OT Cybersecurity Services for Petrochemical and Refining Operators in Sarnia-Lambton, Ontario

Engineering-Led OT and ICS Cybersecurity

Sarnia-Lambton is Canada's second-largest petrochemical and refining cluster and one of the most concentrated industrial corridors in North America. More than 40 major chemical and petrochemical facilities operate within a 25-kilometre radius, including refineries, speciality chemical manufacturers, polymer producers, and industrial gas operations. The region produces a significant portion of Canada's transportation fuels, petrochemical feedstocks, and speciality chemicals from continuous process operations running 24 hours a day.

This operational density means that Sarnia's industrial control systems, SCADA networks, and safety instrumented systems represent a target profile comparable to the Gulf Coast petrochemical corridor in the United States. The same threat actors conducting reconnaissance against Gulf Coast refinery OT environments are active in Canadian industrial networks. The Canadian Centre for Cyber Security has specifically identified the chemical and petrochemical sector as a high-priority target in recent advisories.

We provide OT cybersecurity assessments, IEC 62443 alignment, and OT security program services for operators in Sarnia-Lambton and across the Ontario industrial corridor, delivered remotely and on-site.

The OT Cybersecurity Risk Landscape in Sarnia's Chemical Valley

Continuous Process Refining Operations

Sarnia's refineries operate distributed control systems managing crude distillation, hydrotreating, catalytic reforming, and product blending as continuous processes. Like Gulf Coast refineries, these operations run on patching cycles measured in years, with planned turnarounds representing the primary window for OT system maintenance. The installed DCS platforms at many Sarnia facilities include legacy versions of major vendor platforms that no longer receive security patches, creating an environment where network-level compensating controls are the primary available defence.

Historian connections between the process control network and corporate business systems are standard in modern refinery operations. Without proper DMZ architecture and access controls, these connections create a bidirectional pathway between the refinery OT network and the corporate IT network. A corporate network breach that allows lateral movement into the refinery DCS is a realistic threat scenario for facilities without segmentation controls.

Petrochemical and Polymer Manufacturing

Sarnia's petrochemical facilities produce ethylene, vinyl chloride monomer, polyethene, polypropylene, and a range of speciality polymers from continuous cracking and polymerisation processes. These facilities operate safety instrumented systems with SIL-rated functions protecting against over-pressurisation, exothermic runaway, and hazardous material release. The security of safety instrumented systems in Sarnia's Chemical Valley is a direct process safety issue, not just a cybersecurity compliance matter.

Speciality Chemical and Industrial Gas Operations

Sarnia's speciality chemical and industrial gas facilities operate smaller-scale OT environments but face many of the same security challenges as their larger neighbours: vendor remote access for maintenance, IT/OT integration for enterprise reporting, and legacy control hardware running unpatched firmware. The concentration of facilities in a small geographic area also creates shared infrastructure dependencies, where a cybersecurity incident at one facility could affect shared utilities or emergency response resources across the cluster.

Applicable Standards and Compliance Framework for Sarnia Operators

Standard | Applies To | Key OT Security Requirement
CCCS Industrial Control Systems Security Guidelines | Canadian critical infrastructure operators | Network segmentation, asset inventory, incident detection and response
IEC 62443 | Industrial automation and control system operators | Zone and conduit architecture, Security Levels, access control, and patch management
IEC 61511 (Functional Safety) | Operators of safety instrumented systems | SIS lifecycle security, cybersecurity assessment for safety systems
Ontario Energy Board (OEB) cybersecurity requirements | Ontario electricity distributors and transmitters | OT security program requirements for utility operators in the region
Responsible Care (Chemistry Industry Association of Canada) | Chemical and petrochemical manufacturers | Process security, emergency preparedness, community right-to-know
Canadian Environmental Protection Act (CEPA) | Chemical manufacturers above thresholds | Hazardous substance handling, release prevention, and emergency planning

OT Cybersecurity Services for Sarnia-Lambton Industrial Operators

OT Risk Assessment and Gap Analysis

A structured OT gap assessment for a Sarnia-area petrochemical or refinery operator maps current controls across process control networks, safety system networks, historian and enterprise integration points, and remote access infrastructure. The assessment references IEC 62443 and CCCS guidelines and accounts for the specific operational constraints of continuous process environments where assessment activities must not interfere with running operations.

Safety Instrumented System Security

SIS security at Sarnia petrochemical facilities sits at the intersection of IEC 61511 functional safety requirements and IEC 62443 cybersecurity requirements. We assess the cybersecurity posture of safety system networks and develop compensating controls that protect SIS logic integrity, access controls, and network isolation without affecting safety function performance. This is a specific competency that most general IT security providers do not have and is critical for Chemical Valley operators.

IEC 62443 Zone Architecture Design

For a Sarnia refinery or petrochemical facility with multiple process units, IEC 62443 zone and conduit design provides the framework for segmenting process control networks by unit, controlling data flow to historian and corporate systems, and limiting the blast radius of any compromise. We design zone architectures that map to the physical and logical structure of Sarnia-area facilities and define the firewall rules, DMZ architecture, and conduit controls needed to implement them.

OT Vulnerability Assessment

Passive vulnerability assessment identifies CVEs and configuration vulnerabilities across your OT asset base without disrupting live operations. For Sarnia facilities running legacy Honeywell TDC 3000, Foxboro I/A, or Yokogawa CS 3000 platforms alongside newer DCS installations, we identify which installed versions have known vulnerabilities and assess which are exploitable given your network architecture and compensating controls.

Remote Access Security for Vendor and Engineering Access

Chemical Valley facilities rely on vendor remote access for DCS maintenance, specialist troubleshooting, and engineering support. Poorly controlled vendor access, including shared credentials, persistent VPN connections, and a lack of session recording, is one of the most common OT attack vectors. We assess and redesign vendor remote access architecture to enforce least-privilege access, multi-factor authentication, and session monitoring without disrupting the vendor relationship management that Chemical Valley operators depend on.

Frequently Asked Questions

Sarnia-Lambton's concentration of petrochemical and refining operations in a small geographic area creates a unique risk profile. The density of high-consequence OT environments, the shared infrastructure dependencies between facilities, and the use of vendor remote access across multiple operators in the same cluster mean a successful OT compromise at one facility can have implications beyond that facility's fence line. The cluster profile is also well understood by threat actors who map industrial infrastructure systematically.

End-of-life OT platforms are common in Chemical Valley, and the appropriate response is not always immediate replacement. The first step is to assess exploitability: is the platform network-accessible, and if so, from where? Proper network segmentation and access controls can substantially reduce the risk of an unpatched, end-of-life DCS while a replacement project is planned and funded. We help operators develop a realistic risk management position for legacy platforms, including compensating control recommendations and a migration timeline that accounts for process safety requirements.

Yes. IEC 62443 covers industrial automation and control systems broadly, which includes safety instrumented systems. IEC 62443 Part 3-3 defines system security requirements that apply to safety system networks. The relationship between IEC 62443 and IEC 61511 is explicitly addressed: IEC 61511 Clause 8.2.4 requires that cybersecurity be considered as part of the safety lifecycle, and IEC 62443 provides the specific technical requirements for how to do so. Operators of SIS at Sarnia petrochemical facilities have obligations under both standards.

Yes. The integration of functional safety and cybersecurity consulting is a common engagement model for petrochemical operators. We coordinate with existing functional safety consultants, process safety engineers, and operations teams to ensure that cybersecurity recommendations are developed with full awareness of safety function requirements and that no security control interferes with safety system performance.
