The oil and gas industry is a vital component of the global economy. After all, it employs millions worldwide and is responsible for providing energy to power homes, businesses, and transportation systems, as well as supporting trade and commerce, technological advancements, infrastructure development, and more. As with most critical industries today, oil and gas companies have become increasingly reliant on digital technology — making the implementation of a strong cybersecurity strategy more important than ever.
Oil and gas is one of the largest industries in the world, and is primarily separated into three main segments: upstream, midstream, and downstream. Each of these industry segments is interconnected and plays a crucial role in ensuring efficient production, transportation, and delivery of oil and gas products. However, these segments have several key differences, and the elements and implications of an effective cybersecurity strategy heavily depend on which industry segment(s) an oil and gas company resides in. Here are the key differences:
The upstream segment focuses on locating and gathering the raw oil and natural gas materials that midstream and downstream companies then transport and refine into fuel, chemicals, and other finished products. Upstream includes a variety of different methods of gathering materials, including via oil wells and derricks, off-shore drilling, oil sands extraction, and fracking. Upstream operations often take place in remote and challenging environments, and their assets are often distributed across large geographic areas. These conditions can make it difficult for upstream companies to not only monitor and secure the full extent of their operations and assets, but also to perform software updates, apply patches, and implement other necessary security controls. As a result, upstream oil & gas systems tend to be more exposed and vulnerable to cyberattacks.
The midstream segment encompasses the transportation and storage of the raw oil & gas materials obtained via upstream exploration and production. Midstream companies typically use pipelines, storage tanks, tankers, and/or other specialized vehicles to store and transport crude oil and natural gas from upstream extraction sites to downstream processing and refining facilities or distributed to centers for customers. Much like upstream organizations, midstream architectures tend to be widespread and geographically dispersed, causing challenges with cybersecurity monitoring and often-unsecured remote access. These organizations’ typically heavy reliance on pipelines to transport oil and gas from production sites, as well as their common dependence on third-party vendors and contractors to provide equipment and services, also contribute strongly to their remote access challenges. By targeting pipelines, or exploiting vulnerabilities inherent to third-party vendors, hackers can gain unauthorized access, disrupt operations, and even cause physical damage. An incident of this nature was seen via an attack on Colonial Pipeline, which impacted oil and gas delivery, and precipitated a rise in fuel prices for consumers, among other implications. We will further discuss this unprecedented attack on U.S. critical infrastructure later on in this article.
The downstream segment focuses on processing the raw materials procured during the upstream process. This involves converting crude oil into usable products such as gasoline, diesel, and jet fuel. It also involves the distribution of these products through networks of pipelines, tankers, and retail outlets (i.e. gas stations) to end-consumers. Downstream network architectures tend to be more closely related to those found in traditional “plant” environments seen in other industries, like power generation and manufacturing.
The physical processes that underpin downstream environments often rely on legacy systems and equipment — most of which were not designed with security in mind. And given that these systems and equipment are often simply too old or fragile to support software updates, they tend to be more prone to containing both known and zero-day vulnerabilities that can be easily exploited by attackers. Additionally, as IT and OT converge, the industrial control systems (ICS) located in these environments have become increasingly connected to the internet. This interconnectivity has broadened the attack surface for downstream organizations, making them more vulnerable to cyber risk.
The oil and gas industry faces several challenges that require innovative solutions and strategic partnerships to help them adapt and respond to these challenges.
The first challenge faced by companies in this industry is extreme volatility in oil and gas barrel prices. Barrel prices are subject to a range of geopolitical, economic, and environmental factors, which create difficulty for companies trying to plan and execute long-term projects and investments. This issue particularly affects upstream development, as it is directly related to the price of oil. More complicated upstream methods such as oil sands refining and offshore drilling will stop operating if the price of oil falls too drastically.
This challenge also puts pressure on upstream oil and gas companies to keep costs as low as possible, many times putting pressure on them to reduce spending on cybersecurity initiatives. With limited resources to invest in robust security technologies, companies are left with unprotected systems and equipment. Ultimately, failure to prioritize cybersecurity can result in even great financial losses, reputational damage, and regulatory penalties.
A second major challenge faced by oil and gas companies is the increase in regulations and standards that are shaping the industry. Due largely to recent cyber attacks in the industry, new regulations regarding cybersecurity requirements for pipeline owners and operators have been created by the Transportation Security Administration (TSA).
Although these regulations most directly impact midstream companies, many larger organizations also have exposure due to their size. With ongoing threats to critical infrastructure, regulations will continue to develop in order to reduce risk — making it increasingly important for oil and gas companies to implement the right cybersecurity strategies. Additionally, oil and gas companies are many times subject to regulatory compliance with these regulations, which can be extremely costly for small and mid-sized companies. Without dedicated compliance teams in place, or partnerships with cybersecurity vendors, companies will not only struggle to meet requirements, but will also fail to improve their cybersecurity posture.
A third significant challenge is related to aging infrastructure. Much of the oil and gas industry’s infrastructure, particularly in the upstream and downstream sectors, is aging and is in need of repairs or replacements. The challenge is that the cost of updating equipment in pipelines, refineries, and production facilities is typically more than expected commercial output of the life of the plant. This makes projects challenging to justify, causing old equipment to remain in place.
These legacy systems and outdated technology also pose significant oil and gas cybersecurity risks as they were not designed with security in mind. Many times, they do not have the latest software updates or security patches, leaving them more vulnerable to attacks.
Another noteworthy challenge stems from geopolitical risk. The oil and gas industry faces several challenges when it comes to geopolitical risk including trade tensions, control, and instability in producing countries. These risks can affect the availability and price of oil and gas, making it more difficult for companies to operate in certain regions. This can be seen today with the distribution of energy trade between Europe and Russia, which has driven global gas markets to new highs — reaching six to ten times US Henry Hub prices, according to Deloitte’s 2023 oil and gas industry outlook.
Such political instability has the potential to create a volatile cybersecurity environment, making it difficult for companies to protect operations and sensitive information. Geopolitical risks can also come in the form of cyber terrorism, which are typically carried out in an attempt to disrupt operations or cause physical damage, and can be difficult to prevent or detect. Overall, these risks have a significant impact on cybersecurity as attackers seek to gain access to sensitive information, disrupt operations, or steal intellectual property.
According to many upstream companies, the sources of oil and gas that had traditionally been easier to procure have already been explored — to the point where many are deemed empty. Now, more expensive and complicated methods such as oil sands, off-shore, and fracking are being used.
These methods raise the cost of finding new sources, making upstream companies even further exposed to the price of oil. They also have increased upstream companies' reliability on OT systems, ICS systems, and supervisory and data acquisition (SCADA) systems. These systems are critical to exploration and production activities as they increase efficiency and safety; however, their interconnectivity has further expanded the attack surface — making them more vulnerable to cyberattacks.
There have been various recent cybersecurity incidents that have been shaped by and/or furthered the above challenges for oil and gas companies, as well as made the implementation of a strong cybersecurity strategy paramount.
One of the major incidents that has plagued the oil and gas industry is the disruptive ransomware attack against the East Coast’s largest gasoline, diesel, and natural gas distributor, Colonial Pipeline. This attack on Colonial's IT network prompted the company to shut down pipelines, causing gas prices to soar and in some states, causing consumers to scramble to find gasoline at the pumps. The Colonial Pipeline incident specifically has become a catalyst for an increase in cybersecurity regulations in the industry, and has served as a wake-up call for executives when it comes to establishing a strong cybersecurity strategy across their organization. As we’ve increasingly seen, ransomware has become a scourge to enterprises worldwide, and attacks are only predicted to grow in number and in sophistication.
Another recent incident that affected oil and gas cybersecurity is an attack targeting oil loading facilities in the Amsterdam-Rotterdam-Antwerp (ARA) refining hub. This attack considerably disputed the loading and unloading of refined product cargoes as many of these processes are automated. The impact was felt most severely by the flow of oil products such as heating oil, diesel, jet fuel, and gasoline. This cyberattack not only has reverberating consequences on ARA’s business operations, but also could cause cascading societal and economic impacts across Europe. The ARA refinery ransomware attacks were very similar to that of the US Colonial Pipeline incident a year prior, and further demonstrate how cybercriminals are capitalizing on the shortcomings of oil and gas industry defensive measures.
Both of these attacks have distributed the critical infrastructure that delivers foundational support to economies and society as a whole — making it clear that there is an increasing need to secure legacy systems which have been left inadequately protected as a result of digital transformation and their increased connectivity to the internet. These attacks have also driven government action on the importance of cybersecurity, which can be seen by the regulations and standards listed below.
Following the Colonial Pipeline ransomware attack, we saw unprecedented action from the U.S. government regarding mandated incident-reporting procedures and hardened cybersecurity practices from pipeline owners and operations. Here are a few of the key cybersecurity standards and regulations that have been put in place:
As discussed earlier in this article, the TSA has introduced a pipeline security directive with the goal of reducing the risk that cybersecurity threats pose to critical pipeline systems and facilities. This directive mandates that TSA-specified owners and operators of pipeline and liquefied natural gas facilities implement three cybersecurity measures to prevent disruption and degradation to their infrastructure. Although this directive was a jolt for many oil and gas companies, it is a step in the right direction for companies to make better decisions around cyber policies, awareness, training, and skill development for a holistic cybersecurity program.
The IEC has also developed a series of international standards to protect industrial automation and control systems (IACS). The oil and gas sector relies heavily on IACS to manage and monitor critical operations, making the IEC 62443 standards an important tool for companies in this industry to follow. They provide a comprehensive framework for addressing the cybersecurity needs of IACS, which are particularly vulnerable to threats due to their interconnectedness and reliance on legacy technology. The implementation of IEC 62443 standards can also help oil and gas companies comply with regulatory requirements, including those set by the US Department of Homeland Security (DHS) and the International Association of Oil and Gas Producers (IOGP). These standards can be viewed as essential tools for companies to ensure the security and resilience of their critical infrastructure.
Another globally recognized standard for information security management systems (ISMS) is ISO/IEC 27001. This standard significantly impacts oil and gas cybersecurity as these companies rely heavily on IT and handle large volumes of sensitive data. With ISO/IEC 27001 oil and gas companies can establish a comprehensive framework for managing and protecting the confidentiality, integrity, and availability of sensitive information — including exploration and production data, financial data, and personal data of both employees and customers. Much like IEC 62443, ISO/IEC 27001 can help organizations to comply with regulatory requirements, including those set by the DHS and the European Union’s General Data Protection Regulation (GDPR). Overall, by implementing this standard, oil and gas companies can protect sensitive data against cyberthreats, and maintain a secure and safe operating environment.
Although there are several other regulations and standards in which the oil and gas industry comply with today, the last cybersecurity framework we will discuss in this article is the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). This framework is based on a risk management approach, and provides a set of guidelines and best practices for organizations to manage and reduce cybersecurity risks. NIST CSF consists of five core functions: Identify, Protect, Detect, Respond, and Recover. These core functions allow organizations to prioritize threats, focusing their resources on the areas of highest risk. Much like IEC 62443 and ISO/IEC 27001, NIST CSF can help oil and gas companies to comply with regulatory requirements, including those set by the DHS and the North American Electric Reliability Corporation (NERC). By adopting this framework, oil and gas companies can enhance their cyber and operational resilience and reduce the likelihood of future cyber incidents.
These regulations and standards provide a strong framework for oil and gas cybersecurity in every sector to help manage their risks, protect their sensitive data, and comply with industry regulations. By following the above directives, standards, and frameworks, the oil and gas industry can ensure they have the appropriate security measures in place to meet these requirements, and to protect their critical infrastructure.
Securing the operational technology (OT) environments that underpin upstream, midstream, and downstream oil and gas operations and infrastructure is not an easy task. As digital transformation soars and IT increasingly integrates with OT systems, the oil and gas industry faces more challenges to their critical infrastructure than ever. That’s why Claroty has created a portfolio of oil and gas cybersecurity solutions to help companies address these challenges.
Claroty helps oil and gas companies secure their OT environments with three key principles. First, they assist companies in gaining visibility into all cyber-physical systems (CPS) within their OT environment. Asset visibility is foundational to industrial cybersecurity — which is why all segments of oil and gas must attain a comprehensive, real-time inventory of their assets across all drilling sites, platforms, pipelines, plants, and refineries. The second key principle Claroty provides assistance with is the integration of oil and gas companies existing IT tools and workflows with OT. Because most CPS in oil and gas use proprietary protocols and legacy systems, they are incompatible with traditional IT systems. But, rather than requiring customers to expand their tech stacks, Claroty integrates with them — allowing customers to simply extend their existing tools and workflows from IT to OT. Lastly, Claroty helps companies extend their IT security controls and governance to OT. Unlike their IT counterparts, most OT environments lack essential cybersecurity controls and consistent governance. Claroty assists in eliminating this gap by unifying security governance and driving all use cases on your oil and gas companies journey to operational and cyber resilience.
Claroty empowers upstream, midstream, and downstream oil and gas companies to protect their critical infrastructure and establish a purpose-built cybersecurity strategy unique to their organizations needs. We also help companies comply with industry standards and regulations which, as seen above, is a complex and ever-evolving endeavor for oil and gas. With unprecedented visibility and complete control of your oil and gas companies OT environments, organizations can ensure that standards and regulations are met, industry challenges are reduced, and major cybersecurity incidents are prevented.