Oil and Gas Cybersecurity: Understanding Risks, Consequences, and Proactive Measures

  • November 27, 2018

The oil and gas sector is vulnerable to cyberattacks as it adopts digital means by which to control communications that help power energy production and distribution. Daily activities that we often take for granted are powered by the energy from oil and gas including everyday cooking, heating/cooling, communication, and use of electronic devices and appliances. For context, there exists approximately 1,793 natural gas-powered electricity plants in the U.S. and they generate 34 percent of the nation’s electricity last year. Much of how we live and work is dependent upon the energy produced from oil and gas production. Therefore, even the smallest cyberattack on one of thousands of interconnected and digitalized systems can yield devasting effects.

A company that experiences an attack can experience a plant shutdown, equipment damage, utilities interruptions, production shutdown, inappropriate product quality, undetected spills, and safety measure violations—to name a few. Recently, 87% of senior executives in the natural resources sector have reported being affected by cyber incidents in the past 12 months. Further, 46% of attacks in Operational Technology go undetected.

The following companies have unfortunately fallen victim and become a part of these statistics.

  • In 2010, Stuxnet, a malicious computer worm, was used to hijack industrial control systems around the globe, including computers used to manage oil refineries, gas pipelines, and power plants. It reportedly destroyed a fifth of Iran’s nuclear centrifuges. The worm was delivered through a worker’s thumb drive.
  • In August 2012, a person with privileged access to one of the world’s leading National Oil Companies’ (NOCs’) computers unleashed a computer virus called Shamoon (disk-wiping malware) that erased three quarters (30,000) of the company’s corporate personal computers (PCs) and resulted in an immediate shutdown of the company’s internal network.
  • National Security Authority Norway said 50 companies in the oil sector were hacked and 250 more were warned to check their systems, in one of the biggest hacks in Norway’s history
  • Ugly Gorilla, a Chinese attacker who invaded the control systems of utilities in the United States, gained cyber keys necessary to access systems that regulate flow of natural gas.
  • In January 2015, a device used to monitor the gasoline levels at refueling stations across the United States—known as an automated tank gauge or ATG—could be remotely accessed by online attackers, manipulated to cause alerts, and even set to shut down the flow of fuel. Several Guardian AST gas-tank-monitoring systems have suffered electronic attacks possibly instigated by hacktivist groups.

These examples show and tell other oil and gas companies of the consequences that arise from insecure cyber environments, vulnerable systems, and cyber teams that lack the latest skills to stay ahead of attackers.

However, there is hope. To lessen the attack surface, cyber teams need to be prepared to address all possible scenarios that can occur on said attack surface in order to effectively protect and defend IT and OT infrastructures. Project Ares® cyber training platform can prepare teams with the right skills in immersive environments that emulate their own oil and gas networks to be most effective. It is designed for continuous learning among teams, meaning its constantly evolving with new missions rapidly added to address the latest threats and training requirements. Further, targeted training can be achieved from the library of mission scenarios to train specific skill sets.

This solution coupled with proper collaboration between IT and OT divisions to share threat intelligence information and creating a “data privacy first” culture across the enterprise (not just in IT) will do wonders for companies looking to stay out of the negative news headlines and experience an attack.