The oil and gas sector, especially the pipeline industry, plays a pivotal role in the global economy. However, this critical sector faces an escalating cybersecurity challenge. High-profile cyber attacks, like the 2021 Colonial Pipeline ransomware incident, have disrupted operations and caused significant financial losses, highlighting the sector’s vulnerability to digital threats.
The Colonial Pipeline cyberattack caused widespread supply disruptions and financial upheaval, underscoring the vulnerability of this vital industry to digital threats. The ransomware attack included the theft of 100 gigabytes of data before locking pipeline operations until the company (working with the FBI) paid $4.4 million to the hackers.
It wasn’t the first or the last. The energy sector was targeted with 10.7 percent of cyberattacks across worldwide industries in 2022, according to Statista. This included a cyberattack on European oil refining ports and storage facilities that targeted a total of 17 terminals, including the oil refining hub of Amsterdam-Rotterdam-Antwerp, Oiltanking and Mabanaft in Germany, SEA-Invest in Belgium, and Evos in the Netherlands.
These events led to immediate shortages and price hikes and exposed the fragility of our critical infrastructure against cyberthreats. They have highlighted a pressing need for stringent cybersecurity measures and the importance of working with the government to ensure infrastructure security.
Securing Our Infrastructure
In response to these concerns, the Transportation Security Administration (TSA) issued directives that brought about a paradigm shift in how the pipeline industry approaches cybersecurity. These directives mandate that operators report cybersecurity incidents, thoroughly review their digital defenses, and develop robust remediation measures. While the mandate does leave some leeway for pipeline companies that aren’t yet equipped to meet high standards, it still demands that everyone meets the minimum requirements.
The Securities and Exchange Commission (SEC) also adopted new cybersecurity risk management strategy governance and incident disclosure rules. These rules standardize cybersecurity disclosure requirements for public companies, many of which are in the oil and gas sector, emphasizing the need for annual disclosure of cybersecurity risk management strategies and the reporting of material cybersecurity incidents.
Cyberattacks can disrupt the supply of gasoline and fuel, causing problems extending far beyond the industry itself. They cause a financial ripple effect for all stakeholders while potentially destroying the reputation of the targeted company. Not to mention any time there’s a security breach, it draws government scrutiny, and regulations increase.
Today’s leadership must focus on securing critical infrastructure to combat these growing concerns and regulations.
Beyond Compliance: A Strategic Imperative
Compliance with these regulations and TSA’s directives is crucial for business continuity and stakeholder trust. It goes beyond ticking regulatory boxes; it’s a strategic imperative for the pipeline industry, and leadership needs to be ready. A cyberattack is a significant business continuity concern that requires diligence and vigilance throughout the organization from the top down.
By adopting new compliance measures, companies are protecting their infrastructure, safeguarding their reputation, ensuring business continuity, and maintaining stakeholder trust. Integrating frameworks like NIST CSF, ISA 62443, and ISO 27001, as recommended by cybersecurity experts, offers a structured approach to managing these risks.
One crucial step is to move quickly from assessments to response planning. Doing so requires more internal training, as the human element is the weakest link in any security regime. No matter how watchful employees are, passwords aren’t always updated or complex enough, and malicious links from phishing attacks are getting more sophisticated daily.
The most significant security risk of all is ignoring the problem, and it’s easy for leaders to fall into this trap while focusing on how to grow versus how to protect and maintain what they have. Their jobs depend on the business earning money and keeping investors happy, which can be a challenging position to be in, knowing the high price of security.
These competing priorities must be balanced to meet the modern industry’s security challenges.
- Global Energy Security
Cyberthreats in one market can impact oil and gas markets globally, as the industry is highly interconnected. The U.S., for example, imports petroleum from Canada, Mexico, Saudi Arabia, Iraq and Colombia, among others. This intrinsically ties all regions together, making a cyberattack in one sector a global concern.
- Operational Continuity
Proactive security measures are necessary to ensure organizations can continue operating under the threat of any type of attack. This requires intentional redundancies and constant diligence to ensure the protections are functioning as needed over time.
- Advancing Technology
Cutting-edge technologies like artificial intelligence (AI) are a boon to business. However, they can also arm criminals with high-powered tools to develop malware, unleashing a new era of threats that must be mitigated. Staying abreast of new technologies and their impact on cybersecurity is imperative to keeping your defenses current.
- Environmental Safety
Most importantly, a compromised system could have a detrimental impact on the environment. A security breach can create a disaster like a catastrophic oil spill similar to the deadly Deepwater Horizon incident, making cybersecurity in this sector a matter of environmental safety and responsibility.
Today, increasing cybersecurity concerns have sparked essential government and private sector collaboration, which is crucial for developing more resilient cybersecurity strategies and practices. Investment in cybersecurity is no longer optional; rather, it’s a critical component of the industry’s future stability and growth.
Moving forward, the oil and gas sector and the pipeline industry must comply with regulatory guidelines and embrace a culture of continuous improvement in cybersecurity. Cyberthreats continue to evolve, and protecting critical infrastructure is vital. This means ensuring that every step of the supply chain is covered, providing a holistic, zero-trust environment. To survive unscathed, the industry must be agile, adapt to new threats and technologies, and proactively ensure the security of all systems rather than reacting after an attack.
References:
“Colonial Pipeline Cyber Attack: What We Know So Far,” BBC News, 2021.
“Cybersecurity Threats: The Daunting Challenge of Securing the Oil and Gas Industry,” Forbes, 2022.
“Cyberattack Paralyzes Key European Oil Facilities,” The Wall Street Journal, 2022.
“SEC Adopts New Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Requirements,” SEC.gov, 2023.
“Implementing Effective Cybersecurity Strategies in the Oil and Gas Sector,” Cybersecurity Journal, 2023.
“Evolving Cybersecurity Threats in the Energy Sector,” Energy Policy Journal, 2023.
“Collaborative Cybersecurity in the Pipeline Industry: A Case Study Review,” International Journal of Cybersecurity, 2023.
“The Role of Public-Private Partnerships in Enhancing Cybersecurity,” Cybersecurity and Infrastructure Security Agency, CISA.gov, 2023.
“Navigating the SEC’s Cybersecurity Disclosure Rules: Implications for the Oil and Gas Industry,” Financial Times, 2023.
“The Future of Cybersecurity in the Oil and Gas Sector,” Energy Security Analysis, 2023.
Chad Alessi is an experienced leader in the energy industry with over 20 years of experience in oil and gas operations, engineering, project management and operations consulting.
Oil and gas operations are commonly found in remote locations far from company headquarters. Now, it's possible to monitor pump operations, collate and analyze seismic data, and track employees around the world from almost anywhere. Whether employees are in the office or in the field, the internet and related applications enable a greater multidirectional flow of information – and control – than ever before.
