Process industries rely on integrated control systems to ensure efficient and safe operations. Among these, chemical and refinery industries involve highly complex and tightly coupled processes that depend heavily on automation and digital control, increasing their exposure to targeted cyber threats. Therefore, understanding how such threats can exploit control system vulnerabilities is essential for maintaining safe and reliable operations. In this article, we examine cybersecurity risks associated with refinery process control systems, identifying vulnerabilities that can compromise process safety, lead to hazardous incidents, and disrupt operations. As a representative scenario for cyber risk assessment, we focus on the separation section of a typical refinery, specifically the distillation process, overhead receiver (reflux drum), and associated control systems. To evaluate and quantify these risks, we have employed the Risk-Based Process Safety framework, integrating methods such as cyber-HAZOP, Cyber Process Hazard Analysis, and LOPA with the Common Vulnerability Scoring System and Exploit Prediction Scoring System. Our analysis focuses on four key threat vectors: Data Manipulation, Denial of Service, Privilege Escalation, and Credential Stuffing. The findings underscore the importance of a robust defense-in-depth strategy, combining advanced technological safeguards, continuous monitoring, and workforce training. The findings serve as a benchmark for conducting cyber risk assessment and implementing mitigation strategies aimed at strengthening the resilience of refinery operations.
