Skip to main content

Cyber security: the changing threat landscape in oil and gas

Published by
Hydrocarbon Engineering,

Cyber crime costs the global economy more than US$400 billion per year, according to estimates by the Centre for Strategic and International Studies. With Evraz and Rosneft falling victim to the most recent widespread Petya ransomware attack, the increasingly digitised industry is facing major cyber security concerns for the first time.

A connected revolution

Historically reluctant to invest in technology, oil and gas companies are now experimenting with cloud and Internet of Things (IoT) to improve operational efficiency, visibility and safety. Applications include:

  • Monitoring and measuring emissions data in real time. By using cloud technology, companies can build a better picture of trends over time and use this insight to drive emissions strategies.
  • Storing data on remote servers anywhere in the world in real time via IoT. Monitoring equipment installed on local assets transmits information to software that is stored on central servers, rather than physically on an oil and gas site.
  • Feeding data into software such as a continuous emission monitoring system (CEMS) to collect, record and report data remotely. Businesses can access CEMS data and analyse it using a variety of devices. It is not necessary to store and run the software on a machine on-site, which reduces cost and removes the need to have on-site staff. Additionally, data is stored securely on multiple remote servers with back up and is not dependent on the health and reliability of an on-site machine.

Companies now need to consider how effective existing security arrangements are, how connected technology has changed the threat landscape and what level of investment in cyber security and privacy is needed to prevent attack.

Recognising risk

While the finance sector was hit hardest by the recent Petya malware attacks, Cybersecurity firm Kaspersky Labs, reports that more than 50% of the remaining targets fell into the categories of manufacturing or oil and gas. The high-value and high profile nature of the Oil & Gas Industry, together with its complex layers of supply chains, processes and industrial controls, makes it a high value target for hackers. A problem in one system can effect an entire operation.

The threat landscape

Security vulnerabilities arise when companies connect industrial control systems (ICSs) – along value chains in upstream, midstream, and downstream operations - to enterprise IT networks for more operational visibility and business insight.


Advanced persistent threats (APT) are one of the most deceptive types of cyber threat, breaching security with ‘low and slow’ attacks that are hard to detect before a breach is fully executed. APTs operate under the radar of most conventional IT cybersecurity tools, executing a series of small events that may not constitute a cyber attack, but could still indicate malicious intent.

Planned ransomware assaults may be the biggest threat, but unintentional incidents are just as dangerous. For example, an infected USB drive or third-party laptop can accidentally introduce malware and an overload of connected devices can overwhelm systems. It is expected that incidents like these will increase as more IoT devices migrate to operational environments.

Oil and gas firms commonly use third parties for operational technology (OT) management. This means they can have insufficient OT-specific knowledge of their equipment and, as a result, less control of the infrastructure and its security. For critical infrastructures and industrial companies, attacks can impact a company’s technological process and control systems, affect business production, finances, and even human safety.

The smartest business decision

Cyber security skills are crucial for the energy sector today. Oil and gas companies need to consider the importance of investing in cyber security specialists and training operational teams to ensure actions and processes are considered with cyber security in mind. This should include taking a high level view of all operational systems, equipment and personnel on a rig or a facility, to evaluate what is most vulnerable to attack. When assessing cyber security, human and social factors should be considered. This includes gaining a better understanding of how people behave and how this could affect security - such as how individuals share information internally. Are USBs connected and reconnected to different computers? Is critical data shared by email?

As cyber criminals become more sophisticated, the energy industry must develop a stronger and more responsive defence.

Read the article online at:


Embed article link: (copy the HTML code below):


This article has been tagged under the following:

Downstream news