- Digitization of the chemicals sector has improved output and profitability, but also increased the risk of cyber attack by creating additional channels and vulnerabilities that hackers can exploit.
- Financial motivation remains the key driver behind attacks, with ransomware and intellectual property theft proving the greatest threat to chemical-sector issuers.
- Attacks targeting operational technology have the greatest capacity to damage chemicals companies, and thus the most potential to affect credit quality through lost profitability, weakened competitiveness, liquidity issues, and reputational damage at both the brand and governance levels.
The pace of digitization and data interconnectivity in the chemicals industry is accelerating as adoption of new technologies, including the Internet of Things (IoT), data analytics, and AI and machine learning, delivers benefits to production and prompts the further adoption of new technologies.
This virtuous circle is driving greater profitability and sustainability across the chemicals sector, but it comes with a caveat. New technologies, particularly those that create digitally interconnected systems, expand the digital perimeter of organizations, and in doing so offer hackers potential new weaknesses to exploit.
The particularities of the cyber threat faced by chemical companies are inherent to their focus on production facility digitization, which offers the greatest return on investment. This has meant critical operational technology (OT)--the hardware and software that monitors or controls equipment, assets, and processes--becoming increasingly connected to externally facing information technology (IT), enabling companies to better collect real-time data, monitor, track, and document production, improve automation, reduce response times, improve quality, and, above all, secure greater efficiency.
There are more than just cost savings on offer. Streamlining of business processes through digitization also promises improved sustainability. For example, scheduling software that matches a facility's production with demand can reduce energy use and greenhouse gas emissions, while better data analytics can reveal paths to achieve higher yields and improve energy efficiency. This is not just theoretical. South Africa-based chemicals and energy group Sasol Ltd. has announced plans to use artificial-intelligence technology to monitor, measure and analyze energy use and emissions at its Lake Charles ethylene plant in Louisiana, U.S.
Increased Cyber Risk
The idea that digitization could contribute to a greater risk of cyberattack may seem self-evident, but the magnitude of the increase may still surprise. A report published in April 2022 by cybersecurity group Skybox Research Lab found that over 2021 there had been an 88% increase in new vulnerabilities that were attributed specifically to OT products and that could be used to attack critical infrastructure.
Corporations pursuing digitization also face a growing array of threats, according to research that suggests cyber-attackers are more actively searching for vulnerabilities in internet-accessible OT devices. IoT malware attacks, designed to provide an attacker with control of connected devices, rose 77% in the first half of 2022, according to research by cybersecurity company SonicWall, which used data from the U.S. government's National Vulnerability Database and Cybersecurity and Infrastructure Security Agency. That tally included 12.9 million attacks in June alone, a record for any single month. Moreover, the number of vulnerabilities published in 2021 and exploited in the same year rose by 24%, according to Skybox. This suggests an acceleration in the speed at which new weaknesses are being exploited, and that corporations have an ever-narrower window in which to effectively respond to new threats.
The surveys' findings suggest that interconnectivity has become a major vector for cyberattacks, enabling hackers that compromise IT networks to move laterally into OT systems and exploit weaknesses in that ecosystem.
We consider OT-focused attacks that target industrial control systems to be a particular concern for chemicals makers, given the likelihood that such attacks will lead to operational downtime with direct effect on plant utilization rates and thus revenue. We also note the heightened risk that an attack could have rating implications should business interruption combine with a material balance sheet event. That could include diminished liquidity due to a ransom payment or regulatory fines, or significant asset impairments, including of long-lived assets affected by corrupted hardware or software, patents, and other customer-related intangible assets.
Poor Patching: A Sign Of Wider Issues
Given the cyber-risks faced by chemicals makers, it might be expected that companies employ generally robust security protocols, known as 'cyber hygiene standards', to secure networks, train employees in cyber security, and better respond to and recover from attacks.
Yet remediation (patching) in the chemicals industry is relatively infrequent, according to data collated by U.S.-based software company Guidewire (see chart 1). This poor patching rate suggests a high proportion of vulnerabilities and misconfigurations that have been detected but not remediated, while each unpatched vulnerability presents cyber-criminals with an opportunity to compromise a corporate network.
The chemical sector's sluggish patching performance appears even more problematic given evidence, reported by IBM, that vulnerabilities related to IoT and industrial control systems increased from 2020 to 2021 by 16% and 50%, respectively, outpacing wider growth in cyber vulnerabilities, which increased 0.4% over the same period. We consider a company's ability to protect its assets through good cyber hygiene practices, including frequent patching, within our assessment of a company's risk management practices (see "How Cyber Risk Affects Credit Analysis For Global Corporate Issuers", published March 30, 2022).
Older Operational Technology Comes With Inherent Risk
Research suggests that chemical companies aren't just slow to patch systems, but also slow to update the systems themselves (and particularly operational technology). A February 2022 study by cyber security services company Bridewell Consulting found that 70% of chemical companies in the U.K. relied on OT systems that were 6 to 20 years old, while 30% had systems between 11 and 20 years old. At the same time, 74% of chemical companies said their OT environment was accessible from corporate networks.
We view these aging systems, particularly when they are connected to corporate IT infrastructure, as a key vulnerability for manufacturers. Older OT systems were not designed to provide security capable of meeting today's dynamically evolving, and often sophisticated, cyber threats. For example, these devices often lack user authentication technology or the means to ensure that firmware and software updates are verified. Furthermore, legacy technology often uses hardware and software that may no longer be supported by vendors, and thus is infrequently (if ever) updated to deal with emerging threats. OT-specific malware, such as Triton, which emerged in 2017, demonstrates that threat actors are increasingly targeting OT facilities to exploit such weaknesses.
We believe that a digital asset base that benefits from sufficient investment can be a factor in differentiating issuers' creditworthiness, not only by supporting higher profitability and margins, but also by reducing the risk of a cyber-attack. Our management and governance assessment of chemicals issuers thus considers the identification and inventory of vulnerable devices, implementation of network hygiene protocols (including active monitoring for patches), and enforcement of segmentation controls to be important risk mitigation factors. This stance is in line with the U.S. National Institute of Standards and Technology's cyber security framework.
Money Is The Motivation
Financial gain motivates the bulk of cyberattacks, including on chemical issuers. In practice, this means that incidents tend to manifest either as intellectual property (IP) theft or ransomware attacks--whereby money is extorted in return for the release of encrypted information or for the lifting of an impediment to operations.
We consider ransomware attacks that cause business interruption to be the most potentially damaging for issuers in the chemicals industry. This view is based on the outsized cost of operational downtime for chemical companies, particularly when compared with many other industries.
Business Interruption Is A Chemical Sector Pressure Point
The extent to which the chemical sector is exposed to the risk of business interruption resulting from cyberattacks has been highlighted by a handful of incidents. In 2019, Norwegian aluminum producer Norsk Hydro was hit with a ransomware attack that directly disrupted its manufacturing processes, halting production at several plants while facilities were switched to manual operations. The breach, which was traced to a phishing email that appeared to have been sent from a trusted customer, provided hackers with administrative credentials, and resulted in an estimated financial loss of $71 million.
In the same year, U.S.-based chemical companies Momentive Performance Materials Inc. and Hexion Inc. were both hit by cyber-attacks that required their IT systems to be shut down to contain the damage. Those attacks are thought to have been caused by the same encryption program used in the Norsk Hydro attack.
The events underline the chemical sector's vulnerability to ransomware attacks that target business interruption as leverage to extort payments. We believe that chemical manufacturers' low tolerance for downtime is fostering a perception that they are likely to pay ransoms to avoid costly operational disruptions, increasing the likelihood that they will be targeted with such attacks. This is supported by our analysis, utilizing data from Guidewire, that finds there has been an increase, since late 2020, in the number of attacks focused on business interruption at chemicals issuers (see chart 3).
Preparedness And The Problem With Shutting Down
A rapid operational shutdown can help companies both track and contain a cyber attack, and is thus a standard and often-deployed response to intrusion. Yet, in hazardous environments, such as at many chemical plants, a rapid shutdown can come with significant safety issues, including the risk of chemical release, fire, or explosion. Furthermore, shutdown (and start-up) periods typically involve many non-routine and time-consuming procedures that are required to safely transition a facility from an operational to an idle state, according to the U.S. Chemical Safety and Hazard Investigation Board.
Those factors limit chemical companies' ability to employ a full and rapid shutdown and compel them to consider other remediation strategies to combat a cyber interloper. IT system segmentation, which divides an IT network into parts that can either be quarantined (if infected) or ring-fenced (if clean), can minimize the impact of a successful attack and provide a modular alternative to a complete shutdown.
That strategy was employed by Norsk Hydro during its incident in 2019 and enabled it to isolate its plants and transfer to manual operation the affected industrial systems, to contain the attack and avoid shutdown risks. We understand that the company also had an insurance policy that compensated for losses arising from the incident. Momentive and Hexion also reacted to their attacks by implementing business continuity plans that disabled certain systems, and thus limited the contagion's spread.
From a credit standpoint, we consider that those responses demonstrated good cyber risk preparedness, characterized by a clearly defined incident response plan that enabled the companies to quickly contain an attack and limit damage. Post incident, we would also expect to see management teams conduct reviews, and incorporate lessons learned into their risk practices.
Malicious Data Encryption: A Lesser Risk
Chemical companies are not known to hold extensive or sensitive customer data, particularly when compared to sectors like business services, health care, or financial services. This makes them less evident targets for extortion that uses encrypted data as leverage. However, we consider that the growing occurrence of such attacks, in conjunction with the large size of some chemical companies, means they remain susceptible to such extortion. That risk was evident in April 2021, when a ransomware attack at the North American division of chemicals distributor Brenntag SE resulted in the theft and encryption of 150 gigabytes of data. The hackers, who gained access using employee login credentials, were paid $4.4 million to decrypt the stolen information.
Intellectual Property Theft Is A Significant Threat
Chemical companies were the fourth biggest victim of IP theft, by value, in the U.K. over 2021, just behind software and computer service providers, according to a report by BAE Systems Digital Intelligence (formerly Detica) and the U.K. government's Office of Cyber-Security and Information Assurance (see chart 4). The report found that the elevated risk of IP theft in the chemicals sector was linked to the significant volume of IP generation. We consider this to be of particular concern to specialty chemicals producers, which make material investments in research and development.
The most notorious example of such an attack in the chemical sector remains the so-called Nitro attacks of 2011, when the systems of 29 chemical companies were infected with malware that collected intellectual property including proprietary designs, formulas, and details on manufacturing processes. The attackers gained access using a phishing email.
More recently, in January 2022, a North Korean-linked group targeted chemical companies with spyware that provided access to screenshots and transferred files containing trade secrets, according to security software and services provider Symantec.
We consider that attacks that secure IP can have particularly strong consequences within the context of ratings. The loss of trade secrets, including formulas and processes, which are then made available (at a price) to competitors can significantly harm a business's competitive position and therefore its growth prospects and returns.
Politically Motivated Attacks: An Additional Risk Factor
The U.S.'s Cybersecurity and Infrastructure Security Agency identifies chemical facilities as key targets for high-profile terrorist attacks. This reflects not only chemical plants' position within a nation's critical infrastructure, but also the possibility that an attack could cause both economic damage and endanger public health and safety.
There is a clear potential for these attacks to take the form of cyber criminality, including through the hijacking of operations and equipment to trigger spills or explosions. We consider safety systems that regulate voltage, pressure, and temperature to be particularly vulnerable to such attacks, while operations handling toxic or explosive compounds, such as chlorine, are also of particular concern. We also note the risk that cyber actors could target the theft of chemicals that could be converted into weapons through relatively simple processes.
That threat of terrorism raises the specter that chemical companies could become the target of cyber-attacks motivated by politics or ideology, rather than financial gain. Such an attack is not merely theoretical. In 2017, an unnamed petrochemical plant in Saudi Arabia was the target of a cyber-attack that resulted in intruders gaining control over a safety system. The intention was to force a malfunction of industrial equipment to cause an explosion, but the attack failed due to a coding flaw in the malware. Investigators looking at the attack concluded that it was likely politically, rather than commercially, motivated.
Implications For Our Ratings
A successful cyber-attack can affect several aspects of an issuer's credit quality, with the magnitude of the impact typically dependent on the scale of the damage done.
We note that cyber regulation and disclosure rules vary across jurisdictions, and companies may not be required to disclose an attack in all instances. However, we consider transparency to be beneficial to our assessment of a company's management and governance.
A temporary business interruption, or a total plant shutdown, may also impact an issuer's creditworthiness, including by reducing cash flow and profitability, and by acting as a prompt to litigation risk. Moreover, business interruption incidents, along with heightened public scrutiny, may lead to additional costs, and necessitate greater investment, in order to meet more stringent operating standards. And finally, the payment of a ransom may constrain a company's liquidity. Thankfully, examples of such payments in the chemical sector (and adjacent industries) suggest ransoms are typically only a small percentage of a company's annual EBITDA. We consider, however, that the financial risks are increasing along with the frequency of incidents.
Given this context, we believe liquidity buffers and/or (sufficient) cyber insurance to be important defenses against the potential credit implications of a cyber-attack. In addition, we expect issuers we rate to have a comprehensive plan to contain and recover from an attack and to regularly re-evaluate and update that plan based on prevailing conditions and lessons learned. Proactivity is important to mitigating risk, in our view.
We consider that the loss of IP or confidential information due to theft can damage a company's reputation and weaken its competitive position. A resultant decline in sales due to customer attrition, lower margins due to lost pricing power, or weaker growth prospects, can weigh on an issuer's cash flow and credit metrics. That said, we believe that the impact of IP theft tends to be less immediate than that of a ransomware attack resulting in business interruption or data encryption.
Within the context of ratings, attacks with significant social consequences can impact a business's competitive position through adverse reputational impact and heightened public scrutiny. Loss of operational control, particularly leading to the release of potentially toxic materials, may harm the surrounding environment and have an adverse effect on biodiversity and health. This could entail not only litigation risks and remediation costs, which could affect cash flows, but also threaten modification, suspension, or removal of a plant's license to operate.
Digitization: An Unavoidable Risk Worth Taking
Continued digitization of the chemicals industry is inevitable and welcome. The greater integration of IT and OT systems promises productivity gains, new efficiencies, and improved profits. Yet it also comes with burdens. Greater digitization will create new vulnerabilities that hackers can exploit. And the burdens of a successful cyberattack appear particularly onerous for chemical companies given the critical infrastructure role they occupy, the potentially dangerous nature of their operations, and the outsized impacts of business interruption.
The peculiarities of chemical companies' operations also make them especially vulnerable to certain types of ransomware, notably those that target operational technologies, business interruption, and intellectual property theft. Those same peculiarities limit companies' ability to react to an interloper, notably by restricting their ability to rapidly shut down IT and OT systems that are often integral to safety.
This combination of factors makes cyber preparedness vital to the mitigation of risk for chemicals issuers. We believe that preparation should include the identification and inventory of vulnerable devices, systematic network hygiene practices, proactive detection of potential threats, and a clearly defined incident response plan. Evaluation of these practices forms part of our cyber risk assessment for corporate issuers, and, along with adequate insurance and financial flexibility, can help issuers recover from an attack while minimizing the credit and rating impact of a cyber incident.
Research contributor: Alice Kettlewell
- Cyber Trends And Credit Risks, Oct. 25, 2022
- How Cyber Risk Affects Credit Analysis For Global Corporate Issuers, Mar. 30, 2022
This report does not constitute a rating action.
|Primary Credit Analyst:|Nikolaos Boumpoulis, CFA, London +44 20 7176 0771|
|Secondary Contacts:|Paulina Grabowiec, London +44 20 7176 7051|
||Tiffany Tribbitt, New York +1 (212) 438 8218|
||Michael P Altberg, New York +1 (212) 438 3950|
||Mark Habib, Paris +33 14 420 6736|
||Gareth Williams, London +44 20 7176 7226|