C2M2 Case Study — Meridian Specialty Chemicals Inc.

🏢

Company Overview

PROFILE ▼

Company Name

Meridian Specialty Chemicals Inc.

MSCI

Legal Status

Privately Held Corporation

Louisiana C-Corp

Founded

1974

Baton Rouge, Louisiana

Headquarters

Baton Rouge, LA 70802

4801 River Road, Suite 100

Annual Revenue

$187.3 Million

FY 2024 (unaudited)

Total Employees

340 Full-Time

+ 45 Active Contractors

Manufacturing Area

42-Acre Campus

Main plant + Prairieville satellite

Batch Reactors

4 Reactor Trains

3,000-gal capacity each

C2M2 Score Range

MIL 0–1

Baseline assessment (most domains)

Primary Regulation

CFATS Tier 3

EPA RMP Prog. 3 · OSHA PSM · LA DEQ

Primary Contact

Dr. Patricia Nguyen

VP Manufacturing & EHS

IT Staff

8 FTE

OT Controls: 2 FTE · Cyber Dedicated: 0

Company Description

Meridian Specialty Chemicals Inc. (MSCI) is a privately held specialty chemical manufacturer operating a 42-acre production campus in Baton Rouge, Louisiana, and a satellite blending and warehousing facility in Prairieville, LA. Founded in 1974 to serve petrochemical feedstock demand along the Mississippi Chemical Corridor, MSCI has expanded into four primary product lines: specialty solvents for electronics cleaning and semiconductor fabrication, polymer additives for plastics compounders, crop protection intermediates for agricultural chemical formulators, and high-purity cleaning agents for pharmaceutical manufacturing. MSCI supplies approximately 180 customers across North America under long-term supply agreements.

MSCI's manufacturing operations are classified under DHS CFATS Tier 3 due to the presence of several chemicals of interest (COI) above screening threshold quantities, including chlorine, anhydrous ammonia, and certain flammable liquids. The facility is subject to EPA Risk Management Program (RMP) Program 3 requirements for two covered processes, OSHA Process Safety Management (PSM) regulations, and Louisiana DEQ Title V air permitting. MSCI operates an eight-person IT department and two OT/Controls engineers — cybersecurity is treated as a collateral duty of IT Director Carlos Mendes, who estimates less than 8% of his time is spent on security activities. There is no dedicated cybersecurity staff, no CISO, and no formal cybersecurity program.

🏭

Facilities & Physical Infrastructure

2 SITES / 8 AREAS ▼

Area	Location	Function	Physical Security	IT / OT Presence
Main Plant — Admin & IT Building	4801 River Road, Baton Rouge	Corporate offices, IT server room, main control room, EHS department	Card Access CCTV Mantrap (server room)	Domain controllers, DCS application servers, historian, corporate LAN, control room HMIs
Reactor Building A/B (Trains A & B)	Main Plant Campus, North Wing	Batch chemical synthesis — 2 × 3,000-gal glass-lined reactors per train	Badge Access CCTV (partial) No Visitor Log	Honeywell Experion DCS nodes, AB ControlLogix (utilities tie-in), local HMI panels
Reactor Building C/D (Trains C & D)	Main Plant Campus, South Wing	Batch chemical synthesis — 2 × 3,000-gal Hastelloy reactors; higher-hazard chemistry	Card Access CCTV Legacy XP Workstation Present	Honeywell Experion DCS nodes, Safety Manager SIS, local operator panels, WS-006 (Windows XP)
Distillation & Solvent Recovery Unit	Main Plant Campus, East Process Area	Two continuous distillation columns; solvent recovery/recycle; EPA RMP covered process	Perimeter Fence Badge Access No CCTV	Experion DCS, Honeywell Safety Manager SIS (ESD), Emerson Daniel flow computers
Utilities Area (Boiler, Cooling Tower, Compressed Air)	Main Plant Campus, West Side	Steam generation (2 × 50,000 lb/hr firetube boilers), cooling tower, instrument air	Perimeter Fence Padlock Only Unmanaged Switches	Allen-Bradley ControlLogix L85 PLCs — FLAT NETWORK (shares corporate VLAN)
Quality Control Laboratory	Main Plant Campus, Building C	In-process and finished goods testing; GC/MS analysis; stability studies	Card Access Badge Log Only	LabVantage LIMS 8.7 workstations; network-connected GC/MS instruments
Warehouse & Shipping (Main Plant)	4801 River Road — South Gate	Bulk solvent storage (ASTs), drum warehouse, truck loading/unloading, COI storage area	Badge Access CCTV No IDS / Alarm	Barcode scanning workstations; SAP S/4HANA WMS module; no OT systems
Prairieville Satellite Facility	2240 Airline Hwy, Prairieville, LA 70769	Blending, repackaging, and distribution; no chemical synthesis; CFATS Tier 4 sub-threshold	Perimeter Fence Badge Access No Dedicated IT Support	Standalone Windows 10 workstation (WS-008); shared VPN to main plant; no OT systems

👥

Organizational Structure & Staffing

12 KEY ROLES ▼

Critical Gap — No Dedicated Cybersecurity Staff MSCI has zero dedicated cybersecurity employees. IT Director Carlos Mendes serves as the CFATS Facility Security Officer (FSO) and handles all cybersecurity matters as a collateral duty, estimating less than 8% of his time is spent on security activities. There is no CISO, no security operations function, and no OT-specific security role. CFATS requires designation of an FSO and submission of a Site Security Plan (SSP) — MSCI has met these requirements administratively, but implementation of SSP cybersecurity measures is incomplete.

Role	Name	Department	Cybersecurity Responsibility	System Access Level
VP Manufacturing & EHS	Dr. Patricia Nguyen	Executive	SSP approval authority; cyber incident escalation; CFATS executive point of contact	Executive — Read-Only DCS
IT Director (CFATS FSO)	Carlos Mendes	Information Technology	Primary CFATS FSO; all IT/OT cybersecurity decisions; vendor access oversight; SSP implementation	Domain Admin + DCS Admin
Senior Sysadmin	Derek Walsh	Information Technology	Windows server administration; patch management; backup execution	Server Local Admin
Network Engineer	Lena Park	Information Technology	Cisco network infrastructure; Palo Alto NGFW; GlobalProtect VPN management	Network Admin
IT Sysadmin	Omar Rashid	Information Technology	Helpdesk; workstation support; Active Directory user account management	Helpdesk Admin
Database Admin	Mia Torres	Information Technology	SAP HANA DB; LabVantage LIMS DB; SQL Server instances	DB Admin
Controls Engineer	Frank Albright	Engineering	DCS configuration changes; SIS engineering; informal OT change management	DCS Full Admin + SIS Read
Instrumentation Technician	Bobby Tran	Engineering	Field instrument calibration; PLC panel access; loop checks	OT Panel Local Access
Production Supervisor	Angela Carter	Manufacturing	Batch execution oversight; approves operator system access requests	DCS Operator (Read/Control)
Lead DCS Operator	Marcus Hill	Manufacturing	DCS monitoring; batch operations; alarm management; shift reporting	DCS Operator (Read/Control)
EHS Manager	Tina Kowalski	EHS	CFATS compliance coordination; EPA RMP; OSHA PSM program; regulatory incident reporting	LIMS + SAP Read-Only
Batch Server Admin (Contractor)	Siemens SITEC LLC	Contractor	Batch execution server (SIMATIC IT) maintenance, recipe management; remote VPN access	Remote VPN — Batch Server Admin

💻

IT Asset Inventory

SERVERS & WORKSTATIONS ▼

Server Inventory

Asset ID	Description	Hardware	Operating System	Location	Key Gaps / Notes
SRV-001	Primary Domain Controller	Dell PowerEdge R750	Windows Server 2019 Standard	IT Server Room, Baton Rouge	Patched Current No Tier-0 isolation for domain admin accounts
SRV-002	DCS Application Server (Honeywell Experion PKS)	HP ProLiant DL380 G10	Windows Server 2016 Standard	IT Server Room, Baton Rouge	CRITICAL — Domain-joined DCS server No MFA on DCS HMI login
SRV-003	Process Historian (AspenTech IP.21)	Dell PowerEdge R540	Windows Server 2016 Standard	IT Server Room, Baton Rouge	IP.21 v14.0 — Patch 14.1 available IT/OT bridge — accessible from both networks
SRV-004	Batch Execution Server (Siemens SIMATIC IT / ISA S88)	Dell PowerEdge R440	Windows Server 2012 R2 — EOL	IT Server Room, Baton Rouge	EOL OS — No Security Patches Since 2023 Port 8443 internet-facing (legacy recipe upload — ACTIVE)
SRV-005	SAP S/4HANA App Server (ERP — Finance, Procurement, Sales)	Virtual (VMware ESXi 7.0)	Windows Server 2019 Standard	IT Server Room, Baton Rouge (VM)	Patched Current SAP basis admin shared with external SAP partner — standing access
SRV-006	LIMS Server (LabVantage 8.7 — QC Lab)	Dell PowerEdge R340	Windows Server 2019 Standard	IT Server Room, Baton Rouge	LIMS accessible from plant network — no segmentation from QC lab VLAN
SRV-007	File Server (CFATS CVI Documents, Engineering Drawings)	Dell PowerEdge R340	Windows Server 2019 Standard	IT Server Room, Baton Rouge	CVI documents — no access controls beyond standard AD login No DLP or audit logging on CVI folder

Workstation Inventory

Asset ID	Description	Hardware	Operating System	Location	Key Gaps / Notes
WS-001 through WS-004	DCS Operator HMI Workstations (4 units)	Dell OptiPlex 7090	Windows 10 LTSC 2019	Main Control Room	No MFA on DCS login Shared "operator" account active on WS-002 and WS-003
WS-005	DCS Engineering Workstation	Dell Precision 5760	Windows 10 Pro	Controls Engineering Office	Dual-homed: IT LAN (VLAN 10) + DCS network (VLAN 20) USB ports unrestricted; no removable media policy
WS-006	LEGACY Process Graphics Workstation	Dell OptiPlex GX280 (2005 vintage)	Windows XP SP3 — EOL since April 2014	Reactor Building C/D, Local Panel Room	EOL OS — unpatched since 2014 No EDR agent possible on Windows XP Network-connected to DCS VLAN
WS-007	IT Admin Workstation	Dell Precision 3650	Windows 10 Pro	IT Director Office	No PAM tool — IT Director uses direct RDP to all servers from this workstation
WS-008	Prairieville Facility Workstation	Dell OptiPlex 5090	Windows 10 Pro	Prairieville, LA Satellite Facility	No EDR agent installed Connected to main plant via split-tunnel VPN; no dedicated IT support on-site

⚙️

OT / ICS / DCS Asset Inventory

DCS / SIS / BATCH ▼

Critical Finding — Legacy Windows XP DCS Workstation & Internet-Facing Batch Server Port Two critical OT vulnerabilities exist in MSCI's environment. First, process graphics workstation WS-006 in Reactor Building C/D is running Windows XP SP3, an operating system that has received no security patches since April 2014. This machine is network-connected to the DCS VLAN and cannot host modern endpoint detection tools. Second, the Siemens SIMATIC IT batch execution server (SRV-004) has TCP port 8443 open and internet-facing — a legacy configuration from a 2009 remote recipe upload feature that has never been disabled. IT staff are unaware this port is active. An attacker with knowledge of this port could potentially interact with the batch execution system without traversing the corporate network or triggering any existing security control.

Asset ID	Description	Vendor / Model	Firmware / Version	Location	Security Notes
OT-001	DCS Master Controller — Primary	Honeywell Experion PKS	R430.1 (2020)	IT Server Room, Baton Rouge	R430.3 patch available — not yet applied No application whitelisting on Experion nodes
OT-002 through OT-005	DCS Process Controllers — Reactors A–D (4 units)	Honeywell C300 Process Controllers	R430.1 firmware	Reactor Buildings A/B and C/D	Firmware update requires planned process shutdown No keyswitch lock policy enforced on 2 units
OT-006	DCS Process Controller — Distillation & Solvent Recovery	Honeywell C300	R430.1 firmware	East Process Area	Same firmware patch gap as reactor controllers Network-isolated on dedicated VLAN
OT-007	Safety Instrumented System (SIS)	Honeywell Safety Manager SC	v160 (current)	Reactor C/D and Distillation Unit	Current firmware IT staff have SIS read access via corporate AD credentials — not SIS-dedicated accounts
OT-008	Utility PLC — Boilers, Cooling Tower, Compressed Air	Allen-Bradley ControlLogix L85	v33.013 (current)	Utilities Area, West Plant	CRITICAL — On corporate VLAN (flat network, no IT/OT boundary) No industrial firewall at utilities network boundary
OT-009 through OT-010	Batch Execution System — ISA S88 Recipe Management (2 nodes)	Siemens SIMATIC IT R&D Suite	v8.1.0 (2019)	IT Server Room (logical — SRV-004)	Port 8443 internet-facing (legacy — still active) v8.2 update available — requires Siemens on-site Contractor remote access: no MFA, no session recording
OT-011 through OT-012	Flow Computers — Custody Transfer & Mass Balance (2 units)	Emerson Daniel 3-Phase Flow Computer	v2.31	East Process Area (Distillation)	Audit logs enabled — not reviewed on any regular schedule
OT-013 through OT-016	Industrial Ethernet Switches — Managed (4 units)	Cisco Catalyst IE-3400	IOS-XE 17.6.1	DCS network and server room	SNMP v2c enabled — community string "msciint" VLANs configured for DCS isolation at main plant
OT-017 through OT-021	Industrial Ethernet Switches — Unmanaged (5 units)	Phoenix Contact FL SWITCH 1005	N/A (unmanaged)	Utilities area and Prairieville facility	Unmanaged — no logging, no port security, no VLAN capability Cannot enforce segmentation at utilities or remote site
OT-022	Gas Detection System (Fixed LEL / H2S / Cl2 — 38 sensor points)	MSA PrimaX Pro	v3.4 (current)	Main plant process areas (all buildings)	Controller connected to safety network — no formal cybersecurity review or risk assessment performed for this system

🌐

Network Architecture

IT / OT TOPOLOGY ▼

╔══════════════════════════════════════════════════════════════════════════════════════════╗ ║ MERIDIAN SPECIALTY CHEMICALS INC. — NETWORK TOPOLOGY (SIMPLIFIED) ║ ╚══════════════════════════════════════════════════════════════════════════════════════════╝ ┌─────────────────────────────────────────────────────────────┐ │ INTERNET / CLOUD SERVICES │ │ SAP S/4HANA Cloud (SAP-hosted HANA DB) │ │ MSCI Office 365 · Azure AD Connect (SSO) │ └────────────────────────────┬────────────────────────────────┘ │ AT&T Fiber — 500 Mbps Internet Circuit ▼ ┌─────────────────────────────────────────────────────────────┐ │ CORPORATE PERIMETER FIREWALL │ │ Palo Alto PA-3220 NGFW (PAN-OS 10.2.6) │ │ ✓ IPS/IDS enabled on internet-facing zones │ │ ✓ App-ID + User-ID policies active │ │ GlobalProtect SSL VPN ⚠ NO MFA — username/password only │ └─────────────────────────────┬───────────────────────────────┘ │ Corporate LAN (VLAN 10 — 10.10.10.0/24) ▼ ┌─────────────────────────────────────────────────────────────┐ │ CORPORATE IT NETWORK │ │ SRV-001 Domain Controller (Windows Server 2019) │ │ SRV-005 SAP S/4HANA App Server (VM — Windows 2019) │ │ SRV-006 LabVantage LIMS Server (Windows 2019) │ │ SRV-007 File Server ⚠ CVI DOCS — UNPROTECTED FILE SHARE │ │ Cisco Catalyst 4500X Core Switch │ └──────────────┬──────────────────────────┬────────────────────┘ │ VLAN 20 (10.20.0.0/16) │ VLAN 30 (Safety — 10.30.0.0/24) ▼ ▼ ┌───────────────────────────┐ ┌──────────────────────────────┐ │ DCS / PROCESS CONTROL │ │ SAFETY NETWORK │ │ NETWORK (VLAN 20) │ │ OT-007 Honeywell Safety │ │ │ │ Manager SC (SIS) │ │ SRV-002 Experion PKS │ │ IEC 61511 compliant SIS │ │ SRV-003 IP.21 Historian │ │ ⚠ IT staff have read access │ │ ⚠ BRIDGE: VLAN 10+20 │ │ via corporate AD creds │ │ SRV-004 Batch Server │ │ (not SIS-dedicated accts) │ │ ⚠ PORT 8443 INTERNET │ └──────────────────────────────┘ │ WS-001 to WS-004 HMIs │ │ WS-005 Eng. WS │ │ ⚠ DUAL-HOMED VLAN10+20 │ │ OT-001 to OT-006 C300s │ │ OT-013–016 IE-3400 SW │ └───────────────────────────┘ ┌─────────────────────────────────────────────────────────────┐ │ ⚠ UTILITIES FLAT NETWORK — NO SEGMENTATION (VLAN 10) │ │ │ │ OT-008 Allen-Bradley ControlLogix L85 PLC │ │ (Boilers · Cooling Tower · Compressed Air) │ │ SAME SUBNET AS CORPORATE LAN — no firewall │ │ ANY corporate workstation can reach this PLC │ │ │ │ OT-017 to OT-021 Phoenix Contact Unmanaged Switches │ │ No logging · No port security · No VLAN support │ └─────────────────────────────────────────────────────────────┘ VENDOR REMOTE ACCESS (ALL via GlobalProtect VPN — NO MFA): ────────────────────────────────────────────────────────────── Honeywell PSS → VPN → SRV-002 DCS Full Admin (shared cred, no recording) Siemens SITEC → VPN → SRV-004 Batch Server Admin (no MFA, port 8443 unknown) SAP Partner → VPN → SRV-005 SAP Basis Admin (standing access since 2021) LabVantage → VPN → SRV-006 LIMS Admin (annual, no MFA, active year-round) ⚠ No vendor access reviews performed · No session recording on any vendor session

Utilities Flat Network Gap The Allen-Bradley ControlLogix L85 utility PLCs (OT-008) — controlling the boiler plant, cooling tower, and compressed air system — share the same corporate VLAN (VLAN 10, 10.10.10.0/24) as all corporate IT workstations, servers, and the GlobalProtect VPN termination point. There is no industrial firewall, no VLAN boundary, and no access control list between the corporate network and the utility PLC Ethernet ports. Any device connected to the corporate LAN, including a compromised workstation or an authenticated VPN session, can communicate directly with the PLC without traversal of any security boundary.

Dual-Homed Engineering Workstation & Internet-Facing Batch Server Port WS-005 (DCS Engineering Workstation) has two active network interfaces — one on VLAN 10 (corporate IT) and one on VLAN 20 (DCS/process control). This dual-homed configuration creates a direct network bridge that bypasses the Palo Alto NGFW segmentation between IT and OT at the Baton Rouge campus. Additionally, SRV-004 (Batch Execution Server) has TCP port 8443 open and reachable from the internet. This port is not present in the current Palo Alto firewall ruleset because it predates the firewall — the port was configured in 2009 and was inadvertently carried forward when MSCI migrated to the Palo Alto platform in 2017. No IT staff member is currently aware the port is active or internet-reachable.

🔒

Cybersecurity Controls Assessment

12 CONTROL DOMAINS ▼

Domain	Current Control / Status	Implementation	Key Gap / Finding
Access Management	Active Directory with RBAC groups; Palo Alto GlobalProtect VPN; local accounts on DCS Experion server	Partial	No MFA on VPN, DCS HMIs, or batch server; shared operator accounts on WS-002 and WS-003; no PAM tool; no privileged access review process
Threat & Vulnerability Management	Rapid7 InsightVM deployed on IT network; no OT scanning; informal patch process for Windows servers only	Partial	All OT assets (DCS, SIS, PLCs) excluded from vulnerability management program; WS-006 (Windows XP) unpatched since 2014; Experion R430.3 available but not applied; no risk-based patching schedule for OT systems
Situation Awareness	Palo Alto firewall logs reviewed manually and ad-hoc; no SIEM; Windows event logs retained locally only; no OT network monitoring	Missing	No SIEM or centralized log aggregation; DCS/OT network has zero intrusion detection or anomaly monitoring capability; log retention less than 14 days on most systems; internet-facing port 8443 on SRV-004 was never detected by existing controls
Incident Response	Draft IT-focused IRP exists; OSHA PSM emergency response plan covers chemical process releases (not cyber); no cyber tabletop exercises conducted	Partial	IRP has no OT/DCS-specific runbooks; no cyber-physical scenario planning; PSM emergency plan and cyber IRP are completely separate and not integrated; no tabletop or functional exercise history; DHS expects incident response capability even though CFATS does not prescribe specific IR procedures
Service Continuity	Tape backups performed for IT servers; no tested restoration procedure; BCP covers physical hazards (hurricane, fire, chemical release) only; DCS has no backup or recovery procedure	Missing	No cyber BCP or DR plan; no defined RTO/RPO for DCS, batch server, or historian; SRV-003 (IP.21 Historian) backup has never been tested for successful restoration; no backup DCS controller or hot standby for Experion PKS; batch recipe library (SRV-004) has no verified backup
Risk Management	CFATS CSAT completed 2022 (DHS hazard-based assessment); OSHA PHA addresses process safety risks only; no formal cybersecurity risk assessment exists	Missing	No cyber risk register; CFATS CSAT findings from 2022 only partially implemented; no cyber-physical risk analysis for batch reactor DCS compromise scenarios; CFATS Tier 3 SSP contains a cybersecurity section but the required technical controls have not been fully operationalized
Asset Management	IT CMDB in ServiceNow maintained for IT assets; OT assets tracked in spreadsheet by Controls Engineer Frank Albright; no automated asset discovery	Partial	OT asset inventory incomplete and not integrated with CMDB; WS-006 (XP workstation) not listed in ServiceNow; SRV-004 internet-facing port 8443 not in any asset or configuration record; no configuration baseline documented for DCS controllers; software inventory for OT systems not maintained
Identity Management	Active Directory manages IT user identities; DCS accounts locally managed on Experion application server; no formal identity lifecycle management for OT accounts	Partial	Two former contractor AD accounts remain active (departed within last 12 months); DCS accounts for at least one departed controls contractor not removed; no periodic user access certification; SAP partner retains standing VPN access between quarterly visits — access not deprovisioned between engagements
Supply Chain & Third-Party Risk	Vendor contracts reference general liability; Honeywell and Siemens hold active remote VPN access; no third-party vendor risk management program	Missing	No third-party cyber risk assessment program; Honeywell remote DCS access uses shared credential with no MFA and no session recording; Siemens batch server access has same gaps plus undiscovered internet-facing port; no annual vendor security review; no cybersecurity requirements in any vendor SOW or MSA
Workforce Management	OSHA and EHS safety training mandatory and well-documented; cybersecurity awareness training completely absent; background checks for new hires and all CFATS-designated personnel	Partial	No cybersecurity awareness training program; no phishing simulations ever conducted; DCS operators have not received any ICS security training; IT Director / CFATS FSO (Carlos Mendes) holds no formal cybersecurity certification; CFATS personnel surety (background check) requirements are met but no cyber-specific training requirements are enforced
Physical Security	HQ and control room: card access + full CCTV; reactor buildings: badge access; utilities area: padlock only; CFATS SSP physical security measures partially implemented	Partial	Utilities area — containing PLCs on the flat corporate network — has only padlock-level physical security with no CCTV and no intrusion alarm; no visitor escort policy for contractor access to OT panel rooms in reactor buildings; Prairieville satellite facility has no dedicated IT or security support and a single badge-access entry point
Configuration Management	IT change tickets managed in ServiceNow; OT changes performed verbally by Controls Engineer without documentation; no formal OT change management process; no DCS configuration backup	Missing	No formal OT change management process; DCS controller configurations not backed up or version-controlled; PLC ladder logic not stored in a version control system; WS-006 (XP workstation) configuration is completely unknown; the batch server's internet-facing port 8443 exists because of an undocumented 2009 configuration change that was never reviewed or recorded

🤝

Third-Party Relationships & Vendor Access

8 VENDORS ▼

Vendor Remote Access — No MFA, No Session Recording, No Review Three vendors — Honeywell PSS, Siemens SITEC, and the SAP partner — hold administrative-level remote access to MSCI's most critical systems (DCS, batch server, ERP). All three connect via GlobalProtect VPN using username and password only (no MFA). Sessions are not recorded or monitored. Access is not time-limited or deprovisioned between engagements. No formal vendor risk assessment has been performed for any vendor. Honeywell's VPN credential is shared among multiple Honeywell field service engineers — MSCI has no way to determine which individual accessed the DCS at any given time, or what changes were made.

Vendor	Service Provided	Access Level	Risk Rating	Notes / Gaps
Honeywell Process Solutions (PSS)	Experion PKS DCS application support, patch deployment, configuration changes	Remote VPN — DCS Full Admin	HIGH	Shared credential used by multiple Honeywell engineers; no MFA; no session recording; access not time-limited; no annual review; last remote session date not logged
Siemens SITEC LLC	SIMATIC IT batch execution server maintenance, ISA S88 recipe management updates	Remote VPN — Batch Server Admin	HIGH	No MFA; no session recording; SRV-004 has internet-facing TCP port 8443 that Siemens itself is unaware of; last confirmed remote access: approximately 4 months ago; v8.2 software update pending
SAP SE / Authorized Partner	SAP S/4HANA BASIS administration, quarterly software patches and system health checks	Remote VPN — SAP Basis Admin (quarterly)	MEDIUM	No MFA; standing VPN access not deprovisioned between quarterly visits; same credential in use since 2021; SAP partner personnel turnover not communicated to MSCI; no time-of-day access restrictions
LabVantage Solutions	LIMS application support and annual version upgrade	Remote VPN — LIMS Admin (annual)	MEDIUM	Remote access only during annual upgrade engagement; however, VPN account remains active year-round and is never deprovisioned between annual visits; no MFA
PSC Environmental Services (EHS Consultant)	EPA RMP plan updates, CFATS CSAT submission support, OSHA PSM third-party auditing	Onsite Only + LIMS/SAP Read-Only	LOW	Physical access only during PSM audit and RMP update engagements; limited read-only data access on-site; CFATS personnel surety (background check) completed for all PSC personnel; CVI handling training confirmed
Air Products and Chemicals (Gas Supply)	Specialty gas cylinder delivery — nitrogen, hydrogen, argon, instrument air	Physical Delivery Only	LOW	No IT or OT system access; delivery personnel issued temporary badge at dock; drivers do not enter process areas; CFATS personnel surety completed for drivers accessing COI storage areas
Cisco SmartNet / CDW Government	Network equipment maintenance contracts, replacement hardware procurement, Cisco TAC support	Onsite — Network Access (as needed)	MEDIUM	On-site access only when replacing failed equipment; CDW has no standing remote access; Cisco TAC support accessed via case portal only; no formal security requirements in SmartNet or CDW statements of work
DHS / CISA — CFATS Inspector	CFATS compliance inspections — SSP verification, physical security walk, chemical inventory audit	Onsite — SSP Review + Physical Walk	REGULATORY	Access per DHS CFATS inspection schedule; no IT or OT system access during inspections; all CFATS documentation shared under CVI handling requirements; follow-up inspection scheduled for 2026 based on 2022 CSAT findings

📋

Policies & Governance

POLICY INVENTORY ▼

Critical Gap — CFATS CVI Data Improperly Protected Chemical-terrorism Vulnerability Information (CVI) is a sensitive DHS-protected category of information under 6 CFR Part 27, Appendix A. MSCI's CFATS documentation — including the Site Security Plan (SSP), CSAT vulnerability assessment results, facility chemical inventory above screening threshold quantities, and security vulnerability findings — is stored on SRV-007 in a standard Windows file share accessible to all domain users with a basic Active Directory login. CVI handling regulations require access controls limited to personnel with a demonstrated need to know, audit logging of all access, and restrictions on copying or transmitting CVI. None of these controls are implemented. Any MSCI employee, or any attacker with a compromised domain account, could access CVI documents without restriction or detection.

Policy & Procedure Inventory

In Place — 2023 Acceptable Use Policy (AUP) — Covers IT systems, internet use, and email; all employees sign annually; does not address OT systems, removable media on DCS workstations, or CFATS CVI document handling requirements
Draft — Never Exercised Incident Response Plan (IRP) — IT-focused draft document; no OT or DCS-specific runbooks; not integrated with the OSHA PSM Emergency Response Plan; never tested via tabletop or functional exercise; CFATS does not specify IR procedures but DHS expects a documented and practiced capability
Informal — IT Only Change Management Procedure — ServiceNow change tickets used for IT infrastructure; all OT changes performed verbally or via email by Controls Engineer with no formal documentation or approval gate; no change advisory board; the batch server's internet-facing port 8443 exists because of a 2009 change that was never reviewed, approved, or recorded
Does Not Exist OT Patch Management Policy — No formal policy governing DCS, SIS, or PLC firmware and software patching; updates applied ad-hoc when a vendor recommends during a service call; WS-006 (Windows XP) has received no security patches since April 2014; no compensating controls documented for unpatched OT systems
IT Only — OT Not Addressed Access Control Policy — IT user provisioning and deprovisioning process documented; OT account management completely absent from the policy; two former contractor AD accounts remain active; DCS accounts are not synchronized with the HR offboarding process
Does Not Cover Cyber Business Continuity Plan (BCP) — Physical BCP covers hurricane, fire, equipment failure, and chemical release scenarios; does not address cyber-induced operational disruption; no defined RTO or RPO for IT or OT systems; no cyber BCP testing history; batch recipe library recovery not addressed
Does Not Exist Third-Party / Vendor Access Policy — No documented policy governing vendor remote access; no requirements for MFA, session recording, access time limits, or scope restrictions; no annual vendor access review; vendor SOWs and MSAs do not include cybersecurity requirements or right-to-audit clauses
Improperly Implemented CFATS CVI Handling Policy — CVI handling obligations are referenced in the SSP but have never been operationalized; CVI documents are stored on an open file share accessible to all AD-authenticated users; no access logging, no need-to-know enforcement, no CVI training records for personnel beyond the FSO; this constitutes a potential CVI mishandling violation under 6 CFR Part 27
Does Not Exist Removable Media Policy — No policy restricts the use of USB drives or external media on OT workstations; USB ports on WS-005 (DCS engineering workstation) and WS-006 (XP graphics workstation) are unrestricted; Honeywell PSS has historically delivered DCS patches via USB media without hash verification or malware scanning prior to OT use
Filed 2022 — Partially Implemented CFATS Site Security Plan (SSP) — Required cybersecurity measures were identified in the 2022 CSAT submission; SSP approved by DHS; several Tier 3 required cybersecurity controls specified in the SSP have not yet been technically deployed; a DHS follow-up compliance inspection is scheduled for 2026 to verify SSP implementation status

📊

C2M2 Domain Assessment — Indicative Scores

10 DOMAINS ▼

Assessment Scope Note The following indicative C2M2 v2.1 maturity scores are based on the asset inventory, controls assessment, and policy review documented in this case study. Students should validate these scores by mapping individual C2M2 practices to the evidence presented, identifying where MSCI's actual practices fall short of the documented MIL threshold. MSCI's process safety maturity (OSHA PSM program, IEC 61511-compliant SIS) is high relative to its peer group — but cybersecurity maturity is largely independent and must be assessed separately. A common student error is to conflate PSM program maturity with C2M2 cybersecurity maturity; these are distinct disciplines with distinct evidence requirements.

🗂️ ASSET — Asset, Change & Configuration Management

MSCI maintains an IT CMDB in ServiceNow and tracks OT assets in a spreadsheet, yielding a partial MIL 1. Critical gaps include WS-006 (XP workstation) absent from the CMDB, the internet-facing port 8443 not recorded anywhere, and no DCS configuration baselines.

IT CMDB exists but OT inventory is a separate, incomplete spreadsheet
WS-006 (legacy XP workstation) not present in any asset tracking system
No configuration baseline for Experion DCS controllers or PLCs
Top Practice: ASSET-2a — Establish unified OT asset inventory with configuration baselines and change history

Current MIL: 1 (IT) / MIL 0 (OT Config Mgmt)

🎯 THREAT — Threat and Vulnerability Management

Rapid7 InsightVM provides IT vulnerability scanning, but all OT assets are excluded. WS-006 has been unpatched for over 10 years. The Experion R430.3 patch is available but not applied. No OT-specific threat intelligence sources are monitored.

OT assets (DCS, SIS, PLCs, XP workstation) excluded from vuln program
WS-006 (Windows XP EOL) — no patches since April 2014
Experion R430.3 patch available; not scheduled for application
Top Practice: THREAT-1a — Extend vulnerability management scope to cover all OT/ICS assets

Current MIL: 1

⚖️ RISK — Risk Management

CFATS CSAT is a DHS-driven hazard inventory, not a cybersecurity risk assessment. No cyber risk register exists. CSAT findings from 2022 are partially implemented. No cyber-physical risk analysis has been performed for DCS compromise scenarios in the batch reactor environment.

No documented cybersecurity risk register of any kind
CFATS CSAT ≠ C2M2 risk management — students should clearly distinguish these
2022 CSAT findings only partially implemented — DHS follow-up inspection due 2026
Top Practice: RISK-1a — Establish cyber risk register incorporating CFATS, PSM, and OT threat scenarios

Current MIL: 0

🔑 ACCESS — Identity and Access Management

AD RBAC and Palo Alto VPN provide basic IT access controls. However, no MFA is deployed anywhere — not on VPN, DCS HMIs, or the batch server. Shared operator accounts and stale contractor accounts are active. OT identities are outside AD governance.

No MFA on VPN, DCS HMIs, or batch server — highest priority gap
Shared "operator" account on two HMI workstations
Two former contractor AD accounts still active; DCS accounts not reviewed
Top Practice: ACCESS-2b — Implement MFA for all VPN, remote access, and DCS HMI authentication

Current MIL: 1

👁️ SITUATION — Situational Awareness

The most significant MIL 0 domain. No SIEM, no centralized logging, no OT network monitoring of any kind. The internet-facing port 8443 on SRV-004 is the clearest evidence of this gap — it existed for 15 years without being detected by any security control.

No SIEM or centralized log aggregation platform
OT/DCS network has zero IDS or behavioral anomaly monitoring
Log retention less than 14 days on most systems — insufficient for forensics
Top Practice: SITUATION-1a — Deploy SIEM with IT + OT log ingestion; add passive OT network monitoring

Current MIL: 0

🚨 RESPONSE — Event and Incident Response, Continuity

A draft IT IRP exists. The OSHA PSM emergency response plan is mature for process safety events but completely separate from the cyber IRP. No tabletop exercises have ever been conducted. No OT-specific runbooks or cyber-safety decision trees exist for operators.

IRP and PSM emergency plan are entirely separate — not integrated
No OT incident runbooks; DCS operators have no cyber guidance
No tabletop exercise has ever been conducted at MSCI
Top Practice: RESPONSE-1b — Develop and exercise integrated cyber-physical IRP with OT runbooks

Current MIL: 1

🏢 THIRD-PARTIES — Third-Party Risk Management

No third-party risk management program of any kind. Three vendors hold admin-level remote access to critical systems with shared credentials, no MFA, and no session recording. Vendor contracts contain no cybersecurity requirements. No reviews have been performed.

Honeywell DCS access: shared credential, no MFA, no session monitoring
Siemens batch server access: identical gaps + unknown internet-facing port
No security requirements in any vendor contract or SOW
Top Practice: THIRD-1a — Establish vendor access policy with MFA, session recording, and annual review

Current MIL: 0

👷 WORKFORCE — Workforce Management

OSHA and EHS safety training is mandatory and well-documented — a strength. However, no cybersecurity awareness training exists, no phishing simulations have been run, and DCS operators have received no ICS security training. The CFATS FSO holds no security certification.

No cybersecurity awareness program — zero training history for any role
DCS operators cannot identify cyber incident indicators
CFATS FSO (IT Director) has no formal cybersecurity qualification
Top Practice: WORKFORCE-1a — Implement cyber awareness training with OT/ICS-specific content for all roles

Current MIL: 1

🏗️ ARCHITECTURE — Cybersecurity Architecture

The Palo Alto NGFW is a genuine strength at the perimeter. DCS VLAN segmentation exists at the main plant. However, WS-005 dual-home bypasses the VLAN boundary, utilities PLCs are on the flat corporate VLAN, and unmanaged switches eliminate visibility and control at utilities and Prairieville.

Utilities PLCs on flat VLAN 10 — any corporate device can reach them
WS-005 dual-homed — bridges VLAN 10 and VLAN 20, bypassing Palo Alto
5 unmanaged switches — no logging, port security, or VLAN capability
Top Practice: ARCHITECTURE-2a — Segment utilities network; remove WS-005 dual-home; replace unmanaged switches

Current MIL: 1

🗓️ PROGRAM — Cybersecurity Program Management

No formal cybersecurity program exists at MSCI. The CFATS SSP was filed to meet a regulatory obligation, not as part of a strategic security program. There is no CISO, no security budget line item, no governance structure, and no program roadmap. Cybersecurity is entirely reactive and collateral.

No cybersecurity budget — funded ad-hoc from IT operating budget
No executive governance (no CISO, no security steering committee)
CFATS SSP filed for compliance but not operationalized as a program
Top Practice: PROGRAM-1a — Establish executive-sponsored program with budget, CISO, and governance structure

Current MIL: 0

🎓

Exercise Discussion Questions & Scenario Injects

5 SCENARIOS ▼

Scenario A — Spear-Phishing Targeting the Controls Engineer A threat actor sends a convincing spear-phishing email to Controls Engineer Frank Albright, appearing to come from Honeywell PSS with a link to "review a critical Experion security advisory." The link installs a remote access trojan (RAT) on WS-005, the dual-homed engineering workstation connected to both VLAN 10 (corporate IT) and VLAN 20 (DCS network). The RAT begins enumerating the DCS network and attempts to authenticate to SRV-002 (Experion PKS application server) using Frank's cached domain credentials.

Discussion: What detection capability does MSCI have at each stage of this attack chain — initial delivery, execution, lateral movement to DCS? How does the dual-homed WS-005 affect the blast radius and containment options? What does the draft IRP require Frank to do, and is that guidance sufficient? Which C2M2 domains are most directly implicated? Which implemented controls, if any, would have disrupted this scenario?

Scenario B — Internet-Facing Batch Server Port Discovered During a routine Rapid7 InsightVM scan of the IT network, Network Engineer Lena Park notices an anomalous outbound connection originating from SRV-004 (Batch Execution Server) on TCP port 8443. She escalates to IT Director Carlos Mendes. Carlos has no record of this port in the Palo Alto firewall ruleset, the ServiceNow CMDB, or any change record. He contacts Siemens SITEC, who confirms the port exists as a legacy feature from 2009 but states they have not used it in several years and cannot confirm whether it has been accessed by any other party.

Discussion: How does MSCI determine whether this port represents a benign historic misconfiguration, an active exploit, or an authorized but completely undocumented feature? What change management and configuration management practices are missing that allowed this to persist for 15 years? Map this finding to specific C2M2 ASSET and ARCHITECTURE domain practices. What are the CFATS regulatory implications if this port is discovered by a DHS inspector before MSCI addresses it?

Scenario C — DHS CFATS Unannounced Follow-Up Inspection A DHS/CISA chemical security inspector arrives at the facility for an unannounced follow-up compliance inspection related to MSCI's 2022 CSAT submission. The inspector requests evidence of implementation for the cybersecurity measures specified in MSCI's approved Site Security Plan, specifically: (1) access control measures for CFATS CVI documents; (2) network segmentation between IT and OT systems; (3) remote access security controls for DCS systems; (4) personnel cybersecurity training records; (5) evidence of a cybersecurity monitoring and detection capability.

Discussion: For each of the five SSP implementation items, assess MSCI's ability to provide adequate compliance evidence. Which items are most likely to generate an SSP amendment requirement or corrective action? What are the potential enforcement consequences under 6 CFR Part 27 for unimplemented SSP measures? Build a 60-day emergency remediation plan prioritized by CFATS compliance risk, distinguishing between quick administrative fixes and longer technical implementations.

Scenario D — Ransomware Lateral Movement from IT to Utilities PLC A ransomware variant enters MSCI's network via a phishing email clicked on a corporate workstation on VLAN 10. The ransomware rapidly encrypts files on corporate file shares (including SRV-007, which contains CFATS CVI documents) and begins scanning for additional targets. Because the Allen-Bradley ControlLogix utility PLCs (OT-008) share VLAN 10 with the corporate LAN, the ransomware's network scanner reaches the PLC's Ethernet port. The PLC firmware does not support the SMB exploit used for lateral movement, but the cooling tower PLC loses communications when the ransomware encrypts the engineering workstation that was polling it on VLAN 10. The cooling tower trips on communication loss, causing a process upset in Reactor Train C.

Discussion: Trace the full attack path and identify the precise network segmentation boundary that, if implemented, would have contained the ransomware to VLAN 10. What is the production and safety impact of an unplanned cooling tower trip during an active exothermic batch in Reactor Train C? Does MSCI's BCP address this scenario? What is the cyber-versus-process-safety decision-making process when the cooling tower trips — who makes the call, and what does the OSHA PSM emergency plan require? Map the containment failure to C2M2 ARCHITECTURE and SERVICE CONTINUITY domain practices.

Scenario E — Insider Threat: Departing Contractor with Active AD Account During a routine student-led access review exercise, a former Honeywell controls contractor who departed MSCI 8 months ago is found to have an active Active Directory account with Experion DCS read access. The account can authenticate to the GlobalProtect VPN from any external location. HR records confirm the contractor was terminated for cause following a workplace dispute. The IT ticket to disable the account was created but never completed — it was closed as a duplicate of a different ticket that referred to a different contractor.

Discussion: How long has this account represented a live external attack surface, and what is the worst-case exposure? What monitoring capability would detect unauthorized VPN authentication from this account — and does MSCI have it? Walk through the complete MSCI account deprovisioning process and identify exactly where it failed in this case. Map this finding to C2M2 IDENTITY and WORKFORCE domain practices. What immediate containment steps should Carlos Mendes take today, and what long-term process controls should be implemented to prevent recurrence?