Meet American Energy’s First Line of Defense

Energy fuels our modern way of life, and it follows that the infrastructure and industry that makes this possible is a natural target of those looking to stymie American progress.

Today’s saboteurs, though, can do their damage with a keyboard.

As natural gas and oil operations have embraced the digital solutions of the 21st century to increase reliability and efficiency and reach unprecedented levels of safety, cyberattacks are a constant threat. Bad actors increasingly seek to compromise the operational technologies that monitor and control rigs, wells, pipelines and refineries.

As a cybersecurity enterprise architect at Chevron, Marisa Ruffolo is the person standing between highly sophisticated hackers and their targets: industry operations and intellectual property, ranging from corporate offices to well pads to pipelines. An electrical engineer by training with a doctorate from Northwestern University, she spent seven years at a national laboratory exploring the role of cybersecurity in national defense applications.

Ruffolo and her industry peers never rest. Successful cyber breaches could significantly impact U.S. energy and national security, millions of American families and billions of dollars of economic investment.

“At some point you come to terms with the fact that the adversaries are out there, and that there will always be those who are looking to do you harm,” she says. “Today’s hackers are educated engineers and computer science professionals who have been hired by nation states or cybercriminal organizations to develop attacks against companies and governments.”

Recognizing the deep importance of cybersecurity, corporate boards and executives are actively engaged with their growing cybersecurity departments, which are capable of providing state-of-the-art levels of preparedness. Ruffolo says executives place cybersecurity among the highest levels of corporate priorities because they know it’s an enterprise-wide risk not to.

The industry has also adopted international standards and proven guidelines to respond to threats, including a cybersecurity framework established by the National Institute of Standards and Technology. The framework, which consists of five core focus areas — identify, protect, detect, respond and recover — is the same one used across other prominent U.S. industries, such as banking and manufacturing.

Chevron and other companies are also empowering employees to contribute to security. Safety briefings before worker shifts at refineries, pipelines and well sites have been standard industry practice. To meet emerging threats, Chevron now includes cybersecurity concerns — such as phishing attacks and critical security updates — in its briefings.

Preventing cyberattacks requires information-sharing across the industry and with government agencies. The Oil and Natural Gas Information Sharing and Analysis Center, an industry collaboration, receives information from the U.S. intelligence community about potential breaches and works in partnership to address them.

“This sharing helps us better understand whether a threat is just focused on one company or is an industry-wide attack,” Ruffolo says. “The energy industry is so important to our economy, so it makes sense that adversaries would want to disrupt it through cyberattacks. When we have a better understanding of the adversary’s target, we can more efficiently respond.”