Oilfield Technology
Amir Samoiloff, CEO of SIGA, writes: In oil and gas operations, the key question during a cyber incident is whether the event has affected the physical process or created uncertainty about process integrity.
Operational decisions (whether to continue, reduce flow, isolate sections or initiate shutdown) depend on confidence that pressure, flow, and safety functions are behaving as expected. If that confidence is lost, operators may decide to slow or halt operations until the physical state can be verified.
Once a control system is suspected of compromise, data from SCADA, PLCs or HMIs may not be sufficient to confirm physical impact. As a result, operators often rely on human verification of the process. This can include validating pressure readings locally, confirming whether equipment is running, or checking terminals and field assets directly.
This reliance introduces delays and operational uncertainty. It becomes more complex when facilities are remotely supervised, when access to infrastructure is limited or when fewer personnel are physically present because of automation, retirements and skill shortages.
This article examines:
Colonial Pipeline offers a clear example of the verification challenge during a cyber event in oil and gas transmission.
In May 2021, a ransomware attack disrupted Colonial’s billing systems. There was no confirmed compromise of the operational technology that manages pipeline control or safety systems. The issue was that the company could not confirm, quickly or with certainty, that the physical process remained unaffected.
Pipeline operations were halted across the system.
Before restarting, Colonial required assurance that flows, system pressure and safety conditions were normal. That could not be confirmed through supervisory data alone. Personnel were deployed to terminals and field assets to verify conditions on the ground.
This dependency on physical verification contributed to a shutdown of several days across the largest refined petroleum pipeline network in the United States.
The structure of operations has been changing for years. Facilities that once maintained continuous on-site staffing are now managed from centralised control rooms. Field personnel cover wider territories rather than being stationed locally. Compressor and pump stations, as well as block-valve sites, typically run unattended outside scheduled maintenance or inspection windows. Control centres oversee these assets but lack immediate physical access to verify what is occurring in the process.
As a result, when cyber-related uncertainty arises, confirming the physical state of the system can take hours instead of minutes. Travel logistics, site access restrictions, and mandatory safety procedures all extend response timelines and increase exposure.
Growing automation has further reduced informal process awareness. With fewer people physically present, discrepancies between displayed data and actual equipment behaviour are less likely to be noticed unless personnel are explicitly dispatched.
Manual verification therefore remains the ultimate assurance method when system data cannot be trusted - but it is now slower, less available, and operationally disruptive at precisely the moment rapid validation is most critical.
In oil and gas transmission, an evolving cyber incident may not immediately damage physical equipment. But there is significant risk from the loss of visibility as to whether the physical process is still behaving as expected. If there is any doubt that control system data reflects actual field conditions, flow or restart cannot proceed until the physical state is verified.
The Colonial Pipeline incident made this operational reality visible. The ransomware intrusion was contained to corporate IT systems, but once there was uncertainty around the accuracy or reliability of operational data, continued product flow was halted. Before resuming operations, the company needed confirmation that the physical system was stable and operating within safe parameters. That confirmation could not come from screens alone - it required physical validation, and that process took time.
In oil and gas operations, there are situations where the control system indicates a process condition, but operators cannot be certain it reflects what is happening in the field. This is uncommon, but when it happens following a cyber breach, decisions about keeping product flowing, isolating a line or restarting equipment depend on information that only field verification can provide.
At that point, the sequence is predictable:
This gap between detecting a cyber event and confirming the physical process is where operational, commercial and safety pressure builds.
In oil and gas operations, control system data (e.g., SCADA, PLCs or HMIs) represents a processed and network-dependent view of the physical process. Level 0 (of the Purdue Model) data is different. It is the raw electrical and physical signal generated by the process itself: pressures, currents, flows, valve positions, etc. These values exist before software interprets them, before they pass through controllers, and before they can be altered or suppressed by an attacker.
Level 0 monitoring is not about replacing SCADA or safety systems. It establishes a process-oriented source of truth that remains tied to physics, not logic. That distinction becomes critical during an evolving cyberattack, especially when there is doubt about whether the equipment in the field is behaving in line with what the control system reports.
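The cross-check this implies, written here as an added example that is not part of the article or any SIGA product: read the transmitter's raw loop current independently of the control network, scale it to engineering units, and flag any sustained disagreement with the value SCADA displays. The 4-20 mA span, the 0-100 bar range, the tolerance, the persistence count and the sample trace are all assumptions made for the example.

```python
"""Cross-check SCADA-reported pressure against an independent Level 0 signal."""
from dataclasses import dataclass

# Assumed transmitter: live-zero 4-20 mA loop spanning 0-100 bar.
LOOP_MIN_MA, LOOP_MAX_MA = 4.0, 20.0
RANGE_MIN_BAR, RANGE_MAX_BAR = 0.0, 100.0


def loop_to_bar(milliamps: float) -> float:
    """Scale raw loop current to pressure. Currents outside the NAMUR NE43
    fault band (< 3.6 mA or > 21 mA) mean the transmitter or wiring has
    failed, so no physical value can be claimed at all."""
    if milliamps < 3.6 or milliamps > 21.0:
        raise ValueError(f"loop current {milliamps} mA is a transmitter fault")
    frac = (milliamps - LOOP_MIN_MA) / (LOOP_MAX_MA - LOOP_MIN_MA)
    return RANGE_MIN_BAR + frac * (RANGE_MAX_BAR - RANGE_MIN_BAR)


@dataclass(frozen=True)
class Sample:
    t: int              # sample index on a constructed time base
    scada_bar: float    # value the HMI / historian shows the operator
    level0_ma: float    # raw loop current read by the independent tap


def find_divergence(samples, tol_bar=2.0, persist=3):
    """Return (t, scada_bar, level0_bar) for the first sample of a run in which
    SCADA and Level 0 disagree by more than tol_bar for `persist` consecutive
    samples; None if the two views stay consistent. A single-sample glitch is
    ignored so that noise alone does not withdraw process confidence."""
    run = []
    for s in samples:
        physical = loop_to_bar(s.level0_ma)
        if abs(s.scada_bar - physical) > tol_bar:
            run.append((s.t, s.scada_bar, round(physical, 2)))
            if len(run) == persist:
                return run[0]
        else:
            run = []
    return None


# Constructed trace: SCADA keeps showing a steady 55 bar while the loop
# current shows line pressure actually falling (a frozen or altered tag).
CONSTRUCTED_TRACE = [
    Sample(0, 55.0, 12.8), Sample(1, 55.1, 12.8), Sample(2, 55.0, 12.7),
    Sample(3, 55.0, 12.2), Sample(4, 55.0, 11.6), Sample(5, 55.0, 11.0),
    Sample(6, 55.0, 10.4),
]

if __name__ == "__main__":
    print("divergence:", find_divergence(CONSTRUCTED_TRACE))
```

The returned tuple is the point from which operators can no longer treat the SCADA value as describing the field, which is exactly the question the article says restart decisions hinge on.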
When Level 0 visibility is in place, operators gain the ability to:
Regulators are increasingly treating cybersecurity and process integrity as a single obligation. Following the Colonial Pipeline incident, the US Transportation Security Administration (TSA) issued a series of security directives (such as Pipeline Security Directive Pipeline-2021-01A and -02B) requiring pipeline operators to implement network segmentation, continuous monitoring, and rapid incident reporting to CISA, with verification of operational impact now part of compliance (TSA directive summary).
In parallel, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) mandates that critical infrastructure owners report substantial cyber incidents within 72 hours (CISA CIRCIA). In Europe, the EU NIS2 Directive expands obligations for energy operators to include OT systems and proof of business-continuity readiness (EU NIS2).
These frameworks share a common expectation: operators must be able to prove that the physical process remains in a safe, known state during and after a cyber event. That assurance depends on validated, physics-based process data.
In oil and gas cyber incidents, what matters most is not whether a network or controller was breached, but whether the physical process is still behaving as intended. When that can’t be confirmed, operations slow or stop – not because equipment is damaged, but because safety cannot be proven.
Industry structure has changed: fewer people on-site, more automation, and wider supervisory coverage make physical verification slower and more costly. When control system data can’t be trusted, SCADA, PLC, or HMI displays alone are no longer enough.
That’s why process-level monitoring is now critical. It provides a source of truth rooted in physics rather than software logic, enabling faster verification, better decisions, and less dependence on field checks. And as regulations increasingly link cybersecurity with process safety and physical integrity, verifying the true state of the process has become more than an operational necessity - it’s a regulatory and governance requirement.
Read the article online at: https://www.oilfieldtechnology.com/special-reports/19012026/the-hidden-risk-in-oil-and-gas-cybersecurity-verifying-the-physical-process/