Always on Guard
Through Advanced Cybersecurity, Chevron’s Marisa Ruffolo Protects Vital Energy Infrastructure.
It’s before dawn as Marisa Ruffolo flows from one yoga pose to the next before heading off to work. Her mind is calm and singularly focused. The class is a kind of controlled endurance trial. It’s a fitting workout, especially the mental preparation, for the kinds of challenges she faces every day as a cybersecurity enterprise architect at Chevron.
Marisa is part of America’s Generation Energy: deploying technologies to support best-in-class cybersecurity standards, protocols and collaborations that safeguard industry and help maintain American energy leadership.
As the job title above suggests, Marisa is a designer and builder. Not of physical structures, but of solutions – measures to defeat cyberattacks targeting industry operations and intellectual property, from corporate offices to well pads to pipelines – which if successful could impact U.S. energy and national security. The threat never rests; neither do Marisa and her industry counterparts. “At some point you come to terms with the fact that the adversaries are out there, and that there will always be those who are looking to do you harm,” she says.
The digital solutions of the 21st century have increased the reliability, efficiency and safety of natural gas and oil operations to unprecedented levels. Advanced security means Americans can have reliable access to cleaner and more affordable energy options that power their modern lives.
With these benefits also come a growing number of cyber-based attacks on the operational technologies that monitor and control rigs, wells, pipelines and refineries.
Countering the threat are today’s industry cybersecurity professionals, who represent a diverse and well-trained cadre of specialists. Collectively, they protect the industrial control systems – the digital brains of physical assets – as well as the information technology, which stores and protects intellectual property and other corporate data, preventing energy disruptions that could harm national security and the public. All but gone are the days when hackers living in their parents’ basement dreamed up nuisance attacks for kicks.
“Sharing helps us better understand whether a threat is just focused on one company or is an industry-wide attack.”
According to Marisa, the modern hacker – or “adversary,” as they are known in cybersecurity circles – is as highly skilled, motivated and proficient as the experts assigned to protect against their attacks.
“Today’s hackers are educated engineers and computer science professionals who have been hired by nation states or cybercriminal organizations to develop attacks against companies and governments,” Marisa says.
Recognizing today’s realities, natural gas and oil companies recruit talented professionals to stay a step ahead in a cyber chess match that’s anything but a game. Marisa is one of the leaders in her field. An electrical engineer by training with a doctorate from Northwestern University, she spent seven years at a national laboratory, exploring the role of cybersecurity in national defense applications.
These days, well-educated cyber professionals have the attention of industry’s C-suite executives, helping natural gas and oil transition to a new, state-of-the-art level of preparedness. A number of corporate boards and executives are actively engaged with their growing cybersecurity departments as they execute defense-in-depth approaches to cyber protection. Marisa says that executives focus on cybersecurity because they see it as enterprise-wide risk management, placing it among the highest levels of corporate priorities.
The focus on security is prevalent even at the most basic operational level. Safety briefings before worker shifts at refineries, pipelines and well sites long have been an industry practice. Marisa notes that Chevron now also focuses specifically on cybersecurity concerns, such as phishing attacks and critical security updates, during these safety briefings.
In addition to this focus, she says that information sharing across the industry and with government agencies makes a real difference in identifying and addressing attacks. Threat information and indicators of potential security breaches are shared by the U.S. intelligence community with cybersecurity experts from natural gas and oil companies as well as industry collaborations like the Oil and Natural Gas Information Sharing and Analysis Center (ONG-ISAC) on an ongoing basis. Threat countermeasures are continually incorporated into company cybersecurity programs.
“This sharing helps us better understand whether a threat is just focused on one company or is an industry-wide attack,” she says. “When we have a better understanding of the adversary’s target, we can more efficiently respond.”
That response is built on international standards and proven guidelines including a Cybersecurity Framework established by the National Institute of Standards and Technology (NIST) with five core focus areas: identify, protect, detect, respond and recover. This same framework is used across U.S. industries from banking to manufacturing. A disciplined approach to protection is necessary because the fight is never over.
“The energy industry is so important to our economy, so it makes sense that adversaries would want to disrupt it through cyberattacks,” Marisa says.
Her day ends much as it began on the yoga mat – with unwavering focus. Fortunately, the natural gas and oil industry – and a country that counts on secure, reliable energy – has cyber defenders like Marisa Ruffolo.