August 5, 2020 By Asheesh Kumar 3 min read

The oil and gas industry is one of the most powerful financial sectors in the world, critical to global and national economies. Therefore, this industry is a valuable target for adversaries seeking to exploit Industrial Control Systems (ICS) vulnerabilities. As the recent increase in attacks against ICS demonstrates, adversaries with a specific interest in oil and gas companies remain active and are evolving their behaviors. Protection against cyber attacks is essential to the worldwide economy.

What particular challenges does the industry face, and how can security teams prevent them?

The Industry’s Basic Structure

The industry can be broken down into three segments: upstream, midstream and downstream.

Upstream businesses are concerned with resource exploration and production. These companies explore the globe for reservoirs of raw materials and drill to extract them.

Midstream businesses are focused on transportation. They are responsible for transporting the extracted raw materials to refineries to process them. These firms oversee shipping, operating pipelines and storing raw materials.

Downstream businesses refine the raw materials. They remove impurities and convert the raw materials to products for the public, such as gasoline, jet fuel, heating oil and asphalt.

Cybersecurity Challenges for the Oil and Gas Industry

This large industry faces many cybersecurity threats and challenges. More than 370 United States oil and gas security professionals surveyed by the Ponemon Institute identified the following challenges to cyber readiness for the industry:

  • Operational technology (OT) is at higher risk than information technology (IT).
  • Cyber risks, particularly those impacting the supply chain, are difficult to address.
  • Many oil and gas firms are unprepared for cyber attacks and security breaches.
  • Organizational challenges impact cyber readiness.
  • Negligent and malicious insiders pose the most serious threat to critical OT.

According to the survey findings, the industry’s cybersecurity measures are not keeping up with the increasing digitalization of oil and gas operations. Only 35% of those surveyed rated their organization’s OT cyber readiness as high.

Two-thirds of respondents admitted that their operations experienced at least one security compromise that resulted in the loss of confidential information or OT disruption in the previous year.


While the industry is seemingly unprepared for cyber attacks, adversaries are investing heavily in the ability to disrupt critical infrastructure. Additionally, the agenda and motives of the attackers have changed. The attackers are aiming at business disruption and distortion, which impacts equipment and could result in loss of life. Other attackers’ motives include infrastructure sabotage, espionage and data theft.

2020 Cyberattacks and Malware

A cyber attack at a facility can occur at any point across the three major stages of oil and gas operations: upstream, midstream or downstream. Throughout the oil and gas production, transportation and distribution process, OT environments are near IT networks. As adversaries targeting ICS bolster their capabilities, they can more easily carry out destructive attacks that cause operational disruptions and environmental damage.

Dragos noted that there were several “activity groups” targeting the oil and gas industry in 2019, including:

  • XENOTIME, which targeted Triconex controllers to disrupt Saudi Arabian oil and gas facilities in 2017, has expanded its target list to include oil and gas companies in Europe, the U.S., Australia and the Middle East; electric utilities in North America and the Asia-Pacific region; and devices beyond Triconex controllers.
  • HEXANE has begun attacking oil and gas and telecommunications in Africa, the Middle East and Southwest Asia.
  • DYMALLOY is an aggressive and capable group that can achieve long-term and persistent access to IT and OT environments for intelligence collection and possible future disruption attacks.

Defending an Oil and Gas Operation

Threats toward the oil and gas industry are increasing, with targets including both IT and OT environments. This is a critical time to invest in security operations centers (SOCs) by bringing OT into their scope and by assessing existing gaps in SOCs. The threats are evolving, so organizations need to continuously adapt their security strategy and their SOCs.

The U.S. federal government has developed the Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model (ONG-C2M2) to help organizations assess their SOC and improve their cybersecurity. For more on the maturity model, see A Quick Guide to Using the ONGC2M2 Model.
