{"id":223424,"date":"2026-06-01T00:00:00","date_gmt":"2026-06-01T04:00:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/06\/01\/unraveling-cybersecurity-myths-in-chemical-manufacturing-chemical-engineering\/"},"modified":"2026-06-01T07:05:25","modified_gmt":"2026-06-01T11:05:25","slug":"unraveling-cybersecurity-myths-in-chemical-manufacturing-chemical-engineering","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/06\/01\/unraveling-cybersecurity-myths-in-chemical-manufacturing-chemical-engineering\/","title":{"rendered":"Unraveling Cybersecurity Myths in Chemical Manufacturing – Chemical Engineering"},"content":{"rendered":"

Unraveling Cybersecurity Myths in Chemical Manufacturing – Chemical Engineering<\/a><\/p>\n

https:\/\/www.chemengonline.com\/unraveling-cybersecurity-myths-in-chemical-manufacturing\/<\/a><\/p>\n

Publish Date: 2026-06-01 00:00:00<\/a><\/p>\n

Source Domain: www.chemengonline.com<\/a><\/p>\n

Author: <\/a><\/p>\n

Using an unordered list, summarize the following article with between 4 and 8 key points.
\n\t\t\tUnderstanding common myths surrounding the ISA\/IEC 62443 cybersecurity standard can help put chemical manufacturers on a path to safer, more resilient operations<\/p>\n

Picture a petrochemical plant running steady in the dead of night \u2014 pipes humming, reactors holding pressure, safety systems standing watch over exothermic reactions that could release toxic clouds or trigger runaway events if anything was to go wrong. Then a digital intruder slips in, not through the property fence, but the vendor\u2019s or integrator\u2019s remote access to the engineering workstation or application server. This remote access may have been understood to be \u201cjust for diagnostics purposes.\u201d
\nSafety systems start to blink. Pressures climb. Critical alarms that should be screaming are suddenly suppressed or inhibited, then buried in an overwhelming alarm flood. What should have been another routine shift suddenly edges toward potential disaster.
\nThis is not a movie script. In 2017, the TRITON (or TRISIS) malware hit a petrochemical facility in Saudi Arabia and went straight for the Schneider Electric Triconex safety instrumented system (SIS). The attackers \u2014 later tied by agents within the U.S. Treasury Department to a Russian government research institute \u2014 reverse-engineered the proprietary TriStation protocol, exploited a zero-day cyberattack, and tried to reprogram the very controllers that keep explosions and toxic releases from happening. Only a coding slip that tripped the SIS into safe shutdown saved the day.
\nYears earlier, the Stuxnet computer virus \u2014 part of the U.S.-Israeli covert cyber-sabotage campaign known as Operation Olympic Games \u2014 had already shown the world that cyber payloads could physically destroy industrial equipment. In chemical manufacturing \u2014 where the materials are hazardous, the processes are continuous, and the consequences are measured in lives, environmental impact and multi-million-dollar restarts \u2014 cybersecurity stopped being an \u201cIT thing\u201d a long time ago. Cybersecurity is process safety, plain and simple.
\nYet myths about how to protect these environments refuse to die. These myths are damaging because they slow down real progress and keep creating dangerous gaps between the cybersecurity team and the personnel who actually run the units day after day. ISA\/IEC 62443, the leading international series of standards for industrial and automation and control system cybersecurity, was written precisely for this world. Developed by the International Society of Automation\u2019s (ISA; Durham, N.C.; www.isa.org) ISA 99 committee as an American National Standard Institute (ANSI; Washington, D.C.; www.ansi.org) product, and later adopted by the International Electrotechnical Commission (IEC; Geneva, Switzerland; www.iec.ch), the standard provides a risk-based, practical framework that respects equipment lifecycles ranging from 20 to more than 30-years, real-time demands and clearly acknowledges the fact that a cybersecurity incident here can cause physical harm on a scale most IT professionals never have to consider (Figure 1).
\nFIGURE 1. ISA\/IEC 62443 is a risk-based cybersecurity standard that acknowledges the fact that cyberincidents can cause real physical harm in process facilities (this diagram comes from the International Society of Automation Industrial Cybersecurity Course IC32, animation by M. Ayala)
\nI\u2019ve been applying these standards \u2014 or their early drafts \u2014 since the ISA technical report that came out in 2004, well before the first published version of ISA\/IEC 62443 in October 2007. That means two decades of working them out in the field at plant sites, mentoring teams through the real developments we\u2019ve faced as industry and technology have shifted. And for the past decade, I\u2019ve been teaching the standards in classrooms around the world, tailoring the material to the specific challenges each group of students brings from their own facilities. The myths discussed here are the ones I still hear on almost every assessment I perform. This article aims to clear them up once and for all.
\nDigital opportunities and perils
\nDigital tools have sharpened what chemical manufacturers have already been doing \u2014 real-time optimization of distillation columns, predictive maintenance on rotating equipment, tighter supply-chain visibility for raw materials and finished products. But every new connection widens the potential cyberattack surface. Ransomware has already frozen chemical production lines for days. Espionage crews chase proprietary formulations that represent years of research and development investment. Manufacturing, especially of chemicals, sits near the top of every threat list year after year.
\nThe outdated idea that chemical process plants are somehow isolated is gone. Plant data historians talk to corporate networks. Vendors dial in remotely. Wireless instruments and portable media move data in and out. A breach here doesn\u2019t just result in stolen files \u2014 it means a risk of tampering with a controller to turn a stable reaction into something far worse, perhaps even forcing the plant to initiate an emergency shutdown that takes a week to safely restart.
\nThat\u2019s why the ISA\/IEC 62443 series matters. It\u2019s modular and risk-based, built to be adopted in phases, the same way process safety programs have been built over the years. ISA\/IEC 62443-1-1 lays out the core concepts and models that hold the whole series together. ISA\/IEC 62443-2-1 spells out the asset-owner security program (especially useful now with the 2024 maturity model), 62443-3-2 offers practical steps for security risk assessment and for designing the zones and conduits that are actually needed on the plant floor, 62443-3-3 defines the system security requirements and the four security levels for scaling to real threats and 62443-2-4 makes sure service providers and integrators are held to the same standard, so the whole supply chain pulls its weight. The recent updates, outlined in the bullet points here, make it even more user-friendly.
\n\u2022 ANSI\/ISA-62443-2-1-2024 (January 2025) refreshed the asset-owner security program requirements for the first time since 2009. It added a maturity model for incremental progress, cleaned out overlap with IT-centric standards and reorganized everything into clear security program elements.
\n\u2022 ISA-TR62443-2-2-2025 (December 2025) delivers practical day-to-day guidance on security operations and maintenance.
\nFar from being an academic exercise, this standard series is a roadmap written for the plant floor by people who understand that a controller reboot is not just an IT ticket \u2014 it can affect product quality, environmental compliance and the safety of everyone on shift.
\nDispelling the myths
\nThe following are not harmless old stories. Adhering to them creates complacency in an industry where one missed layer can cascade into a very bad day, a near-miss or worse (Table 1).<\/p>\n

Myth 1: \u201cOur control networks are air-gapped \u2014 we\u2019re safe.\u201d I wish this were still true. The idea of an \u201cair-gap\u201d in which operational technology (OT) computer networks are physically isolated from unsecure networks persists. Modern plants have dozens of connections \u2014 historian replication, vendor diagnostics, wireless instruments, USB\/portable media transfers. The malware TRITON didn\u2019t \u201cjump\u201d the gap between IT and OT systems; it pivoted laterally from an engineering workstation that sat on both sides. In my assessments, I routinely find hidden pathways that even the most experienced automation teams had forgotten about.
\nISA\/IEC 62443\u2019s zones-and-conduits model (Part 3-2) assumes those connections exist. It forces users of the standard to map every asset and every pathway, then put safety systems, business IT, wireless devices and temporary laptops in separate zones with controlled boundaries. Believing that a plant\u2019s network is air-gapped just means the plant operators are flying blind.
\n Myth 2: \u201cProprietary protocols and firewalls make us bulletproof.\u201d\u00a0 Obscurity is not security. TRITON\u2019s authors reverse-engineered the undocumented TriStation protocol. Stuxnet did the same with Siemens S7. Firewalls are useful, but they stop at the perimeter. Phishing, insiders, compromised vendor laptops and supply-chain attacks walk right past them. I\u2019ve seen a single undocumented cellular modem located in the field bypass what everyone thought was an impenetrable perimeter, and a single infected vendor portable drive infect an entire control system.
\nThe ISA\/IEC 62443 series of standards answers with defense-in-depth \u2014 seven foundational requirements across four security levels (Part 3-3). No single technology carries the whole security load.
\n Myth 3: \u201cOur safety instrumented systems handle cyber threats too.\u201d Safety instrumented systems (SIS), governed by ISA\/IEC 61511 \u2014 the functional safety standard that grew out of the ISA 84 working group and is further supported by technical report ISA-TR84.00.09 on cybersecurity related to the safety lifecycle \u2014 are built for equipment failures and operator errors, not for intelligent adversaries who study the exact configuration of a unit. TRITON went straight for the SIS because that\u2019s the last line of defense. I\u2019ve sat in process hazards analysis (PHA) review meetings where teams realized too late that their safety layer was sharing the same network as the basic process control system (BPCS, or distributed control system (DCS)).
\nISA\/IEC 62443 treats cyber and process safety as complementary, but distinct. It puts safety systems in their own dedicated zones and provides additional rigor beyond ISA\/IEC 61511 requirements. Conflating the two creates a single point of failure.
\n Myth 4: \u201cCybersecurity is the IT department\u2019s problem.\u201d This myth is particularly upsetting, and I hear it constantly. The people who truly own the cybersecurity risk are the automation engineers, instrument technicians, process engineers, operators and plant leaders. Patching a controller means understanding what a reboot does to the reaction. Segmenting networks requires knowing which control loops communicate with each other.
\nThe 2024 update to ISA\/IEC 62443 Part 2-1 makes it clear: this is the asset owner\u2019s responsibility, and the risk assessment (Part 3-2) demands cross-functional input. Insider threats \u2014 which are implicated in 20\u201340% of manufacturing breaches \u2014 can\u2019t be fixed with firewalls alone.
\n Myth 5: \u201cStandards are too complex and burdensome.\u201d Most chemical engineers already are well-versed in the Occupational Safety and Health Administration\u2019s (OSHA; Washington, D.C.; www.osha.gov) Process Safety Management (PSM) requirements, the Environmental Protection Agency\u2019s (EPA; Washington, D.C.; www.epa.gov) Risk Management Program (RMP), ISA\/IEC 61511, and layer-of-protection analysis (LOPA). ISA\/IEC 62443 is an extension of that same mindset \u2014 consequence-based, layered, continuous improvement.
\nFinally, there is a common gripe about the standard\u2019s complexity \u2014 \u201cIt\u2019s too much, with hundreds of pages, endless rules.\u201d This usually stems from partial reads or outdated views. A bit of hands-on ISA cyber training often changes that perspective quickly. Standard users don\u2019t swallow the whole series on day one. Start with risk assessment and zone mapping, then scale controls to actual threats using the four security levels. The new maturity model lets plant personnel begin with the plant\u2019s current situation and climb from there. Legacy systems are addressed. Compensating measures (data diodes, application control, allow-listing\/whitelisting, enhanced monitoring) are explicitly allowed. The 2024 update even removed redundant ISO 27001 overlap. The standard series is leaner than it used to be, and I can attest that plants can implement it without adding any new capital projects.
\nMyths cause damage
\nWhen these myths linger, the damage shows up in three places: process safety, reliability and regulatory readiness (Table 2).<\/p>\n

An attacker who manipulates BPCS readings while the SIS sits in the same unsegmented network can collapse every protection layer at once. TRITON showed exactly that path. The human and financial cost of even a near-miss in the chemical process industries (CPI) can be staggering.
\nRansomware on input-output (I\/O) tag servers, a human-machine interface (HMI) or a data historian doesn\u2019t just slow production \u2014 it can stop operations entirely, and in continuous chemical processes, the restart can take days. Legacy systems (15-to over 30-year lifecycles) are the norm. ISA\/IEC 62443 gives practical ways to manage them without a full rip-and-replace. One prolonged outage can easily result in millions of dollars in lost production, plus the ripple effects through customers who depend on the intermediates produced in these processes.
\nThe Chemical Facility Anti-Terrorism Standards (CFATS) expired in July 2023, but the pressure hasn\u2019t gone away. NIS2, reinterpretations of OSHA PSM and EPA RMP and global regulators increasingly point to ISA\/IEC 62443 as the consensus standard. Building a plant cybersecurity program on it keeps that facility ready, no matter which rule lands next. It also demonstrates to auditors and company leadership that the organization understands process safety and cybersecurity to be two sides of the same coin.
\nDefenses for real operations
\nCybersecurity is a process safety enabler, not a tax. Here\u2019s a four-step path that the author has used successfully with chemical sites around the world (Table 3).<\/p>\n

Step 1: Map the environment and assess risk. Define the full system under consideration \u2014 every asset, every overlooked connection. Pull in automation engineers, instrument technicians, process engineers, safety professionals, IT personnel and operations staff. Use your existing PHA and LOPA data; don\u2019t reinvent the wheel. Consequence categories should be safety, environmental, operational and regulatory \u2014 similar to what is likely already being done. In practice, I always ask teams to walk the unit and physically verify what\u2019s connected; paper diagrams rarely tell the whole story.
\nAs a tip for chemical-manufacturing operations, consider that existing PHA and LOPA studies already contain the exact consequence data that are needed for ISA\/IEC 62443 cybersecurity risk assessments. The standard\u2019s consequence-based approach fits seamlessly with the hazard analysis work chemical engineers already perform every day. Don\u2019t start from scratch \u2013 build on what is already in place.
\n Step 2: Segment wisely \u2014 zones, conduits and security levels. Put safety systems in their own zone, separate from BPCS. Keep enterprise IT out with a proper DMZ. DMZ refers to a \u201cdemilitarized zone,\u201d an analogy to a secure buffer between internal and external networks. Treat vendor remote access and wireless devices as controlled conduits. Assign target security levels based on real risk \u2014 SIS usually needs the highest; a historian may not. The Purdue model (ISA-95) is a great starting scaffold; ISA\/IEC 62443 simply adds the security lens. I\u2019ve found that starting zone mapping with the most hazardous reaction or storage areas yields the largest degree of risk reduction quickly.
\n Step 3: Layer controls and build the culture. Implement the seven foundational requirements scaled to each zone\u2019s target level. Eliminate shared passwords, enforce least privilege and multi-factor authentication (MFA), deploy application whitelisting, use deny-all\/permit-by-exception rules and monitor with OT-aware tools. For legacy gear, compensating measures work.
\nBake cybersecurity into the processes a plant already owns: add a security impact check to management of change (MOC), include cybersecurity scenarios in operator drills, require Software Bills of Materials (SBOMs) from suppliers. On one recent project, we added a simple \u201ccyber what-if\u201d question to every MOC form, and it caught several risky vendor changes before they reached the plant floor.
\n Step 4: Monitor, measure and adapt. Track meaningful KPIs \u2014 mean time to detect\/respond, zone coverage, patch\/compensation status, MOC review completion. Reassess when the plant changes or threats shift. Align audits with your PSM\/RMP cadence. Use the 2024 maturity model honestly; it\u2019s a ladder, not a club. The plants that treat this as a living program, reviewed quarterly with the same discipline as their safety metrics, are the ones that stay ahead.
\nStewards of a critical industry
\nChemicals products from this industry sector feed the world, protect the water, build devices and keep patients alive. Most people never think about that supply chain until it breaks. Fertilizers that grow the food on our tables, polymers in the medical devices that save lives, specialty gases that keep semiconductor fabs running, water-treatment chemicals that keep communities healthy \u2014 all of it flows from the plants operated by CPI companies.
\nThat makes every one of us a steward of something irreplaceable. In an era of escalating threats, stewardship means facing the truth: air gaps are illusions, firewalls are not fortresses, safety systems are not cyber shields, and this responsibility belongs to all of us.
\nISA\/IEC 62443 provides the shared language and practical tools that are already familiar and understand \u2014 consequence analysis, layers of protection, continuous improvement. The 2024\u20132025 standard updates have made the standard even more accessible for the real-world plants that are operated every day.
\nThe future doesn\u2019t require perfection on day one. It asks for steady, honest progress \u2014 starting where the risk is highest, building defenses that fit our operations and sustaining the program with the same discipline routinely brought to process safety. CPI professionals owe it to the communities that surround our facilities, to colleagues on shift, and to the global supply chain that depends on their products.
\nThe process safety and industrial cybersecurity lifecycles are very well aligned \u2014 analyze and assess; design and Implement; operate and maintain. Let\u2019s get to work.
\nEdited by Scott Jenkins
\nAuthor
\nMarco Ayala (Email: marayala@absconsulting.com) is an ISA Fellow, bringing three decades of expertise in designing, implementing and maintaining process instrumentation, automation systems, safety systems and process-control networks. Ayala drives innovation by developing robust strategies to secure critical systems, ensuring resilience and alignment with national security priorities. With more than two decades dedicated to industrial cybersecurity, he has spearheaded initiatives to safeguard the oil-and-gas (upstream, midstream, downstream), maritime port, offshore facilities and chemical sectors. His leadership supports federal, state and local entities in securing private-sector critical infrastructure. A 22-year senior member of the ISA, Ayala is a certified ISA\/IEC 62443 cybersecurity instructor and an active volunteer. He serves as Chair of Threat Intelligence and Cybersecurity for the AMSC Gulf of Mexico\/America (GOM\/GOA) cybersecurity committee, a sworn role with the U.S. Coast Guard overseeing the Outer Continental Shelf (OCS). Since 2014, he has been an InfraGard member and currently holds the position of President for the Houston Members Alliance. He is also technical director, Cybersecurity Center of Excellence, Global Energy, Oil & Gas, Chemicals and Specialty Gases.<\/p>\n

<\/p>\n","protected":false},"excerpt":{"rendered":"

Unraveling Cybersecurity Myths in Chemical Manufacturing – Chemical Engineering https:\/\/www.chemengonline.com\/unraveling-cybersecurity-myths-in-chemical-manufacturing\/ Publish Date: 2026-06-01 00:00:00 Source…<\/p>\n","protected":false},"author":1,"featured_media":223425,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"http:\/\/www.chemengonline.com\/wp-content\/uploads\/2026\/06\/CHE_0626-15cover-image.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[30,24,32,25],"class_list":["post-223424","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-breach","tag-cybersecurity","tag-malware","tag-phishing"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/223424"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=223424"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/223424\/revisions"}],"predecessor-version":[{"id":223426,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/223424\/revisions\/223426"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/223425"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=223424"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=223424"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=223424"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}