Industrial companies often pride themselves on their safety culture, but few have elevated or advanced cybersecurity activities to a similar level of visibility and prestige. Stuxnet, the first known cyberweapon, hit industrial control systems in the 2010s and, in the dozen years since, information technology (IT) professionals and industrial automation and control system (IACS) experts have worked to protect operational technology (OT) and business systems from similar threats. Unfortunately, cyber threats keep evolving, IT and OT efforts are often unaligned, and many industrial companies struggle to achieve what might be called cybersecurity maturity.
Help is available from the International Society of Automation (ISA) in multiple forms. This article highlights resources available from ISA and the ISA Global Cybersecurity Alliance (ISAGCA), including the ISA/IEC 62443 Series standards and online cybersecurity training, and reports on some research from ISA’s news and publications subsidiary, Automation.com. It also reveals how Malaysia’s national oil and gas company, PETRONAS, is building “institutionalized capability” in OT cybersecurity to become one of the world’s most cyber mature organizations.
Increasingly frequent and often high-profile attacks like the Colonial Pipeline incident in the U.S., as well as new government regulations around the world, have spurred industrial companies to improve cybersecurity. But studies by McKinsey & Co., Gartner and others reveal that companies fall into a range of maturity levels when it comes to cybersecurity preparedness and protections.
Companies in the energy sector—including oil & gas, electric power generation, coal, renewable energy, and related systems and services—have been the most frequent target of OT cyberattacks in recent years, so it’s not surprising to find a lot of cybersecurity interest and awareness in those companies. Automation.com conducted a survey in May 2023, sponsored by Fortinet, of OT professionals in oil and gas and petrochemical companies to ask about their OT cybersecurity actions and perceptions.
Slightly more than half of respondents believe their companies are on par or above average compared to industry peers when it comes to securing OT systems. These companies seemed more mature in their cybersecurity posture, having completed all or most recommended tasks. The other half of respondents were notably less mature, with plans but little implemented so far.
The survey revealed that some of the concerns of process control engineers and other automation professionals were:
The increasing risk of cyberattacks on OT systems including supervisory control and data acquisition (SCADA), industrial control, and pipeline control. Recent high-profile attacks have highlighted vulnerabilities.
The rapid evolution of cyber threats, which requires continued vigilance and adaptation from companies to detect and mitigate new attack vectors.
Safety risks, including environmental incidents or harm to human health/safety, resulting from successful cyberattacks that disrupt industrial processes and plant operations.
Shortage of skilled workers to properly secure systems, detect threats, and respond to incidents.
Insufficient collaboration between IT and OT teams within organizations to ensure integrated security policies, technology, monitoring and response.
The report suggests OT cybersecurity be made an organization-wide priority, with strong leadership, governance, training, and technological protections put in place to create robust, secure operational environments.
Insufficient collaboration between IT and OT teams can result in a lack of alignment between the two groups’ assumptions, procedures, and motivations about cybersecurity. The hardware and software technology used by each group can be similar, but how they are used is often very different. The convergence of IT and OT security ends up being as challenging as the integration of the systems themselves.
Seeing the need for OT-specific cybersecurity action and advocacy, ISA created the ISA Global Cybersecurity Alliance (ISAGCA) in 2020. At the time, Andre Ristaino, managing director of Global Consortia and Conformity Assessment for ISA said, “The operational technologies and control systems that automate critical infrastructure are experiencing a rapid increase in malicious cybersecurity attacks that include data breaches and ransomware. The impact is serious, affecting life, safety, environmental protection and economic viability across sectors. ISAGCA is driving alignment and clarity across public and private sectors.”
The foundation of ISAGCA’s work is ISA/IEC 62443, a series of ISA-developed, consensus-based security standards for automation and control system applications. The ISA/IEC 62443 series of standards addresses all entities involved in the protection of operating facilities (Figure 1). Various stakeholders—including industrial product designers, system integrators, service providers, and asset owners—leverage ISA/IEC 62443 Series standards to create secure products and systems, conduct risk assessments and much more.