The oil and gas industry is one of the most powerful financial sectors in the world, critical to global and national economies. Therefore, this industry is a valuable target for adversaries seeking to exploit Industrial Control Systems (ICS) vulnerabilities. As the recent increase in attacks against ICS demonstrates, adversaries with a specific interest in oil and gas companies remain active and are evolving their behaviors. Protection against cyber attacks is essential to the worldwide economy.

What particular challenges does the industry face and how can security teams prevent them?

The Industry’s Basic Structure

The industry can be broken down into three segments: upstream, midstream and downstream.

Upstream businesses are concerned with resource exploration and production. These companies explore the globe for reservoirs of raw materials and drill to extract them.

Midstream businesses are focused on transportation. They are responsible for transporting the extracted raw materials to refineries to process them. These firms oversee shipping, operating pipelines and storing raw materials.

Downstream businesses refine the raw materials. They remove impurities and convert the raw materials to products for the public, such as gasoline, jet fuel, heating oil and asphalt.

Cybersecurity Challenges for the Oil and Gas Industry

This large industry faces many cybersecurity threats and challenges. More than 370 United States oil and gas security professionals surveyed by the Ponemon Institute identified the following challenges to cyber readiness for the industry:

  • Operational technology (OT) is at higher risk than information technology (IT).
  • Cyber risks, particularly those impacting the supply chain, are difficult to address.
  • Many oil and gas firms are unprepared for cyber attacks and security breaches.
  • Organizational challenges impact cyber readiness.
  • Negligent and malicious insiders pose the most serious threat to critical OT.

According to the survey findings, the industry’s cybersecurity measures are not keeping up with the increasing digitalization of oil and gas operations. Only 35% of those surveyed rated their organization’s OT cyber readiness as high.

Two-thirds of respondents admitted that their operations experienced at least one security compromise that resulted in the loss of confidential information or OT disruption in the previous year.


While the industry is seemingly unprepared for cyber attacks, adversaries are investing heavily in the ability to disrupt critical infrastructure. Additionally, the agenda and motives of the attackers have changed. The attackers are aiming at business disruption and distortion, which impacts equipment and could result in loss of life. Other attackers’ motives include infrastructure sabotage, espionage and data theft.

2020 Cyberattacks and Malware

A cyber attack at a facility can occur at any point across the three major stages of oil and gas operations: upstream, midstream or downstream. Throughout the oil and gas production, transportation and distribution process, OT environments are near IT networks. As adversaries targeting ICS bolster their capabilities, they can more easily carry out destructive attacks that cause operational disruptions and environmental damage.

Dragos noted that there were several “activity groups” targeting the oil and gas industry in 2019, including:

  • XENOTIME, which targeted Triconex controllers to disrupt Saudi Arabian oil and gas facilities in 2017, has expanded its target list to include oil and gas companies in Europe, the U.S., Australia and the Middle East; electric utilities in North America and the Asia-Pacific region; and devices beyond Triconex controllers.
  • HEXANE has begun attacking oil and gas and telecommunications in Africa, the Middle East and Southwest Asia.
  • DYMALLOY is an aggressive and capable group that can achieve long-term and persistent access to IT and OT environments for intelligence collection and possible future disruption attacks.

Defending an Oil and Gas Operation

Threats toward the oil and gas industry are increasing, with targets including both IT and OT environments. This is a critical time to invest in security operations centers (SOCs) by bringing OT into their scope and by assessing existing gaps in SOCs. The threats are evolving, so organizations need to adapt their strategy towards security and their SOCs continuously.

The U.S. federal government has developed the Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model (ONG-C2M2) to help organizations to assess their SOC and improve their cybersecurity. For more on the maturity model, see A Quick Guide to Using the ONGC2M2 Model.
