

Prayukth K V
17 June 2025
Applying NIST SP 800-53 to secure oil refineries: A comprehensive guide
Oil refineries are among the most critical components of global energy infrastructure. They convert crude oil into usable products such as gasoline, diesel and petrochemical feedstocks, which makes them essential to the functioning of modern economies. That importance also makes them a prime target for sophisticated cyberattacks by state-backed and other well-resourced threat actors.
From ransomware incidents to nation-state intrusions, the cybersecurity landscape for refineries is complex and high-risk. Addressing it calls for a comprehensive, standardized security framework. One such framework is NIST Special Publication 800-53 (SP 800-53), a catalogue of security and privacy controls originally written for federal information systems and organizations. Although it was designed for federal systems, SP 800-53 is increasingly being adapted to industrial and critical infrastructure environments, including oil refineries and pipelines.
Today’s blog post explores how NIST SP 800-53 can be practically applied in an oil refinery setting to enhance cybersecurity posture, ensure regulatory compliance, and support resilient operations.
Understanding the relevance of NIST SP 800-53 to oil refineries
NIST SP 800-53 organizes its controls into families such as Access Control, Incident Response, System and Communications Protection, and others. Although the publication was originally aimed at traditional IT systems, its modular structure and built-in tailoring process allow it to be adapted to the Operational Technology (OT) environments found in oil refineries. NIST SP 800-82 (Guide to Operational Technology Security) provides an OT overlay of the SP 800-53 controls that is a practical starting point for that tailoring.
Oil refineries already operate under frameworks and regulatory requirements such as NIST CSF, IEC 62443, API 1164 and the TSA security directives in the U.S., and under comparable regimes in other geographies, often with geopolitical tensions in the background. Integrating SP 800-53 into this ecosystem aligns refinery operations with a globally recognized set of best practices.
Challenges in adapting SP 800-53 to oil refineries
While NIST SP 800-53 offers rich guidance, its implementation can present real-world challenges such as those related to:
· Legacy systems: Many OT devices lack the capability to implement modern security controls such as authentication, encryption or logging.
· Unclear applicability: Teams are often unsure which controls apply to OT assets, how to tailor them, and in what order to implement them.
· Cultural barriers: Engineering teams may resist changes that could affect plant uptime or safety.
· Skill gaps: Implementing controls requires cross-functional expertise in both cybersecurity and OT engineering.
· Resource constraints: Smaller refineries may lack the budget or staffing to implement the entire control catalogue.
These challenges make a risk-based, phased approach critical.
So how can we overcome these challenges? Let's begin by mapping the control families to OT environments.
Mapping NIST SP 800-53 control families to refinery OT environments
1. Access Control (AC)
o Implement role-based access to ICS and SCADA systems.
o Enforce least privilege for engineers and operators.
o Use multifactor authentication for remote access to refinery networks.
o Use physical barriers (locked cabinets, sealed ports, controlled key access) to prevent direct manipulation of field devices; SP 800-53 covers this under the Physical and Environmental Protection (PE) family.
2. Audit and Accountability (AU)
o Maintain logs of operator actions on DCS and HMI systems, including setpoint changes, alarm acknowledgements and logic downloads.
o Forward logs to a collector outside the control network and protect them with tamper-evident mechanisms (write-once storage or hash-chained records) so that retrieval can demonstrate they have not been altered.
o Periodically audit control room activity and remote access events.
3. System and Communications Protection (SC)
o Segregate corporate and control networks using firewalls and DMZs.
o Employ encryption for remote sensor telemetry where the protocol and the device support it.
o Disable unused communication ports and services on PLCs and RTUs.
o Enforce session time-outs and limits on remote and engineering sessions.
o Deploy OT network intrusion detection (NIDS) solutions such as Shieldworkz to detect anomalous communication on control networks.
4. Incident Response (IR)
o Develop refinery-specific incident response plans.
o Test playbooks and responses in near real-world scenarios
o Update IR playbooks regularly.
o Upskill IR teams on OT-specific response, including safe shutdown and recovery procedures.
o Conduct OT-specific tabletop exercises involving engineering and security teams.
o Coordinate response with local CERT and relevant government agencies, if necessary.
5. Configuration Management (CM)
o Baseline firmware versions of all field devices.
o Document and control changes to control logic in safety instrumented systems (SIS).
o Prevent unauthorized configuration changes through change control and technical enforcement.
o Conduct periodic IEC 62443-based audits to identify open or exploitable attack paths and close the gaps found.
o Store configuration records centrally and update them whenever a change is made.
6. System Integrity (SI)
o Baseline normal system behaviour and configurations.
o Apply integrity-checking tools for detecting unauthorized changes in HMIs and historian systems.
o Use endpoint detection and network monitoring tools that understand OT protocols.
7. Personnel Security (PS)
o Conduct background checks for third-party vendors.
o Provide cybersecurity training tailored to refinery OT staff.
8. Risk Assessment (RA)
o Perform periodic IEC 62443 and NIST-based cyber risk assessments covering safety and environmental impact.
o Include cyber risk metrics in refinery-wide risk registers.
9. Contingency Planning (CP)
o Maintain offline backups of process control logic.
o Develop failover scenarios for network and control system outages.
10. Maintenance (MA)
o Track third-party maintenance on OT devices.
o Ensure maintenance activities follow secure protocols.
11. Continuous monitoring and threat hunting (CA-7, RA-10)
o Measure your security posture continuously and improve it with additional controls where gaps appear.
o Conduct threat hunting to detect threats that are already present in the environment.
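As an added example (not part of the original post and not Shieldworkz product code), the following Python sketch shows one way to implement the tamper-evident operator-action logging called for under the Audit and Accountability (AU) mapping above. Each record is hashed together with the hash of the previous record, and the head hash is periodically "sealed" to storage the DCS host cannot write to; editing, deleting or reordering a record, or rebuilding the whole chain, then breaks verification. The log entries, tag names and station names are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # predecessor hash of the very first record


def record_digest(prev_hash: str, record: dict) -> str:
    """SHA-256 of (previous hash || canonical JSON of this record)."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class ChainedLog:
    """Append-only log in which every entry commits to its predecessor."""

    def __init__(self):
        self.entries = []  # each: {"record": dict, "prev": str, "hash": str}

    def append(self, **fields) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"record": fields, "prev": prev, "hash": record_digest(prev, fields)}
        self.entries.append(entry)
        return entry["hash"]

    def head(self) -> str:
        """Current head hash; ship this to write-once storage (the 'seal')."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self, sealed_head=None):
        """Return (ok, reason). Re-derives every hash from GENESIS forward and,
        if a sealed head is supplied, checks the chain still ends there."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev:
                return False, f"entry {i}: predecessor link broken (record removed or reordered)"
            if record_digest(prev, e["record"]) != e["hash"]:
                return False, f"entry {i}: content does not match stored hash (record edited)"
            prev = e["hash"]
        if sealed_head is not None and prev != sealed_head:
            return False, "head does not match sealed value (chain rewritten or truncated)"
        return True, "chain intact"


def build_sample_log() -> ChainedLog:
    """Constructed control-room events; not real plant data."""
    log = ChainedLog()
    log.append(ts="2025-06-17T08:01:12Z", operator="jsmith", station="HMI-03",
               action="setpoint_change", tag="FIC-101.SP", old="120.0", new="135.0")
    log.append(ts="2025-06-17T08:04:55Z", operator="jsmith", station="HMI-03",
               action="alarm_ack", tag="PAH-220")
    log.append(ts="2025-06-17T08:10:03Z", operator="rpatel", station="EWS-01",
               action="logic_download", controller="PLC-07", program="PLC07_v12.acd")
    return log


def tamper_demo() -> dict:
    """Three tampering attempts against copies of the sample log, with the
    verifier's verdict for each, plus the untouched chain as a control."""
    results = {}
    log = build_sample_log()
    sealed = log.head()                              # value held in write-once storage
    results["intact"] = log.verify(sealed)

    edited = build_sample_log()
    edited.entries[0]["record"]["new"] = "120.0"     # hide the setpoint change
    results["edited"] = edited.verify(sealed)

    deleted = build_sample_log()
    del deleted.entries[1]                           # drop the alarm acknowledgement
    results["deleted"] = deleted.verify(sealed)

    rewritten = ChainedLog()                         # attacker rebuilds a consistent chain
    for e in build_sample_log().entries[:2]:         # without the logic download
        rewritten.append(**e["record"])
    results["rewritten"] = rewritten.verify(sealed)  # caught only by the sealed head
    return results


if __name__ == "__main__":
    for name, (ok, reason) in tamper_demo().items():
        print(f"{name:10s} ok={ok} {reason}")
```

The "rewritten" case is the important one: a hash chain alone only proves internal consistency, so an attacker with write access to the log file can recompute every hash. The seal (the head hash copied to a store the DCS host cannot modify, or an HMAC keyed by the collector) is what turns the chain into evidence.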
Applying controls at the device and network layer
A key challenge in oil refinery cybersecurity is the diversity and age of OT systems. Many legacy PLCs, RTUs, and analyzers were never designed with security in mind. NIST SP 800-53 can help mitigate this challenge through layered and targeted controls.
At the device level:
o Disable unused services and ports.
o Enforce firmware integrity checks.
o Limit physical access to control cabinets.
o Conduct system integrity checks and log findings for remediation wherever applicable.
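As an added example (not from the original post), here is a Python implementation of the configuration-baseline and integrity-check idea that runs through the Configuration Management (CM) and System Integrity (SI) mappings above and the device-level list here. A baseline of firmware versions and configuration hashes is recorded per device (CM-2), a later scan is compared against it (CM-3, SI-7), and each drift is rated by whether the device belongs to a safety instrumented system and whether the new hash matches an approved change record. Device names, exported logic text and firmware versions are constructed; a real deployment would populate both inventories from the asset register and device exports.

```python
import hashlib

SEVERITY_RANK = {"info": 0, "medium": 1, "high": 2, "critical": 3}


def config_fingerprint(exported_config: str) -> str:
    """SHA-256 of an exported configuration / control-logic listing. Line endings
    are normalised so a re-export from another workstation is not reported as drift."""
    normalised = exported_config.replace("\r\n", "\n").strip() + "\n"
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


def compare_to_baseline(baseline: dict, observed: dict, approved: dict) -> list:
    """Compare an observed device inventory against the CM-2 baseline.

    baseline / observed: device_id -> {"zone", "safety", "firmware", "config_sha256"}
    approved: device_id -> config hash authorised by a change record (CM-3)
    Returns findings sorted most severe first."""
    findings = []

    def sev(dev):  # any unapproved change to a safety device is critical
        return "critical" if baseline[dev]["safety"] else "high"

    for dev, base in baseline.items():
        cur = observed.get(dev)
        if cur is None:
            findings.append({"device": dev, "finding": "device_missing", "severity": "high",
                             "detail": "baselined device not seen in scan"})
            continue
        if cur["firmware"] != base["firmware"]:
            findings.append({"device": dev, "finding": "firmware_drift", "severity": sev(dev),
                             "detail": f"{base['firmware']} -> {cur['firmware']}"})
        if cur["config_sha256"] != base["config_sha256"]:
            if approved.get(dev) == cur["config_sha256"]:
                findings.append({"device": dev, "finding": "config_change_approved",
                                 "severity": "info", "detail": "matches approved change record"})
            else:
                findings.append({"device": dev, "finding": "config_drift_unapproved",
                                 "severity": sev(dev), "detail": "no change record for new hash"})
    for dev in observed:
        if dev not in baseline:
            findings.append({"device": dev, "finding": "unauthorised_device", "severity": "high",
                             "detail": f"not in baseline (zone {observed[dev]['zone']})"})
    findings.sort(key=lambda f: SEVERITY_RANK[f["severity"]], reverse=True)
    return findings


def build_sample() -> tuple:
    """Constructed baseline, later scan and approvals; not real plant data."""
    base_cfg = {
        "PLC-07": "RUNG 1: XIC I:0/0 OTE O:0/0\nRUNG 2: TON T4:0 PRE 1000\n",
        "SIS-01": "SIF-12: PAHH-220 > 185 psig -> close XV-220\n",
        "RTU-14": "poll FT-301, PT-302 every 2 s\n",
    }
    baseline = {
        "PLC-07": {"zone": "process-control", "safety": False, "firmware": "21.03",
                   "config_sha256": config_fingerprint(base_cfg["PLC-07"])},
        "SIS-01": {"zone": "safety", "safety": True, "firmware": "4.2.1",
                   "config_sha256": config_fingerprint(base_cfg["SIS-01"])},
        "RTU-14": {"zone": "field", "safety": False, "firmware": "3.0.2",
                   "config_sha256": config_fingerprint(base_cfg["RTU-14"])},
    }
    # Later scan: PLC-07 logic extended under a change record, SIS-01 trip point
    # raised with no record, RTU-14 firmware changed by a vendor, unknown PLC appears.
    new_plc07 = base_cfg["PLC-07"] + "RUNG 3: MOV 135 N7:0\r\n"
    new_sis01 = "SIF-12: PAHH-220 > 230 psig -> close XV-220\n"
    observed = {
        "PLC-07": {"zone": "process-control", "safety": False, "firmware": "21.03",
                   "config_sha256": config_fingerprint(new_plc07)},
        "SIS-01": {"zone": "safety", "safety": True, "firmware": "4.2.1",
                   "config_sha256": config_fingerprint(new_sis01)},
        "RTU-14": {"zone": "field", "safety": False, "firmware": "3.1.0",
                   "config_sha256": config_fingerprint(base_cfg["RTU-14"])},
        "PLC-99": {"zone": "process-control", "safety": False, "firmware": "20.11",
                   "config_sha256": config_fingerprint("RUNG 1: NOP\n")},
    }
    approved = {"PLC-07": config_fingerprint(new_plc07)}  # change record exists for PLC-07 only
    return baseline, observed, approved


if __name__ == "__main__":
    b, o, a = build_sample()
    for f in compare_to_baseline(b, o, a):
        print(f"{f['severity']:8s} {f['device']:7s} {f['finding']:24s} {f['detail']}")
```

The approval lookup is what links the technical check back to CM-3: a hash that differs from the baseline is only an incident if no change record authorises it, so the scan output is a review queue rather than a wall of false alarms after every legitimate logic download.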
At the network level:
o Segment networks to prevent lateral movement
o Use microsegmentation to isolate crown-jewel systems and assets that carry additional risk or are easy targets.
o Deploy intrusion detection sensors tuned for ICS protocols like Modbus, OPC, and PROFINET.
o Establish VLANs, backed by firewall policy since a VLAN on its own is not a security boundary, and enforce unidirectional gateways (data diodes) where feasible, for example for historian replication towards the enterprise network.
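As an added example that is not part of the original post and does not describe how any particular NIDS product works, the following Python code shows the kind of protocol-aware check an ICS intrusion sensor applies to Modbus/TCP at the network layer. It parses the MBAP header and function code, flags Modbus reaching a PLC from outside the control zone (a segmentation failure, SC-7), flags write function codes from any host that is not the allow-listed engineering workstation for that PLC, and flags the Diagnostics sub-function that restarts a device's communications (SI-4 monitoring). The IP ranges, allow-list and frames are constructed.

```python
import ipaddress
import struct

# Modbus function codes that change controller state (write or combined read/write).
WRITE_FUNCS = {5: "write_single_coil", 6: "write_single_register",
               15: "write_multiple_coils", 16: "write_multiple_registers",
               23: "read_write_multiple_registers"}
FC_DIAGNOSTICS = 8
DIAG_RESTART_COMMS = 0x0001   # sub-function 1: Restart Communications Option

# Constructed policy: control-zone address space and, per PLC, the hosts allowed to write.
CONTROL_ZONE = ipaddress.ip_network("10.20.0.0/16")
WRITE_ALLOWLIST = {"10.20.1.5": {"10.20.0.31"}}   # PLC-07 accepts writes from EWS-01 only


def parse_mbap(frame: bytes) -> dict:
    """Parse the 7-byte MBAP header plus function code; raise ValueError on
    anything that is not a well-formed Modbus/TCP ADU."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:           # length field covers unit id + PDU
        raise ValueError(f"length field {length} != {len(frame) - 6}")
    return {"tid": tid, "unit": unit, "fc": frame[7], "data": frame[8:]}


def inspect(src: str, dst: str, frame: bytes) -> list:
    """Return alert dicts for one client->server frame (empty list if benign)."""
    try:
        pdu = parse_mbap(frame)
    except ValueError as err:
        return [{"severity": "medium", "rule": "malformed_modbus", "src": src, "dst": dst,
                 "detail": str(err)}]
    alerts = []
    if ipaddress.ip_address(src) not in CONTROL_ZONE:
        alerts.append({"severity": "high", "rule": "cross_zone_modbus", "src": src, "dst": dst,
                       "detail": f"fc {pdu['fc']} from outside {CONTROL_ZONE}"})
    fc = pdu["fc"]
    if fc in WRITE_FUNCS and src not in WRITE_ALLOWLIST.get(dst, set()):
        detail = f"{WRITE_FUNCS[fc]} unit {pdu['unit']}"
        if fc == 6 and len(pdu["data"]) >= 4:   # decode the register and value being written
            addr, value = struct.unpack(">HH", pdu["data"][:4])
            detail += f" register {addr:#06x} = {value}"
        alerts.append({"severity": "critical", "rule": "unauthorised_write", "src": src,
                       "dst": dst, "detail": detail})
    if fc == FC_DIAGNOSTICS and len(pdu["data"]) >= 2:
        sub = struct.unpack(">H", pdu["data"][:2])[0]
        if sub == DIAG_RESTART_COMMS:
            alerts.append({"severity": "high", "rule": "modbus_restart_comms", "src": src,
                           "dst": dst, "detail": f"diagnostics sub-function {sub:#06x}"})
    return alerts


def mb_frame(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Build a Modbus/TCP ADU (used here only to construct sample traffic)."""
    return struct.pack(">HHHB", tid, 0, 2 + len(data), unit) + bytes([fc]) + data


# Constructed traffic sample: (source, destination, frame).
SAMPLE_TRAFFIC = [
    ("10.20.0.31", "10.20.1.5", mb_frame(1, 1, 6, struct.pack(">HH", 0x0010, 135))),    # EWS write: allowed
    ("10.1.50.22", "10.20.1.5", mb_frame(2, 1, 3, struct.pack(">HH", 0x0000, 10))),     # corporate host read
    ("10.20.0.40", "10.20.1.5", mb_frame(3, 1, 16, struct.pack(">HHB", 0x0010, 2, 4)
                                         + struct.pack(">HH", 1, 2))),                   # HMI multi-register write
    ("10.20.0.40", "10.20.1.5", mb_frame(4, 1, 8, struct.pack(">HH", 0x0001, 0x0000))),  # restart comms
    ("10.20.0.31", "10.20.1.5", mb_frame(5, 1, 6, struct.pack(">HH", 0x0010, 135))[:-1]),  # truncated frame
]


def run(traffic=SAMPLE_TRAFFIC) -> list:
    """Inspect every frame and return all alerts in traffic order."""
    alerts = []
    for src, dst, frame in traffic:
        alerts.extend(inspect(src, dst, frame))
    return alerts


if __name__ == "__main__":
    for a in run():
        print(f"{a['severity']:8s} {a['rule']:22s} {a['src']} -> {a['dst']}: {a['detail']}")
```

Two design points carry over to a real sensor: the malformed-frame path is its own alert rather than a silent drop, because length-field mismatches are exactly what fuzzing and some exploit attempts against PLC stacks look like; and the write allow-list is keyed per PLC, since an HMI that may legitimately write to one controller is not thereby authorised to write to a safety controller.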
Integration with existing standards and regulations
Let's revisit the point that oil refineries often operate in highly regulated environments. Given that level of scrutiny, can anything more be done to secure the infrastructure against future threats?
Here’s how SP 800-53 can align with or complement existing compliance mandates and frameworks:
· NIST CSF: SP 800-53 provides the technical controls that underpin CSF functions (Identify, Protect, Detect, Respond, Recover). When implemented together or in series, NIST CSF and SP 800-53 can help manage and reduce cyber risks across the board.
· NIS2: In the EU, NIS2 requires energy-sector entities such as refineries to take appropriate technical and organizational measures to prevent, detect and respond to cyber incidents that could disrupt their operations or affect the energy supply chain. Supply chain security, management accountability, and training and awareness are key pillars of NIS2 compliance.
· IEC 62443: Overlaps SP 800-53 in system requirements, access control and network segmentation. IEC 62443-2-1, -3-2 and -3-3 are the key parts to consider alongside SP 800-53. Lifecycle management, the zone and conduit model, security levels and the risk-based approach mandated by IEC 62443 can strengthen an SP 800-53 implementation, while the overlaps help validate existing controls.
· API 1164: Offers guidance for managing cyber risks to industrial automation and control systems in pipeline operations. API 1164 is relevant where refineries depend on pipelines for transporting crude and refined products.
· TSA Security Directives: Help ensure refinery cybersecurity programs meet U.S. pipeline and energy regulations. These apply where refineries own pipelines or work with pipeline owners to transport refined products. Cybersecurity assessment plans, incident response, continuous monitoring, exercises and enhancement measures implemented at the pipeline level can be extended to the refinery where this has not already been done.
Operationalizing NIST SP 800-53 in the Refinery
Implementing SP 800-53 is not a one-off project; it requires a continuous improvement mindset. The following steps can help operationalize the framework:
1. Risk assessment and gap analysis
o Conduct a current-state assessment aligned to SP 800-53 control families.
o Identify critical gaps in access, monitoring, and configuration management.
2. Risk-based prioritisation
o Rank controls by potential safety and operational impact.
o Focus on high-value assets like safety systems and primary control networks.
o Review risks continually to account for changes in the OT environment.
3. Implementation roadmap
o Develop a phased roadmap integrating SP 800-53 controls over 12–24 months.
o Include quick wins (e.g., log centralization) and long-term projects (e.g., full network segmentation).
4. Monitoring and reporting
o Set up dashboards to track control maturity and incident trends.
o Use KPIs aligned with SP 800-53 control objectives.
5. Audit and review cycles
o Perform periodic reviews with operations, IT, and compliance teams.
o Update control implementations based on threat intelligence and plant changes.
6. Training and sensitisation
All employees should undergo periodic training and sensitisation on SP 800-53 controls and their operational and security relevance
NIST SP 800-53, while originally designed for federal information systems, has significant applicability in securing complex, high-risk environments such as oil refineries and pipelines. By tailoring its control families to fit OT use cases and scenarios, refineries can build a robust cybersecurity foundation that supports operational resilience, regulatory compliance, and safe plant performance.
Refineries looking to improve their cybersecurity posture should consider a strategic implementation of SP 800-53 alongside existing frameworks like NIST CSF, IEC 62443, and API 1164. In a world where the line between physical and cyber threats continues to fade, adopting a control-based, standards-aligned approach is not just best practice; it is a business imperative.
Learn more about our unique approach towards NIST SP 800-53 adoption by oil and gas refineries.
Talk to our oil and gas OT security specialist.
Reach out for a pre-assessment discussion on your existing controls.
