Site Security
This Wiki page summarizes all of the standards from Star Factory relating to Security.
1. Introduction
This Site Security standard intends to give a framework to ensure an adequate level of protection of all of our sites (production, warehouses, administration, etc.) against all the threats, physical and cyber, that can be encountered. The levels of protection must be in line with the levels of threat, which are themselves commensurate with the criticality of the site / asset. It is therefore important to define and implement these security measures to limit the potential impact of threats to an acceptable level. The objective of these standards is to safeguard our capacity to conduct business.
A detailed playbook has been developed by the industrial team and can be found here.
An important distinction is the Site Security Classification, as not all sites are exposed to the same level of threat. The attractiveness of a site for malicious activity depends on a number of criteria, which vary with the type of attacker.
Solvay applies 3 classifications of sites (irrespective of whether they are production, pilot line or formulation):
- A Sites – sites that hold so-called security relevant chemicals (SRC); these are chemicals that have the potential (toxic or explosive) to cause significant numbers of fatalities outside of the site resulting from malicious release through explosion, fire or other. This means that both presence and quantity are important. These sites would typically be a target for terrorist attacks.
- B Sites – sites that hold so-called precursors to explosives or drugs; these sites would typically be targeted by organized crime or terrorists to obtain the precursors for use elsewhere. This means that the presence of these precursors is enough to be classified as B.
- C Sites – sites that are not A or B.
However, ALL sites are considered possible targets for opportunistic criminals (metal theft, theft of precious metals, theft of IT hardware…), or cyber criminals trying to get access to the Solvay network. Therefore, all site classifications require minimal measures of protection.
2. Solution
The most important tool at hand is the Security Vulnerability Self Assessment (SVSA), which must be conducted by all sites every 3 years (or after a major incident) to define security classification and risk levels. This SVSA, with the support of the Group Security teams, will help outline security measures that should be implemented to reduce security vulnerabilities and risks to an acceptable level. Then these functional or technical solutions should be implemented.
Note: A-1 rated sites must mitigate the risks within one year from the last SVSA date.
The prerequisites are: an up-to-date SVSA report; functional security systems, controls, and procedures as per Solvay standards; security awareness, training, and drills. Each site must have a Security Champion, who will ensure these requirements are maintained and the improvement measures implemented.
3. Impact
The SVSA will define a Security Risk Level (1-3; therefore an A-1 site is the most “exposed” and critical) and a compliance score (0-100). KPIs related to Group Cyber Security standards are also tracked.
Compliance Scores
- Required Compliance Score for an A-rated site is 80% or above
- Required Compliance Score for a B-rated site is 75% or above
- Required Compliance Score for a C-rated site is 60% or above
Major security breaches, especially in A-rated sites with high volumes of security relevant explosive or toxic chemicals, can potentially lead to serious injuries or loss of life, property loss or damage, sensitive data leaks, and stoppage of production, which can have a significant impact on the bottom line and company reputation.
Cyber Security Policies, Assessments, and Standards are developed and implemented by the Group Cyber Security and DT teams at the Group Level. Please reach out to Chris Roth and Xavier Paulus.
Useful Links
Synthesis Standard One Pager
Key Trainings
Key Contacts