We recently completed a Facility Security Assessment (FSA) which included a cybersecurity assessment in which we informed the IT/OT/Cybersecurity departments at a large refinery of the new requirement to have cybersecurity as part of the facility security plan (FSP).  We also made clear that there are required notifications of any cybersecurity incidents to the Facility Security Officer (FSO), National Response Center and the local Coast Guard Captain of the Port.  Shortly after completing the FSA, this refinery in the northeast was awash in phishing email attempts that were spurred by some recent changes.  The FSO attributes his recent FSO training and the FSA process in educating all necessary parties to the cyber requirements and with ensuring all required notifications were properly made and done so in a timely fashion.  

This cybersecurity threat was noticed when the entire company received suspicious emails regarding new administrative requirements and numerous employees contacted their cybersecurity department to investigate.  The cyber team did a superb job of determining that these were phishing emails and a companywide alert was sent out to that effect.  The FSO was notified so that the required notifications could be made.  The phishing attempts failed at inserting malware onto the companies’ network because of the quick action by the facility team. 

This thwarting of a full-blown potential cybersecurity incident is a perfect example of why all MTSA regulated facilities are required to conduct a cybersecurity assessment as part of the FSA and include a cybersecurity annex in their FSP, not to mention having current cyber policies and training. 

A reminder - all MTSA regulated facilities are required to conduct a cybersecurity assessment and include a cybersecurity annex to their FSP by their audit anniversary date September 30, 2022.