Cybersecurity as a Safety Imperative in Oil and Gas Operations

Executive summary

In today's oil and gas operations, cybersecurity is not limited to being an IT add-on; it has become a critical component of process safety. The alarms, safety instrumented systems, and control networks that once operated mechanically are now fully digital. From Purdue Level 0 field devices up through Level 3 operations management, each layer that keeps plants safe depends on digital integrity. A single cyber incident can bypass decades of engineered safeguards, rendering protective systems ineffective and creating a false sense of confidence.

Real-world incidents prove this shift. Attacks like Triton/Trisis and Oldsmar targeted controllers and SIS logic at Levels 1–2, while Colonial Pipeline's ransomware forced the organization into a proactive action that shut down its OT network, crippling operations management at Levels 3–4

These events reveal a harsh truth: it doesn't matter where the weakness lies; a crack anywhere can put people and assets at risk. Additionally, AI isn't just helping defenders; it is also weaponizing the attackers.  Phishing kits write themselves, malware learns your environment in real-time, and bots can mimic user behavior to bypass many-layered defenses.  What used to take a team of hackers weeks can now happen in minutes.  Now it's smarter, faster attacks that go from nuisance to shut down before anyone knows it.

Regulators and insurers are responding in kind. Transportation Security Administration (TSA) pipeline directives, IEC 62443, API 1164, and ESG-driven underwriting all link cybersecurity maturity to safety, reliability, and insurability. Companies that treat cyber controls as safety barriers now reduce risk, downtime, and premiums while protecting their license to operate.

There is a clear path to address these concerns: embed cybersecurity into the same processes that already drive safety. Extend HAZOPs and LOPAs to digital risks, map protections to Purdue levels (patch control at Level 0–1, segmentation at Level 2, MFA and anomaly detection at Level 3), and track cyber near-misses alongside Loss of Primary Containment (LOPC) and Total Recordable Incident Rate (TRIR). Segment OT networks using Purdue levels as firebreaks so a compromise at Level 3 cannot silently reprogram Level 1 SIS controllers.

At the end of the day, cybersecurity is safety. The companies that operationalize this by making it a part of drills, KPIs, and the decisions of their leaders will be the ones prepared and ready to protect lives, assets, and secure the future of their operations.

Introduction

Safety is a critical consideration in the oil and gas industry. From rigs to refineries and pipelines, the job is to prevent harm to people, the environment, and the plant. Today, that includes the digital side; security and safety are the same job. The systems that run and protect critical operations are tied into the same networks and data paths that keep business moving. When those digital layers fail, safety goes with them. Cybersecurity isn't just paperwork or policy; it's essential for keeping people, assets, and operations alive and running.

This paper explores the direct correlation between cybersecurity and safety in oil and gas operations, highlighting real-world incidents, regulatory drivers, and practical approaches to treating cybersecurity as a core element of process safety.

The takeaway is clear: the next generation of process safety must include cybersecurity at its foundation.

Cyber and safety: Two sides of the same coin

Process safety is about stopping loss of containment, uncontrolled energy release, and major incidents. Valves, alarms, safety systems, and operator training are all designed to detect problems before they escalate. Now those safeguards are tied directly to the digital systems that run them. 

• Alarms are now digital. Instead of analog gauges, operators depend on HMI screens and distributed control system (DCS) dashboards. If malware or ransomware makes those screens go dark, the operator may be "blind" at the very moment early intervention is critical.
• SIS logic is digital. Safety instrumented systems rely on programmable controllers. A single malicious or accidental logic change can silently disable the very safeguards meant to stop an explosion or release.
• Process control is digital. PLCs, SCADA, and DCS networks orchestrate critical operations across entire plants and pipelines. If adversaries gain access, they can override setpoints, disable interlocks, or force unsafe shutdowns.

From Purdue Level 0 (field devices) through Level 3 (operations management), every layer that was once purely physical now depends on digital integrity. Safety-critical logic lives at Levels 0–2 (controllers, SIS), operator visibility at Level 3, and business/remote connectivity above, so a compromise at any layer has direct safety consequences.

This convergence means that a cyber incident, whether malicious or accidental, can directly undermine safety systems in ways that bypass decades of engineering safeguards:

• Malware altering SIS logic could prevent safety valves from closing in the event of an emergency.
• Ransomware freezing operator HMIs could blind teams to dangerous pressure build-ups until it's too late.
• Compromised remote access accounts could allow attackers to change setpoints, disable alarms, or quietly erode protective layers.

Unlike mechanical degradation, which usually shows signs of wear and tear, cyber failures can occur suddenly, invisibly, and simultaneously across the entire facility. A plant designed with multiple redundant mechanical barriers can still be rendered unsafe by a single well-placed digital exploit.

The lesson is stark: safety is no longer only about physical integrity; it is about digital integrity. Protecting people, equipment, and the environment means recognizing that every safety system now depends on connected tech. Ignoring that fact leaves gaps that can get people hurt.

Real-world examples: Where cyber meets safety

There have been past incidents that illustrate how cybersecurity lapses can become safety hazards:

• Stuxnet (2010): Though targeting Iran's nuclear facilities, it demonstrated that malware could alter control logic while hiding the changes from operators. The lesson: adversaries can make unsafe physical conditions appear normal.
• Triton/Trisis (2017): A cyberattack on a Middle Eastern petrochemical plant targeted the SIS itself, the last line of defense against catastrophic release. This was the nightmare scenario: attackers intentionally attempting to disable safety systems to enable a future explosion.
• Colonial Pipeline (2021): A ransomware attack hit IT systems and led to a complete shutdown of operations. The equipment wasn't damaged, but the team couldn't be sure it was safe to run. What looked like a supply problem from the outside was, inside the company, a decision made for safety.
• Oldsmar Water Plant (2021): Attackers gained remote access and attempted to change chemical dosing (sodium hydroxide) to dangerous levels. Though not oil and gas, the incident illustrates how small OT changes can have massive safety consequences.
• Saudi Aramco (Shamoon 2012 & 2017): While essentially an IT attack, it wiped 30,000 endpoints and forced manual operations. Had those manual transitions faltered, safety-critical systems could have been compromised.
• An Iranian hacktivist group, Lab Dookhtegan, disabled satellite communications on 64 Iranian ships, including 39 oil tankers and 25 cargo vessels.
• They targeted Fannava, a provider of maritime satellite terminals, exploiting iDirect software to overwrite storage and cause permanent damage.
• This follows a March 2025 attack where the group similarly crippled communications on 116 Iranian vessels linked to arms shipments for Yemen's Houthis.

Each of these incidents can be mapped to Purdue layers; Triton/Trisis and Oldsmar were Level 1–2 (controllers and SIS) attacks, while Colonial Pipeline's impact played out at Level 3–4 (operations management/IT). Seeing incidents this way makes clear which layers carry which safety exposures and how attacks can jump between them.

This isn't just a security risk; attackers probing industrial protocols could disable monitoring, alarms, or controls, creating process safety hazards.

These examples show a continuum: cyber events can cause direct unsafe conditions (Triton, Oldsmar), proactively disable operations to avoid dangerous conditions (Colonial), or overwhelm systems and people with indirect safety consequences (Shamoon). What makes them so important is that they prove cyber is no longer just about protecting data or uptime. Each of these incidents moved from the screen to the field, forcing crews to make tough safety calls under pressure. In oil and gas, a cyber gap isn't just an IT problem; it's a doorway to a fire, a spill, or worse. The takeaway is simple: treat cybersecurity with the same urgency and discipline as process safety. They're now one and the same.

FUD with purpose: Why this matters now

It only takes one pathway for an adversary to bypass decades of engineered safety barriers:

• One compromised contractor laptop connecting to a control network.
• One phishing email leading to remote access credentials.
• One unpatched PLC vulnerability that exposes an entire SIS.

Cyber events scale in ways physical ones never could. A single valve failure might take down a unit, but a single piece of malware can knock out safety systems across multiple sites in seconds. That kind of reach makes treating cyber as a safety risk not optional, but essential. And now, with AI in the mix, the game has changed again. The same technology that's driving speed and insight for business is also being used to launch faster, smarter, and more targeted attacks than ever before. What AI is doing for productivity, it's doing just as effectively for hackers, amplifying their precision, scale, and impact.

And the threat isn't abstract. Nation-states and cybercriminals are increasingly probing industrial environments. The Triton attack proved that adversaries are willing to go beyond disruption to cause physical harm intentionally. The Oldsmar incident showed that even small facilities are not immune; a single operator mistake or delayed response could have poisoned an entire community.

This is the core danger: cyber bypasses the traditional rules of failure. There are no slow warning signs or early readings to catch. A coordinated cyberattack can wipe out screens, silence alarms, or change safety logic in seconds, leaving even the best teams with no way to see what's coming.

For oil and gas operators, every unpatched device, open vendor connection, or unsecured remote session isn't just a tech gap, it's a safety risk. It threatens people, the environment, and the ability to keep the plant running. Cyber is now part of safety and ignoring it turns those engineered protections into false confidence. 

Regulatory and business implications

Regulators now see that cybersecurity failures in oil and gas aren't just IT problems; they're direct threats to safety and national stability. The TSA pipeline rules that came after the Colonial Pipeline attack made it clear: protecting digital systems is just as critical as protecting the pipe itself. Operators are now expected to demonstrate segmentation, monitoring, and incident response capabilities with the same rigor they apply to mechanical and process safety standards.

Beyond TSA, standards like IEC 62443 and API 1164 are becoming the baseline for good cyber practice, the same way API 570 or OSHA rules define mechanical integrity. The squeeze doesn't stop there. Insurers and investors are now baking cybersecurity maturity into how they judge risk, and weak controls mean higher premiums or less coverage. This is no longer just compliance work; it's directly tied to shareholder value and a company's license to operate.

Cybersecurity is no longer a back-office concern; it's a board-level conversation. Across the industry, leadership teams are adding dedicated cyber experts to translate risk into business impact and embed security into strategic planning. 

Failure to treat cyber as safety is no longer just a technical oversight; it is a regulatory violation, a business risk, and a reputational crisis waiting to happen.

• TSA pipeline directives explicitly tie cybersecurity readiness to pipeline safety and reliability.
• IEC 62443 and API 1164 now serve as baseline frameworks that connect cyber hygiene to process safety.
• Insurance and ESG pressure: Underwriters are increasingly factoring cybersecurity maturity into insurability. Inadequate cyber posture could mean higher premiums or even an inability to insure critical assets.

Practical correlation: Safety and cyber practices aligned

Oil and gas companies don't need to reinvent their culture of safety to embrace cybersecurity. Instead, they can extend familiar process safety tools to cover digital risks. For example, a cyber-HAZOP examines how weaknesses in safety system code, patching, or remote access could lead to hazardous conditions, just as a traditional HAZOP investigates valve failures or control loop problems. In the same vein, a cyber-LOPA treats network segmentation, detection systems, and access controls as protective layers that stop a small problem from turning into a significant incident.

Incident preparedness can also be integrated: combining traditional emergency drills with cyber tabletop exercises ensures operators are ready for complex, real-world scenarios like ransomware locking HMI screens during a flare stack event. Even metrics can align tracking cyber incidents and near misses alongside LOPC or TRIR, creating a common language for risk. When safety leaders see cyber events represented in the same frameworks they already live by, the connection becomes both intuitive and actionable.

Oil and gas companies need to align cyber practices with existing safety and operational frameworks:

• Cyber HAZOPs: Extend hazard and operability studies to include digital pathways. Example: "SIS logic patched without management of change review → loss of protection layer → potential escalation."
• Cyber LOPAs: Layer of Protection Analysis can include cyber barriers (network segmentation, intrusion detection) as formal protection layers.
• Incident Response Drills: Combine fire/emergency drills with cyber tabletop exercises. Example: "Simulate ransomware locking HMI screens while a flare stack event begins."
• Process Safety Metrics: Track cyber incidents alongside traditional metrics (LOPC, TRIR). A near miss in cyber can be as serious as a valve failure.
• Level 0–1 (sensors/actuators, SIS logic): Needs patch control, configuration integrity, and strict management of change.
• Level 2 (SCADA/DCS networks): Needs segmentation, intrusion detection, and monitoring.
• Level 3 (operations management servers, historians, HMIs): Needs MFA, anomaly detection, and endpoint hardening.

Path forward: Building cyber into the DNA of safety

The way forward is to make cybersecurity part of the same mindset that drives safety and reliability. Those two are already non-negotiable, and cyber should be treated the same. Success comes from moving beyond one-off projects or compliance exercises and building a sustainable, measurable program that operators, engineers, and executives all see as integral to safe operations.

Start by segmenting and securing OT networks to keep a minor breach from spreading across the plant. Give teams the visibility to spot unusual activity early, the same way they watch for changes in pressure or flow. Modernizing remote access with MFA, context-based controls, and strict vendor governance closes off the most abused entry points without slowing operations. Consider leveraging Purdue levels as the baseline for safe segmentation: define firebreaks and containment zones so a compromise at Level 3 can't silently reprogram Level 1 SIS controllers.

To succeed, organizations must also operationalize the link between cyber and safety. 

That means:

• Embedding cyber risks into HAZOPs, LOPAs, and safety case reviews, so they are assessed alongside valve failures or containment risks.
• Aligning KPIs and metrics so cyber near-misses are tracked and investigated with the same rigor as LOPC or TRIR events.
• Running joint drills that simulate both process upsets and cyber incidents, ensuring teams practice coordinated responses under real pressure.
• Establishing governance at the leadership level, where cyber is a standing safety agenda item, not just an IT briefing.
• Using the lab/test environment to validate security architectures, patching strategies, and vendor tools before they ever touch live assets.

Finally, leadership must champion the message that cybersecurity is fundamentally about protecting lives, communities, and the environment. It is not an add-on; it is a core part of the license to operate and long-term resilience. Companies that succeed will be those who bring cyber into their safety culture so profoundly that operators see firewalls and intrusion detection systems with the same seriousness they see hard hats and pressure relief valves.

From vision to practice: Metrics, ROI and culture

Embedding cybersecurity into the DNA of safety requires more than frameworks and technology; it involves measurement, business alignment, and cultural adoption. Just as process safety culture matured through relentless measurement and accountability, cybersecurity will only reach the same level of discipline if it is tracked, reported, and tied to outcomes that operators and executives both understand.

One of the most practical steps is to develop a set of cybersecurity metrics that parallel existing process safety indicators. Asset visibility, patch hygiene, incident detection and response times, and the frequency of cyber tabletop exercises all provide concrete ways to assess readiness. Equally important is the inclusion of "near misses," such as blocked malware or unauthorized login attempts, into the same reporting systems used for loss-of-containment or TRIR events. By integrating cyber metrics into familiar safety dashboards, organizations create a shared language of risk that resonates across both OT and IT teams.

The business case for treating cybersecurity as safety is equally compelling. Investments in segmentation, monitoring, and incident response directly protect revenue by avoiding forced downtime, something that can cost millions per day in refining or pipeline operations. Regulatory fines and penalties tied to non-compliance with TSA directives or IEC 62443 frameworks add further weight. Meanwhile, insurers and underwriters are now factoring OT cyber maturity into premiums, meaning stronger programs translate to lower costs and greater insurability. When framed this way, cybersecurity becomes not just a compliance cost but a business enabler that safeguards revenue, reduces risk exposure, and strengthens reputation under ESG expectations.

Culture remains the most critical piece. Safety works because people on the ground have the authority to stop the job when something doesn't look right. That same mindset must carry over to the digital side. A frozen screen, a missing alarm, or a controller acting strangely should get the same attention as a leaking valve. Training crews to spot and speak up about those issues adds another line of defense. Building cyber awareness into existing safety champion programs keeps responsibility where it belongs, with the people on site. Working cyber scenarios into regular drills helps the team stay sharp and ready for the kinds of real-world problems that don't come one at a time.

Track cyber incidents and near-misses by Purdue level. A Level 0–1 near-miss (unauthorized SIS logic change) should trigger higher safety urgency than a Level 3 near-miss (phishing attempt on an operator workstation). This lens is intuitive for process-safety teams and helps leadership prioritize risk mitigation where it matters most.  By focusing on metrics, economic impact, cultural integration, and emerging technologies, oil and gas companies can move the conversation from why cybersecurity is safety to how it is embedded, measured, and sustained. This is the bridge from strategy to execution, ensuring that cyber becomes as natural a part of the safety conversation as PPE, valves, and relief systems.

Looking ahead, the next wave of technology will tighten the link between safety and cybersecurity. Modern monitoring systems can catch issues before they become failures, and digital models can test how a cyber incident would hit plant operations. Seeing those risks play out ahead of time gives leaders a chance to shore up defenses before anything goes wrong. Zero Trust architectures, adapted for OT, limit the blast radius of intrusions by applying identity-based controls and micro segmentation. These innovations do not replace foundational practices, but they enhance resilience and demonstrate to regulators, underwriters, and communities that the organization is not only compliant but future-ready.

Conclusion

In oil and gas, safety has always been the license to operate. What's changed is that the frontline of safety now runs through networks, controllers, and code. Every bypassed login or unpatched device can have the same life-or-death consequences as a corroded pipe or a failed valve. The difference is speed and scale: mechanical failures happen one at a time, while cyber failures can disable protection layers across entire plants or even multiple sites in seconds.

This is why cybersecurity can no longer be siloed as an IT concern or relegated to compliance checklists. It is a core element of operational safety and business continuity. Companies that fail to see this risk are falling behind regulators, underwriters, and most importantly, the expectations of their own workforce and the communities they operate in.

The industry has already built a culture of safety strong enough to drive down incident rates year over year. The opportunity now is to extend that same discipline and culture to digital integrity. Aligning cyber with safety means embedding it into every HAZOP, every drill, every KPI, and every leadership decision.

The call to action is simple: treat cybersecurity as seriously as you treat personal safety and process safety. Because in operations, a cyber incident isn't just about lost uptime or stolen data, it can disable alarms, blind operators, and trigger the very events safety systems exist to prevent. Cybersecurity is safety, and those who lead with this mindset will be the ones best positioned to protect lives, safeguard assets, and secure the future of their operations.

Call to action

People in oil and gas already know how to build a culture where safety isn't optional. That same mindset has to reach the digital side. Start with the basics: segment OT networks, use multi-factor authentication, manage vendor access, and fold cyber risks into HAZOPs and drills. Track those same risks on the safety scorecard so they get the attention they deserve. Demand that your teams view firewalls and detection tools the same way they view hard hats and relief valves.

The industry cannot afford to treat cybersecurity as an afterthought. The next major safety incident could just as easily be triggered by malicious code as by mechanical failure. The imperative is clear: act now, invest deliberately, and lead by example. Cybersecurity is safety, and companies that recognize and operationalize this truth will define the standard for resilience in the oil and gas industry.

Next steps with WWT

WWT helps energy operators bridge the gap between cybersecurity and operational safety. We bring together deep OT experience, advanced lab environments, and proven frameworks to help organizations assess, architect, and operationalize cyber resilience.

WWT can lead a focused discovery workshop to cut through the noise and get to what matters. Together, we'll map the in-place technologies, identify alignment opportunities, and expose the gaps that hold you back. Our assessments go beyond checklists; we give a clear picture of where you stand and what's needed to meet the requirements and expectations in front of you. The goal isn't to force a product; it's to help you design and implement the right solution in the most efficient, practical way possible.

We can help you:

• Assess current maturity across your OT and IT environments using proven cybersecurity and safety frameworks.
• Design and validate secure architectures with segmentation, zero-trust security, and AI-assisted monitoring, built for industrial operations.
• Integrate cyber and safety metrics to track digital risks alongside LOPC and TRIR.
• Run joint workshops and simulations to extend HAZOPs and LOPAs into the cyber domain, turning theoretical risk into actionable protection.

Let's work together to make cybersecurity a measurable part of your safety culture.