Energy, Oil & Gas, Water/Wastewater, Electric Utilities · Cybersecurity Training

They didn't just steal data — they shut down America's fuel supply

Colonial Pipeline. JBS Foods. Aliquippa Water Authority. Halliburton. Every major critical infrastructure attack started with a phishing email or stolen credential that a trained employee could have stopped. Live expert training built for energy operators, OT engineers, control room staff, and utility executives.

  • $4.4M: Colonial Pipeline ransom paid to DarkSide, May 2021
  • 6 days: 5,500-mile pipeline shutdown; Southeast U.S. fuel shortage
  • Years: Volt Typhoon pre-positioned in U.S. critical infrastructure (CISA AA24-038A)

CISA + FBI Joint Advisory AA24-038A (February 2024): Volt Typhoon — a People's Republic of China state-sponsored actor — has pre-positioned itself in U.S. critical infrastructure networks, including energy, water, and communications sectors, "to be poised to launch destructive cyberattacks" against American infrastructure. The dwell time: years without detection.

Your control systems are your threat surface. Generic phishing training doesn't address it.

Most cybersecurity awareness training is designed for office workers. It covers email phishing, password policies, and cloud storage hygiene. None of it maps to a control room, a pipeline compressor station, or a water treatment SCADA system.

Energy and utility environments have three distinct vulnerabilities that office-focused training ignores: flat IT/OT network architectures where a compromised laptop can reach industrial control systems; legacy SCADA, DCS, and EMS platforms running on unsupported operating systems that cannot be patched without a maintenance window; and vendor remote-access connections that persist long after the service call ends and provide a persistent entry point for attackers.

The Colonial Pipeline attack succeeded not because DarkSide broke through an impenetrable perimeter — it succeeded because a single set of stolen VPN credentials, exposed on a dark web forum, granted access to a system with no multi-factor authentication. One trained employee who knew how to recognize and report that kind of exposure could have changed the outcome. SecurEveryone's energy program is built on NERC CIP standards, CISA ICS-CERT advisories, and real incident timelines — not a generic phishing module.

These aren't warnings. They're case studies.

Colonial Pipeline
May 2021

DarkSide ransomware — accessed via a single stolen VPN password found on a dark web forum — encrypted Colonial Pipeline's billing and business systems, causing the company to preemptively shut down 5,500 miles of pipeline for six days. The Southeast United States experienced widespread fuel shortages, panic buying, and a national state of emergency. Colonial paid $4.4M in Bitcoin; the FBI recovered approximately $2.3M. The pipeline had no MFA on the compromised VPN account.

Impact: $4.4M ransom, 6-day shutdown, national emergency · Source: DOJ, FBI advisory, Senate testimony

JBS Foods
May–June 2021

REvil ransomware shut down all JBS beef processing plants in the United States and disrupted operations in Australia and Canada. The attack halted roughly 25% of U.S. beef production capacity for 11 days. JBS — the world's largest meat processing company — paid an $11M ransom to restore operations. The FBI attributed the attack to REvil, a Russia-based group, and the White House described it as a ransomware attack on a food supply chain critical infrastructure target.

Impact: $11M ransom, 11-day U.S. plant shutdown · Source: FBI advisory, White House briefing

Aliquippa Water Authority
November 2023

IRGC-affiliated group CyberAv3ngers compromised a Unitronics Vision Series PLC at the Municipal Water Authority of Aliquippa, Pennsylvania — part of the booster station controlling water pressure for roughly 6,600 customers. The attackers displayed an anti-Israel message on the HMI screen. CISA issued Emergency Directive AA23-335A. The PLCs had internet-exposed default credentials, a configuration pattern found across dozens of U.S. water utilities. EPA and CISA followed with a joint advisory in 2024.

Impact: Operational disruption, critical infrastructure exposure · Source: CISA AA23-335A, EPA joint advisory

Halliburton
August 2024

RansomHub ransomware attacked Halliburton, one of the world's largest oilfield services companies, forcing the company to take systems offline and restrict network connectivity at its Houston headquarters. Halliburton filed a Form 8-K with the SEC under the new cybersecurity disclosure rules — one of the first high-profile energy sector incident disclosures under the 2023 SEC cyber rules. The attack disrupted global business operations and client connectivity across Halliburton's field services network.

Impact: Operations disrupted, SEC 8-K disclosure · Source: SEC filing, RansomHub attribution, Reuters

Three drills. Every session built around your facility's actual attack surface.

Drill 1 · Control Room & OT Staff
OT/ICS Phishing Detection for Energy Operators

Walk control room operators, SCADA engineers, and field technicians through the specific phishing and social engineering attacks that target ICS environments — not generic office phishing. Covers vendor impersonation emails requesting remote access credentials, spear-phishing targeting HMI operators and EMS staff, USB attacks at unmanned substations, and the credential-harvesting techniques used in the Colonial Pipeline attack chain. Employees learn to recognize and report anomalies before the infection reaches control systems. Includes the CISA "living-off-the-land" indicator checklist from Advisory AA24-038A so operators understand what Volt Typhoon-style intrusion looks like without triggering alarms.

Roles: Control Room Operators, SCADA Engineers, Field Technicians, Substation Staff
Format: Live scenario walkthrough, 45–60 min
Compliance: NERC CIP-004-7 R1/R2, NIST SP 800-82 Rev 3, DOE C2M2

Drill 2 · IT/OT Teams & Operations
Ransomware Tabletop for SCADA Environments

A live ransomware tabletop built specifically for energy and utility environments — where the consequence of an attack isn't just data loss but potential physical harm, environmental damage, and public safety impact. Uses the Colonial Pipeline and Aliquippa Water Authority timelines as the core case studies. Covers: the 15-minute detection and isolation decision window for OT systems, the IT/OT segmentation tradeoff analysis under active attack, CISA 72-hour notification requirements and CIRCIA reporting obligations, the operational continuity vs. ransom payment decision tree, and how to coordinate with FBI Cyber Division during an active incident. Operations teams leave with a completed facility-specific ransomware response decision matrix.

Roles: IT Director, OT Network Admin, Operations Manager, Security Team
Format: Live tabletop exercise, 90–120 min
Compliance: NERC CIP-008, TSA Pipeline SD02C, CIRCIA, EPA AWIA

Drill 3 · Executive & Board Level
Executive Crisis Comms for Utility Regulators & Investors

Walk utility executives through the specific regulatory, legal, and communications obligations that activate when a cybersecurity incident hits a critical infrastructure organization. Uses the Halliburton SEC 8-K disclosure as the primary case study — the first major energy sector incident disclosure under the new 2023 SEC cybersecurity rules. Covers: materiality determination for SEC Item 1.05 4-day disclosure, NERC CIP-008 incident reporting to E-ISAC and CISA, FERC regulatory obligations, board briefing structure for directors with limited cyber context, media response protocol that doesn't create additional legal exposure, and investor communication sequencing when operations are disrupted. Executives leave with a pre-drafted board briefing template and regulatory notification checklist.

Roles: CEO, CFO, CISO, General Counsel, Board Members, IR Team
Format: Live executive briefing, 90–120 min
Compliance: SEC 8-K Item 1.05, NERC CIP-008, CIRCIA, FERC reporting

Built for critical infrastructure security standards and federal reporting obligations.

Which compliance frameworks does this training address?

  • NERC CIP: CIP-002 through CIP-014 govern bulk electric system cybersecurity. CIP-004-7 requires documented security awareness training for all personnel with BES Cyber System access. Our signed completion records satisfy CIP-004-7 R1 (Awareness Program) and R2 (Training) documentation for C3PAO audit evidence.
  • TSA SD02C: TSA Pipeline Security Directive SD02C (post-Colonial Pipeline) requires a documented Cybersecurity Implementation Plan including personnel training on cybersecurity threats and incident reporting procedures. Our pipeline-specific training satisfies this requirement with signed attendance records.
  • EPA AWIA: America's Water Infrastructure Act Section 2013 requires community water systems (3,300+ served) to conduct risk and resilience assessments and update emergency response plans. Personnel training is a core component. Our water utility training covers the CISA AA23-335A advisory and EPA/CISA joint guidance on reducing water sector cyber risk.
  • DOE C2M2: The Department of Energy Cybersecurity Capability Maturity Model (C2M2) includes a Workforce Management domain requiring organizations to establish and maintain a cybersecurity training and awareness program. Our energy-specific curriculum maps to C2M2 MIL-1 through MIL-2 requirements with documented training records.
  • NIST SP 800-82: Guide to OT/ICS Security (Rev 3, 2023) requires documented security awareness training for all ICS personnel. Our OT-focused sessions map directly to the NIST program and assessment objectives for energy sector environments, including the specific threat scenarios documented in ICS-CERT advisories.
  • CIRCIA: Cyber Incident Reporting for Critical Infrastructure Act. Energy, water, and pipeline operators in covered sectors face 72-hour CISA reporting obligations and 24-hour ransom payment reporting. Our ransomware tabletop drill covers the exact CISA notification decision tree and reporting thresholds for covered entities. See CMMC 2.0 for defense contractor overlap.

Free: Ransomware Response Playbook
12-page playbook covering the first 60 minutes of a ransomware attack — including the production shutdown decision tree, CISA notification checklist, and ransom payment decision framework. Directly applicable to energy, pipeline, and utility environments under CIRCIA reporting obligations.
Free: Incident Response Plan Template
12-page IR plan template built for critical infrastructure organizations. Covers roles, escalation paths, OT isolation procedures, regulatory notification timelines (CISA, NERC E-ISAC, TSA, FBI), and communication templates. CIRCIA-aligned reporting decision tree included.

Expert-led training for critical infrastructure teams. No per-seat billing.

Personal
$299
One-on-one session for an individual energy or utility professional — OT risk assessment, phishing recognition, and Q&A built around your specific role and facility type.
  • 60-minute live Zoom / Meet / Teams
  • OT/ICS-specific threat scenarios
  • Role-specific compliance map
  • NERC CIP-004-7 completion record
  • 24/7 emergency session (+$100)
Business · Custom
Custom
Train your full facility — control room operators, field technicians, IT/OT teams, and executive leadership in separate targeted sessions tailored to your specific infrastructure type and regulatory obligations.
  • Multi-session program (half or full day)
  • Separate OT, IT, and executive tracks
  • NERC CIP / TSA / EPA AWIA compliance docs
  • Facility-specific threat scenario development
  • CIRCIA-aligned IR plan integration
  • Ongoing retainer options available

Questions from energy and utility teams.

How is your training different for OT/ICS environments versus standard IT security training?

OT/ICS environments have fundamentally different threat models, availability requirements, and patching constraints than IT environments. Standard IT security training focuses on email phishing, endpoint protection, and cloud security hygiene. Our energy and utilities training focuses on the specific attack vectors that target SCADA systems, PLCs, RTUs, and EMS/DMS platforms: vendor remote-access exploitation, spear-phishing targeting control system operators, USB-based attacks at substations, and the IT-to-OT lateral movement pattern used in the Colonial Pipeline attack. Every scenario is drawn from real ICS incidents and CISA ICS-CERT advisories.

Does your training satisfy NERC CIP compliance documentation requirements?

Yes. NERC CIP-004-7 requires documented security awareness training for all personnel with access to BES Cyber Systems. SecurEveryone provides signed training completion records that include: session date, attendees (de-identified count for bulk electric system compliance), curriculum covered, threat scenarios addressed, and instructor attestation. These records satisfy CIP-004-7 R1 (Security Awareness Program) and R2 (Cyber Security Training) documentation requirements for both applicable and newly identified personnel.

Does your training address the Volt Typhoon threat and nation-state pre-positioning in critical infrastructure?

Yes — and this is where generic cybersecurity training fails energy organizations most. CISA Joint Advisory AA24-038A (February 2024) documents Volt Typhoon pre-positioning in U.S. critical infrastructure networks for years without detection, using living-off-the-land techniques that bypass signature-based detection. Our training specifically addresses how to recognize and report anomalous behavior that SIEM tools miss: unusual legitimate credential usage patterns, unexpected connections to OT network segments from IT systems, and the human-layer indicators that precede lateral movement to control systems.

What does the TSA Pipeline Security Directive SD02C require from a training perspective?

TSA Pipeline SD02C (the revised directive following Colonial Pipeline) requires owners and operators of critical pipeline facilities to implement a Cybersecurity Implementation Plan (CIP) and conduct annual cybersecurity assessments. The CIP must include a documented personnel training program covering awareness of cybersecurity threats and incident reporting procedures. Our pipeline-specific training covers the Colonial Pipeline attack chain in detail, the 72-hour CISA notification requirement, and the operational technology isolation decision tree that operators must understand before an incident — not during one.

How do water utilities comply with EPA AWIA Section 2013 cybersecurity requirements?

EPA America's Water Infrastructure Act (AWIA) Section 2013 requires community water systems serving 3,300+ people to conduct risk and resilience assessments every five years and update their emergency response plans. The CyberAv3ngers attack on Aliquippa's Unitronics PLCs in November 2023 exposed how many water utilities have internet-exposed control systems with default credentials. Our water utility training covers the CISA AA23-335A advisory, OT access controls for PLCs and SCADA systems, and EPA/CISA joint guidance on reducing water sector cyber risk. Training records support AWIA documentation requirements.

How do you handle board reporting and investor communication after a critical infrastructure cyber incident?

SEC disclosure rules now require publicly traded utilities to disclose material cybersecurity incidents within four business days under Item 1.05 of Form 8-K. Halliburton filed an 8-K in August 2024 after the RansomHub attack — one of the first high-profile energy sector SEC cybersecurity disclosures under the new rules. Our executive training covers: what constitutes 'materiality' under the SEC rules, how to communicate operational impact without creating additional liability, FERC/NERC incident reporting obligations, and how to brief a utility board that has cyber risk on its governance agenda but may lack technical context. Executives leave with a pre-drafted board briefing template.

Ready to train your critical infrastructure team?

Book a session directly below. Every session is live, expert-led, and built around your specific facility type — electric utility, pipeline operator, oil & gas, or water/wastewater.