OT/ICS Security Since 2012

Oil & Gas IT — SCADA Security · OT/IT Convergence · California Operations

A cyberattack on your SCADA system isn’t just data loss — it’s a safety incident. IT Center protects California oil and gas operators with purpose-built OT security, ICS monitoring, and field connectivity that keeps production running and regulators satisfied.

ICS-CERT Aligned Response
API Cybersecurity Guidance Compliant
Zero Production Downtime Incidents
24/7 OT Monitoring
  • 0 production downtime incidents from cyber events
  • 24/7 OT network and SCADA monitoring
  • Protecting California operators since 2012
  • 100% ICS-CERT aligned incident response
  • API STD 1164 cybersecurity guidance compliant

Nation-State Actors Are Targeting Your Infrastructure

Energy infrastructure is the highest-priority target for nation-state threat actors. California oil and gas operators face a layered threat environment unlike any other industry — from sophisticated APT groups to ransomware-as-a-service crews that develop ICS-aware payloads specifically for energy targets.

Volt Typhoon — Pre-Positioned for Disruption

CISA and NSA have confirmed that Chinese state-sponsored actors (Volt Typhoon) have embedded themselves in US critical infrastructure OT networks — not for espionage, but to pre-position for disruptive attacks during geopolitical crises. California energy assets are explicitly within scope of their targeting.

Nation-State APT

Sandworm / BlackEnergy — ICS-Aware Malware

Russian GRU’s Sandworm group deployed INDUSTROYER (also tracked as CRASHOVERRIDE), malware engineered specifically to manipulate industrial control systems. BlackEnergy targeted SCADA HMI software used in oil and gas globally. These tools carry ICS-specific payloads that can directly command field devices.

ICS-Specific Malware

Colonial Pipeline — The IT-to-OT Pivot

DarkSide ransomware entered via an inactive VPN account with no MFA. It compromised IT billing systems, prompting an operator-initiated OT shutdown to prevent spread. The $4.4M ransom and six-day outage demonstrated that OT disruption can originate entirely from IT-side compromise.

Ransomware

PHMSA Pipeline Safety Data Requirements

The Pipeline and Hazardous Materials Safety Administration mandates digital safety data management, incident reporting, and integrity management recordkeeping. Insecure or unavailable systems during a PHMSA audit create regulatory exposure that compounds the operational risk of any cyber incident.

PHMSA Compliance

CalOES & CARB Reporting Obligations

California Office of Emergency Services (CalOES) and CARB impose strict reporting timelines on spill events and emissions data. EPA Tier II chemical reporting systems must be available and accurate. Attacks that corrupt or block regulatory reporting create dual liability: operational and regulatory.

CA Regulatory

API Cybersecurity Guidance for Oil & Gas

The American Petroleum Institute published API STD 1164 cybersecurity guidance for pipeline operations. Aligning to API standards demonstrates due diligence to regulators, insurers, and incident responders. IT Center implements API STD 1164 as a baseline for all oil and gas clients.

API STD 1164
OT Systems in Our Monitoring Scope
  • Honeywell DCS
  • Emerson DeltaV
  • ABB System 800xA
  • Yokogawa CENTUM
  • Rockwell PlantPAx
  • Siemens PCS 7
  • GE iFIX / Proficy
  • Wonderware InTouch
  • OSIsoft PI Historian
  • Modbus / DNP3 / OPC-UA
  • Allen-Bradley PLCs
  • Schneider Electric EcoStruxure

OT/IT Security Services for Oil & Gas Operators

Every service is designed for operational environments where a wrong move costs production time, regulatory standing, and potentially human safety. We build around zero-downtime principles and OT-first methodology.

OT/IT Network Segmentation with DMZ Architecture

Hard boundaries between corporate IT and OT zones using DMZ architecture, jump servers, and unidirectional data flows. Prevent lateral movement from IT compromise into SCADA systems following the Colonial Pipeline attack model.

SCADA/ICS Security Monitoring

24/7 passive monitoring with purpose-built OT security platforms including Claroty, Dragos, Nozomi Networks, and Tenable OT Security. Detect anomalies in ICS protocols without disrupting operations or stressing legacy controllers.

Encrypted VPN for Remote SCADA Access

MFA-enforced, encrypted VPN tunnels for remote SCADA and HMI access. Eliminate unauthorized legacy remote access pathways — the exact vector exploited in the Colonial Pipeline attack. Zero standing access by default.

Remote Field Worker Connectivity

LTE primary and satellite backup connectivity for Kern County field sites, offshore platforms, and remote wellheads. Maintain SCADA telemetry and field communications regardless of terrestrial network conditions.

Historian Data Protection & Backup

Immutable backup and disaster recovery for OSIsoft PI, Wonderware Historian, and GE Proficy historians. Preserve operational data integrity for PHMSA compliance, litigation hold, and business continuity after any incident.

Field Device Inventory & Firmware Management

Complete asset discovery and inventory of PLCs, RTUs, flow computers, and safety instrumented systems (SIS). Track firmware versions, identify end-of-life devices, and manage update windows during planned maintenance shutdowns.

Vendor Remote Access Management

Privileged access management (PAM) for third-party OEM vendor access to DCS and SCADA systems. Session recording, time-limited credentials, and just-in-time provisioning for Honeywell, Emerson, ABB, and Yokogawa support sessions.

Emergency Response Communications

Redundant communications for emergency operations centers: satellite voice, encrypted radio integration, and out-of-band management networks that remain operational during primary network failure or active incident response.

OT Patch Management — Zero-Downtime Approach

Coordinated patch management for OT environments with production scheduling constraints. All patches tested in staging environments, deployed during planned maintenance windows, and validated against vendor interoperability matrices before any live system change.

California’s Oil & Gas Footprint — We Know This Terrain

California remains a significant oil and gas producing state with distinct operational geographies. Each region carries unique connectivity challenges, regulatory exposure, and OT system profiles. IT Center has direct experience across all major California producing basins and refining centers.

  • Los Angeles Basin — Wilmington & Long Beach

    The Wilmington Oil Field is one of the largest urban oil fields in the US. Dense production infrastructure, proximity to residential areas, and CalOES reporting obligations create elevated regulatory complexity for every operator in this basin.

  • Bakersfield / Kern County

    California’s largest producing region. Remote field sites with limited terrestrial connectivity, steam flood operations with specialized instrumentation, and large field device counts. LTE/satellite hybrid connectivity is standard for our Kern County deployments.

  • Santa Barbara Channel

    Offshore platform operations with strict BSEE compliance requirements. Satellite-only primary connectivity, high-availability requirements, and emergency shutdown system (ESD) network integration define this environment.

  • Southern California Refineries — Torrance, Carson, El Segundo, Wilmington

    Large DCS footprints, complex VLAN architectures, MES/ERP integration, and continuous CARB emissions monitoring requirements. Refinery OT environments are among the most network-dense industrial settings we support.

  • Pipeline Operators & Natural Gas Distribution

    Interstate and intrastate pipeline operators subject to TSA Security Directives and PHMSA cybersecurity requirements. SCADA systems monitoring pressure, flow, and compressor station operations across hundreds of miles of right-of-way.

California Operations Profile

Crude oil production rank (US states): 7th
Active DOGGR well count (est.): 53,000+
Southern CA refinery capacity (bpd): 650,000+
PHMSA-regulated pipeline miles (CA): 50,000+
Primary regulatory bodies: DOGGR · CARB · PHMSA · CalOES
Federal ICS guidance: ICS-CERT / CISA
EPA Tier II reporting deadline: March 1 annually
API pipeline cybersecurity standard: API STD 1164

The Purdue Model — How We Structure Your Defense

The Purdue Enterprise Reference Architecture defines the security zones of an industrial control environment. IT Center implements Purdue Model segmentation as the structural foundation of every oil and gas OT security engagement, then layers active monitoring, access controls, and incident response on top.

L4/L5: Enterprise IT Network

Corporate ERP, email, business applications. Must be isolated from all OT zones via firewall policy, DMZ architecture, and monitored data transfer paths.

L3: Manufacturing Operations Zone (DMZ)

Historian servers, MES/ERP integration, patch management servers, remote access jump hosts. The critical boundary where most intrusions pivot from IT into OT.

L2: SCADA / Supervisory Control Layer

HMI workstations, SCADA servers, engineering workstations, alarm management systems. Direct command authority over physical processes — highest value target for attackers.

L1: Basic Control (DCS / PLC Layer)

DCS controllers, PLCs, RTUs, flow computers. Executes SCADA commands. Compromise here means direct manipulation of physical field equipment.

L0: Field Devices & Physical Process

Sensors, actuators, valves, pumps, compressors, emergency shutdown systems (ESD). The physical consequence layer where a cyberattack becomes a safety incident.

Network Security Controls

  • VLAN segmentation enforcing Purdue zone boundaries
  • Unidirectional security gateways (data diodes) for historian replication
  • Next-generation firewalls with ICS-protocol deep packet inspection
  • Anomaly detection for Modbus, DNP3, OPC-UA, and EtherNet/IP traffic
  • Jump server / bastion host architecture for all OT zone access
  • Out-of-band management networks for emergency access paths
  • Air-gapped vs. connected SCADA environment assessment and design
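As an added illustration of the Purdue segmentation and boundary controls above (example code written for this page, not IT Center's tooling), a small policy check that rejects any proposed firewall flow which skips a Purdue level or runs against the permitted direction. Zone names, level assignments and the allow-list are constructed for the example.

```python
# Added example: audit candidate firewall flows against Purdue zone rules.
# Zones, levels and the allow-list below are constructed, not a real site.
from dataclasses import dataclass

# Purdue level for each constructed zone
ZONE_LEVEL = {
    "corp-erp": 4, "corp-users": 4,
    "dmz-historian": 3, "dmz-jump": 3,
    "scada-servers": 2, "hmi": 2,
    "plc-ring": 1, "field-io": 0,
}

# Permitted crossings as (protocol, from_level, to_level): historian data
# only moves upward (diode-style); interactive access enters OT only via L3.
ALLOW = {
    ("pi-replication", 2, 3), ("https", 3, 4),
    ("rdp", 3, 2), ("opcua", 2, 1), ("modbus", 2, 1), ("modbus", 1, 0),
}

@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str

def evaluate_flow(flow):
    """Return (allowed, reason) for one candidate flow."""
    s, d = ZONE_LEVEL[flow.src_zone], ZONE_LEVEL[flow.dst_zone]
    if s == d:
        return True, f"intra-level L{s}; VLAN policy applies"
    if abs(s - d) > 1:
        return False, f"L{s} -> L{d} skips a level; must terminate in the L3 DMZ"
    if (flow.proto, s, d) in ALLOW:
        return True, f"{flow.proto} L{s} -> L{d} is on the allow-list"
    return False, f"{flow.proto} L{s} -> L{d} is not on the allow-list"

def audit(flows):
    """Return (flow, reason) for every flow that violates policy."""
    results = [(f, *evaluate_flow(f)) for f in flows]
    return [(f, reason) for f, ok, reason in results if not ok]

# Constructed firewall change request to review
CANDIDATE_FLOWS = [
    Flow("corp-users", "hmi", "rdp"),                          # IT straight to SCADA
    Flow("dmz-jump", "hmi", "rdp"),                            # via jump host
    Flow("scada-servers", "dmz-historian", "pi-replication"),  # upward replication
    Flow("dmz-historian", "scada-servers", "pi-replication"),  # reverse direction
    Flow("corp-erp", "plc-ring", "modbus"),                    # ERP to PLC
    Flow("scada-servers", "plc-ring", "modbus"),               # supervisory path
]
```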

Monitoring & Response

  • Passive OT asset discovery — no active scanning that can disrupt PLCs
  • Behavioral baseline modeling for ICS protocol communications
  • Claroty, Dragos, or Nozomi platform deployment and managed operations
  • 24/7 SOC coverage with OT-trained analysts working in the California time zone
  • ICS-CERT aligned incident response playbooks per environment
  • Tabletop exercises simulating ransomware and nation-state scenarios
  • Coordinated alerting with physical security and ESD system teams

Frequently Asked Questions

Every oil and gas operator we speak with has the same core concerns. Here are direct, engineering-level answers.

IT security prioritizes confidentiality, integrity, and availability — in that order. OT security inverts the priority: availability comes first because a stopped pump or closed valve has immediate physical and financial consequences. OT systems were designed for reliability over decades, not security, which means they often run legacy operating systems with no patch cycle, cannot tolerate active network scans, and may crash if subjected to standard IT security tools. OT security requires passive monitoring, protocol-aware firewalls, and change management processes synchronized with production schedules rather than IT release calendars.

The core principle is passive-first monitoring. We never use active network scanning tools like Nmap or vulnerability scanners against live OT networks — they can crash PLCs and RTUs. Instead, we deploy passive sensors that observe network traffic without injecting packets. Asset discovery is done through traffic analysis, not probing. Firewall rules and network segmentation changes are staged, tested in equivalent lab environments, and executed during planned maintenance windows coordinated with your operations team. Patch management follows your turnaround schedule, not an IT calendar.

Following the Colonial Pipeline attack, TSA issued Security Directives (SD-02A through subsequent revisions) requiring: identification and protection of critical cyber systems; implementation of specific access control and monitoring measures; development of a Cybersecurity Incident Response Plan (CIRP); and an annual architecture review cycle. PHMSA coordinates with TSA on these requirements. Operators must also maintain data integrity for safety records required during PHMSA inspections. IT Center aligns your SCADA and IT environments to TSA Security Directive requirements and supports your CIRP documentation and testing obligations.

Vendor remote access is one of the highest-risk vectors in OT environments. We implement Privileged Access Management (PAM) specifically scoped to OT vendor access: vendors receive time-limited, just-in-time credentials that expire automatically after each session; all sessions are recorded with full video and keylogging for post-incident review; access is restricted to specific IP ranges and specific target systems; multi-factor authentication is mandatory; and a human approval workflow is required before each session initiates. This applies to OEM vendors from Honeywell, Emerson, ABB, Yokogawa, Rockwell, Schneider Electric, and any other third party accessing your control systems.

Our ICS-CERT aligned incident response plan activates immediately. First action is network isolation of affected segments to prevent spread to OT zones, while maintaining safety system functionality. We assess whether the attack has crossed the IT/OT boundary. If it has, we invoke your Cybersecurity Incident Response Plan (CIRP) and coordinate TSA/PHMSA notification requirements if you are a regulated pipeline operator. Simultaneously, we begin recovery from immutable backups for historian data and execute bare-metal restore procedures for SCADA servers from clean, validated snapshots. Our goal is safe operational recovery — not just IT recovery.

Yes, from multiple regulatory directions simultaneously. California operators face federal requirements (TSA Security Directives for pipeline operators, EPA Tier II reporting, PHMSA data integrity requirements) plus California-specific obligations including CalOES critical infrastructure protection coordination and CARB continuous emissions monitoring data integrity. DOGGR oversees well operations and requires accurate digital reporting. A cyberattack that corrupts emissions or production data creates regulatory liability beyond the operational impact. California’s SB 327 IoT security law and CPRA data privacy requirements may also apply to connected field sensors. IT Center maps your full regulatory exposure at the start of every engagement.
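As an added example of the passive-first monitoring and behavioural baselining described in the Monitoring & Response list and in the FAQ answer on passive monitoring above (written for this page; not a Claroty, Dragos or Nozomi component and not IT Center's code), a minimal Modbus/TCP request parser with a learn-then-detect baseline: observed (source, destination, unit, function) tuples form the baseline, and anything outside it is flagged, with unexpected write functions ranked highest. All frames and addresses are constructed.

```python
# Added example: passive Modbus/TCP baseline and deviation alerting.
# Frames, hosts and the learning window below are constructed samples.
import struct

WRITE_FUNCS = {5, 6, 15, 16, 22, 23}   # coil and register writes

def parse_modbus_tcp(payload):
    """Parse the MBAP header and function code of one request frame."""
    if len(payload) < 8:
        raise ValueError("short frame")
    tid, pid, length, unit = struct.unpack(">HHHB", payload[:7])
    if pid != 0 or length != len(payload) - 6:
        raise ValueError("not a well-formed Modbus/TCP frame")
    return {"tid": tid, "unit": unit, "func": payload[7], "data": payload[8:]}

def request_key(src, dst, payload):
    """Identity of a conversation: who asks whom for which function."""
    m = parse_modbus_tcp(payload)
    return (src, dst, m["unit"], m["func"])

def build_baseline(records):
    """Learning window: every (src, dst, unit, function) tuple observed."""
    return {request_key(*r) for r in records}

def detect(records, baseline):
    """Flag requests outside the baseline; unexpected writes rank highest."""
    alerts = []
    for src, dst, payload in records:
        key = request_key(src, dst, payload)
        if key not in baseline:
            sev = "high" if key[3] in WRITE_FUNCS else "medium"
            alerts.append((sev, key))
    return alerts

def mb(tid, unit, func, data):
    """Constructed helper: assemble a Modbus/TCP request frame."""
    pdu = bytes([func]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

# Constructed addresses and captures (no real site data)
HMI, PLC, ENG, LAPTOP = "10.2.0.10", "10.1.0.5", "10.2.0.20", "10.4.0.77"
LEARN = [
    (HMI, PLC, mb(1, 1, 3, struct.pack(">HH", 0, 10))),    # read holding registers
    (HMI, PLC, mb(2, 1, 1, struct.pack(">HH", 0, 8))),     # read coils
    (HMI, PLC, mb(3, 1, 6, struct.pack(">HH", 40, 500))),  # routine setpoint write
]
LIVE = LEARN[:1] + [
    (ENG, PLC, mb(9, 1, 8, struct.pack(">HH", 1, 0))),          # diagnostics sub-function
    (LAPTOP, PLC, mb(10, 1, 5, struct.pack(">HH", 3, 0xFF00))),  # coil write from IT subnet
]
```

Running `detect(LIVE, build_baseline(LEARN))` returns a medium alert for the engineering station's diagnostics request and a high alert for the coil write from the IT-subnet laptop, while the HMI's routine reads stay silent.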

Get a Free SCADA Security Assessment for Your Operation

IT Center has been protecting California industrial operations since 2012. Tell us about your environment — the assessment is free, zero-obligation, and conducted by engineers who understand DCS architectures, not just firewalls.

  • OT/IT boundary review — identify where your SCADA is exposed
  • Vendor remote access audit — map every third-party access path
  • PHMSA / API STD 1164 cybersecurity guidance gap analysis
  • Field device inventory and firmware exposure report
  • No active scanning — zero production risk during assessment
(888) 221-0098 — Call Directly

Request Your Free SCADA Assessment

We respond same business day. No sales pressure — just engineering expertise.

By submitting this form you agree to be contacted by IT Center. We do not sell or share your information. Privacy Policy.