The use of outdated cybersecurity guidelines puts thousands of US chemical companies at risk of attacks; and as shown by the 2017 incident in Saudi Arabia, these attacks may aim for more than simply files for ransom. The aforementioned attack targeted an industrial plant’s safety system directly, possibly trying to create an explosion. The hacker gained access to the system through a phishing scheme – something not covered by the Chemical Facility Anti-Terrorism Standards, which have not been updated in more than a decade – the term did not exist.
An additional problems stems from US companies lacking the incentive to update their security, as they have not been the recipients of a major attack. Also, there is a divide between how IT people think things should operate in a chemical plant and the reality on site.
