Cybersecurity Preparedness for Oil, Gas and Petrochemical Operations

Industrial companies often pride themselves on their safety culture, but few have elevated or advanced cybersecurity activities to a similar level of visibility and prestige. Stuxnet, the first known cyberweapon, hit industrial control systems in the 2010s and, in the dozen years since, information technology (IT) professionals and industrial automation and control system (IACS) experts have worked to protect operational technology (OT) and business systems from similar threats. Unfortunately, cyber threats keep evolving, IT and OT efforts are often unaligned, and many industrial companies struggle to achieve what might be called cybersecurity maturity.

Help is available from the International Society of Automation (ISA) in multiple forms. This article highlights resources available from ISA and the ISA Global Cybersecurity Alliance (ISAGCA) including the ISA/ IEC 624443 Series standards and online cybersecurity training, and reports on some research from ISA’s news and publications subsidiary, Automation.com. It also reveals how Malaysia’s national oil and gas company, PETRONAS, is building “institutionalized capability” in OT cybersecurity to become one of the world’s most cyber mature organizations.

Increasingly frequent and often high-profile attacks like the Colonial Pipeline incident in the U.S., as well as new government regulations around the world, have spurred industrial companies to improve cybersecurity. But studies by McKinsey & Co., Gartner and others reveal that companies fall into a range of maturity levels when it comes to cybersecurity preparedness and protections.

Companies in the energy sector—including oil & gas, electric power generation, coal, renewable energy, and related systems and services—have been the most frequent target of OT cyberattacks in recent years, so it’s not surprising to find a lot of cybersecurity interest and awareness in those companies. Automation.com conducted a survey in May 2023, sponsored by Fortinet, of OT professionals in oil and gas and petrochemical companies to ask about their OT cybersecurity actions and perceptions.

Slightly more than half of respondents believe their companies are on par or above average compared to industry peers when it comes to securing OT systems. These companies seemed more mature in their cybersecurity posture, having completed all or most recommended tasks. The other half of respondents were notably less mature, with plans but little implemented so far.

The survey revealed that some of the concerns of process control engineers and other automation professionals were:

• The increasing risk of cyberattacks on OT systems including supervisory control and data acquisition (SCADA), industrial control, and pipeline control. Recent high-profile attacks have highlighted vulnerabilities.

• The rapid evolution cyber threats, which require continued vigilance and adaptation from companies to detect and mitigate new attack vectors.

• Safety risks, including environmental incidents or harm to human health/safety, resulting from successful cyberattacks that disrupt industrial processes and plant operations.

• Shortage of skilled workers to properly secure systems, detect threats, and respond to incidents.

• Insufficient collaboration between IT and OT teams within organizations to ensure integrated security policies, technology, monitoring and response.

The report suggests OT cybersecurity be made an organization-wide priority, with strong leadership, governance, training, and technological protections put in place to create robust, secure operational environments.

ISA/IEC 62443 standards

Insufficient collaboration between IT and OT teams can result in a lack of alignment between the two groups’ assumptions, procedures, and motivations about cybersecurity. The hardware and software technology used by each group can be similar, but how they are used is often very different. The convergence of IT and OT security ends up being as challenging as the integration of the systems themselves.

Seeing the need for OT-specific cybersecurity action and advocacy, ISA created the ISA Global Cybersecurity Alliance (ISAGCA) in 2020. At the time, Andre Ristaino, managing director of Global Consortia and Conformity Assessment for ISA said, “The operational technologies and control systems that automate critical infrastructure are experiencing a rapid increase in malicious cybersecurity attacks that include data breaches and ransomware. The impact is serious, affecting life, safety, environmental protection and economic viability across sectors. ISAGCA is driving alignment and clarity across public and private sectors.”

The foundation of ISAGCA’s work is ISA/IEC 62443, a series of ISA-developed, consensusbased security standards for automation and control system applications. The ISA/IEC 62443 series of standards address all entities involved in the protection of operating facilities (Figure 1). Various stakeholders—including industrial product designers, system integrators, service providers, and asset owners—leverage ISA/IEC 62443 Series standards to create secure products and systems, conduct risk assessments and much more.

PETRONAS leverages ISA/IEC 62443

PETRONAS, Malaysia’s national oil and gas company, is a dynamic global energy group with presence in more than 100 countries. According to Sharul A. Rashid, PETRONAS GTS head of technical excellence and group technical authority for instrumentation and control, the enterprise-wide cybersecurity program for PETRONAS started in 2018.

“A five-year roadmap toward building an institutionalized capability in OT cybersecurity was crafted and subsequently approved in 2019,” said Rashid. “The institutionalized capability-building program was established mainly to create a culture of cybersecurity and to ensure the ongoing suitability and competence of personnel commensurate with the risk to critical infrastructure. The organizational objectives were: responsibilities; workforce controls; knowledge, skills and abilities; and awareness.

At that time, the task force consisted of Sharul, principal instrument and control (I & C) engineers Azmi Hashim and Michael Ng Chien Han, and senior I & C engineer Ping Yang. All four men helped shape and steer the PETRONAS OT cybersecurity program.

In November 2020, PETRONAS became a founding member of ISAGCA. By February 2021, it started attending ISAGCA Government Relations—Asia Pacific meetings. “We learned that ISAGCA aspired to designate and reference the ISA/IEC 62443 standard in a country’s law and regulatory policy. So, for Malaysia, we started our efforts to support that,” said Rashid.

OT Risk Management for PETRONAS is based on the ISA/IEC 624443-3-2 Standard, said Ng Chien Han. “Cyber risk of an OT system is established by evaluating the business impact of that system, if it is compromised, and the likelihood of that compromise happening. Business impact is evaluated from the lens of how it affects people, environment and assets, as well as the company’s reputation. The likelihood is established via control compliance in addressing threats from a cyber security threat register,” he explained.

In September 2023, “PETRONAS reached a milestone by—for the first time—executing a cybersecurity risk assessment as part of the engineering design stage of a capital project,” Rashid added. “Through the risk assessment, the Security Level Target (SLT) of each OT system of the project was established. This exercise provided the EPCC (Engineering, Procurement, Construction, and Commissioning), OT, and OT vendors with detailed security specifications for the systems being designed. The specifications to be delivered are from the ISA/IEC 62443-3-3 system security requirements and security levels standard in addition to the PETRONAS technical standards,” he explained.

PETRONAS has made good use of the wide range of cybersecurity resources that ISA offers (see sidebar). “Utilizing the ISA/ IEC 62443 standards in engineering design has helped advance cybersecurity discussions with the OT vendors in delivering secured-by-design OT systems. It has also helped PETRONAS as a tool to strengthen the cybersecurity awareness and practices of its partners and collaborators,” said Rashid.

Role of training and certification

Facing increasing threats of cyber-attacks, PETRONAS sought to better train its staff. “We realized that both IT and OT personnel must work together, and we applied an IT-OT convergence strategy in action,” said Rashid. “We quickly built up and nurtured our best performing team in this area as a high-level, IT-OT converged cybersecurity taskforce, guided by the ISA/IEC 62443 standards’ sustainable, international best practices. As part of this program, competency and capability building was one of our primary agenda points,” he explained.

As part of the competency goals, PETRONAS decided that all cybersecurity task force members would be trained. The team reviewed available OT cybersecurity trainings and chose ISA online certificate courses including Cybersecurity Fundamental, Risk, Design and Maintenance courses and passed four certificate exams to earn ISA/IEC62443 Expert Certificates.

PETRONAS added other trainings, such as the PETRONAS cybersecurity project for OT, short trainings on human defense/ firewall, and more. New IT personnel “attend onboarding programs to ensure that they understand very well the criticality and priority of the OT environment. We are also extending the awareness training to the frontline, such as panel operators and boardmen who are monitoring and controlling OT assets via distributed control systems (DCS) 24/7, 365 days a year,” he said.

More than 1,000 manhours were spent conducting awareness training. “Combining ISA trainings with other relevant trainings, I believe that PETRONAS is moving forward in the right direction toward our goal of enhancing our cybersecurity culture,” said Rashid.

With the staff trained in ISA/IEC 62443, Rashid said PETRONAS personnel are “able to communicate our cybersecurity goals more effectively to our stakeholders and vendors. Knowledge in the standards have also helped us shape the cybersecurity governance framework of our organization.”

Addressing vulnerabilities, supporting staff

In general, OT cybersecurity incident reporting reveals more unauthorized attempts and a marked increase in malicious code attacks. Rashid believes OT systems will be subject to the same vulnerabilities as IT systems, especially as industrial control systems employ more commercial off-the-shelf (COTS) hardware and software with more embedded IT technology such as MS Windows operating system, Ethernet IP-based communication, and virtualization such as VMWare and Hypervisor.

“Common cyber incidences include blue screens, denial of service (DOS), and unauthorized remote access. Therefore, aggressive education, training, visual management, audits, and the courage to give feedback to staff on cybersecurity malpractices is surely needed,” said Rashid. Rashid and Hasim published a case history article showing some of the “aggressive education,” training, and visual management tools PETRONAS used to create the cybersecurity culture they wanted. See the ISAGCA blog titled, “Accelerating Cybersecurity Culture Maturity in the Workplace.

“Today, an established, experienced and matured cybersecurity team is collaboratively working as a fully converged IT-OT enterprise level entity. Core to sustaining PETRONAS’ cybersecurity maturity ambitions was the establishment of a cyber risk management framework. In this regard, PETRONAS has developed a standardized cybersecurity risk management program to cover both IT and OT domains,” said Rashid.

“As part of an accelerated cybersecurity culture at the workplace, one must engage staff, conduct awareness training, and foster an understanding that becoming inactive and uneducated on cybersecurity risk management can lead to a major loss of business,” said Rashid. “In leading the OT Cybersecurity team at PETRONAS, we engage and support staff as much as possible. We build and nurture our best performing teams with our new cybersecurity taskforce, as well as guide them using international standards and best practices on sustainable, pragmatic approaches."

ISASecure and other OT cybersecurity work ISA is doing

Industrial automation and control system cybersecurity, also known as operational technology or OT cybersecurity, is one of the most critical issues facing manufacturing and industrial companies around the world today.

The International Society of Automation plays a key role in helping to protect people, operating sites, products, and systems through its wide range of resources built on the ISA/IEC 62443 series of standards.

As Andre Ristaino, managing director of Global Consortia and Conformity Assessment for ISA explains, “ISA is addressing multiple dimensions of the challenge and seeking to elevate OT cybersecurity from an art to a science and ultimately to an engineering discipline.”

While the ISA Education department trains and certifies personnel on the OT cybersecurity topics, for example, the ISASecure program certifies commercial off-the-shelf (COTS) devices and systems to the ISA/IEC 62443 series of standards. This makes it easier for asset-owner companies like PETRONAS to build secure systems.

“When ISASecure becomes an integral part of an asset owner’s overall security strategy and program, they can include ISA/IEC 62443 product and system conformance in their procurement specifications,” said Ristaino. “That means there are fewer security mitigations needed at the operating site.” The ISASecure program was founded in 2007 and has been elevating the security levels of COTS products since 2010, he added, and “some companies are now informing suppliers that they want ISASecure-compliant products.”

ISASecure has developed a 3-day training class for product developers and assessors (IC47) to teach them how to develop secure products conformant to ISA/IEC 62443-4-1, 4-2, 3-3. “ISASecure is also developing a new program to certify OT systems to ISA/IEC 62443 deployed at operating sites like PETRONAS, along with a 3-day assessor training class,” Ristaino said. Other OT cybersecurity work is being done by ISA in: Standards development. The ISA99 Standards committee writes and publishes the ISA/IEC 62443 standards on which all ISA OT cybersecurity activities are based. The work of this group of ISA volunteers “codifies what amounts to thousands of years of combined experience in OT cybersecurity,” said Ristaino.

Workforce development. ISA educates more than 3,000 students per year on automation and control cybersecurity topics through its online and in-person Training courses and annual events. ISA’s inaugural OT Cybersecurity Summit was held in Aberdeen, Scotland in 2023 and the 2024 summit will be held in London June 18-19.

Credentials. ISA’s Cybersecurity Certificate programs provide credentials to OT cybersecurity professionals. “ISA offers the most comprehensive set of industrial cybersecurity certificate programming and aligned training courses in the world,” said Ristaino. The programs are designed to deliver in-depth, OT-specific knowledge through a series of training courses designed to increase the cybersecurity maturity of individuals and entire organizations. It’s another step in the journey toward a culture of cybersecurity.

Advocacy. The ISA Global Cybersecurity Alliance (ISAGCA) advocates for adoption of ISA/IEC 62443 by suppliers, asset owners, integrators, and public policy makers, and develops work products to accelerate adoption. The ISAGCA blog regularly provides information on risk assessment, compliance, education, and more.

Incident response. The ICS4ICS, or Incident Command System for Industrial Control Systems, is an ISAGCA effort that helps operating sites respond to and recover from attacks. It provides workforce development and credentialling for “incident commanders”—the people who must respond to industrial control system breaches and other cyberattacks. For response structure, roles, and interoperability, ISAGCA joined forces with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and cybersecurity response teams from more than 50 participating companies to adapt the Federal Emergency Management Agency (FEMA) Incident Command System. This system is used daily by first responders worldwide in emergency situations like fires, industrial accidents, extreme weather events, and other high-impact situations.