Cybersecurity Overview for the Oil and Gas Industry

The Result of Not Addressing Increasing Cybersecurity Risk

The increasingly blurred boundary between Information Technology (IT) networks and Operational Technology (OT), for example Industrial Control Systems (ICS), poses a major risk to the oil and gas industry.

As the industry increases its efficiency through automation, companies are significantly increasing their cyber attack surface. Internally, changes caused by human error, misconfiguration, insider threat, or the supply chain can indirectly alter one part of the business and have major consequences. These changes need to be considered when mitigating cybersecurity risks.

The oil and gas industry has been at risk of losing competitive advantage in several areas, including exploration information and bidding information, through intellectual property theft at the hands of a cyber threat adversary. The most significant wake-up call occurred in 2012 with the Shamoon attack on Saudi Aramco, which was destructive in nature: over 30,000 Windows-based machines began to be overwritten. This was a significant problem for a company that provides 10% of the globe’s oil supply, and it disrupted their IT systems.

What’s more alarming is that 2017 saw the unauthorized release of sophisticated nation-state cyber tools to the masses, which were then weaponized for multiple destructive campaigns, including WannaCry and NotPetya, which impacted hundreds of thousands of computer systems globally.

With heightened awareness of cyber breaches and their impacts, it’s still alarming that many IT teams are taking a reactive approach to cybersecurity. Merely meeting regulation or compliance requirements, which don’t evolve rapidly enough to keep pace with adaptive cyber threat adversaries, is no longer an option. There is too much political and financial gain to be had by threat actors, and cyber is becoming their avenue of choice because in many cases it is the easiest and cheapest path to success.

Organizations, especially in the oil and gas industry, are huge targets with very significant consequences that could include destruction of plants or pipelines, loss of life, oil spills and financial loss. Proactive attention is needed by organizations to prevent these tragic scenarios from becoming a reality.

What can the Oil and Gas Industry do?

Technological advancements and cloud adoption don’t eliminate cyber risk; they only change the roles and responsibilities for mitigating it. That change, especially in large enterprise environments, can unknowingly open opportunities for an adversary to gain access to an organization’s assets. They also raise the stakes when organizations go through IT consolidation. Consolidating an organization’s information and business-critical data offers many advantages, but it can also concentrate the payoff for a threat adversary’s time and effort if a breach were to occur.

While there is no standard set of cybersecurity rules for the oil and gas industry, organizations should start with a set of requirements for narrowing the risk of breaches and restricting access to parts of the organization that, formerly, were not connected:

  • Isolate (or “air gap”) OT/ICS systems from IT systems (especially web-facing systems)
  • Implement emerging security technologies to better keep pace with adversarial innovation
  • Ensure a higher level of security on backups: where they’re located and how often they’re accessed
  • Establish and enforce a “least privilege” culture across your IT systems
  • Limit the avenues of attack to your key data (from production to exploration to sales, each group’s data should be treated as high value)
  • Enact a specialized and focused security monitoring program on the critical systems/network segments
  • Test your network and its protection and reactive measures vigorously

Mitigating Destructive Malware

One approach for the IT team is to treat each group’s access and behaviors differently. While a company-wide security plan can look good to the CTO, clearly defining each group’s security thresholds with its leadership or IT leads can greatly reduce risk and help establish testing and monitoring of each group’s risk. So while legal

By identifying that risk, IT teams can use that data to help drive where resources should be allocated for the reduction of risk.

One growing area is the sophistication of these attacks. Attackers are no longer just trying to break in; they’re designing their attacks to take down the systems that are used for IT recovery. In the past, backup systems have been a vital and necessary tool for bringing a company back after a malicious attack. Now, ransomware such as Locky and WannaCry actually looks for remote shares and backup stores.

Proper cyber hygiene is always important (and yes, achieving 95%+ coverage in an organization is very difficult). Staying current with patches and keeping up with a security vendor’s content can greatly reduce repeat attacks in which files are reused by the adversary. This is where defense in depth comes into play, incorporating other security best practices to limit the adversary’s ability to maneuver and move laterally across your organization.

Segmenting this key data on the network and directing your security operations teams to prioritize its monitoring will greatly improve your chances of thwarting a destructive malware attack. Lastly, non-signature-based detection technologies, e.g. Artificial Intelligence/Machine Learning (AI/ML), can analyze unknown content and identify threats rapidly, enabling faster detection and response in order to minimize impact.
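The two preceding paragraphs describe ransomware reaching for remote shares and backup stores, and recommend focused monitoring of the segments that hold key data. The following is an added example (not code from the original article or from any vendor product) of what such monitoring can look like in practice: it runs over a few constructed file-server audit lines in a hypothetical format and raises an alert when one host fans out across many shares in a short window, or when anything other than the assumed backup service account modifies a backup store.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit lines in a hypothetical "<ISO ts> <host> <user> <op> <share> <path>"
# format; these are not real product logs.
SAMPLE_LOG = r"""
2017-06-27T10:00:01 WS-17 jdoe READ \\fs01\eng drawings\p1.dwg
2017-06-27T10:00:04 WS-17 jdoe READ \\fs01\eng drawings\p2.dwg
2017-06-27T10:12:30 WS-42 svc_bk WRITE \\bk01\backups nightly\2017-06-26.bak
2017-06-27T11:03:10 WS-09 asmith READ \\fs01\eng specs\valve.pdf
2017-06-27T11:03:11 WS-09 asmith READ \\fs01\sales bids\q3.xlsx
2017-06-27T11:03:12 WS-09 asmith READ \\fs02\exploration seismic\block7.sgy
2017-06-27T11:03:13 WS-09 asmith WRITE \\fs02\exploration seismic\block7.sgy.locky
2017-06-27T11:03:15 WS-09 asmith WRITE \\bk01\backups nightly\2017-06-26.bak
2017-06-27T11:03:16 WS-09 asmith DELETE \\bk01\backups nightly\2017-06-25.bak
"""

BACKUP_SHARES = {r"\\bk01\backups"}   # assumed inventory of backup stores to protect
BACKUP_SERVICE_ACCOUNT = "svc_bk"     # assumed account allowed to write backups
WINDOW = timedelta(seconds=60)        # fan-out window per host
SHARE_THRESHOLD = 3                   # distinct shares within WINDOW that trigger an alert

def parse(line):
    ts, host, user, op, share, path = line.split(maxsplit=5)
    return datetime.fromisoformat(ts), host, user, op, share, path

def detect(log_text):
    """Return an ordered, de-duplicated list of (rule, host) alerts.
    Rule "fanout": one host touching many distinct shares in a short window, the
    share-hunting pattern described above. Rule "backup_tamper": a write or delete
    on a backup store by anything other than the backup service account."""
    alerts = []
    per_host = defaultdict(list)   # host -> [(timestamp, share)] in log order
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, user, op, share, _path = parse(line)
        events = per_host[host]
        events.append((ts, share))
        recent = {s for t, s in events if ts - t <= WINDOW}
        if len(recent) >= SHARE_THRESHOLD and ("fanout", host) not in alerts:
            alerts.append(("fanout", host))
        if (share in BACKUP_SHARES and op in ("WRITE", "DELETE")
                and user != BACKUP_SERVICE_ACCOUNT
                and ("backup_tamper", host) not in alerts):
            alerts.append(("backup_tamper", host))
    return alerts
```

The thresholds are deliberately small so the constructed sample trips both rules; in a real environment the share list, service accounts and window would come from the segmentation plan for the protected data.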

The key to a destructive attack is prevention through good hygiene. If the adversary leverages a zero-day exploit or finds a crack in your organization’s security armor, then speed of detection and containment is crucial.

Technological Advancements to Deal With This Problem

Cyber adversaries have been very successful at staying one step ahead. Constantly changing tools and techniques continue to aid their success. There are even service offerings on the black market, for example “ransomware as a service,” that enable less sophisticated actors. The increased financial and political gain from cyber breaches has caused a rapid increase in the number and sophistication of threat actors. Organizations in the oil and gas industry, in conjunction with a strong cyber hygiene program and proper network segmentation, should explore security solutions that can help detect and identify unknown threats that routinely evade signature/threat intelligence-based cybersecurity products. For example, real-time threat detection using AI/ML is focused on malicious content (file-based or fileless attacks) without the use of signatures or behavior detection engines.

With the rapid increase in ransomware and other destructive malware, which are capable of impacting an organization immediately upon payload delivery, organizations should shift their focus to leveraging artificial intelligence at the point of entry into their network to better deliver rapid and scalable detection along with increased analyst efficiency.

Proactive cyber defense must be the new normal. The luxury of waiting for an attack before reacting is over. Do not expect others to solve or stop cybersecurity problems for your organization. Cyber risks pose physical and potentially catastrophic risks to many industry verticals, including the oil and gas industry. Over-reliance on reactive security and check-box compliance is a proven recipe for failure in mitigating cyber risks, as routinely seen in the news. The oil and gas industry has taken major steps toward reducing cyber risk over the last several years, but in security the job is never done as long as there are capable adversaries wanting access.

First Published in American Public Gas Association’s (APGA) quarterly publication: The Source

Team member
Travis Rosiek
With nearly 20 years of experience in the security industry, Travis Rosiek is a highly accomplished cyber defense professional having led several commercial and U.S. government programs. He is known for developing and executing strategic plans to build the technical capacity across product development, quality assurance, technical marketing, professional services and sales engineering. Prior to his role at BluVector, Rosiek held several leadership roles including CTO at Tychon and Federal CTO at FireEye as well as senior roles at CloudHASH Security, McAfee and Defense Information Systems Agency (DISA).
