How Honeywell raises cyber-resilient pipelines and storage terminals

Knowing the cybersecurity terrain, history and root causes can enable csHazOps and other well-suited protections
Nov. 13, 2025
6 min read
Photo by Keith Larson
Pranav Bhopatkar, Honeywell, at Honeywell Users Group 2025 in The Hague

As hard as it is to provide cybersecurity for process applications, at least their devices and networks mostly stay at home and onsite. Even if they’re out in the field, those components are in locations with well-defined boundaries. Not so with pipelines.

Pipelines travel dozens, hundreds or even thousands of kilometers (km), so who knows what unsavory characters, sketchy communications and cyber-threats they might encounter on their long and often unsupervised trips. And the same goes for their terminals, where pipelines receive and send raw materials, finished products, and support fluids and gases.

“Pipelines and terminals can get hit by cyber- or physical attacks, or hybrid events combining both,” said John Colpo, strategy and marketing lead for LNG, pipelines, terminal and shipping at Honeywell Process Solutions. “Knowing what’s special about each is essential to protecting them.”

Colpo and Pranav Bhopatkar, regional leader for OT and ICS cybersecurity at Honeywell Process Solutions, presented “Evaluating cyber-resilience for pipelines and storage terminals” at this week’s Honeywell Users Group 2025 for Europe, Middle East and Africa at the Hague in the Netherlands.

Cyber-threat and loss landscape

Colpo reported primary, cybersecurity-related characteristics and risks for pipelines and terminals include:

  • As critical infrastructure, they’re attractive targets for sophisticated and unsophisticated actors, and have a special mandate for societal continuity, nation building and special regulations.
  • Because they perform transport and storage logistics only, pipelines and terminals have low-value-added business models and are constrained by tariffs that drive cost take-outs. They also have broad geographical footprints with physical and OT and IT cyber-attack surfaces.
  • Risk-based cybersecurity isn’t enough because it focuses on generic cyber-threats, while crime is prevalent across midstream process industries, so more integrated cybersecurity is needed.
  • Theft from pipelines and terminals is a multi-billion-dollar problem, so cybersecurity for custody transfer equipment and locations is especially crucial and must by linked and integrated with theft prevention.
  • Holistic approach needed so risk management can be expanded to commodity theft, physical security and safety. Positive return on investment (ROI) is possible when fraud and theft are prevented and/or when lost and unaccounted for gas (LAUF) is reduced.

“More than $133 billion of oil and gas products are stolen each year, which amounts to 5-7% of worldwide production,” explained Colpo. “These thefts range from simple fuel-card skimming up to hijacking tanker trucks and ships. However, custody transfer regulations are in place in very few nations, and participants assume their information is secure and handled by authorized people. This is why mitigation against theft and fraud must be implemented with a zero-trust approach.”

In addition, Colpo added that oil and gas supply chains are more vulnerable because their upstream, midstream and downstream sections are very diverse, have widely dispersed facilities, low staff ratios, and work with fungible, commodity products that are easy to resell.

“Many pipelines may only have radio or cellular monitoring every 20-50 km at a valve station with a remote terminal unit (RTU), which again means their vulnerabilities and attack surfaces extend over very long distances. Even their OT or IT networking devices are in locations that are normally unstaffed and/or only lightly secured,” added Colpo. “This makes all of them particularly exposed to man-in-the-middle, cyber-attacks via standard protocols like Modbus/TCP at pipeline tapping points by using commoditized tools and simple I/O signatures.”

Because product theft requires a physical, in-person attack at some point, Colpo reported they’re typically staged at some distance from OT and IT devices. Plus, as more theft-detection technologies are deployed, physical actors refocus their efforts on threatening, blackmailing or bribing personnel, and concentrate more on attacking central OT and IT locations, as well as remote pipeline sections and OT areas with fewer protections. And, just as anti-theft measures improve, thieves also improve their equipment and methods.

Root causes for better practices

Just as process engineers fear the underlying reasons for shutdowns more than any downtime that follows, Bhopatkar reported they must also focus on uncovering hidden cyber-vulnerabilities more intently than on any potential cyber-attacks and outages they could trigger later.

“Cyber-resilience isn’t mainly about cyber-attacks. It’s about how quickly and effectively end-users can respond and recover,” said Bhopatkar. “This also means learning about the important events in cybersecurity history, including the Stuxnet worm in 2010, Triton safety-system malware in 2017, and the Colonial Pipeline ransomware incident in 2021.”

Bhopatkar added that Colonial Pipeline was a wake-up call because it involved capturing a password on an inactive account. This allowed the cyber-intrusion to seem like normal activity on the surface, even as the attackers gained unauthorized access for two hours, exfiltrated 200 Gigabytes of data, and demanded and received a substantial ransom. These events also prompted Colonial to voluntarily shut down its pipelines due to a lack of OT and IT visibility and confidence. A subsequent investigation resulted in several arrests and substantial ransom recovery, but the intervening chaos led to U.S. congressional hearings, and multiple regulatory-directive updates and cybersecurity upgrades.

“Colonial Pipeline triggered 52 new, U.S. federal cybersecurity regulations that are in effect or proposed, and inspired 156 countries to enact cyber-crime legislation,” said Bhopatkar. “Many are increasing the liability on companies and organizations if they don’t make efforts to mitigate their cyber-risks.”

Because IT cybersecurity solutions aren’t always an ideal fit with OT infrastructures and priorities, Bhopatkar reported both parties must understand their differences, including:

  • Operating priorities due to IT’s focus on maintaining business information confidentiality, and OT’s focus on maintaining safe operations and uptime.
  • Deployment models with IT loading software patches and performing reboots at will, while OT must wait for appropriate scheduling to avoid unplanned downtime.
  • Required skills and experiences due to OT’s need to understand and respond to existing, interconnected assets, such as emergency shutdown (ESD) systems, and integrating them with new cybersecurity requirements.
  • Impact on business because OT network performance can affect production and quality, potentially cause injuries or loss of life, and impact local environments.

HazOps for all cybersecurity seasons

“More users and their organizations are asking themselves if they’re doing enough on cybersecurity, and questioning whether they’re ready to respond and recover,” added Bhopatkar. “The good news is that process safety examples, such as an emergency shutdown (ESD) on an oil storage tank, can serve as a template for cybersecurity and how to handle a cyber-attack. Just as we do scenario-driven risk assessments, hazard and operability (HazOp) studies and layers of protection analyses (LOPA) for process safety, we can also do cybersecurity HazOps (csHazOps) to determine which tools, tactics and procedures will provide the most effective protection.”

Bhopatkar reported that a csHazOp can also enable each process application and facility to transfer risk by closing in on compliance with cybersecurity standards like ISA/IEC 62443, U.S. National Institute of Standards and Technology’s Cybersecurity Framework 2.0, and the European Union’s new Cyber Resilience Act.   

“Honeywell provides csHazOps that can provide more quantitative and qualitative looks into individual process applications, help users improve their risk appetites by reducing their risk thresholds, and generally be more proactive about their cybersecurity,” concluded Bhopatkar. “For example, NIST CSF 2.0’s five cybersecurity steps are identify, protect, detect, respond and recover, so Honeywell’s services include industrial control system (ICS) incident response, defensible architectures, ICS network visibility monitoring, secure remote access, and risk-based vulnerability management. Honeywell also provides tabletop drills, penetration testing and walkthroughs for practicing all of those principles.”

About the Author

Jim Montague
Email

Jim Montague

Executive Editor

Jim Montague is executive editor of Control.