyber-risk profile
Cybersecurity risk is a key topic for all companies, due, in part, to recent high-profile incidents and a heightened focus from regulatory agencies. This is of particular importance to industrial sectors that use technology for automation, control and information storage. Critical infrastructure sectors have increasingly become the targets of cyberattacks and cyber espionage, and it is now even more imperative for organizations in the chemical process industries (CPI) to identify individualized cyber-risk profiles and ensure appropriate safeguards are in place relative to those risks. As the saying goes: an ounce of [cyber] prevention is worth a pound of [cyber] cure.
The rise of cybersecurity concerns
Though all industries face some degree of cyber risk, the chemicals sector carries unique vulnerabilities. Computer-based automated industrial control systems (ICS) are widely used by chemical plant owners and operators to manage and run their facilities. Malicious actors, be they nation states, business rivals or cybercriminals intent on blackmail, are deploying a range of tools — both new and old, common and extraordinary — to exploit vulnerabilities resulting from increased interconnectedness between operational technology (OT) and information technology (IT) systems (Figure 1).
Successful exploitation of these vulnerabilities can create business disruptions and inhibit the use of equipment. They can also result in the theft of proprietary information, such as chemical formulations, customer data or personal information, and ultimately cause significant damage — system damage, reputational damage or even physical damage or safety risks, depending on the process. Threat actors see CPI organizations as high-value targets precisely because of the potential cost, both financial and reputational, to the owner or operator should production stop or sensitive data be stolen.
Furthermore, although cyber incidents are becoming more sophisticated, the tools and tactics that attackers use to access systems remain relatively constant. Some of the most common attack vectors include: social engineering attacks, such as email phishing; exploiting unpatched software vulnerabilities; and compromising remote desktop protocols or other external-facing network ports. Nevertheless, a few troubling trends are emerging. For example, upon gaining access to a system, threat actors often spend considerable time dormant and undetected, often gaining intelligence on system architecture and preparing sensitive data for exfiltration. In recent incidents, threat actors have sold stolen data outright to competitors. In other cases, the threat actors use the data as leverage for a ransom payment.
At the same time, the current regulatory framework intended to support the CPI against cyberthreats is under question. Critics argue that the Chemical Facility Anti-Terrorism Standards (CFATS), the federal regulations specific to the chemicals sector (which have not been updated since their adoption in 2007), do not adequately reflect the current risk landscape.
For example, there is nothing in the CFATS addressing email phishing campaigns. In fact, a 2020 audit by the U.S. Government Accountability Office (GAO) found that chemical facilities are more vulnerable to cyberattacks simply because they are relying on the outdated regulatory guidance [ 1]. A key issue identified by the audit is the lack of an actual process or structure to routinely review the guidance and update to reflect the current threat landscape. Relatedly, a key component of the CFATS program is third-party inspection and oversight, but the GAO similarly found that inspectors did not have adequate cyber expertise or training to properly identify deficiencies.
Specific risk profiles for the CPI
The chemicals sector is an essential part of the nation’s infrastructure. As a result, owners and operators are a high priority for threat actors because of the perceived leverage in ransom demands due to high costs of production disruption or theft of sensitive data (Figure 2). Additionally, these types of attacks receive higher attention, which promotes the “Ransomware as a Service” business model that essentially sells malware to other groups.
In addition, CPI enterprises are becoming more automated, computer-dependent and interconnected. The sector has traditionally been slow to adopt new technological innovations, but digitalization measures are becoming more popular (for instance, digital twins of physical production assets and smart supply chains). Computer-based, automated ICS are widely used by chemical companies to manage and operate their facilities. Most CPI companies have internet-connected devices as part of their process-control systems to allow, among other things, instrument manufacturers to service devices remotely. These remote access points are a popular way for threat actors to gain access to a system. An added risk is the mixture of old and new equipment, which is common in CPI facilities. However, these technological modifications are often made incrementally, and there is not always a clear understanding of how updates in one area may affect other areas, which can lead to vulnerabilities.
Finally, the COVID-19 pandemic has created new cyber challenges for the sector. With the shift towards remote work and a distributed workforce across home networks and hot spots, company networks are spread wider than they have ever been, creating a host of vulnerabilities. As a result, there has been a correlative uptick in electronic messaging, which has led to an increase of phishing messages designed to look like official communications to persuade people to click on malicious links or enter credentials. Additionally, there are more platforms to allow interaction between remote experts and field personnel. And, as noted previously, some essential functions at the plant level, including service engineering, are now routinely done remotely through applications that are at risk of being compromised.
Despite these continued risks, organizations are also being asked to cut costs because of the economic downturn that has resulted from the pandemic. These cuts can have a substantial impact on operations, often requiring companies to choose between new initiatives to fund, potentially thwarting investment in preventative security.
Cyberattacks in the CPI
In 2017, one of the most well-known attacks in the CPI occurred, when a petrochemical facility in Saudi Arabia was attacked. The safety control systems that were in place to prevent a cyber intrusion were thought to be impenetrable. Fortunately, the attack was detected early, and the threat actor was unable to cause serious damage. Nevertheless, the potential for disaster was so great that the attack has been dubbed “the world’s most murderous malware” because experts believe the attack was designed by a nation state actor (probably Iran) to trigger an explosion at the facility.
In 2019, three large chemical manufacturers — Norsk Hydro, Momentive and Hexion — were victims of ransomware attacks [ 2, 3]. As a result of the attacks, the Norway-based global aluminum producer, Norsk Hydro, was forced to shut down plants and switch to manual production after key systems were encrypted and inaccessible. Around the same time, U.S.-based chemical companies Momentive and Hexion announced they had also become victims of a cyberattack. The same encryption program is believed to be behind all three attacks, but investigators could not determine how the malware was introduced into the systems. Experts believe the three attacks were financially motivated.
Finally, in 2021, three other chemical manufacturers — Siegfried, Brenntag and Symrise — were victims of cyberattacks. Swiss drug ingredient manufacturer Siegfried experienced a malware attack that shut down production at multiple sites and cut off network connections . Siegfried was involved in the packaging of the Pfizer COVID-19 vaccine at the time of the attack. Later in 2021, chemical distributor, Brenntag, was a victim of the same ransomware variant used in the Colonial Pipeline attack. Brenntag reportedly paid $4.4 million to the threat actors to recover potentially impacted data, including intellectual property, project data, financial information and employee data. Symrise was also the victim of a ransomware attack. The company reportedly did not pay the ransom but, according to the company’s CEO, the resulting delays in production and logistics directly related to the cyber event caused the company to fall short of its sales targets.
Industry laws and standards
The chemicals sector is not without its guardrails. In addition to the CFATS, there are frameworks that support proper risk profiling and cyber preparation for the sector, as well as regulate the protection of personal information (for instance, customer or employee personal information).
Additionally, new directives are expected for the chemicals sector through the Infrastructure Investment and Jobs Act, which was signed into law in November 2021 .
On March 15, 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 . It requires entities in critical infrastructure, which includes the chemicals sector, that experience a covered cyber incident to report the incident to the Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security (DHS; Washington, D.C.; www.dhs.gov), within 72 h after the entity reasonably believes the incident occurred. Additionally, in the event a covered entity makes any ransom payment, the entity must report the payment to CISA within 24 h.
The new reporting requirements will not go into effect immediately. Instead, a proposed rule is to be issued by March 15, 2024, and then the Director of CISA is required to issue the final rule within 18 months of the issuance of the proposed rule. The proposed rule should include definitions of covered entities and covered cyber incidents. The new law also includes the creation of a Cyber Incident Reporting Council, aimed to increase cooperation and responsiveness of federal agencies to cyber attacks impacting critical infrastructure.
Additionally, CISA recently announced its focus on the chemicals sector, and that it also will continue to release new guidance directed at critical infrastructure that aligns with President Biden’s cybersecurity executive order .
CFATS. The approximately 3,300 CPI facilities identified as high-risk because they possess certain quantities of designated chemicals of interest are covered under CFATS [ 8]. The CFATS are regulated under CISA and are meant to ensure that security measures are in place to reduce the risk of hazardous chemicals being weaponized. The CFATS regulations apply across the chemicals sector, including chemical plants, chemical storage facilities and electrical generating facilities. Facilities are required to report to CISA within 60 days of when they gain possession of one of the more than 300 identified chemicals of interest (Figure 3). CISA then determines whether the facility is high risk. High-risk facilities are then required to develop and implement a security plan that addresses the CFATS requirements, which include requirements for covered facilities to establish protocols for identifying and reporting significant cyber incidents to appropriate facility personnel, local law enforcement and CISA.
National Institute of Standards and Technology (NIST) Framework. The National Institute of Standards and Technology (NIST; Gaithersburg, Md.; www.nist.gov) cybersecurity framework  has been adopted by many CPI companies to create cyber-risk management programs. NIST establishes specific cyber frameworks for industrial control systems that are organized into the following five key areas:
- Assessment to identify organizational cybersecurity risks to systems, assets, data and capabilities
- Safeguards to protect the organization, including access control, processes and procedures, protective technology and training
- Detecting and identifying cybersecurity events
- Cyber-incident response plans
- Plans to recover and restore capabilities and services should there be an incident
ISA 62443. The International Society of Automation (ISA; Research Triangle, N.C.; www.isa.org) released standards that outline cybersecurity plans, processes and procedures for securing and defending industrial plants from cyberattacks . ISA 62443 is focused on operational technology, rather than information technology, and it is not specifically tailored to the chemicals sector but does offer an approach to create a cybersecurity management system. Companies can seek ISA 62443 certification, which is a third-party technical expert attestation of compliance with the requirements. These include requirements related to engineering processes, product design and network susceptibility.
American Chemistry Council. The American Chemistry Council (ACC; Washington, D.C.; www.americanchemistry.com) requires its members to perform a risk assessment to review cyber vulnerabilities, implement security measures to address those threats, and provide training and guidance to employees on current and emerging threats. ACC members include companies involved in chemical manufacturing, sales, transportation, distribution, and storage and disposal.
Data privacy and protection laws. Should a company fall victim to a cyber incident, there is always a risk that sensitive personal data belonging to individuals could be impacted. There is no single U.S. federal law for data privacy and protection that comprehensively covers the chemicals sector, but every state has passed some form of data-breach response legislation, and many states have consumer protection laws of various types. About half of the states also have minimum technical and security requirements that companies are required to implement to protect data. In addition, California has a comprehensive data-protection regime through the California Consumer Privacy Act (CCPA), which went into effect in 2020. Since the passage of the CCPA, other states, including Virginia and Colorado, have adopted similar laws. Additionally, several countries and regions have adopted comprehensive data protection legislation, including the U.K., Brazil, South Africa, China, South Korea and Japan. The E.U., in particular, has long applied a more wide-ranging data-protection regulatory scheme, and its most recent data protection law, the General Data Protection Regulation (GDPR), has served as a model for other jurisdictions developing robust data-protection requirements.
The ounce of prevention
Given the heightened risk of cyber incidents in the chemical sector, owners and operators should undertake specific steps to protect themselves from cyber vulnerabilities to help mitigate damage to systems and data should they fall victim to an attack.
Adopt a “zero trust” model. A zero trust approach is based on the premise that no source should be trusted, and cybersecurity teams need to assume that attackers are always present inside and outside of their networks. This drives the idea that no communication or activity should be allowed until it is first properly authenticated and authorized.
Zero trust also includes a focus on the micro-segmentation of networks, which unlike traditional network segregation that controls traffic into and out of a data center, is concerned with segmenting traffic moving between applications and processes. This may include separation of operational systems and data systems (for instance, the segregation of OT and critical processes from other business systems) and blackening certain infrastructure with deny-all firewalls and by providing no public IP addresses or open ports.
Foundational controls. Companies should have several foundational controls, including the following:
- Patching with automatic updates
- Encryption of sensitive data
- Offsite backups
- Multi-factor authentication (MFA)
- Malware protection
- An up-to-date anti-virus system
- A reputable firewall configured to block malicious IP addresses
- Application whitelisting
- Asset inventory
These types of controls allow companies better visibility into systems and networks, potential threats and related risk exposure and to identify where vulnerabilities might exist.
Monitor and detect. In addition to controls, companies should have detection capability and security operations to monitor the controls put into place. Companies must consistently review and appropriately respond to events within the network. Companies should perform regular vulnerability scans and should consider implementing an endpoint detection and response (EDR) solution.
Inform and respond. Companies should regularly provide cybersecurity and phishing training and exercises for all members of their organization (Figure 4). Companies should also have a robust incident-response and business-continuity plan, and regularly test both. Finally, chemical engineers and plant operators need to work closely and communicate regularly with the organization’s technology and security teams, as the plant engineers may not understand technical or security issues and the IT or security teams may not understand the OT in the plant.
Cybersecurity must be a key focus and an identified enterprise risk. The number of attacks continues to rise, and at the same time, the attacks are becoming more sophisticated. Regulators are also extremely focused on improving security in the CPI and updating guidelines — the sector must dedicate resources to track and implement these directives. All this is happening in a time when the CPI continues to automate and develop technologies that are more connected and pose more risk. Companies must update their strategies for preventing attacks — that way, if they do fall victim (and unfortunately it is often a question of when, not if) — they are better prepared to mitigate the damage and resume normal operation quickly.
Edited by Mary Page Bailey
1. U.S. Government Accountability Office (GAO), Actions Needed to Enhance DHS Oversight of Cybersecurity at High-Risk Chemical Facilities, GAO-20-453, May 2020.
2. Norsk Hydro, Updates on cyber attack, Press releases dated March 19–April 5, 2019.
3. Bailey, M. P., Hexion and Momentive respond to cyberattacks, Chem. Eng., March 25, 2019.
4. Bomgardner, M. M., Siegfried, Brenntag, and Symrise hit by cyberattacks, Chemical & Engineering News, May 27, 2021.
5. 117 th U.S. Congress, Public Law 117-58, Infrastructure Investment and Jobs Act, November 15, 2021.
6.117 th U.S. Congress, H.R.2471, Consolidated Appropriations Act, March 15, 2022.
7. Cybersecurity and Infrastructure Security Agency (CISA), Cybersecurity Directives, www.cisa.gov/directives.
8. Lozowski, D., CFATS and Chemical Plant Security, Chem. Eng., Sept. 2009.
9. NIST Cybersecurity Framework, www.nit.gov/cyberframework.
10. Cosman, E. C., Industrial Control Systems Security: The Owner-Operator’s Challenge, Chem. Eng., June 2014.
Matthew R. Baker (Email: [email protected]) is a partner at Baker Botts in San Francisco. His practice focuses on white collar defense, crisis management and internal investigations for a broad range of industries, with an emphasis on the energy and chemical sector. He is also well-versed in complex electronic discovery and information governance issues, as well as domestic and international data privacy and information security practices.
Rachel Ehlers (Email: [email protected]) is a special counsel at Baker Botts in Austin, Tex. Her practice focuses on technology transactions, data privacy and cybersecurity. She has extensive experience advising clients on data incidents and breach response, cross-border transfers, and data privacy and cybersecurity issues related to mergers and acquisitions.