Skip to main content

Defence-in-depth cybersecurity

 

Published by
Hydrocarbon Engineering,

In this special report, Marco Ayala, ABS Consulting, explores how oil, gas, and chemical facilities can map their tolerable risk state to sustain uptime amid supply chain and cyber vulnerabilities.

The digital threatscape is widening across the energy value chain. Protecting industrial control systems (ICS) from cyber threats remains a top operational priority for facility operators, engineers, and the boards that govern them.

What is changing? Further technology convergence with enterprise IT and operational technology (OT) is compounding cyber risk. A form of ‘normalisation of deviance’ is already elevating risk in industrial settings where emerging technologies do not undergo an objective, third-party assessment. All too often, the industry does not act until an incident occurs.

What is known? Cyber risk does not exist in isolation. It stacks with volatile energy prices, margin compression, supply chain disruptions, and evolving regulatory requirements. Operators increasingly need practical solutions to manage these complex, interconnected risks.

Tracking OT cyber risk

The data underscores urgency. Zscaler’s ThreatLabz 2025 Ransomware Report found that ransomware attacks on the oil and gas industry surged 935% between April 2024 and April 2025.1 Oil and gas companies may be facing more attacks because their ICS are increasingly automated and digitised, expanding the sector’s attack surface. Separately, the Dragos 2026 OT Cybersecurity Year in Review tracked 119 ransomware groups impacting approximately 3300 industrial organisations in 2025, a 49% increase from 80 groups the previous year.2

These recent reports confirm that investing in cyber risk management is essential to prevent costly downtime caused by ransomware, spoofing field instrumentation, or compromising wireless communications. Such headline events carry significant economic, safety, and environmental consequences. That is why an integrated, defence-in-depth cybersecurity strategy is no longer optional but rather critical.

A case for defence-in-depth

In December 2025, a coordinated cyberattack struck more than 30 renewable energy and combined heat-and-power facilities across Poland, compromising operational technology (OT) and ICS simultaneously. Attackers gained initial access through vulnerable, internet-facing edge devices and deployed wiper malware that damaged remote terminal units (RTUs), corrupted firmware, and wiped data on human-machine interfaces (HMIs). Operators temporarily lost the ability to monitor and control affected sites, though electricity and heat production continued through automated failsafes.

The US Cybersecurity and Infrastructure Security Agency (CISA) reported the incident in a February 2026 alert, warning that similar exposed OT/ICS equipment exists across the global energy landscape.

The implications are direct for oil, gas, and chemical operators. The same classes of edge devices, including historians, remote access gateways, and unmanaged ‘manageable’ switches, and inadequate security configurations are prevalent across refining and petrochemical operations. The Poland incident illustrates why perimeter-only security strategies fail in modern industrial environments. The attackers did not breach a sophisticated firewall. They exploited edge devices that were not designed to withstand targeted intrusion.

A defence-in-depth approach that layers network segmentation aligned with ISA/IEC 62443 zones and conduits, anomaly detection, strict control of remote access channels, and manual override capabilities would have forced adversaries to overcome multiple barriers before reaching systems capable of physical manipulation.

 

https://dlgivnpf6gg8w.cloudfront.net/media/Marco+Ayala+Analysis.png
Figure 1. Primary OT/ICS industry targets and percentage of detections. Source: the author’s own industry analysis.

 

Escalating risk to refining and petrochemical operations

Energy and petrochemical infrastructure are a target for adversaries ranging from state-sponsored groups to hacktivists. For a refinery running distributed control systems (DCS), safety instrumented systems (SIS), and SCADA platforms, a persistent backdoor of this nature represents a severe exposure. An adversary with sustained access can map control loops, identify safety system configurations, and establish the pre-conditions for operational disruption or a process safety event.

Consider some broader findings from Dragos’ 2026 Year in Review. The firm concluded that 2025 marked a clear escalation in industrial cyber activity, with specialised threat groups moving beyond reconnaissance to mapping control loops and understanding physical processes at a granular level. Three new OT threat groups were identified, bringing the total to 26 globally, with 11 active in 2025.

In May 2025, CISA issued an alert warning that unsophisticated cyber actors were actively targeting ICS/SCADA systems within the US oil and natural gas sector. These actors employed basic but effective methods, including exploiting default credentials, conducting brute-force attacks, and targeting misconfigured remote access points. The joint advisory, co-authored with the FBI, the US Environmental Protection Agency (EPA), and the US Department of Energy (DOE), made clear that even elementary techniques can cause operational disruptions and, in severe cases, physical damage when they encounter poor cyber hygiene and exposed assets.

Operational prudence

Over four decades of digitisation, energy operators have adopted technologies that are not always fully vetted beyond the original equipment manufacturer (OEM) due diligence. Without independent peer review, inherent bias enters the assessment process and prevents organisations from establishing a tolerable risk state for their operations.

Operational prudence requires full visibility of control system risk to safeguard an organisation’s most critical assets and processes. To manage cyber risk proactively, operators must first map their own systems, identifying strengths, weaknesses, and exposures, before adversaries do it for them. This means shifting from reactive incident response to proactive, situationally aware risk management.

However, OT cyber threats are not always visible at the perimeter. Achieving comprehensive asset inventory and network visibility through passive network monitoring, protocol-aware deep packet inspection, and structured asset discovery across Purdue Model Levels 1 through 3 may be challenging but it is non-negotiable. These capabilities align with the NIST Cybersecurity Framework’s asset management functions and provide the foundation for informed risk decisions. Once operators have a thorough understanding of their installed base, they can build layered defences around high-risk components without depending on any single vendor’s software stack.

End-to-end resilience

Operators require comprehensive process hazard analyses (PHAs) that encompass systems, procedures, and control software, consistent with the requirements of OSHA’s Process Safety Management standard (29 CFR 1910.119) and the EPA’s Risk Management Program (40 CFR Part 68). Increasingly, operators also require dedicated industrial cybersecurity programmes to manage and reduce risk across regulated operations. An integrated, defence-in-depth strategy must account for the geopolitical risk profile of deployed equipment.

True resilience must be built end-to-end, from field sensors and safety instrumented systems (SIS) to OT networks, DCS, and SCADA platforms, and outward into edge, cloud, and enterprise environments. SIS integrity is paramount in hydrocarbon operations, representing the last automated barrier before a process safety event. Any cybersecurity strategy that does not explicitly address SIS protection is incomplete.

The energy sector is increasingly adopting the ISA/IEC 62443 series of standards to secure industrial automation and control systems against cyber threats. The standard’s zones-and-conduits model provides a structured framework for segmentation, access control, and risk assessment that maps directly to the layered architecture of refining and petrochemical facilities.

Strengthening cyber resilience across complex, interconnected assets is a multi-year undertaking, not a single project. Most organisations require a three to five-year roadmap supported by tailored advisory, assessment, and verification services spanning the full energy value chain. Cyber safety, risk, and compliance management must extend across the full lifecycle of each critical asset.

Industry must move beyond regulatory compliance to achieve measurable cyber risk reduction – before an incident forces the conversation. Collaborative measures include sharing threat intelligence and incident data through sector-specific bodies, such as the Oil and Natural Gas Subsector Coordinating Council (ONG SCC), the Downstream Natural Gas Information Sharing and Analysis Center (DNG-ISAC), and Oil and Natural Energy Information Sharing and Analysis Center (ONE-ISAC), participating in standards development and engaging government agencies, such as CISA’s Joint Cyber Defense Collaborative.

Staying vigilant as an industry

Regardless of current cyber maturity, every operator benefits from structured training, cross-sector collaboration, and sustained investment in defence-in-depth strategies. Build visibility, segment networks, harden remote access, and integrate cybersecurity into process safety management to help protect the world’s critical energy infrastructure.

References

  1. ‘ThreatLabz 2025 Ransomware Report’, Zscaler Inc., (2025).
  2. ‘2026 OT Cybersecurity Report’, Dragos Inc., (2026).
 

This article has been tagged under the following:

Downstream news