I am not Nostradamus (although my kids think I am old enough that old Nosie and I used to hang together), but I have written extensively over the years about emerging environmental and sustainability risks. For the most part, these were business management risks rather than things that could imminently and substantially endanger human health. Even so, back in 2010 and again in 2014, I sounded the alarm of a very real risk that the next environmental catastrophe could be caused by hackers.
Almost all industrial manufacturing (such as chemicals, oil refining, metals smelting, pulp & paper, pharmaceutical and food processing) and utilities (power, water and wastewater) in the US is controlled with computer systems. These facilities manage a variety of potentially dangerous processes, including:
- chemical management systems critical to preventing spills, releases and mixing of incompatible chemicals
- combustion equipment (e.g., boilers and kilns) fuel feed controls and safety systems
- waste storage, disposal and monitoring systems
- dams, impoundments and flood prevention systems
- water purification and wastewater treatment systems
- fire control systems
- fenceline air quality monitoring
- numerous automated alarms
A front page article in USA Today now brings this risk to the public in the aftermath of the Colonial Pipeline and JBS hacks. Even so, the article misses many risks and arguably downplays potential catastrophes of those covered in the piece. It’s not a stretch to imagine a terrorist group intentionally disabling process controls at a large chemical processing site, resulting in a Bhopal-like scenario. Or hackers “just” seeking to temporarily disable a power utility for a ransom, accidentally disabling all operational safety controls and causing fuel explosions and possibly a nuclear incident.
These are truly nightmarish scenarios – and perhaps closer to reality than you think.
What You Can Do
Environmental catastrophes are not the first thing that pops into people’s head when the topic of cybersecurity arises, but the potential for these events should be included in corporate risk assessments, cyber security assessments and in ESG materiality determinations. At least four facets of this risk should be evaluated:
- Human health risk. Depending on the type of manufacturing operation and equipment, the risk to employees on-site and the community at large can be significant in the event of process failure. Chemical emissions, fires and explosions are deadly and they can have a wide area of impact. Facilities subject to OSHA’s Process Safety Management or EPA’s Risk Management Plan regulations are required to perform off-site consequence analyses that are helpful in assessing the risk, but they are limited to only specifically covered chemicals/processes. Gas-fired boilers and dams/dikes are not covered. When evaluating human health risks associated with your operations, it would be prudent to take a wide view of what may impact employees and the community.
- Environmental impact. Similar to human health risk, operational failures or breaches can cause environmental contamination and loss of wildlife, ecosystems/habitat, and endangered species.
- Consequential impacts. Catastrophic events at a single location can also start a domino effect of “downstream” consequential impacts. For instance, chemical contamination of food crops, energy outages at hospitals and critical infrastructure, flooding of other manufacturing facilities or utilities, drinking water safety and loss of public use areas. There is even a possibility of disturbing previously closed environmental disposal sites – Hurricane Katrina flooded a closed municipal landfill, causing not only environmental damage, but also structural instability of the reclaimed land.
- Financial exposure. Insurance usually provides a useful financial backstop for unplanned, sudden and accidental losses. However, your coverage likely has significant – or even absolute – exclusions or limitations for terrorist acts, cyber risk, pollution and consequential liabilities. It is advisable to review your insurance policy language in detail to identify and assess any relevant exclusions/limitations and make an informed decision about what to do from there.