How Honeywell Raises Cyber-Resilient Pipelines and Storage Terminals


November 14, 2025 [Control] - As hard as it is to provide cybersecurity for process applications, at least their devices and networks mostly stay at home and onsite. Even if they’re out in the field, those components are in locations with well-defined boundaries. Not so with pipelines.

Pipelines travel dozens, hundreds or even thousands of kilometers (km), so who knows what unsavory characters, sketchy communications and cyber-threats they might encounter on their long and often unsupervised trips. And the same goes for their terminals, where pipelines receive and send raw materials, finished products, and support fluids and gases.

“Pipelines and terminals can get hit by cyber- or physical attacks, or hybrid events combining both,” said John Colpo, strategy and marketing lead for LNG, pipelines, terminal and shipping at Honeywell Process Solutions. “Knowing what’s special about each is essential to protecting them.”

Colpo and Pranav Bhopatkar, regional leader for OT and ICS cybersecurity at Honeywell Process Solutions, presented “Evaluating cyber-resilience for pipelines and storage terminals” at this week’s Honeywell Users Group 2025 for Europe, Middle East and Africa at the Hague in the Netherlands.

Colpo reported primary, cybersecurity-related characteristics and risks for pipelines and terminals include:

“More than $133 billion of oil and gas products are stolen each year, which amounts to 5-7% of worldwide production,” explained Colpo. “These thefts range from simple fuel-card skimming up to hijacking tanker trucks and ships. However, custody transfer regulations are in place in very few nations, and participants assume their information is secure and handled by authorized people. This is why mitigation against theft and fraud must be implemented with a zero-trust approach.”

In addition, Colpo added that oil and gas supply chains are more vulnerable because their upstream, midstream and downstream sections are very diverse, have widely dispersed facilities, low staff ratios, and work with fungible, commodity products that are easy to resell.

“Many pipelines may only have radio or cellular monitoring every 20-50 km at a valve station with a remote terminal unit (RTU), which again means their vulnerabilities and attack surfaces extend over very long distances. Even their OT or IT networking devices are in locations that are normally unstaffed and/or only lightly secured,” added Colpo. “This makes all of them particularly exposed to man-in-the-middle, cyber-attacks via standard protocols like /TCP at pipeline tapping points by using commoditized tools and simple I/O signatures.”

Because product theft requires a physical, in-person attack at some point, Colpo reported they’re typically staged at some distance from OT and IT devices. Plus, as more theft-detection technologies are deployed, physical actors refocus their efforts on threatening, blackmailing or bribing personnel, and concentrate more on attacking central OT and IT locations, as well as remote pipeline sections and OT areas with fewer protections. And, just as anti-theft measures improve, thieves also improve their equipment and methods.

Just as process engineers fear the underlying reasons for shutdowns more than any downtime that follows, Bhopatkar reported they must also focus on uncovering hidden cyber-vulnerabilities more intently than on any potential cyber-attacks and outages they could trigger later.

“Cyber-resilience isn’t mainly about cyber-attacks. It’s about how quickly and effectively end-users can respond and recover,” said Bhopatkar. “This also means learning about the important events in cybersecurity history, including the Stuxnet worm in 2010, Triton safety-system malware in 2017, and the Colonial Pipeline ransomware incident in 2021.”

Bhopatkar added that Colonial Pipeline was a wake-up call because it involved capturing a password on an inactive account. This allowed the cyber-intrusion to seem like normal activity on the surface, even as the attackers gained unauthorized access for two hours, exfiltrated 200 Gigabytes of data, and demanded and received a substantial ransom. These events also prompted Colonial to voluntarily shut down its pipelines due to a lack of OT and IT visibility and confidence. A subsequent investigation resulted in several arrests and substantial ransom recovery, but the intervening chaos led to U.S. congressional hearings, and multiple regulatory-directive updates and cybersecurity upgrades.

“Colonial Pipeline triggered 52 new, U.S. federal cybersecurity regulations that are in effect or proposed, and inspired 156 countries to enact cyber-crime legislation,” said Bhopatkar. “Many are increasing the liability on companies and organizations if they don’t make efforts to mitigate their cyber-risks.”

Because IT cybersecurity solutions aren’t always an ideal fit with OT infrastructures and priorities, Bhopatkar reported both parties must understand their differences, including:

“More users and their organizations are asking themselves if they’re doing enough on cybersecurity, and questioning whether they’re ready to respond and recover,” added Bhopatkar. “The good news is that process safety examples, such as an emergency shutdown (ESD) on an oil storage tank, can serve as a template for cybersecurity and how to handle a cyber-attack. Just as we do scenario-driven risk assessments, hazard and operability (HazOp) studies and layers of protection analyses (LOPA) for process safety, we can also do cybersecurity HazOps (csHazOps) to determine which tools, tactics and procedures will provide the most effective protection.”

Bhopatkar reported that a csHazOp can also enable each process application and facility to transfer risk by closing in on compliance with cybersecurity standards like /IEC 62443, U.S. National Institute of Standards and Technology’s Cybersecurity Framework 2.0, and the European Union’s new Cyber Resilience Act.

“Honeywell provides csHazOps that can provide more quantitative and qualitative looks into individual process applications, help users improve their risk appetites by reducing their risk thresholds, and generally be more proactive about their cybersecurity,” concluded Bhopatkar. “For example, NIST CSF 2.0’s five cybersecurity steps are identify, protect, detect, respond and recover, so Honeywell’s services include industrial control system (ICS) incident response, defensible architectures, ICS network visibility monitoring, secure remote access, and risk-based vulnerability management. Honeywell also provides tabletop drills, penetration testing and walkthroughs for practicing all of those principles.”