Analysis: Here’s how the oil and gas industry can defeat today's cyber threats

Jan. 22, 2025
A proactive, risk-based approach to cybersecurity is now more crucial than ever.

By Ian Bramson, Black & Veatch

In today’s rapidly evolving cyber landscape, critical infrastructure sectors—particularly oil and gas—face unprecedented risks. Digitalization has streamlined operations and boosted efficiency, but it has also widened the attack surface for cyber adversaries. As automation becomes the norm and operations shift online, the risks associated with cyberattacks are no longer hypothetical; they are real and increasingly frequent. 

Cybersecurity in the oil and gas sector has lagged that of other industries. Some oil and gas companies have adopted technologies and cybersecurity best practices, but without the comprehensive approach to security that the sophistication of today’s cyber adversaries requires. This has opened vulnerabilities that these adversaries can exploit, from basic IT breaches to sophisticated attacks targeting operational technology (OT). While some regulatory measures have been implemented post-2021, a proactive, risk-based approach to cybersecurity is now more crucial than ever.

Evolution of cyber threats 

The cyberattack on Halliburton in August 2024 exposed the ongoing vulnerabilities in the energy sector. When RansomHub, a ransomware group, breached Halliburton’s systems, it gained unauthorized access to sensitive data and caused significant operational disruptions. In response, Halliburton took systems offline and brought in external cybersecurity experts to investigate and contain the situation.

This echoes what we saw with the Colonial Pipeline ransomware attack in May 2021, which crippled fuel supplies across the US East Coast. Since then, the US Transportation Security Administration (TSA) has revised its cybersecurity guidelines for pipeline operators several times. The latest update in July 2023 emphasizes annual cybersecurity assessments and requires companies to adopt more robust incident response plans.

Still, enforcement remains a grey area. Much of the guidance is voluntary, leading to inconsistent implementation across the sector. This leaves critical infrastructure vulnerable to evolving cyber threats. Incidents like these are unpleasant reminders of what’s at stake when cybersecurity practices fall short.

What’s more, despite regulatory efforts to bolster defenses, compliance alone won’t be enough to ensure security. In the three years since the Colonial Pipeline attack, the threat landscape has evolved. Cyber adversaries have refined their tactics, expanding their focus from data theft to operational disruption. Ransomware remains a prevalent threat, but attacks are now increasingly consequence-driven, aimed at causing safety issues and downtime.

As cyber threats grow more sophisticated, the oil and gas sector must move beyond reactive compliance and adopt a proactive approach focused on real-world consequences.

Moving beyond compliance 

In response to the Colonial Pipeline incident, US federal agencies like the Cybersecurity and Infrastructure Security Agency (CISA) and the TSA introduced new regulations to strengthen cybersecurity across critical infrastructure sectors. 

A lot has changed in the decade-plus since the White House issued Presidential Policy Directive 21 on Critical Infrastructure Security and Resilience to develop a national policy for making critical infrastructure more secure. However, compliance alone is insufficient. Regulatory frameworks provide a baseline, but they are often reactive, focusing on past threats rather than preparing for emerging risks, which is always a dangerous approach.

Indeed, we court danger by presuming that checking the boxes of regulatory compliance equates to security. I heed the caution of an industry expert who once told me, “You can regulate yourself to compliance, but you cannot regulate yourself to security.” A proactive approach to cybersecurity requires oil and gas companies to ask themselves critical questions: What assets do we have? Where are our vulnerabilities? Are we prepared to detect and respond to intrusions effectively?

To address these questions, companies must develop a risk-based strategy that considers both their OT and IT systems. This approach emphasizes operational continuity and safety over mere data protection, ensuring that cybersecurity efforts are aligned with the core mission of keeping essential operations running.

Embracing a consequence-driven approach

Traditional IT cybersecurity prioritizes data protection, but OT environments in the oil and gas sector demand a different approach. The goal in OT cybersecurity is to ensure operational continuity and safety, as a disruption in these environments can have catastrophic consequences. The growing focus on consequence-driven security reflects an understanding that protecting data alone is not enough.

An effective consequence-driven approach ranks risks based on their potential impact on safety, uptime and operational stability. For example, protecting critical systems that control hazardous processes, such as those in LNG (liquefied natural gas) and hydrogen production, should take precedence over securing systems with less potential for physical harm.

Companies are increasingly adopting this approach, focusing on safety as the primary objective, followed by uptime and efficiency. By embedding cybersecurity into process safety frameworks, oil and gas companies can address vulnerabilities that traditional IT security practices might overlook.

New frontiers, new vulnerabilities

Since 2021, technological advances have reshaped the energy landscape, bringing both opportunities and challenges. The oil and gas sector has seen rapid growth in areas like LNG and hydrogen as the energy transition gains momentum. However, these emerging fields also introduce new vulnerabilities that adversaries can exploit.

LNG facilities, for instance, are critical for energy exports but involve high-stakes processes with the potential for catastrophic failure. The hydrogen sector, correspondingly, is expanding as a cleaner energy source but presents unique risks due to the hazardous nature of hydrogen. The complexity and novelty of these operations make them attractive targets for cyber adversaries.

Moreover, oil and gas operations are increasingly using AI for predictive maintenance, demand forecasting and optimization. While AI offers significant benefits, it also poses risks if not properly secured. Adversaries could manipulate AI systems or “poison” data inputs, leading to erroneous decisions or even operational hazards.

For example, malicious outsiders could manipulate an AI-driven demand prediction system to cause overproduction or undersupply, disrupting the market. Oil and gas companies must then protect AI systems not only against external threats but also against accidental malfunctions. This requires a layered security approach that includes AI monitoring, data integrity checks and anomaly detection.

Bridging IT and OT

A recurring issue in the oil and gas sector is the separation of IT and OT cybersecurity. Historically, IT has focused on data protection, while OT has prioritized operational stability. However, this divide can create blind spots, as threats that start in IT systems can spill over into OT environments, as seen in the Colonial Pipeline incident.

To address this, companies must adopt a unified cybersecurity framework that considers both IT and OT as a part of a single ecosystem. This involves adopting technologies that provide real-time monitoring of both environments, ensuring full visibility across the enterprise. Furthermore, cross-functional teams that include both IT and OT specialists can help bridge the knowledge gap and foster collaboration.

In this unified framework, risk assessment should be based on the potential consequences for safety, production uptime and data security, in that order. By adopting this “consequence-first” model, companies can align their cybersecurity priorities with their operational goals, improving resilience against a wider range of threats.

Supply chain attacks

A relatively new concern in the cybersecurity landscape is the concept of “super dependencies.” As companies rely on a small number of cloud providers and critical software vendors, they also become vulnerable to supply chain disruptions that can cascade across industries. It is not a hypothetical risk. In the recent CrowdStrike incident that impacted Microsoft Windows users, a single update caused widespread service interruptions across many sectors.

In the oil and gas industry, a similar reliance on key vendors and service providers can create single points of failure. Companies must map these dependencies and assess the potential impact of a disruption. By doing so, they can identify mitigation strategies, such as diversifying suppliers or implementing redundancy in critical areas.
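One way to carry out the dependency mapping described above, as an added example that is not from the article or from Black & Veatch: it finds vendors that are the sole provider of a service an asset needs and ranks them in the article's consequence-first order (safety, then uptime, then data security). The asset names, service names and vendor placeholders are constructed for illustration.

```python
# Consequence tiers in the order the article gives; index 0 is the most severe.
TIER = {"safety": 0, "uptime": 1, "data": 2}

# Constructed inventory: (asset, worst consequence if disrupted,
# service the asset needs, vendors able to provide that service).
DEPENDENCIES = [
    ("lng-train-sis", "safety", "controller-firmware", ["VendorA"]),
    ("lng-train-sis", "safety", "remote-support", ["VendorB", "VendorC"]),
    ("pipeline-scada", "uptime", "historian", ["VendorB"]),
    ("tank-farm-hmi", "uptime", "historian", ["VendorB"]),
    ("pipeline-scada", "uptime", "endpoint-agent", ["VendorD"]),
    ("compressor-hmi", "uptime", "endpoint-agent", ["VendorD"]),
    ("h2-electrolyzer-plc", "safety", "endpoint-agent", ["VendorD"]),
    ("billing-portal", "data", "cloud-hosting", ["VendorE"]),
]

def single_points_of_failure(deps):
    """Return {vendor: {(asset, consequence), ...}} for every vendor that is
    the only provider of at least one service an asset requires."""
    exposure = {}
    for asset, consequence, _service, providers in deps:
        unique = set(providers)
        if len(unique) == 1:  # no alternative supplier for this service
            vendor = next(iter(unique))
            exposure.setdefault(vendor, set()).add((asset, consequence))
    return exposure

def rank_vendors(deps):
    """Rank sole-source vendors lexicographically by the number of exposed
    assets per tier: any safety exposure outranks any amount of uptime
    exposure, which in turn outranks data-only exposure."""
    ranked = []
    for vendor, assets in single_points_of_failure(deps).items():
        counts = [0, 0, 0]
        for _asset, consequence in assets:
            counts[TIER[consequence]] += 1
        ranked.append((vendor, tuple(counts)))
    # Negate counts so larger exposure sorts first; vendor name breaks ties.
    ranked.sort(key=lambda r: (tuple(-c for c in r[1]), r[0]))
    return ranked

if __name__ == "__main__":
    for vendor, (safety, uptime, data) in rank_vendors(DEPENDENCIES):
        print(f"{vendor}: safety={safety} uptime={uptime} data={data}")
```

VendorC never appears in the ranking because the only service it provides has an alternative supplier, which is the redundancy the paragraph above recommends.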

Supply chain attacks, where adversaries infiltrate software or service providers to compromise their clients, are also on the rise. These attacks are difficult to detect and can have far-reaching consequences. While oil and gas companies have improved their cybersecurity efforts significantly in recent years, they must continue to scrutinize their suppliers’ security practices, ensuring that third-party vendors meet the same security standards they enforce internally.

Preparing for future threats

The future of industrial cybersecurity is increasingly dynamic, with AI-driven threats, super dependencies and evolving regulatory environments shaping the landscape. For oil and gas companies, the time to act is now. Focusing solely on compliance is no longer enough; a proactive, consequence-driven approach is essential.

By investing in comprehensive cybersecurity strategies that include asset management, vulnerability assessments, real-time monitoring and security by design, oil and gas companies can build resilience against future threats. These measures will not only protect the bottom line but also ensure the safety of employees, the environment and the communities they serve.

In a world where cyberattacks on critical infrastructure are becoming more frequent and sophisticated, oil and gas companies cannot afford to be reactive. The lessons learned from previous incidents must serve as a foundation for continuous improvement. For the oil and gas sector, securing the future means embracing a holistic, proactive approach to cybersecurity—because the risks are real, and the stakes are too high to ignore.

About the Author

Ian Bramson

Ian Bramson is vice president of Black & Veatch’s Global Industrial Cybersecurity Practice, where he is responsible for the strategy, commercialization and business growth of all the company’s integrated cybersecurity solutions and capabilities. His career in the fields of cybersecurity, risk management, and digital transformation has spanned over 25 years. Bramson works closely with high-level executives in critical infrastructure industries to provide solutions that minimize cybersecurity risks. He has successfully built two cybersecurity consulting services over the past decade, both of which were supported by global sales organizations and implemented in multiple industries. He holds a bachelor’s degree in Economics and English from Cornell University.