Chemical sites and IT security: Too many cooks spoil the broth

74% of all cyberattacks are directed against the chemical and pharmaceutical industries, the industries most affected by this form of crime, according to a study by the Criminological Research Institute of Niedersachsen.

This gives food for thought, given these industries' handling of hazardous materials and a corporate structure that often makes it difficult to deal with cybersecurity in a state-of-the-art and uniform manner.


Individual divisions – Too many IT solutions
Chemical sites and chemical parks are usually controlled and managed autonomously by the various corporate divisions or individual companies on the site. Synergies are achieved through highly efficient interaction between the various production facilities on a site or in a chemical park.

The chemical industry is capital-intensive, and the life cycle of production plants is therefore very long. Because of this long life cycle and the demand for cost-efficient production, investments are handled very restrictively.

In these companies, cybersecurity, if it is an issue at all, is usually handled by a central unit, such as an additional staff position in IT.

However, this setup does not reflect the cybersecurity needs of each individual production plant. Knowledge of what the various business units actually need is low or poorly coordinated. Each division is responsible for the operation of its chemical plants and does not have a clear view of the issue of cybersecurity.

Production control systems, some of which are up to 30 years old, are replaced from time to time, but only in part, so that IT inevitably drifts apart.

This specialized IT is often outdated because of the high acquisition costs, and the technology used is tailored only to the specific plant and cannot be integrated. The problem is clear: because of the strong focus on costs that is often found, urgently needed modern technology is not purchased. As a result, these plants run software that can no longer be updated. This investment gap means that most companies in heavy industry are not sufficiently prepared for the increasing threats, and cybercriminals have an easy time. In addition, there are organizational specifics. The door is virtually open to intruders.


Cybersecurity must work cross-functionally
It makes sense for business units to be responsible for cybersecurity-related issues on a chemical site themselves and to work very closely with the central units.

The central units are usually responsible for major IT projects on a site, e.g., setting up a 5G network as a basis for the further rollout of digitization projects.

Large enterprises such as chemical sites often experience attacks on both their IT and their OT (operational technology) systems, which, as in most companies, operate in isolation from each other. Because many systems, including critical controls, are digitized in these companies, vast amounts of data are exposed to potential manipulation that could cause catastrophic accidents in a worst-case scenario.

TIP: Security experts should be involved in any digitization project from the beginning. They belong in every company organization, and large industrial companies need more than one! We support you in structuring the tasks and work with you side by side for the security of your company.
