Concerns about cybersecurity within the oil and gas sector are higher than ever, driven by geopolitical upheaval around the globe and cybercriminals seeking to extort money.

GlobalData analytics show that, despite a 35% decline in mentions of cybersecurity in global oil and gas company filings in Q2 2024 compared to the previous quarter, mentions for the full year will surpass those of 2023 in the next month or two to hit an all-time high.

These concerns are not without foundation, with the UK’s National Cyber Security Centre and the White House having both been moved to warn of a growing cyber threat to critical national infrastructure (CNI) organisations.

Speaking in May to Offshore Technology’s sister site Verdict about the threat posed to countries’ CNI, Edgard Capdevielle, CEO of operational technology cybersecurity firm Nozomi Networks, said that the sector rarely experienced cyberattacks a decade ago but that ten years on: “The nature and frequency of attacks has increased dramatically.”

That view was shared by Anthony Young, CEO of CNI cybersecurity firm Bridewell, who said that, while financial services used to be the primary target for cyber attackers, they have since recognised the financial and political potential of disrupting CNI.

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

View profiles in store

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData

Submit

UK USA Afghanistan Åland Islands Albania Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bonaire, Sint Eustatius and Saba Bosnia and Herzegovina Botswana Bouvet Island Brazil British Indian Ocean Territory Brunei Darussalam Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos Islands Colombia Comoros Congo Democratic Republic of the Congo Cook Islands Costa Rica Côte d"Ivoire Croatia Cuba Curaçao Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland Islands Faroe Islands Fiji Finland France French Guiana French Polynesia French Southern Territories Gabon Gambia Georgia Germany Ghana Gibraltar Greece Greenland Grenada Guadeloupe Guam Guatemala Guernsey Guinea Guinea-Bissau Guyana Haiti Heard Island and McDonald Islands Holy See Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Isle of Man Israel Italy Jamaica Japan Jersey Jordan Kazakhstan Kenya Kiribati North Korea South Korea Kuwait Kyrgyzstan Lao Latvia Lebanon Lesotho Liberia Libyan Arab Jamahiriya Liechtenstein Lithuania Luxembourg Macao Macedonia, The Former Yugoslav Republic of Madagascar Malawi Malaysia Maldives Mali Malta Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia Moldova Monaco Mongolia Montenegro Montserrat Morocco Mozambique Myanmar Namibia Nauru Nepal Netherlands New Caledonia New Zealand Nicaragua Niger Nigeria Niue Norfolk Island Northern Mariana Islands Norway Oman Pakistan Palau Palestinian Territory Panama Papua New Guinea Paraguay Peru Philippines Pitcairn Poland Portugal Puerto Rico Qatar Réunion Romania Russian Federation Rwanda Saint Helena, Ascension and Tristan da Cunha Saint Kitts and Nevis Saint Lucia Saint Pierre and Miquelon Saint Vincent and The Grenadines Samoa San Marino Sao Tome and Principe Saudi Arabia Senegal Serbia Seychelles Sierra Leone Singapore Slovakia Slovenia Solomon Islands Somalia South Africa South Georgia and The South Sandwich Islands Spain Sri Lanka Sudan Suriname Svalbard and Jan Mayen Swaziland Sweden Switzerland Syrian Arab Republic Taiwan Tajikistan Tanzania Thailand Timor-Leste Togo Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu Uganda Ukraine United Arab Emirates US Minor Outlying Islands Uruguay Uzbekistan Vanuatu Venezuela Vietnam British Virgin Islands US Virgin Islands Wallis and Futuna Western Sahara Yemen Zambia Zimbabwe Kosovo

Industry * Academia & Education Aerospace, Defense & Security Agriculture Asset Management Automotive Banking & Payments Chemicals Construction Consumer Foodservice Government, trade bodies and NGOs Health & Fitness Hospitals & Healthcare HR, Staffing & Recruitment Insurance Investment Banking Legal Services Management Consulting Marketing & Advertising Media & Publishing Medical Devices Mining Oil & Gas Packaging Pharmaceuticals Power & Utilities Private Equity Real Estate Retail Sport Technology Telecom Transportation & Logistics Travel, Tourism & Hospitality Venture Capital

Tick here to opt out of curated industry news, reports, and event updates from Verdict.

Submit and download

Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

Many such attacks are indeed simply for financial gain, but Netscout’s threat intelligence lead Richard Hummel told Verdict: “I would say that attacks associated with geopolitical events are greater than ever before. Honestly, if I had to pinpoint the turning point, it was when Russia invaded Ukraine.”

For the oil and gas sector, the evolving threat landscape is of particular significance. Not only can attacks disrupt supply, but they could be deadly, with the potential for explosive commodities to be weaponised.

Speaking to Offshore Technology, Andrew Lintell, general manager for EMEA at cyber-physical systems protection firm Claroty, which provides industrial cybersecurity controls for oil and gas companies, outlined the evolving threat posed to the sector, the motivations for perpetrators and what organisations need to do to protect themselves.

How have cyber threats in the oil and gas industry evolved over the years?

Andrew Lintell: The biggest evolution in recent years is the digital revolution, which has reshaped the oil and gas industry. It has introduced technologies like the internet of things (IoT), artificial intelligence (AI), virtual reality and big data analytics that have driven efficiency and innovation. However, digital transformation has introduced newer challenges and exposed the sector to sophisticated cyber threats.

Major cyberattacks, like the Colonial Pipeline and the ARA refining hub attack, are testaments to how an attack on the oil and gas sector can impact individuals’ daily lives. The attacks also highlighted the vulnerability of critical infrastructure and prompted tighter regulations.

Hence, new directives and standards like the TSA directive for pipeline owners and operators, IEC standards, ISO/IEC 27001 and NIST CSF have been introduced. However, compliance with these evolving regulations is burdensome, especially for smaller companies, which may struggle with the associated costs and resource demands.

Additionally, much of the industry’s infrastructure is ageing. The legacy systems are often outdated and lack essential security patches, making them prime cyberattack targets. Among the standards, the IEC standards (particularly IEC 62443) specifically address the challenges of securing legacy systems while ISO/IEC 27001 and NIST CSF encourage risk management practices that inherently cover older infrastructure, though they do not focus on it explicitly.

From what type of perpetrators do the main threats come today?

Over the past decade, nation-state actors have increasingly driven cyber threats, particularly targeting critical infrastructure sectors like oil and gas, energy, healthcare and telecommunications. These attacks are often motivated by espionage, sabotage and the desire to influence geopolitical events.

But now, with the rise of AI, even the most amateur criminal gangs can carry out sophisticated, high-end cyberattacks. Adversaries can use machine learning to automate attacks, evade detection and execute sophisticated threats. They can also orchestrate attacks like AI-powered phishing, deep fake scams and automated vulnerability exploitation.

Nation-state-backed cybercriminals, whose modus operandi is to cause maximum disruption, are increasingly using AI-powered tactics like targeted phishing and automated vulnerability exploitation. These threats, specifically aimed at critical sectors like oil and gas, will only intensify as AI becomes more commonplace, making the industry a prime target for such disruptive attacks.

To what extent has geopolitical turmoil increased the threat within the sector?

Fluctuating oil prices, driven by geopolitical tensions, economic instability and environmental pressures, create a volatile environment that challenges long-term planning and investment. Trade pressures, political instability in key producing regions and disruptions like the energy trade shifts between Europe and Russia exacerbate the threat landscape.

The financial uncertainty caused by these issues often forces companies to cut costs, with cybersecurity frequently being one of the first areas to suffer. Such reductions in cybersecurity investment can lead to severe financial, reputational and regulatory repercussions in the long run. The cost of a breach will almost always be more than the cost of investing in effective cybersecurity measures and tools.

Also, the industry’s increasing reliance on advanced extraction methods, such as offshore drilling and fracking, further complicates the situation. These methods depend heavily on interconnected operational technology (OT) systems, industrial control systems (ICS) and SCADA systems.

The integration of these systems across various processes creates more entry points, or an expanded attack surface, that cybercriminals can exploit. As these systems are often connected to both IT networks and physical machinery, a breach can lead to significant disruptions, including the potential manipulation of physical operations, making the sector more vulnerable to sophisticated cyberattacks.

What types of cyberattacks is the industry most at threat from?

Given that the oil and gas sector is classified as critical national infrastructure, a successful ransomware attack can have devastating consequences, not just financially but also in terms of public safety.

This year, 67% of energy, oil, gas and utilities organisations were hit by ransomware, with 80% of these attacks resulting in data encryption. To make matters worse, the financial impact is severe, with recovery costs averaging $3.12m per incident. Also, as I mentioned, the fact that the oil and gas sector uses so many legacy systems is a major concern.

Legacy systems and outdated designs lack the strong security measures to combat modern threats. These systems often run on obsolete operating systems that no longer receive security updates, making them prime targets for cyberattacks such as data breaches and ransomware. The incompatibility of these legacy systems with contemporary security tools further exacerbates their vulnerability.

How should businesses within the sector protect themselves?

To effectively protect the oil and gas sector from cyber threats, comprehensive visibility into all cyber-physical systems (CPS) within the OT environment is essential. Maintaining a real-time inventory of assets across drilling sites, pipelines, refineries and plants is fundamental to industrial cybersecurity. Without this detailed understanding, securing these assets becomes an overwhelming challenge.

Another key strategy is seamlessly integrating IT and OT systems. Since many CPSs in the oil and gas industry rely on legacy systems and proprietary protocols, compatibility with traditional IT systems can be an issue. Instead of overhauling existing technology stacks, companies should adopt solutions that extend IT tools and workflows into the OT environment, ensuring cohesive security management.

It is also crucial to consistently apply IT security controls and governance across OT environments, such as SCADA systems and ICS, which often lack powerful cybersecurity measures. Unified security governance across IT and OT is necessary to build resilience against cyber threats.

Finally, network segmentation is vital. By isolating critical systems and sensitive data, companies can limit the spread of malware and reduce the impact of potential attacks, allowing for tailored security policies that address the specific needs of each network segment.

What does the future of cybersecurity in oil and gas look like?

With digitalisation now being a necessity to the sector, advanced defences must also be a top priority. The future of cybersecurity in the oil and gas industry will be defined by integrating modern-day technologies and the need for a proactive, resilient approach. AI and machine learning will play a critical role in threat detection and response, enabling real-time monitoring and automation of security processes. 

Also, the convergence of IT and OT environments will require a unified security strategy that addresses both traditional IT threats and the unique vulnerabilities of operational technology.

With geopolitical tensions on the rise, companies must prioritise network segmentation, asset visibility and continuous updates to their security frameworks. The adoption of zero-trust architectures and enhanced regulatory compliance will also be crucial.  Ultimately, a strong, adaptive cybersecurity posture will safeguard the industry’s critical infrastructure and ensure its operational continuity in the face of evolving threats.

Sign up for our daily news round-up!

Give your business an edge with our leading industry insights.

Sign up