Cybersecurity in the Oil & Gas Industry
What Is the Oil & Gas Industry?
The oil & gas industry is a type of critical infrastructure. In the words of the Department of Homeland Security (DHS), “critical infrastructure includes the vast network of highways, connecting bridges and tunnels, railways, utilities and buildings necessary to maintain normalcy in daily life.”[1] The U.S. Cybersecurity and Infrastructure Security Agency (CISA) pointed out that there are 16 sectors of critical infrastructure within the United States. Energy is one of those sectors; it comprises all electricity, oil, and natural gas organizations in the country.[2]
Essentially all industries rely on energy organizations to fulfill their business objectives. That statement holds true for other critical infrastructure sectors such as transportation and healthcare.
How Is the Oil & Gas Industry Growing?
According to Globe Newswire, analysts expect the global oil & gas market to increase from $5870.13 billion in 2021 to $7425.02 billion by 2025.[3] This market value encompasses the sale of oil and gas by organizations, sole traders, and partnerships that explore for, extract, drill for, and refine oil and gas products. It covers oil & gas upstream activities along with downstream products. It does not include petrochemicals.
Some regions represent larger shares of the global oil & gas market than others. For instance, Asia Pacific accounted for a third of the market in 2020. This was followed by North America at 19%. By contrast, South America was the smallest region in the market at that time.
How Are Oil & Gas Organizations Exposing Themselves to Cybersecurity Risks?
As in other critical infrastructure sectors, many oil & gas organizations are bringing together their Information Technology (IT) and Operational Technology (OT) environments to maximize uptime and productivity. Some of this activity takes the form of organizations deploying Industrial Internet of Things (IIoT) devices across their industrial environments. It also includes oil & gas organizations using big data analytics and artificial intelligence (AI) to make sense of all the raw data they’re collecting from IIoT products and other connected sensors, noted Globe Newswire. With those web-enabled technologies, organizations in the oil & gas sector can monitor the performance of their OT assets and use those insights to conduct preventative maintenance, thereby maximizing uptime and productivity.
The issue is that many organizations’ OT assets are decades old and no longer support, or never supported, the ability to receive updates remotely. As a result, these legacy systems might be riddled with older vulnerabilities that malicious actors can use to disrupt an organization’s industrial processes. All attackers need to do is pivot to those assets after establishing a foothold in an organization’s production environments using traditional IT threats like ransomware.
What Motivations Do Attackers Have for Targeting Oil & Gas?
Malicious actors oftentimes target oil & gas organizations’ OT systems to disrupt the availability and reliability of those assets. They might have various reasons for doing so. In disrupting the operations of one oil company, for instance, cyber criminals might benefit a competitor organization serving the same region. There’s also the possibility that a disruption at an oil & gas organization could create tumult within the affected host country. Sometimes, nation-states sponsor groups of attackers to achieve this outcome for political gain.
The majority (98%) of attackers who go after organizations in the oil & gas sector tend to be external actors. They do so largely for financial gain, with at least 78% of these individuals motivated by the prospect of making money. Towards that end, attackers might target oil & gas organizations for the purpose of stealing data, selling it to a competitor, and/or providing it to a state sponsor.
How Are Attackers Targeting Oil & Gas?
Let’s use the Colonial Pipeline incident as an example. In May 2021, the Colonial Pipeline Company announced that it had learned of a ransomware attack involving its business networks. The pipeline company responded by deactivating those systems as well as assets responsible for monitoring the transportation of fuel between Houston and New York Harbor each day. This disruption caused gas prices to rise on the East Coast and generated panic buying of fuel across the region—even in areas not serviced by the pipeline company.
After learning of the attack, Colonial contacted the FBI to assist it with its recovery efforts. The FBI examined the indicators of compromise and subsequently confirmed that the DarkSide ransomware gang had been responsible for the infection. At the time, DarkSide was a relatively new threat group that security researchers had been tracking only since August 2020.
Other attacks targeting oil & gas organizations have followed on the heels of the Colonial Pipeline incident. On February 3, 2022, for instance, BBC reported that three oil transport and storage organizations in Germany, Belgium, and the Netherlands were grappling with digital attacks that had severely disrupted their systems or had knocked them offline. Those intrusions affected dozens of oil storage and transport terminals around the world. Even so, there was no evidence publicly available at the time of BBC’s reporting to suggest that the attacks were part of a coordinated incident.[4]
What Resources Can Oil & Gas Use to Defend Themselves?
Organizations in the oil & gas sector can use numerous resources to defend themselves against digital attacks. For instance, they can use Revision 2 of the NIST Risk Management Framework (SP 800-37) to define their security and privacy requirements in alignment with their business functions. Oil & gas organizations might consider using business-centric control selection towards this end because it enables them to leverage their own process for selecting controls. Such flexibility can help specialized and highly regulated organizations like entities in the oil & gas industry to meet their security needs.
Those in the oil & gas industry can also draw upon API 1164. This cybersecurity standard once applied only to the supervisory control and data acquisition (SCADA) systems of pipeline companies. But an updated version of the standard uses NIST’s Cybersecurity Framework and NERC-CIP to ensure the cybersecurity of all control systems in these companies via the use of risk assessment guidelines, an implementation model, and a framework for building an industrial automation control (IAC) security program that complies with the security requirements set forth by the U.S. Transportation Security Administration (TSA).
News of API 1164 followed a couple of months after the TSA issued two Security Directives in response to the Colonial Pipeline incident. The first Security Directive required pipeline organizations to designate a Cybersecurity Coordinator and to submit to a self-assessment of their cybersecurity practices. It was the first time that the U.S. government had imposed cybersecurity requirements on the oil & gas industry. The second Security Directive required pipeline companies to implement measures that would help them to defend against ransomware and other digital threats.[5]
What Best Practices Can Oil & Gas Organizations Implement?
Oil & gas organizations can defend themselves against attacks such as the Colonial Pipeline incident by balancing the convergence of their IT and OT environments with proactive security controls such as multi-factor authentication (MFA), incident response plans, and data backups. They might also consider segmenting their business IT and their industrial control systems (ICS). Doing so can help to prevent criminals from using a successful incident on the production side of things to pivot to their victim’s industrial systems.
Many, if not all, of those measures are useless if oil & gas organizations don’t focus on taking some essential steps first, however. For instance, entities need to focus on creating an accurate inventory of their hardware and software assets. If they have an accurate inventory, they can implement secure configuration management to monitor for changes that could be indicative of an attack. If they don’t, they won’t know what they must protect. Hence the need for organizations in the oil & gas sector to use passive asset discovery tools so that they don’t miss anything. They also might want to incorporate walkdowns to validate their electronic asset lists against what is physically present.[6]
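One way to carry out the inventory checks described above, shown as an added example that is not part of the original article: it reconciles a passive-discovery inventory with a walkdown list and flags configuration drift against an approved baseline. The asset tags, field names, and the config_hash fingerprint are assumptions made for illustration, and all sample data is constructed.

```python
# Added example: reconcile passive discovery, a physical walkdown and a baseline.
# Asset tags, IPs and hashes are constructed sample data; "config_hash" stands in
# for whatever configuration fingerprint the monitoring tool records (assumption).

def reconcile(discovered, walkdown, baseline):
    """Return the discrepancies between the three lists.

    discovered: {asset_tag: {"ip": str, "config_hash": str}} from passive discovery
    walkdown:   {asset_tag: location} recorded during the physical walkdown
    baseline:   {asset_tag: approved config_hash}
    """
    seen, physical, approved = set(discovered), set(walkdown), set(baseline)
    verified = seen & physical
    return {
        # On the wire but never found on site: unknown or mislabelled device.
        "unverified_on_network": sorted(seen - physical),
        # Found on site but silent: offline, serial-only, or missed by sensors.
        "not_seen_on_network": sorted(physical - seen),
        # Verified asset with no approved configuration to compare against.
        "no_baseline": sorted(verified - approved),
        # Verified asset whose current fingerprint differs from the approved one.
        "config_changed": sorted(
            tag for tag in verified & approved
            if discovered[tag]["config_hash"] != baseline[tag]
        ),
    }

# Constructed sample data
DISCOVERED = {
    "PLC-001": {"ip": "10.10.1.11", "config_hash": "a1f3"},
    "PLC-002": {"ip": "10.10.1.12", "config_hash": "ffff"},
    "HMI-007": {"ip": "10.10.2.20", "config_hash": "77c2"},
    "UNK-3C5A": {"ip": "10.10.1.99", "config_hash": "0000"},
}
WALKDOWN = {
    "PLC-001": "Compressor station A",
    "PLC-002": "Compressor station A",
    "HMI-007": "Control room",
    "RTU-014": "Valve site 3",
}
BASELINE = {"PLC-001": "a1f3", "PLC-002": "b2e4", "RTU-014": "c9d0"}

if __name__ == "__main__":
    for finding, tags in reconcile(DISCOVERED, WALKDOWN, BASELINE).items():
        print(f"{finding}: {tags}")
```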
What Challenges Do Oil & Gas Organizations Face Along the Way?
Not all organizations in the oil & gas sector can implement the security controls discussed above on their own. IIoT, big data analytics, AI, and other emerging technologies are new to most entities in this sector. Few in the industry are used to considering themselves as digital organizations with digital challenges. Consequently, they might lack the people, processes, and technology needed to uphold their digital security.
The makeup of this triad reflects the extent to which cybersecurity functions as corporate culture, not as a check-box exercise. For instance, if they fail to align their IT and OT teams, oil & gas organizations might not be able to get their personnel to collaborate around digital threats that could span both environments. Those teams might instead operate in silos where they don’t share their security priorities and challenges, creating a lack of communication that could leave organizations at greater risk of an attack.
How Can ITEGRITI Help?
ITEGRITI designs and implements programs that help companies avoid hacks, detect breaches when they occur, minimize business disruption during a cybersecurity event, and reduce incident recovery time. We work with organizations to align cybersecurity programs with enterprise risks and first consider existing security hardware, software, and security/compliance controls. We help companies establish and evaluate specific control objectives and internal controls, measure operational effectiveness, and establish an improvement plan that includes actionable remediation activities.
Simultaneously, ITEGRITI understands that some oil & gas organizations need help meeting their specific security requirements on a certain budget. It thus uses its managed services to offer its cybersecurity and compliance advisory services through virtual managed offerings like vCISO.
[1] “Critical Infrastructure.” U.S. Department of Homeland Security. Retrieved 2022-03-01.
[2] “Critical Infrastructure Sectors.” U.S. Cybersecurity & Infrastructure Security Agency. Retrieved 2022-03-01.
[3] “Global $7425.02 Billion Oil and Gas Markets, 2015-2020, 2020-2025F, 2030F.” GlobeNewswire. Published 2021-03-04. Retrieved 2022-03-01.
[4] Tidy, Joe. “European oil facilities hit by cyber-attacks.” BBC News. Published 2022-02-04. Retrieved 2022-03-01.
[5] Pekoske, David P. “Pipeline Cybersecurity: Protecting Critical Infrastructure.” The U.S. Transportation Security Administration. Published 2021-07-21. Retrieved 2022-03-01.
[6] Sanchez, Michael. “10 Essential Steps to Cyber Resilience as Hackers Target Critical Infrastructure.” Homeland Security Today. Published 2021-05-18. Retrieved 2022-03-01.