The 2021 Colonial Pipeline cyberattack prompted the Energies and Chemicals (E&C) industry (which includes oil and gas) and government regulators to impose stricter critical infrastructure cybersecurity measures. Hackers stole and encrypted data and demanded roughly $4.4 million in ransom. The attack caused a fuel shortage for 50 million Americans over 11 days, shutting down nearly half of the gasoline and jet fuel supplied to the U.S. East Coast.
Cyberattacks are not unique to this particular incident and have increased in frequency and sophistication across industries. Infosecurity Magazine reports a 7% increase in weekly global cyberattacks in Q1 2023 vs. the same period in 2022. Companies face, on average, 1,248 attacks per week. Open protocol communications, Wi-Fi networks, and the proliferation of Internet of Things (IoT) devices create a larger attack surface, offering hackers more potential entry points.
Beyond ransomware, hackers can remotely control networks, lock systems, steal confidential information, and shut down operations. For example, hackers or disgruntled employees could sabotage operations by sending false signals to valves at wastewater or oil refinery facilities, causing them to release toxins into nearby rivers or oceans.
Counteracting cybersecurity threats
Because of heightened levels of cyberattack risk, E&C industry executives are revisiting their cyber-protection plans by focusing on three essential pillars:
- Technology – New generation Industry 4.0 digital technologies, including hardware, software, and services, can help E&C companies affordably monitor, identify, and neutralize advanced cyber threats.
- Security processes and procedures – E&C companies can benefit from embracing stricter rules regarding physical visits of non-employees to pipeline and refinery sites. For example:
  - Requiring guests to leave computers and cell phones at the gate during visits
  - Mandating specific procedures for maintenance personnel when interacting with corporate assets
  - Adhering to pre-defined and precise system access rights as a condition of employment for staff members
- People – Educating employees on attack types and risky behaviors (such as opening suspicious emails or clicking on suspect links, which may inadvertently grant unauthorized access to internal systems) is crucial for sustained cybersecurity success.
Governments also help protect critical national assets such as wastewater facilities, power stations, pipelines, and refineries. For example, the U.S. Transportation Security Agency (TSA), traditionally responsible for airport security, now oversees oil and gas (O&G) pipeline physical security and cybersecurity. It requires E&C companies to perform annual cybersecurity assessments to identify their most critical assets (e.g., a power generation plant or SCADA system), determine their attack vulnerability, and increase security levels as necessary.
Enlisting the right partner is critical to achieving success
Many E&C organizations may not consider cybersecurity a core competency, and experts in this field are scarce and can be difficult and expensive to recruit. However, every digital transformation, expansion, or upgrade project (whether brownfield or greenfield) should include a sound cybersecurity component.
To address the difficulty of accessing cybersecurity experts, third-party partners can support cybersecurity modernization by:
- Providing solutions to help identify and protect against vulnerabilities in critical assets
- Offering a highly customized cybersecurity protection deployment for operations technology (OT) systems (as opposed to traditional information technology computer systems)
- Assisting in fulfilling government cybersecurity audits
- Helping to interpret and enforce the global ISA/IEC 62443 cybersecurity standards
- Filling resource gaps and keeping firms current with artificial intelligence (AI) software updates
- Training employees on secure pipeline and refinery behaviors
Schneider Electric experts understand how power, automation, and safety systems operate and are uniquely qualified to help secure them. We actively cyber-protect 200+ global manufacturing and distribution warehouse facilities and use that knowledge to offer more protection to E&C industry customers.
We further conducted a cybersecurity assessment, based on IEC 62443, at select North American refineries. Our experts:
- Assessed each location’s current compliance situation
- Defined an overall cybersecurity plan
- Customized a remediation strategy encompassing processes, procedures, people, products, networks, and applications
To learn more about how Schneider Electric can better protect your pipeline and refinery networks, visit our Cybersecurity Virtual Academy web page.
About the author
Roger A. Roa
Cybersecurity Business Consultant
Roger A. Roa has broad knowledge of OT cybersecurity solutions, networking and telecom. He has more than 17 years of international experience with cybersecurity product portfolios, business strategy, developing technical readiness, technical sales, alliances and partner ecosystems. His passion for industrial cybersecurity enables critical infrastructure companies in the Energies and Chemicals segment to mitigate cybersecurity risk, increase efficiency and concentrate on their core competencies. Roger holds a Master of Science degree in Telecommunications, a Master of Business Administration degree and a postgraduate degree in Power and Gas Regulation. Roger is ISA/IEC 62443 OT Cybersecurity Expert certified.