Chemical Plant and HAZMAT Site Security | CloseProtectionHire


Physical security for chemical plants and hazmat sites. COMAH 2015 compliance, insider threat mitigation, sabotage risk and executive close protection in high-risk industrial zones.

6 May 2026

Written by James Whitfield

The Security Risk Profile of Chemical and HAZMAT Sites

Chemical plants sit at the intersection of physical security, process safety, and national infrastructure protection. They hold hazardous substances in bulk quantities, operate continuous processes with little tolerance for disruption, and employ large, often transient workforces with varying levels of vetting. For those reasons, they attract a range of threat actors: from disgruntled insiders and opportunistic thieves to organised criminal groups and, according to CISA Advisory AA21-209A (August 2021), nation-state-affiliated actors with an interest in industrial control systems.

The security challenge is compounded by the operational reality of chemical sites. Deliveries arrive around the clock. Contractor workforces rotate frequently. Maintenance windows require access by teams who may never have set foot on site before. Each of those factors creates entry points that a security programme must manage without disrupting production.

COMAH 2015 and the Regulatory Framework

In the United Kingdom, the Control of Major Accident Hazards Regulations 2015 (COMAH 2015) governs sites that hold hazardous substances above threshold quantities. Operators of top-tier COMAH sites – those holding the highest quantities – must produce a safety report, establish a major accident prevention policy, and maintain an on-site emergency plan. The competent authority, jointly the Health and Safety Executive (HSE) and the Environment Agency, conducts inspections against these requirements.

COMAH 2015 is primarily a process safety instrument. It focuses on preventing accidents – releases, fires, explosions – rather than on deliberate attack. Physical security falls under a separate set of obligations: CPNI guidance for critical national infrastructure sites, National Security Inspectorate (NSI) standards for security management, and site-specific Counter Terrorism Security Adviser (CTSA) recommendations for sites of particular national significance.

The distinction matters in practice. A site can be COMAH-compliant – with detailed accident prevention policies and emergency response arrangements – while having material physical security gaps: inadequate perimeter lighting, poor visitor management, or no formal insider threat programme.

CISA’s Warning to the Chemical Sector

In August 2021, the US Cybersecurity and Infrastructure Security Agency published Advisory AA21-209A, warning that sophisticated threat actors were targeting the chemical sector. The advisory documented spear-phishing campaigns aimed at plant management, attempts to access industrial control systems (ICS) and supervisory control and data acquisition (SCADA) networks, and reconnaissance activity against facility layouts and substance inventories.

This is not a purely cyber concern. Chemical process control systems – distributed control systems (DCS), programmable logic controllers (PLC) – interface directly with physical plant. An actor who gains access to a DCS can manipulate process conditions: temperatures, pressures, feed rates, valve states. The result is a physical incident that may be indistinguishable from an accident.

Physical-cyber convergence at chemical sites means that perimeter security, network segmentation, and insider access management must be treated as a unified programme rather than separate IT and facilities functions.

Insider Threat: High Consequence, Often Underestimated

Insider threat at a data-centric business carries consequences measured in financial loss or reputational damage. At a chemical plant, the calculus is different. An insider with legitimate access to hazardous substance storage, process control panels, or emergency shut-down systems has the potential to cause mass casualties.

The historical record includes cases in which employees with process knowledge have introduced contaminants into product streams, disabled safety systems, and diverted controlled substances. More recently, law enforcement agencies in the US and EU have identified attempts by extremist-linked individuals to seek employment at high-hazard sites.

An effective insider threat programme at a chemical site requires more than a pre-employment background check. Behavioural monitoring – changes in working patterns, unexplained access to sensitive areas, financial stress indicators – must be integrated into the security management system. Access privileges must be reviewed regularly, not just at onboarding. Contractors, who often have less consistent vetting histories than permanent employees, need particular attention.

Site Security Architecture

The physical security architecture of a chemical plant reflects a risk hierarchy. Process units containing the most hazardous substances sit at the core. Around them, a series of controlled zones increases in access restriction. At the perimeter, the site boundary must provide standoff distance from the public road network – blast-rated barriers or earth bunds for sites containing explosive risk materials.

Vehicle access is a persistent vulnerability. Delivery vehicles represent legitimate, high-frequency entry points. They also represent the most direct route for an actor seeking to introduce an improvised device or to remove bulk quantities of controlled substance. Airlock gate systems, under-vehicle inspection mirrors, advance delivery manifests, and photo-ID verification for all drivers reduce this risk. In P1 city environments, where document fraud is widespread, advance manifest cross-referencing with supplier notification systems is the minimum standard.

Workforce access control depends on a credentialing system that distinguishes between permanent employees, regular contractors, and one-off visitors – each with different access permissions and escort requirements. Turnstile or mantrap systems at critical zone boundaries prevent tailgating.

CCTV coverage of the perimeter, all entry points, hazardous substance storage areas, and process control rooms provides deterrence and post-incident evidence. At high-tier COMAH sites, CCTV should be monitored continuously rather than recorded-only.

P1 City Context: Mumbai, Istanbul, Jakarta

Three P1 cities host significant chemical manufacturing concentrations with distinct risk profiles.

Mumbai’s Thane-Belapur chemical corridor, stretching along the Maharashtra industrial coast, is one of the largest chemical manufacturing clusters in Asia. The Maharashtra Industrial Development Corporation (MIDC) manages the zone, but site-level security standards vary considerably between operations. Expatriate plant managers working in the corridor face both site-level risks and personal security considerations: express kidnapping, vehicle surveillance, and targeted theft of personal devices carrying process data.

Istanbul’s Kocaeli province – particularly Gebze, Dilovasi, and the Tupras Kocaeli refinery complex – represents Turkey’s densest industrial zone. Cross-border movement of chemical precursors through Turkish ports creates additional intelligence targeting interest. Security for senior management at Kocaeli operations must account for both site perimeter integrity and personal travel security between Istanbul city and the industrial zone.

Jakarta’s Cilegon chemical cluster, at the western tip of Java near the Sunda Strait, concentrates petrochemical, fertiliser, and industrial gas production. The area has experienced periodic labour disputes, and local contractor vetting can be inconsistent. Visiting executives from European or North American parent companies typically require close protection that integrates with the on-site security team and covers overland travel from Jakarta Soekarno-Hatta International Airport.

Close Protection for Chemical Sector Executives

Senior engineers, plant managers, and executives visiting chemical operations in P1 cities face a layered risk profile. They carry process-sensitive information on personal devices. They are identifiable as high-value targets by virtue of the industrial context. And they must navigate both the site security system and the broader personal security environment of the host city.

Close protection for this audience requires an officer who understands industrial site access protocols: pre-arrival coordination with the plant security team, vehicle search procedures, emergency rally points within the site perimeter, and communication protocols that account for restricted-device zones. Standard close protection training does not cover these elements, and improvisation under pressure rarely produces good outcomes.

Route planning between airports, hotels, and industrial sites in cities such as Mumbai, Istanbul, and Jakarta must account for congestion patterns – which create predictability and therefore vulnerability – and for the location of emergency medical facilities capable of treating chemical exposure casualties.

For extended engagements, the close protection officer should conduct a site security survey documented to the standard described in physical security assessment surveys, and coordinate with the host plant’s emergency response team before the principal’s arrival.

Building a Proportionate Security Programme

The size and nature of a chemical site determine the appropriate security programme. A small specialty chemical operation is not the same as a top-tier COMAH facility. But the threat landscape – from insider access abuse to targeted reconnaissance by outside actors – applies across the sector.

A proportionate programme starts with a current threat and risk assessment, not a template from five years ago. It accounts for the specific substance inventory, the workforce composition, the site’s proximity to infrastructure targets, and the threat environment in the host country. Sites operating in P1 cities should apply standards closer to those appropriate for national critical infrastructure, regardless of whether regulatory thresholds formally require it.

For a structured framework to assess existing controls against the current threat picture, the process outlined for security for water utilities and critical infrastructure provides a useful parallel – the threat actors and security architecture requirements share significant overlap with the chemical sector. For LNG receiving terminals and onshore gas processing facilities – where COMAH top-tier obligations, ISPS Code PFSP requirements, compressor station sabotage risk, post-Nord Stream European security baseline, and P1 market gas infrastructure threat environments overlap with but extend beyond the standard chemical site framework – see our security for LNG and gas infrastructure guide.


James Whitfield is a Senior Security Consultant with experience in critical infrastructure protection, close protection operations, and high-risk market security planning. Enquiries: use the contact form.

Summary

Key takeaways

1. COMAH and Physical Security Are Distinct Obligations

COMAH 2015 governs major accident prevention, but physical security – perimeter integrity, access management, CCTV, and insider threat controls – falls under separate obligations including NSI standards and CPNI guidance. Treating them as the same function creates gaps in the security programme.

2. CISA Has Identified Chemical Sites as Nation-State Targets

Advisory AA21-209A (August 2021) confirmed that sophisticated threat actors are targeting chemical sector organisations. The convergence of process control systems and physical infrastructure means a cyber intrusion can trigger a physical incident. Operators should treat IT/OT boundary security as a physical security matter.

3. Insider Threat at Chemical Sites Has Catastrophic Potential

Unlike a data-centric insider threat, an insider at a chemical plant has the potential to cause mass casualties. Effective insider threat programmes at high-hazard sites require behavioural monitoring, access privilege audits, and integration with HR processes – not just background screening at the point of hire.

4. Vehicle Access Control Is a Critical Vulnerability

The majority of chemical plant sabotage and theft incidents involve unauthorised vehicle access. Bollards, airlock-style gate systems, under-vehicle inspection mirrors, and delivery verification protocols significantly reduce this risk. In P1 city environments, where document fraud is common, photo-ID cross-referencing with advance manifests is the minimum standard.

5. Executives Visiting P1 City Chemical Operations Need Specialist Cover

Mumbai's Thane-Belapur chemical corridor, Istanbul's Kocaeli industrial zone, and Jakarta's Cilegon chemical cluster all present elevated personal security risks for visiting expatriate management. Close protection in these environments requires experience with industrial site access protocols, plant security team coordination, and route planning in high-traffic urban corridors.

FAQ

Frequently Asked Questions

COMAH 2015 (Control of Major Accident Hazards Regulations 2015) requires operators of top-tier sites to produce a safety report and an on-site emergency plan. While COMAH focuses primarily on process safety and accident prevention, physical security controls – perimeter integrity, access management, and insider threat protocols – are part of the broader site safety management system reviewed by the HSE and Environment Agency during competent authority inspections.

At chemical sites, insider threat goes beyond data theft. A trusted employee or contractor with legitimate access to hazardous substances, process control systems, or utilities shut-off points represents a high-consequence risk. Disgruntled workers, those subject to financial coercion, or individuals with extremist links have all been identified in CISA advisories as potential threat vectors at high-hazard industrial sites.

CISA Advisory AA21-209A (August 2021) warned that sophisticated threat actors – including nation-state-affiliated groups – were actively targeting the chemical sector. The advisory flagged spear-phishing campaigns aimed at plant management, attempts to access industrial control systems, and interest in facility layouts. Physical-cyber convergence means that digital intrusions can have physical consequences at chemical sites.

Chemical sites require layered perimeter security with standoff distances from process units, blast-rated barriers, and strict vehicle access controls. Substance storage areas need independent access controls separate from the general workforce. Emergency mustering procedures must account for security lockdown scenarios as well as process incidents. These requirements go well beyond a standard office or campus environment.

Yes. Senior chemical engineers, plant managers, and executives visiting operations in cities such as Mumbai, Istanbul, or Jakarta face both site-level security considerations and broader personal security risks. Express kidnapping, vehicle ambush, and surveillance of expatriate workers are documented threats in each of those markets. A close protection officer with industrial site experience provides both travel security and on-site coordination with the plant security team.