Introduction 

With the advent and increasing frequency of cyber attacks on large scale infrastructure, knowledge of cyber security risks and threats and how to manage and mitigate them is a new area of systems knowledge needed by practising chemical engineers. Cybersecurity issues are present and escalating in all industries employing chemical engineers from chemical to pharmaceutical to food and materials industries. For example, in 2021, the Colonial pipeline system in the United States (US), endured a cyber attack which stalled the transportation of oil to much of the eastern US, triggering the declaration of a state of emergency across 17 US states and causing skyrocketing gas prices (Tsvetanov and Slaria, 2021). From 2000 to 2019, some 77 large-scale cyber security related incidents related to critical infrastructure were reported, with the majority of reported attacks being on energy-related facilities (Iaiani et al., 2021). 

This fact sheet provides an overview of the current education guidelines for university educators in IChemE accredited programmes, and makes some suggestions with respect to lifelong learning for practising chemical engineers.  

Tertiary programmes 

Until recently, cybersecurity concerns and cybersecurity mitigation methods were absent from chemical engineering curricula at both undergraduate and graduate levels.  

Since 2021, these areas have been included in the IChemE programme accreditation guidelines. Cyber systems are mentioned as being an important part of education in chemical engineering principles, falling under systems education. Specifically, the guide states that “students graduating from an [IChemE] accredited programme will understand the benefits and risks of digitalisation and adopt a holistic and proportionate approach to the mitigation of security risks using process, cyber and automation, and behavioural measures”.  

Process control and process design courses as well as chemical engineering labs could be good places to introduce cybersecurity issues and raise awareness of cybersecurity concerns in the context of the process industries. 

The learning outcome associated with benefits and risks of digitalisation in the accreditation guide is at the level of simple understanding of cybersecurity principles. These could be covered as part of a wider lecture on operations technology (OT) within process control courses. Process control lecturers who practise in the field should have some prior knowledge in this area. The Digitalisation Technical Advisory Group (DigiTAG) has created relevant online resources as part of the Digitalisation Priority Topic for IChemE. Most chemical engineering departments also have contacts with local companies: this content could also be covered by guest lectures by an OT practitioner with the appropriate background. 

Using process, cyber and automation, and behavioural measures to adopt a holistic and proportionate approach to mitigate security risks is a higher-level learning outcome that requires students to be able to analyse and apply their learning. This learning can be addressed by integrating these concepts into the process design course. Also, lecturers teaching process safety and layers of protection analysis could ensure that students understand that hacking is a risk to be considered within HAZOPs, and that cybersecurity controls and hard-wired safety systems may be an important part of cyber incident response and cyber risk mitigation plans. Active learning is a great way to involve students, and is important for engineers who must be able to apply as well as understand theoretical concepts. Reviewing and discussing case studies such as those mentioned above and/or practical laboratory exercises, eg Udugama et al. (2023), which could be entirely simulation based, are also recommended. 

Postgraduate training and lifelong learning 

Key principles for managing risk and ensuring process safety with relation to cybersecurity are articulated in the National Institute of Standards and Technology's (NIST) Framework for Improving Critical Infrastructure Cybersecurity. Understanding of these principles and learning about cybersecurity is critical to those working in the chemical process industries. Many lifelong learning resources are available to help chemical engineers keep up with the development of digitalisation technologies and associated cybersecurity risks.  A range of different professional development resources relate to cybersecurity. Some are technical (eg knowledge and recognition of cybersecurity threats and controls, defence in depth strategies) and others are more business-focussed (eg risk management frameworks, response planning, legal reporting and accountability). It is important for all chemical engineers to build and maintain understanding relevant to their roles. Information is also available online from industry-based papers and platforms, eg LinkedIn Learning, which provides material for self-paced learning. The aforementioned Digitalisation resources available on the IChemE website are also a great starting point for chemical engineers looking to learn about cybersecurity.  

Many companies have employee development schemes, where employees can map out their areas of interest or professional needs, and access relevant training via their employer. Short courses and workshops to communicate recent academic advances in cybersecurity approaches to engineers in industry and inform academics of industrial cybersecurity issues should also be be organised in this developing field, eg areas such as two-tier model predictive control (MPC), attack-resilient MPC, machine-learning based threat detection, encrypted MPC and integrated systems, eg Parker et al. (2023). 

References/bibliography 

• IChemE Priority Topic - Digitalisation 
• IChemE programme accreditation guidelines
• Hunter, T., Cybersecurity and Process Safety, Chemical Engineering Education Online Symposium –the next 100 years of Education, IChemE Education Subject Interest Group, 29 June 2022.
• Iaiani, M., A. Tugnoli, S. Bonvicini, V. Cozzani (2021). Analysis of cybersecurity-related incidents in the process industry. Reliability Engineering & System Safety 209, 107485.
• National Institute of Standards and Technology, 2018, Framework for improving critical infrastructure cybersecurity (version 1.1), Technical report, National Institute of Standards and Technology
• Parker, S., Wu, Z., Christofides, P.D., 2023, Cybersecurity in Process Control, Operations, and Supply Chain, Paper#5, Proceedings of FOCAPO/CPC 2023, San Antonio TX, Jan. 8-12, 2023, 20p
• Tsvetanov, T., S. Slaria (2021). The effect of the colonial pipeline shutdown on gasoline prices. Economics Letters 209, 110122.
• Udugama, I.A., Taube, M.A., Young, B.R., 2023, “A Real-time Based Approach to Distillation Control Education”, Paper#36, Proceedings of FOCAPO/CPC 2023, San Antonio TX, Jan. 8-12, 2023, 6p