The 2017 cyberattack on a petrochemical plant in Saudi Arabia was a watershed moment in cybersecurity; the perpetrator remains unconfirmed. It marked the first intentional use of malware to cause physical harm—a previously theoretical threat. The malware, known as Triton, could potentially release toxic hydrogen sulphide gas or trigger explosions, risking the lives of those in the vicinity and the entire industrial plant. Following this event and the fear that such an attack could also target other countries with critical infrastructure, the United States of America established its Chemical Facility Anti-Terrorism Standards (CFATS) Statutes in January 2019. However, as of July 2023, these statutes have expired and are no longer the baseline for security measures in US chemical plants. Despite this step forward, the expiration of these statutes does not indicate a change in trends. India also does not have a single piece of legislation for cybersecurity in chemical security. While India does have a comprehensive list of cybersecurity governance efforts, as shown in Table 1, and governance tools for chemical security, as shown in Table 2, the lack of overlap in the two areas is glaring.
Critical infrastructure in India primarily comprises the power, banking, telecom, transport, and government sectors. While strategic sectors are clubbed as a whole in this area of governance, there is no explicit mention of the chemical and petrochemical industry in the critical infrastructure protection ecosystem, nor is there any mention of cybersecurity and allied security in the chemical industry governance. Additionally, India has seen an increase of 278 percent in state-sponsored cyberattacks between 2021 and 2023 alone. This number has shown an increasing trend of about 3,000 attacks per week, even in subsequent months, highlighting the need to protect chemical plants and other critical infrastructure.
Thus far, India's chemical security approach has primarily been related to disaster management and environmental impact. While covered by the cybersecurity governance ecosystem, the potential for a cyberattack resulting in a tragedy can still slip through the gaps. Despite the evidenced need for cybersecurity for all critical infrastructure, the overlap between chemical security and cybersecurity has been ignored. These gaps can be exploited in many ways, including espionage or a malware attack similar to the one in Saudi Arabia. Ransomware used for the theft of plant plans and of faculty and staff information is another risk.
Table 1: Cybersecurity governance in India

| Governance tool | Offerings |
| --- | --- |
| National Cyber Security Policy, 2013 | Protecting cyberspace information and infrastructure, building capabilities to prevent and respond to cyber-attacks, and minimising damage. |
| Cyber Surakshit Bharat Initiative | To raise awareness of cybercrime and form safety measures for Chief Information Security Officers (CISOs) and IT staff in government departments. |
| Indian Cyber Crime Coordination Centre (I4C) | A framework for law enforcement to deal with cybercrimes. It includes the National Cyber Crime Threat Analytics Unit and the National Cyber Crime Reporting Portal. |
| Cyber Swachhta Kendra | To detect botnet infections and notify, clean, and secure end users' systems to prevent further infections. |
| Computer Emergency Response Team - India (CERT-In) | Collects, analyses, and disseminates information on cyber incidents and issues alerts on cybersecurity incidents. |
| National Critical Information Infrastructure Protection Centre (NCIIPC) | Established to protect the Critical Information Infrastructure (CII) of sectors like power, banking, telecom, transport, government, and strategic enterprises. |
| Defence Cyber Agency (DCyA) | Manages threats with capabilities for cyber operations, such as hacking, surveillance, data recovery, encryption, and countermeasures against cyber threat actors. |

Source: Author’s own research
Table 2: Chemical security in India

| Governance tool | Offerings |
| --- | --- |
| National Authority for Chemical Weapons Convention (NACWC) | Oversees the implementation of the Chemical Weapons Convention (CWC) in India, ensuring compliance and monitoring the use of toxic chemicals. |
| Chemical Accidents (Emergency Planning, Preparedness and Response) Rules, 1996 | It provides a framework for emergency planning, preparedness, and response to chemical accidents, including establishing emergency plans and response mechanisms. |
| National Disaster Management Authority (NDMA) | Coordinates disaster management efforts, including those related to chemical accidents, and develops guidelines and frameworks for effective response and management. |
| Accident and Environmental Impact Management | Implements safety regulations and monitoring and provides advice on occupational safety and health. Includes: Directorate General of Factory Advice and Labour Institutes (DGFASLI), Central Pollution Control Board (CPCB), State Pollution Control Boards (SPCBs), Industrial Health and Safety Regulations |

Source: Author’s own research
The 2019 Norsk Hydro attack is a global reminder of how such attacks cause major operational shutdowns; it led to over US$70 million in financial losses. Similar attacks on Indian companies could have even more devastating consequences, especially given the country’s reliance on chemicals for agriculture, pharmaceuticals, and industrial growth. If exploited by non-state or malicious actors, this gap can result in another tragedy akin to the Bhopal gas leak incident. Thus, India must prioritise this area to avoid catastrophic incidents as the world approaches digital integration. Furthermore, existing policies can be effectively leveraged to enhance protection and address these emerging threats.
As is seen, the existing regulations around the chemical industry do not consider the potential for an attack and oversee chemical leaks only under disaster management strategies to prevent or curb leaks. This gap of overlooking potential intentional attacks can be overcome by employing certain strategies aimed at addressing existing vulnerabilities:
- Implementing robust security protocols: Indian chemical companies must invest in firewalls, intrusion detection systems, and regular security audits. An important step is network segmentation, which isolates critical OT systems from IT networks to reduce the risk of a single-point attack spreading throughout the entire operation. ISO/IEC 27001 already provides a framework for information management and cybersecurity that encourages private sector plants to protect themselves. Such a framework must be made mandatory in chemical industries across India.
- Training and awareness: Despite the governance ecosystem and collaboration amongst different organisations and industry verticals, human error remains one of the weakest links in cybersecurity. Implementing mandatory training and awareness programs that link multiple verticals, along with simulation exercises where employees learn to identify phishing and other cyber threats, can reduce the risks of cyber threats.
- Embracing emerging technologies and upgrading detection methods: AI and machine learning can detect anomalies in system behaviour, allowing for predictive threat detection. These technologies can bolster cybersecurity defences, particularly in OT environments where traditional methods might fall short.
Unlike other industries, a cyberattack on a chemical facility cannot be mitigated simply by shutting down systems. Unplanned shutdowns can result in chemical leaks, fires, or explosions, worsening an already dangerous situation. The government must adapt and evolve existing cybersecurity frameworks to address the unique challenges critical infrastructure like chemical plants face. By leveraging existing policies, investing in advanced technologies, and fostering collaboration across sectors, India can protect its chemical industry from the growing threat of cyberattacks.
Shravishtha Ajaykumar is an Associate Fellow with the Centre for Security, Strategy and Technology at the Observer Research Foundation
The views expressed above belong to the author(s).