Safety management has become a priority for companies across the board - which threats present the highest risk?
There is a pattern in our industry, wherein there is a disaster with major consequences such as fatalities or significant environmental damage, and only then do governments and companies enact regulations to ensure it never happens again. The Bhopal chemical disaster created the process safety code we still use today across chemical plants; Three Mile Island did the same for all nuclear plants; and so on. This cycle tends to take a few years, during which we provide support and analysis to regulators to assist them with better devising regulations that get to the heart of that risk. In the United States, for example, ABS Group has around 140 people working in Washington DC, assisting the federal government in its efforts to shape policies surrounding chemical safety, transportation, etc. Once regulations are in place, we then advise companies working to comply with these policies and assist them through the longtail of certifications.
At the moment, there is one very clear risk that is emerging and not given proper attention: industrial cybersecurity.
All large power plants, chemical plants, drug manufacturing companies and so on, have industrial machinery that control their operations. They likely were not originally designed to be connected to the internet, as we are now in the age of automation and big data. And make no mistake, a cybersecurity breach is not like what you hear about in the news, where some hacker or other steals some data. We are talking about serious breaches that can compromise the entire functionality of the plant, and the safety of the people working there. This is one of our largest concerns regarding the changing landscape of risk and how technology impacts large scale industrial operations.
Do you believe we have learned from these mistakes, or is there such an incident looming in the space of cybersecurity?
The pattern keeps repeating itself, and I expect OT cyber to be no exception. Before we have serious regulation controlling the risk of industrial cybersecurity (and it is still very much in development), I do expect a serious incident to happen in order to spark change. Large scale power generation companies are a relatively early adopter, as are major oil and gas companies.
Having started out in marine and offshore, which industries do you see behaving the wisest in terms of preventative measures to avoid future problems?
We are a subsidiary of the American Bureau of Shipping, and 20% of our business is still in marine and offshore; though for the past 50 years we have been serving several other industries including oil & gas, renewables, and biotech. We are in many high hazard fields and contribute to them, benefiting from balanced regulations. They all take safety seriously; they have to. But when it comes to reliability, there are differences based on how each balances risk management against economics, and as mentioned, major oil & gas firms and large power generation firms appear to be leaders. They are part of the country’s critical infrastructure, and the government is also invested in their protection.
Is decarbonization now integrated in companies’ risk management strategies?
In the marine industry and other capital-intensive industries, it all boils down to the price of carbon. Regulations can contribute to a rising carbon price, and this dictates economic decisions. For example, whether ship owners opt for standard fuel, LNG, or methanol. Many people are now waiting on the sidelines for the dust to settle so that they know what type of engine they should choose, and this applies to many similar industries. Political will and regulations will drive the technology used in the energy transition, and we are all waiting to see at what pace.
Plus, we have world events to take into account. In the light of the conflict in Ukraine and gas shortages, Germany just declared gas a green fuel. It is clearly not. For the time being, everyone’s priority is energy resilience.
What advice do you have for companies navigating Industry 5.0 in order to avoid cybersecurity risks, presuming they are ready to listen?
There is a lot of technology out there that can take operational data and help facilities run smoother, which is fantastic for efficiency but creates other risks caused by increased connectivity of equipment in those networks. Unlike laptops and other modern devices, we cannot easily scan for bad actors; there are simply no tools to do that in an industrial environment because it would disrupt the machinery. There is no easy button to solve the issue.
Hacks manifest very differently in an OT network than in an IT network – OT cybersecurity events likely do not look like hacking. They likely look like a maintenance or configuration problem: maybe a valve starts acting out, or maybe there is a full-scale explosion.
What is your own game plan for ABS Group in the coming two to three years?
Much of our work is driven by regulation and compliance. We plan to keep supporting power plants, chemical plants, wind turbines, and many other facilities by supporting them in their efforts to ensure the safety and security of people’s lives. I see our industry shifting towards more dashboards and data rich outputs, prioritizing the highest risk elements and improving the client’s experience. Going forward I also see cybersecurity becoming an enormous part of our business; it is just an integral part of change in our age.
