The pace of digitization and data interconnectivity in the chemicals industry is accelerating as adoption of new technologies, including the Internet of Things (IoT), data analytics, and AI and machine learning, delivers benefits to production and prompts the further adoption of new technologies.

This virtuous circle is driving greater profitability and sustainability across the chemicals sector, but it comes with a caveat. New technologies, particularly those that create digitally interconnected systems, expand the digital perimeter of organizations, and in doing so offer hackers potential new weaknesses to exploit.

The particularities of the cyber threat faced by chemical companies is inherent to their focus on production facility digitization, which offers the greatest return on investment. This has meant critical operational technology (OT)--the hardware and software that monitors or controls equipment, assets, and processes--becoming increasingly connected to externally facing information technology (IT), enabling companies to better collect real-time data, monitor, track, and document production, improve automation, reduce response times, improve quality, and, above all, secure greater efficiency.

There are more than just cost savings on offer. Streamlining of business processes through digitization also promises improved sustainability. For example, scheduling-software that matches a facility's production with demand can reduce energy use and greenhouse gas emissions, while better data analytics can reveal paths to achieve higher yields and improve energy efficiency. This is not just theoretical. South Africa-based chemicals and energy group Sasol Ltd. has announced plans to use artificial-intelligence technology to monitor, measure and analyze energy use and emissions at its Lake Charles ethylene plant in Louisiana, U.S.

Increased Cyber Risk

The idea that digitization could contribute to a greater risk of cyberattack may seem self-evident, but the magnitude of the increase may still surprise. A report, published in April 2022 by cybersecurity group Skybox Research Lab, found that over 2021 there had been an 88% increase in new vulnerabilities attributed specifically to OT products and which could be used to attack critical infrastructure.

Corporations pursuing digitization also face a growing array of threats, according to research that suggests cyber-attackers are more actively searching for vulnerabilities in internet-accessible OT devices. IoT malware attacks, designed to provide an attacker with control of connected devices, rose 77% in the first half of 2022, according to research by cybersecurity company SonicWall, which used data from the U.S. government's National Vulnerability Database and Cybersecurity and Infrastructure Agency. That tally included 12.9 million attacks in June alone, a record for any single month. Moreover, the number of vulnerabilities published in 2021 and exploited in the same year rose by 24%, according to Skybox. This suggests an acceleration in the speed at which new weaknesses are being exploited, and that corporations have an ever-narrower window in which to effectively respond to new threats.

The surveys' findings suggest that interconnectivity has become a major vector for cyberattacks, enabling hackers that compromise IT networks to move laterally into OT systems and exploit weaknesses in that ecosystem.

We consider OT-focused attacks that target industrial control systems to be a particular concern for chemicals makers, given the likelihood that such attacks will lead to operational downtime with direct effect on plant utilization rates and thus revenue. We also note the heightened risk that an attack could have rating implications should business interruption combine with a material balance sheet event. That could include diminished liquidity due to a ransom payment or regulatory fines, or significant asset impairments, including of long-lived assets affected by corrupted hardware or software, patents, and other customer-related intangible assets.

Poor Patching: A Sign Of Wider Issues

Given the cyber-risks faced by chemicals makers, it might be expected that companies employ generally robust security protocols, known as 'cyber hygiene standards', to secure networks, train employees in cyber security, and better respond to and recover from attacks.

Yet remediation (patching) in the chemicals industry is relatively infrequent, according to data collated by U.S.-based software company Guidewire (see chart 1). This poor patching rate suggests a high proportion of vulnerabilities and misconfigurations that have been detected but not remediated, while each unpatched vulnerability presents cyber-criminals with an opportunity to compromise a corporate network.

The chemical sectors' sluggish patching performance appears even more problematic given evidence, reported by IBM, that vulnerabilities related to IoT and industrial control systems increased from 2020 to 2021 by 16% and 50%, respectively, outpacing wider growth in cyber vulnerabilities, which increased 0.4% over the same period. We consider a company's ability to protect its assets through good cyber hygiene practices, including frequent patching, within our assessment of a company's risk management practices (see "How Cyber Risk Affects Credit Analysis For Global Corporate Issuers", published March 30, 2022).

Chart 1

Older Operational Technology Comes With Inherent Risk

Research suggests that chemical companies aren't just slow to patch systems, but also slow to update the systems themselves (and particularly operating technology). A February 2022 study by Cyber security services company Bridewell Consulting found that 70% of chemical companies in the U.K. relied on OT systems that were 6 to 20 years old, while 30% had systems between 11 and 20 years old. At the same time, 74% of chemical companies said their OT environment was accessible from corporate networks.

We view these aging systems, particularly when they are connected to corporate IT infrastructure, as a key vulnerability for manufacturers. Older OT systems were not designed to provide security capable of meeting today's dynamically evolving, and often sophisticated, cyber threats. For example, these devices often lack user authentication technology or the means to ensure that firmware and software updates are verified. Furthermore, legacy technology often uses hardware and software that may no longer be supported by vendors, and thus is infrequently (if ever) updated to deal with emerging threats. OT-specific malware, such as Triton, which emerged in 2017, demonstrates that threat actors are increasingly targeting OT facilities to exploit such weaknesses.

We believe that a digital asset base that benefits from sufficient investment can be a factor in differentiating issuers' creditworthiness, not only by supporting higher profitability and margins, but also by reducing the risk of a cyber-attack. Our management and governance assessment of chemicals issuers thus considers the identification and inventory of vulnerable devices, implementation of network hygiene protocols (including active monitoring for patches), and enforcement of segmentation controls to be important risk mitigation factors. This stance is in line with the U.S. National Institute of Standards and Technology's cyber security framework.

Money Is The Motivation

Financial gain motivates the bulk of cyberattacks, including on chemical issuers. In practice, this means that incidents tend to manifest either as intellectual property (IP) theft or ransomware attacks-- whereby money is extorted in return for the release of encrypted information or for the lifting of an impediment to operations.

We consider ransomware attacks that cause business interruption to be the most potentially damaging for issuers in the chemicals industry. This view is based on the outsized cost of operational downtime for chemical companies, particularly when compared with many other industries.

Chart 2

Business Interruption Is A Chemical Sector Pressure Point

The extent to which the chemical sector is exposed to the risk of business interruption resulting from cyberattacks has been highlighted by a handful of incidents. In 2019, Norwegian aluminum producer Norsk Hydro was hit with a ransomware attack that directly disrupted its manufacturing processes, halting production at several plants while facilities were switched to manual operations. The breach, which was traced to a phishing email that appeared to have been sent from a trusted customer, provided hackers with administrative credentials, and resulted in an estimated financial loss of $71 million.

In the same year, US-based chemical companies Momentive Performance Materials Inc. and Hexion Inc. were both hit by cyber-attacks that required their IT systems to be shut down to contain the damage. Those attacks are thought to have been caused by the same encryption program used in the Norsk Hydro attack.

The events underline the chemical sectors vulnerability to ransomware attacks that target business interruption as leverage to extort payments. We believe that chemical manufacturers low tolerance for down time is fostering a perception that they are likely to pay ransoms to avoid costly operational disruptions, increasing the likelihood that they will be targeted with such attacks. This is supported by our analysis, utilizing data from Guidewire, that finds there has been an increase, since late 2020, in the number of attacks focused on business interruption at chemicals issuers (see chart 3).

Chart 3

Preparedness And The Problem With Shutting Down

A rapid operational shutdown can help companies both track and contain a cyber attack, and is thus a standard and often deployed response to intrusion. Yet, in hazardous environments, such as at many chemical plants, a rapid shutdown can come with significant safety issues, including the risk of chemical release, fire, or explosion. Furthermore shutdown (and start-up) periods typically involve many non-routine and time consuming procedures that are required to safely transition a facility from an operational to an idle state, according to the U.S. Chemical Safety and Hazard Investigation Board.

Those factors limit chemical companies' ability to employ a full and rapid shut down and compels them to consider other remediation strategies to combat a cyber interloper. IT system segmentation, which divides an IT network into parts that can either be quarantined (if infected) or ring fenced (if clean), can minimize the impact of a successful attack and provide a modular alternative to a complete shutdown.

That strategy was employed by Norsk Hydro during its incident in 2019 and enabled it to isolate its plants and transfer to manual operation the affected industrial systems, to contain the attack and avoid shutdown risks. We understand that the company also had an insurance policy that compensated for losses arising from the incident. Momentive and Hexion also reacted to their attacks by implementing business continuity plans that disabled certain systems, and thus limited the contagion's spread.

From a credit standpoint, we consider those responses demonstrated good cyber risk preparedness, characterized by a clearly defined incident response plan that enabled the companies to quickly contain an attack and limit damage. Post incident, we would also expect to see management teams conduct reviews, and incorporate lessons learned into their risk practices.

Malicious Data Encryption: A Lesser Risk

Chemical companies are not known to hold extensive or sensitive customer data, particularly when compared to sectors like business services, health care, or financial services. This makes them less evident targets for extortion that uses encrypted data as leverage. However, we consider that the growing occurrence of such attacks, in conjunction with the large size of some chemical companies, means they remain susceptible to such extortion. That risk was evident in April 2021, when a ransomware attack at the North American division of chemicals distributor Brenntag SE resulted in the theft and encryption of 150 gigabytes of data. The hackers, who gained access using employee login credentials, were paid $4.4 million to decrypt the stolen information.

Intellectual Property Theft Is A Significant Threat

Chemical companies were the fourth biggest victim of IP theft, by value, in the U.K. over 2021, just behind software and computer service providers, according to a report by BAE Systems Digital Intelligence (formerly Detica) and the U.K. government's Office of Cyber-Security and Information Assurance (see chart 4). The report found that the elevated risk of IP theft in the chemicals sector was linked to the significant volume of IP generation. We consider this to be of particular concern to specialty chemicals producers, which make material investments in research and development.

Chart 4

The most notorious example of such an attack in the chemical sector remains the so-called Nitro attacks of 2011, when the systems of 29 chemical companies were infected with malware that collected intellectual property including proprietary designs, formulas, and details on manufacturing processes. The attackers gained access using a phishing email.

More recently, in January 2022, a North Korean-linked group targeted chemical companies with spyware that provided access to screenshots and transferred files containing trade secrets, according to security software and services provider Symantec.

We consider attacks that secure IP can have particularly strong consequences within the context of ratings. The loss of trade secrets, including formulas and processes, which are then made available (at a price) to competitors can significantly harm a business's competitive position and therefore its growth prospects and returns.

Politically Motivated Attacks: An Additional Risk Factor

The U.S.'s Cybersecurity and Infrastructure Security Agency identifies chemical facilities as key targets for high-profile terrorist attacks. This reflects not only chemical plants position within a nations' critical infrastructure, but also the possibility that an attack could cause both economic damage and endanger public health and safety.

There is a clear potential for these attacks to take the form of cyber criminality, including through the hijacking of operations and equipment to trigger spills or explosions. We consider safety systems that regulate voltage, pressure, and temperature to be particularly vulnerable to such attacks, while operations handling toxic or explosive compounds, such as chlorine, are also of particular concern. We also note the risk that cyber actors could target the theft of chemicals that could be converted into weapons through relatively simple processes.

That threat of terrorism raises the specter that chemical companies could become the target of cyber-attacks motivated by politics or ideology, rather than financial gain. Such an attack is not merely theoretical. In 2017, an unnamed petrochemical plant in Saudi Arabia was the target of a cyber-attack that resulted in intruders gaining control over a safety system. The intention was to force a malfunction of industrial equipment to cause an explosion, but the attack failed due to a coding flaw in the malware. Investigators looking at the attack concluded that it was likely politically, rather than commercially, motivated.

Implications For Our Ratings

A successful cyber-attack can affect several aspects of an issuer's credit quality, with the magnitude of the impact typically dependent on the scale of the damage done.

We note that cyber regulation and disclosure rules vary across jurisdictions, and companies may not be required to disclose an attack in all instances. However, we consider transparency to be beneficial to our assessment of a company's management and governance.

A temporary business interruption, or a total plant shut down, may also impact an issuer's creditworthiness, including by reducing cash flow and profitability, and by acting as a prompt to litigation risk. Moreover, business interruption incidents, along with heightened public scrutiny may lead to further additional costs, and necessitate greater investment, in order to meet more stringent operating standards. And finally, the payment of a ransom may constrain a company's liquidity. Thankfully, examples of such payments in the chemical sector (and adjacent industries) suggests ransoms are typically only a small percentage of a company's annual EBITDA. We consider, however, that the financial risks are increasing along with the frequency of incidents.

Given this context, we believe liquidity buffers and/or (sufficient) cyber insurance to be important defenses against the potential credit implications of a cyber-attack. In addition, we expect issuers we rate to have a comprehensive plan to contain and recover from an attack and to regularly re-evaluate and update that plan based on prevailing conditions and lessons learned. Proactivity is important to mitigating risk, in our view.

We consider that the loss of IP or confidential information due to theft, can damage a company's reputation and weaken its competitive position. A resultant decline in sales due to customer attrition, lower margins due to lost pricing power, or weaker growth prospects, can weigh on an issuer's cash flow and credit metrics. That said, we believe that the impact of IP theft tends to be less immediate than that of a ransomware attack resulting in business interruption or data encryption.

Within the context of ratings, attacks with significant social consequences can impact a business's competitive position through adverse reputational impact and heightened public scrutiny. Loss of operational control, particularly leading to the release of potentially toxic materials, may harm the surrounding environment and have an adverse effect on biodiversity and health. This could entail not only litigation risks and remediation costs, which could affect cash flows, but also threaten modification, suspension, or removal of a plant's license to operate.

Digitization: An Unavoidable Risk Worth Taking

Continued digitization of the chemicals industry is inevitable and welcome. The greater integration of IT and OT systems promises productivity gains, new efficiencies, and improved profits. Yet it also comes with burdens. Greater digitization will create new vulnerabilities that hackers can exploit. And the burdens of a successful cyberattack appear particularly onerous for chemical companies given the critical infrastructure role they occupy, the potentially dangerous nature of their operations, and the outsized impacts of business interruption.

The peculiarities of chemical companies' operations also make them especially vulnerable to certain types of ransomware, notably those that target operational technologies, business interruption, and intellectual property theft. Those same peculiarities limit companies' ability to react to an interloper, notably by restricting their ability to rapidly shutdown IT and OT systems that are often integral to safety.

This combination of factors makes cyber preparedness vital to the mitigation of risk for chemicals issuers. We believe that preparation should include the identification and inventory of vulnerable devices, systematic network hygiene practices, proactive detection of potential threats, and a clearly defined incident response plan. Evaluation of these practices forms part of our cyber risk assessment for corporate issuers, and, along with adequate insurance and financial flexibility, can help issuers recover from an attack while minimizing the credit and rating impact of a cyber incident.

Related Research

• Cyber Trends And Credit Risks, Oct. 25. 2022
• How Cyber Risk Affects Credit Analysis For Global Corporate Issuers, Mar. 30, 2022