Blog
Why chemical companies need more robust security
5-MINUTE READ
February 2, 2024
Thank you to Accenture’s Jeff Hutson for his contributions to this blog.
Fun fact: 96% of manufactured goods depend on chemicals.1 That’s a powerful testament to the vitality of the industry. But it also means that protecting chemical assets and operations from theft or disruption is more critical than ever. And because the chemical industry processes hazardous, toxic and explosive materials as part of its manufacturing processes, the safety of people and their environment must also be a prime focus of business leadership. Today, managing those safety and security risks requires a new focus — cybersecurity.
Where are the cybersecurity shortcomings in the industry? And what can be done to raise maturity levels?
Understanding the demand for operational data and information
Historically, operational technology (OT) environments have been locally managed with limited corporate oversight and few regulations specifically oriented around cybersecurity.
Today, as chemical companies initiate transformational changes, they recognize the valuable data OT systems offer — especially when integrated with information technology (IT) systems — to enable real-time decision-making, predictive equipment maintenance, insights for improving operational efficiency and fully maximizing the use of intellectual property and trade secrets in manufacturing processes.
The problem, however, is many companies lack a holistic security strategy that spans both the OT and IT worlds. Consequently, greater connectivity and integrations risk exposing OT networks to threats that never before existed. In recent years, there have been prominent stories in the news about cyberattacks on critical operational infrastructure. These OT cyberattacks allowed threat actors to move laterally across the network and ultimately impacted supply chain operations. One such attack compromised industrial control systems and manipulated chemical flow settings at a public water treatment utility. Another hit offshore facilities in North America with ransomware. Phishing opened the door for cyber criminals to access a company’s OT systems simply because an employee clicked a link in an email.
Not only are cybercrimes costly, but they also have the potential to weaponize a chemical facility. The impacts can include theft or damage to intellectual property, production downtime, regulatory violations, environmental contamination and, most critical, safety of workers and the public. Consider the potential damage if a bad actor breaches an OT system controlling a critical process and tampers with the recipe, resulting in an explosion when the wrong mix of chemicals is used.
The cybersecurity landscape is continually changing. Threat actors are getting smarter, exploits more sophisticated and potential attack surfaces ever broader. Chemical companies need to strengthen their digital core and invest more in cybersecurity measures to keep up with the bad guys — and minimize the potential damage they could inflict on the business. And they need to start early. Accenture's State of Cybersecurity Resilience 2023 report found that by converting cybersecurity from an incident-driven reaction into part of the fabric of transformation efforts, organizations can not only boost cybersecurity resilience but also position themselves to reinvent the whole enterprise and set a new performance frontier, safely.
Addressing technology and organization challenges
Chemical companies face several challenges in elevating their cybersecurity maturity and strengthening protection of critical OT systems. The reality is typical OT environments have been in place for many years and were designed to ensure uptime and optimization, not necessarily cybersecurity. Their age and complexity also make many of these systems sensitive to new integrations, updates or software changes.
Many chemical companies also lack visibility into what OT devices and systems are on the network, other systems with which they communicate and/or share data and how they operate with one another. Lack of automation is another obstacle to producing utilization reports, lifetime patch status and other important information associated with securing these systems.
Companies must also address organization and process challenges, such as ongoing system governance. Ensuring that consistent security measures are in place across multiple plants and processes is difficult if there are different people in each plant responsible for the systems. Clear roles and responsibilities are needed for proper governance and accountability. Since security has not traditionally been a focus in OT, companies may also lack the necessary security expertise, requiring a talent assessment and possible workforce changes.
Often, industrial change management processes do not incorporate security. Additionally, response plans may be well designed to support maintenance, repair and overhaul but overlook security, potentially leaving a serious gap in the event of a cyberattack. Companies should have a robust incident response plan that is designed specifically to react to major security impacts within the OT space. Critical business processes mapped to threat modeling scenarios can give focus to cybersecurity investment decisions, as well as identify the correct trigger points for an incident response plan and the key activities associated with it. For example, who makes the decision to pay the ransom if critical data has been encrypted on a system due to a ransomware attack?
Strategies for elevating cybersecurity maturity
The need for chemical companies to improve cybersecurity maturity is critical and urgent. The question for most companies is where to begin.
It is first important to define the scope for new cybersecurity initiatives. This starts by determining the maturity requirements of the organization — which is the capability required to mitigate cybersecurity risks to an acceptable level — and then developing a plan to get there. The process typically involves a risk assessment and evaluation of current security programs, technology and governance. As part of this work, companies will also want to identify a maturity target based on Capability Maturity Model Integration (CMMI) levels (see Figure 1).
An OT security capability plan for chemical companies
Figure 1: OT Security Capability Plan
Source: Accenture project experience and analysis
To establish a solid foundation for building a more mature OT cybersecurity program, we believe chemical companies should focus on two key factors: visibility and governance.
Start by improving visibility of OT assets
Simply put, if assets are not visible, they can’t be protected. Until it is known what assets exist in the OT environment, and how they interact, it will be difficult to make any meaningful decisions about how to keep them safe. Asset management should be at the core of any cybersecurity program.
Our recommended option is to use a monitoring solution — placing sensors on the OT network to passively detect anomalies and inventory devices and determine which systems are communicating and sharing data with each other. This effort will produce an asset list as well as details on data flow critical to assessing risk and implementing effective security measures. Feeding this information into an incident management or service management platform will enable the creation of an automated process for identifying devices needing security patches and generating service tickets so those patches can be applied according to established maintenance cycles.
Companies can also consider using artificial intelligence to enhance OT cybersecurity. For example, generative AI can analyze data from sensors to monitor network traffic and detect anomalies and threats — helping protect infrastructure from attacks.
Greater visibility aids in full lifecycle asset management. In some cases, assets may no longer be supported by the vendor, and, therefore, no new security patches are available. This will prompt action to develop a refresh plan, which may affect how other production systems and applications are updated or refreshed. All of this is fundamental to informing a longer-range cybersecurity program.
Establish governance between security leadership and the business
Addressing governance is key to ensuring security policies and practices are applied consistently across multiple plants and manufacturing processes. To be effective, companies should establish a bridge between security leadership and business leadership to enable a unified culture of security awareness and commitment across all production operations.
Consider a chemical company with 20 or 30 different products manufactured within a single business line. This company would need someone in place with operational responsibility and security authority specific to that business line — someone who can implement the security strategy established by the company’s chief information security officer in a way that is appropriate for the operation.
For example, this business line may only be able to accommodate downtime of one hour each month for patches. Another business line in the company may manufacture products serving a seasonal industry and could support longer patch and maintenance windows but only certain times of the year. That’s why it is important to build working partnerships between each business and security leadership, so the security strategy is followed consistently but implemented in a way that works for each individual operating plant.
Building a long-range cybersecurity plan
Having established the foundational building blocks of visibility and governance, chemical companies will be in a solid position to begin developing a long-range cybersecurity program. Knowing today’s status is critical to determining which projects to undertake and in what priority, leading to each organization’s cybersecurity maturity goal. Those decisions should be based on risk and, in most cases, start with opportunities to achieve quick wins. The most important thing is to have a prioritized plan and follow it.
The risks associated with a cybersecurity breach are great and deserve priority attention by chemical companies to improve their cybersecurity maturity and address disparities between IT and OT security. As we’ve discussed, there are technical and organizational challenges impeding change. But by addressing the fundamentals of cybersecurity and methodically rolling out a comprehensive program over time, companies can close OT/IT security gaps to better protect employees, intellectual property, revenue streams and reputational integrity.
Are you ready to secure your company’s future? Let’s talk about how to get started.
1 U.S. Specialty Chemical Markets End Second Quarter on a Solid Note