Cyber-attacks are a clear and present danger

Cyber-attacks are a growing risk to society, business, and industry, especially the chemical industry. A 2021 UK government study estimated that cyber-attacks cost the industry in general £1.3 billion a year.

Hiscox reported in 2022 that a fifth of businesses warned that a serious cyber-attack nearly left them bankrupt, with 87% viewing it as a bigger threat than an economic downturn.

Unlike attacks on IT, where the aim is usually financial gain through threat of data loss or denial of service, the impact of successful attacks on OT (Operational Technology) may be more severe, as they can affect plant and equipment in real time, in the physical world. The consequences may therefore be far-reaching, especially in the hazardous process industries:

  • Fires and explosions, leading to harm to employees and the public (even loss of life), long-term environmental damage and regulatory breaches.
  • Damage to manufacturing plant and to manufactured products, which may harm end users, for example in the pharmaceutical sector.
  • Business failure from costs arising from an attack.
  • Impact on local or national security.

Historically, OT was not connected to the internet: systems were ‘isolated’ or ‘air-gapped’. The move to Industry 4.0, with increased connectivity to provide real-time data analysis and integration with business systems generally, has increased the digital attack surface.

McKinsey noted that around 35% of declared OT cyber-attacks in 2021 had physical consequences, including shutdowns, outages, leakages, and explosions, with damages estimated at $140m per incident.

Notable OT malware events

There have been many well documented malware attacks on OT systems, which include:

  • Stuxnet, first uncovered in 2010, caused substantial damage to the Iranian nuclear programme by targeting the supervisory control and data acquisition (SCADA) systems.
  • BlackEnergy 3 malware disrupted the Ukraine power grid in 2015, affecting customers’ power supply.
  • Triton, termed the ‘world’s most murderous software’, is malware that can disable the safety instrumented systems specifically designed to prevent major accidents. It was first discovered at a Saudi petrochemical plant in 2017.
  • DarkSide, a hacker group that also offers Ransomware as a Service (RaaS), exploited the IT network of Colonial Pipeline, an American oil pipeline system that originates in Houston, Texas, and carries gasoline and jet fuel mainly to the Southeastern United States. In May 2021 the group stole 100 gigabytes of data before infecting the network with ransomware, which necessitated shutdown of the pipeline to stop the spread. The company had to pay the group for a decryption key to regain control of its systems.

In the UK, 74% of OT organisations reported experiencing data breaches (Cyber Security Breaches Survey 2024, GOV.UK). According to the 2024 Threat Report from Waterfall, there were 68 deliberate OT attacks in 2023, which impaired operations at over 500 sites. The number is projected to rise to 100 during 2024.

Building resilience in the sector

Resilience in the UK chemical sector is not mandated, but operators must comply with relevant safety and environmental legislation. Currently, 872 sites fall under the Control of Major Accident Hazards (COMAH) Regulations 2015, which require duty holders to take all measures necessary to prevent major accidents and to limit their consequences for human health and the environment. This means all COMAH Operators must implement effective Cyber Security Management Systems (CSMS) to mitigate the effects of cyber-attacks, which are foreseeable events.

In many situations, the threat of OT attacks may not have been considered fully, given that responsibility for cyber security is often the domain of IT, who may not fully understand OT vulnerabilities and potential consequences. Engaging both engineering and IT functions is an essential step in understanding the significant issues operators face.

Assessing CSMS maturity

Cyber security management should be incorporated into broader process safety management (PSM) programmes, with assurance processes to ensure the organisational and technical measures in place are appropriate and remain effective.

OpenPSM provides a state-of-the-art cloud-based application that allows operating companies to assess PSM system design and implementation, providing assurance that essential systems and procedures are fit for purpose and remain effective over time.

Soon to be added to this offering is a tool for self-assessment of Cyber Security Management Systems (CSMS) against established and evolving good practice guidance.