Stephane Konarkowski, security consultant at Outpost24, warns that cybercrime is a massive and growing threat to the industry.

Chemical manufacturing as a broad term encapsulates a wide variety of processes and procedures that manifest in a global multi-billion-dollar industry. These organisations are crucial to our way of life, producing essential services and products required for critical national infrastructure (CNI).

Imagine your life without any of these essentials if cybercriminals were able to disrupt the production or infiltrate the information technology (IT) systems of these core products and services.

Cybercriminals have been targeting these organisations and the supply chain in recent years including Brenntag, a chemical distribution company, which was forced to pay a $4.4 million ransom to the Darkside ransomware gang. With the cost of a cyberattack expected to rise globally to $10.5 trillion by 2025, the chemical manufacturing industry is becoming increasingly vulnerable, and must be aware of the threats coming from ransomware groups, nation state hackers and business rivals.

With the challenge of the pandemic, chemical manufacturing played a pivotal role in the production of vaccines and medicines. This means that an attack on a chemical manufacturing plant could impact human lives. In fact, the need for better cybersecurity in the industry is well recognised, with US Congress’s push for the ‘Strengthening American Cybersecurity Act of 2022’. This cross-party act would require chemical manufacturers and distributers as well as other businesses supplying CNI to report a cyberattack within 72 hours. However, manufacturing companies should not wait until a law is mandated to secure an area within their digital ecosystem that is often overlooked – web applications, as the exploitation of unpatched software is now the prime reason for a data breach for the industry.

Sizing up the external attack surface

In order to ascertain the state of application security Outpost24 has conducted a detailed analysis of the internet exposure and security posture of the biggest chemical manufacturers in the EU, uncovering concerning levels of vulnerabilities and weak spots in their digital footprint.

The findings reveal a rather large external attack surface for top chemical manufacturers, with a total of 22,507 internet exposed web applications over 6,175 domains. When these were scanned, a percentage of them were identified as testing/staging environments that shouldn’t be exposed. Additionally, some of the applications were utilising outdated components which contain known vulnerabilities, a major security issue used by threat actors for ransomware attacks. There was even evidence of compromised web applications where user credentials and password have been unknowingly disclosed in the deep and dark web, waiting to be exploited.

Top attack vectors in chemical manufacturing applications

Amongst the most common attack vectors in web applications, the following were identified as the biggest risks in their web applications:

Security mechanisms (SM): When data sent over the internet between the user and the application wasn’t encrypted it can allow eavesdroppers and hackers to intercept traffic and steal sensitive information such as passwords and payment details in transit. Failure to implement such basic security protocol for external web applications shows that there is still a gap between DevOps and security.

Degree of distribution (DOD): Another critical issue found within the web applications of chemical manufacturers is how an application spans across multiple domains. Distribution also increases the number of potential attack vectors. Distribution makes such issues more likely as it requires the application to work around the same-origin policy enforced by web browsers to separate resources of different origins.

Active contents (ACT): Active content increases the attack surface on the client side, requiring the user to have plug-ins in place and adding client-side code and processes to the application. This in turn increase the risk for cross-site scripting as flaws and outdated components that allow these attacks in web browsers are widespread

With such large volumes of assets and critical operations at stake, attack surface management should be made a top priority for chemical manufacturers, as annual scans quickly becoming inadequate to identify real-time security issues, leading to delays in detection and remediation of critical security issues. The attack surface is a sprawling landscape as more and more applications become interconnected and distributed across the cloud. Not to mention sophisticated hackers today are automating reconnaissance at an industrial scale to identify their next victim. To combat these challenges, companies must work to achieve complete visibility and continuous assessment to remove the risk before attackers exploit them.

As cybersecurity budgets are stretched to cope with other operational security controls, it is essential that decision-makers within the manufacturing vertical utilise their budget more wisely to prevent unsecured assets from becoming prime targets.

More advice about cyber risk management solutions is available at