We seek to protect our people, information and assets by using a risk-based, multilayered approach to cybersecurity. The threat landscape has evolved with increased targeting of process control networks, exploitation of trusted software in supply chains, and frequency of ransomware attacks. Chevron’s digital strategy strengthened our ability to navigate the risk environment and advance a digitally driven future.
employee spotlight
Kayla Lacefield
operational technology cybersecurity engineer
Before joining Chevron, I was a systems administrator in the U.S. Air Force for eight years. That experience was great preparation for my current work as an operational technology (OT) cybersecurity engineer at Chevron.
In the Air Force, I supported all aspects of IT, from delivering network security to software configuration. As an OT security engineer, I provide digital support to our operations, which focuses on managing our process control networks. My role is to design and establish the guardrails for the multiple safeguards we have in place to prevent or mitigate impacts to our PCNs.
One of our biggest assets is Security by Design, which helps build cybersecurity into a system’s architecture and individual solutions. Using Security by Design, my team works with our business units to develop guardrails and test that those guardrails are effective. The team also evaluates our vendors to certify that they’re secure by design – it’s a process that not only supports cybersecurity, integrity and reliability, but also has the potential to reduce costs.
There’s also a very human side to our work. For example, a PCN may monitor the facility’s emissions and effluents. My team’s job is to put in the protocols so that we have confidence that the data are protected and reliable. Accurate and timely data enable us to have the information to help keep our employees and the communities where we operate safe and healthy.
assuring safeguards are in place
We test our cybersecurity program using internal and external assessments to verify that safeguards are in place and effective. The frequency and rigor of compliance controls and audits are determined using a risk-based approach. Because the threat landscape continuously changes, we use penetration testing, which simulates attacks against the company, employing tactics, techniques and procedures hackers use to achieve their objective of accessing sensitive data or disrupting business operations. Our cybersecurity maturity is externally assessed against an internationally recognized framework by a top security company.
Our cybersecurity safeguards and programs align with the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and risk management and assurance are incorporated through our Operational Excellence Management System (OEMS). The OEMS enables us to systematically manage risk, implement and assure safeguards, and foster a culture of learning across different focus areas for our business, including security.
preparing the workforce
We require employees and contractors to complete training either annually or biannually on a range of cybersecurity best practices, including information on risk awareness, data privacy, privileged user access and email phishing. Training is updated regularly to reflect current cybersecurity challenges and Chevron’s cybersecurity objectives. We also have a cybersecurity awareness campaign to make the workforce aware of risks and threats and educate people on safe cyber behaviors.
establishing resilient operations
The intensifying threat landscape and the speed and sophistication with which malicious actors exploit vulnerabilities have made cyber attacks increasingly difficult to prevent. Therefore, we seek to quickly identify and rapidly respond to cyber incidents to limit their scope and impact and enable us to restore normal operations as fast as possible.
Although we experience cyber incidents in our business, including breaches, we have taken actions to mitigate the impact of these incidents through our cybersecurity safeguards. None of these incidents or breaches resulted in losses that had a material adverse effect on our business or results of operations, including over the last three years.