Securing the oil and gas industry
The oil and gas sector remains a crucial pillar of the global economy, an industry that supports not only millions of jobs worldwide but also underpins essential energy provisions for homes, businesses, and transportation networks.
Yet, as digital technology continues to pervade this sector, oil and gas companies are increasingly being exposed to critical cyber threats. The industry's increasing dependence on digital systems has escalated the importance of robust cybersecurity strategies, presenting an array of unprecedented challenges.
Oil and gas infrastructures are a complex web of interconnected segments (upstream, midstream, and downstream), each with its unique facets and cybersecurity considerations. The upstream segment, involving exploration and raw material extraction, often grapples with the immense geographic dispersion of assets, rendering cybersecurity monitoring a formidable task. The midstream sector faces similar challenges, further exacerbated by dependencies on third-party vendors, making it susceptible to cyberattacks, as evidenced by the Colonial Pipeline incident. At the same time, the downstream segment, focusing on refining and distribution, relies heavily on legacy systems, often ill-equipped to cope with modern cyber threats.
The unique and complex challenges of these segments make effective cybersecurity a rather difficult task for such organizations. Let’s take an in-depth look at why security is such a complex challenge in this sector and how organizations can safeguard this critical industry against the constantly evolving threat landscape.
Why is cybersecurity challenging in the Oil and Gas industry?
The oil and gas sector is significantly dependent on several external variables, which complicates the industry's operational landscape, consequently making cybersecurity a unique challenge. Among these, the issue of rising costs stands prominently. The volatility in barrel prices, influenced by a myriad of geopolitical, economic, and environmental factors, significantly impacts the sector's long-term project planning and investments.
Notably, upstream operations that depend directly on oil prices feel this volatility acutely, with advanced methods such as offshore drilling and oil sands refining becoming economically unviable when prices plummet. This volatility can result in cost-saving measures, often at the expense of essential cybersecurity initiatives, leaving systems and equipment unprotected. Ironically, a lack of cybersecurity investments can lead to more significant financial losses, damage to reputation, and regulatory penalties.
Coupled with these challenges is the issue of ageing infrastructure. Much of the sector’s upstream and downstream facilities require costly updates or replacements. The challenge lies in the prohibitive costs versus the expected commercial output. This reluctance to update infrastructure leads to outdated and vulnerable systems existing within the organizational network, resulting in heightened cybersecurity risks.
Geopolitical risks present another major obstacle. Industry operations can be hampered by geopolitical instability, affecting the availability and price of oil and gas. This instability can also foster a volatile cybersecurity environment, exposing companies to risks of cyber terrorism, disruption of operations, and theft of sensitive information. It’s been well documented that whenever geopolitical tension increases, state-sponsored actors tend to make the oil and gas infrastructure a common target for cyberattacks.
It’s also important to consider the challenges created by production source depletion. The depletion of traditional oil and gas sources has necessitated the exploration of new ones, using more expensive and complex methods. This process has amplified the reliance on operational technology (OT) systems, industrial control systems (ICS), and supervisory control and data acquisition (SCADA) systems. While these technologies increase efficiency and safety, they also broaden the potential attack surface, making the industry more susceptible to cyber threats. Thus, robust cybersecurity strategies must be a priority to mitigate these multifaceted challenges.
Regulatory Environment and Compliance Challenges
The regulatory environment of the industry is constantly changing as cyber threats become more pervasive. After the Colonial Pipeline ransomware attack, the U.S. government mandated stricter cybersecurity practices for pipeline operators, introducing regulations and standards including the Transportation Security Administration (TSA) directive, International Electrotechnical Commission (IEC) standards, ISO/IEC 27001, and the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF).
The TSA directive requires pipeline owners to implement specific cybersecurity measures, promoting improved cyber policies, awareness, and training. The IEC standards protect industrial automation and control systems (IACS), a crucial aspect of oil and gas operations. ISO/IEC 27001 provides a framework for information security management, protecting sensitive data against cyber threats, while NIST CSF offers guidelines to manage and reduce cybersecurity risks.
While complying with these requirements can help companies safeguard their critical infrastructure, it is highly challenging to keep up with this constantly changing regulatory environment. Compliance with these directives can be particularly costly, especially for small and mid-sized companies lacking dedicated compliance teams or partnerships with cybersecurity vendors.
Safeguarding the Oil and Gas industry
To combat the unique security challenges of this sector, oil and gas companies should strive for thorough visibility into all cyber-physical systems (CPS) within their OT environment. A comprehensive, real-time inventory of assets across drilling sites, platforms, pipelines, plants, and refineries is essential to industrial cybersecurity. Without this visibility, it is impossible to secure what is not known or understood. Therefore, asset visibility forms the bedrock of a robust cybersecurity strategy.
Effective integration of existing IT tools and workflows with OT is also crucial. CPS in the oil and gas industry often utilize proprietary protocols and legacy systems, making them incompatible with traditional IT systems. Rather than expanding their technology stacks, companies should seek solutions that integrate with their existing infrastructure, allowing the extension of existing IT tools and workflows to OT environments.
It’s also critical to extend IT security controls and governance to OT. Operational environments such as SCADA systems, Industrial Control Systems, Remote Terminals, and Human Machine Interfaces frequently lack the cybersecurity controls and consistent governance found in IT environments. To eliminate this disparity, companies should work towards unifying their security governance, thereby promoting operational and cyber resilience across their operations.
Armed with these principles, upstream, midstream, and downstream oil and gas companies can better protect their critical infrastructure and devise cybersecurity strategies tailored to their unique requirements. Compliance with industry standards and regulations, a complex and continually evolving task, can also be better managed. With full visibility and control of their OT environments, companies can ensure they meet regulatory standards, reduce industry challenges, and most importantly, prevent significant cybersecurity incidents.
Justin Woody is Senior Director Industrial Strategy at Claroty.