Ian Elsby, Siemens Digital Industries Head of Chemical Industry

Effects of the pandemic and Brexit are further driving digitalisation, often without the much-needed protection against cyber attacks. Ian Elsby, Siemens Digital Industries Head of Chemical Industry, explains.

It’s been over 18 months since I wrote on the topic ‘Why Cyber Attack Threats should not hinder digitalisation in the Chemical Industry’ in the Chemical Industry Journal.

A lot of water has passed under the bridge since. We as a nation are separated from the EU – Brexit is the new reality; and the world is still reeling and combating one of the biggest pandemics of our technologically advanced world. Covid-19 has triggered collaboration from not just the pharmaceutical and chemical sectors but from the entire manufacturing industry to keep those necessities produced, be it PPE or sanitisers.

As we progress into making our factories smart, digitalised, and most importantly sustainable to meet our net zero goals for a better future, one of the looming topics is cyber security.

Having to face unknown viruses in real life, we also have to be prepared to face those viruses and cyber attacks that can bring our factories and plants to a halt.

According to figures highlighted in the Chemistry Council’s website, the chemical and pharmaceutical industry adds £18 billion of value to the UK economy every year from total annual turnover of £50 billion.1 It also states that ‘the products and technologies of the Chemical industry are essential parts of medicines, food & drink, telecommunications, energy-saving, I.T, clothing and much more’.

These constitute our basic essentials in times of crisis and need top-notch protection for both the physical and the technology assets that run our plants. Cyber threats make us vulnerable, increasing the risk of plant failures and even shutdowns.

These threats take the form of viruses, malware, ransomware and hacking. Rogue organisations can go as far as employing hackers to infect the assets and software with either a worm or ransomware. It is easy to obtain intelligence on any plant and identify weaknesses in any system, and if you have a legacy plant with older Windows operating systems that are not patched or updated, hackers can find routes to break into the network.

Most chemical companies continue to resort to an air gap, which effectively means they remove the ability of a process system to connect to the internet. This solves part of the problem. However, it is not a long-term solution and may only work to keep the problem away temporarily.

The new problem that has further impacted the chemicals industry and the sectors attached to it is Covid-19: on one side there has been an impetus to digitalise to meet the heightened demand for certain products, while economic and budget restrictions may have resulted in less resilient options that ignore cyber security completely.

So, plant owners need to go beyond this stop-gap measure and adopt an advanced, in-depth approach by conducting a cyber security gap analysis survey that involves a thorough infrastructure assessment of the different technology layers and identification of vulnerabilities. This would result in nullifying risks by installing the latest technologies, firewalls and managed cyber security services.

The UK chemical industry’s digitalisation progress has been quite good, with varying levels of success in linking physical infrastructures to digital networks, but advances like the adoption of the Industrial Internet of Things (IIoT) and Industrial Edge have brought in new challenges, including vulnerability to attacks and hacking.

Several chemical plants and their process machines or their processes are not interconnected. They still work in a ‘business silo’, with each department working independently, without sharing information. Fortunately, digitalisation offers unparalleled solutions in this scenario, helping bridge those business silos and link them to the outside world, enabling remote access and visualisation for users at multiple sites domestically and globally.

Combating cyber-attacks is an ongoing process. Sometimes, it could involve plant-by-plant and machine-by-machine discussions pertaining to the interlinking of the assets. The success of any cyber security measures lies in proper assessment of the specific requirements of each chemical plant embracing digitalisation. This so-called defence-in-depth approach to cyber security will ensure comprehensive solutions, rather than an ad hoc solution. Cyber security is all the more important to a chemical plant as there is a chemical or biological transformation and/or separation of hazardous materials.

Digitalisation and IoT have been identified by the UK’s Chemistry Council as two of the key strategy levers to accelerate innovation-led growth in the chemical industry.

Global industry standards, such as IEC 62443, are very important. These should be implemented both at hardware and software levels, or else the adoption of digitalisation could be left open to cyber threats. Additionally, complying with the UK’s ISO standard 27001 is equally important.

The UK Government’s Cyber Essentials (CE) initiative, a cyber security standard that provides organisations with effective protection against the most common cyber security threats, further underpins the importance of cyber security.

CE+ is an ideal standard for chemical plants, as it ensures that organisations undertake a series of onsite technical assessments that include internal vulnerability tests against servers and sample workstations.

In our industry we continue to have healthy debates on the challenges and opportunities that digitalisation brings to the sector and adopt robust cybersecurity systems.

Siemens, as the founder of the Charter of Trust, which was set up in 2018 at the Munich Security Conference, continues the good work to raise global awareness of cyber security and will further increase its members.

With Industrial Edge and IoT control systems becoming more common, the industry has to take the one additional step to ensure cyber security. The advanced cloud-based solutions used in IoT technologies are excellent for analytical investigation and monitoring.

Prevention is the best form of defence; installing the best technology to monitor and assess any external interference is the most critical step.

Cybersecurity is a key element of digitalisation. It is a comprehensive process that affects all parts of the plant and requires continuous auditing and monitoring. So, I reiterate my thoughts to industry peers on taking cyber security seriously. Integration of these measures for your plant is even more vital post COVID-19. Organisational working practices have changed, the workforce is now a mix of remote, hybrid & site-based staff – and digital technologies provide an advantage to this. But it’s key to have adequate levels of cybersecurity in place to remain safe.