Over the past decade or so, oil and gas has gone from being seemingly technology-less to being driven by digitization. Just like every other industry, the digital age has made its way into the energy sector.

While technology provides new and exciting possibilities, such as cognitive capabilities, it also increases the risk of cyberattacks immensely. Oil and gas does not seem like a target industry for fraudsters, but with all the data-based linkages to rigs, transportation, refineries, headquarters and more, the risk has risen considerably.

Top 10 Security Gaps in the Oil and Gas Industry

According to Offshore Energy Today, the top 10 cybersecurity vulnerabilities affecting the oil and gas industry are:

  1. Lack of cybersecurity awareness and training;
  2. Remote access during operations and maintenance;
  3. Use of standard IT products with known vulnerabilities;
  4. A limited cybersecurity culture among vendors, suppliers and contractors;
  5. Insufficient segmentation of data networks;
  6. Use of mobile devices and storage units;
  7. Data networks between on- and offshore facilities;
  8. Poor physical security of data storage facilities;
  9. Software vulnerabilities; and
  10. Legacy control systems.

What can upstream oil and gas companies do to combat these vulnerabilities? The first step is education. Companies should provide cybersecurity training to all employees, not just the IT department. This should be reiterated each fiscal year.

Remote work is another important consideration. Today, everyone owns a laptop, and many individuals work from the moment they get up until the very moment they fall asleep, whether in the office, from home, on the road or from coffee shops. If there is absolutely no way to pull out laptops, they work on smartphones from anywhere and at any time.

There is always risk involved when connected to public Wi-Fi. It is easier for fraudsters to target personal and enterprise data when on public networks. Still, many people connect to public Wi-Fi without batting an eye. However, with cyberattacks on the rise, users need to be aware of their susceptibility to threats while working from public locations. The simplest way to combat these risks is to use the hot spot on a phone until you can get to a location where the internet is secure.

Security Doesn’t Come Standard

The third and ninth vulnerabilities on the list can be addressed as one. Standard IT products are, by definition, standard — meaning that they can be bought by anyone, including cybercriminals. This enables fraudsters to learn the ins and outs of the equipment safeguarding sensitive assets and more capably exploit security gaps in the oil and gas industry.

Instead of relying on standard solutions, energy and utilities organizations should invest in industry- or company-specific products. It may also be a good idea to require all employees to run a virus scanner before updating and/or downloading software to ensure that there are no threats before opening a device for installation.

Take Advantage of Downtime

Because this is a slow time of year in the energy industry, now is the time to focus on developing better internal processes. Use this time to educate your employees about cybersecurity, reach out to trusted security specialists, and understand that fraudsters are actively exploiting vulnerabilities and security gaps in the oil and gas industry, whether we like it or not.

Read the X-Force Research Report: Energy and Utility Companies — Targeted on all sides

More from Energy & Utility

Today’s biggest threats against the energy grid

2 min read - Without the U.S. energy grid, life as we know it simply grinds to a halt. Businesses can’t serve customers. Homes don’t have power. Traffic lights no longer work. We depend on the grid operating reliably each and every day for business and personal tasks. That makes it even more crucial to defend our energy grid from modern threats. Physical threats to the energy grid Since day one, the grid has been vulnerable from a physical perspective. Storms knocking the grid…

2022 industry threat recap: Energy

3 min read - In 2022, 10.7% of observed cyberattacks targeted the energy industry, according to the X-Force Threat Intelligence Index 2023. This puts energy in fourth place overall — the same as the year prior and behind manufacturing, finance and insurance and professional and business services. The report notes that this reduction in total cyberattacks may be partly tied to pushback from highly public breaches in 2021, such as the Colonial Pipeline attack. Despite the overall drop in threats, however, the industry remains…

X-Force 2022 insights: An expanding OT threat landscape

9 min read - This post was written with contributions from Dave McMillen. So far 2022 has seen international cyber security agencies issuing multiple alerts about malicious Russian cyber operations and potential attacks on critical infrastructure, the discovery of two new OT-specific pieces of malware, Industroyer2 and InController/PipeDream, and the disclosure of many operational technology (OT) vulnerabilities. The OT cyber threat landscape is expanding dramatically and OT asset owners and operators, all of whom understand the need to keep critical infrastructures running safely, need to be aware…

One Year After the Colonial Pipeline Attack, Regulation Is Still a Problem

3 min read - The Colonial Pipeline cyberattack is still causing ripples. Some of these federal mandates may mark major changes for operational technology (OT) cybersecurity. The privately held Colonial Pipeline company, which provides nearly half of the fuel used by the East Coast — gasoline, heating oil, jet fuel and fuel for the military totaling around 100 million gallons a day — was hit by a double-extortion ransomware attack by a DarkSide group in May of 2021.  In reaction, the company shut down…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today