Hackers are drilling for more than just data in the oil and gas industry

Oil and gas is a critical sector that still largely relies on legacy systems to get things done.

Traditionally slow to adopt new technologies, modern oil and gas companies are trying to bootstrap themselves into the modern cyber age on an ad-hoc basis, with varying degrees of success. While the sector realises the cyber-threats looming over their industry, the long tail of legacy hardware and software dependencies that make up their tech stack makes upgrading cybersecurity tricky, if not impossible.
 

The mix of old and new technologies create unique vulnerabilities

Due to the proprietary nature of technology involved in extraction operations, companies are forced to upgrade hardware and software piecemeal. Legacy systems with multi-generational dependencies are often patched ad hoc to internet-facing networks, creating vulnerabilities that hackers are learning how to better exploit. As companies stack new technologies like IoT on top of aging infrastructure, vulnerabilities multiply and create even more gaps for hackers to exploit.

Operational data is particularly sensitive to the industry, which is gathered at considerable expense by private operators. Oil and gas deposit locations discovered by costly surveying and prospecting work represents a major time and cost investment for any company, large or small. Not only is this hard-won data vulnerable to theft or corruption, it can be leveraged to launch future cyberattacks against the company or any of its partners.

 
The consequences of a data breach in oil and gas

Oil and gas operations face additional risks in the potential for attackers to take control of or even damage physical equipment. Cyberattacks that disrupt output capacity can have knock-on effects for society and the economy at large, as seen with the recent Colonial Pipeline attack. Any compromise of infrastructure also leaves the door open to nation state-backed threat actors performing acts of espionage or sabotage. Besides the financial impact, the public sentiment generated by large scale power outages or fuel shortages will leave the reputation of the organisations responsible in pieces.

Companies now find themselves in the uncomfortable position of scrambling to discover their own cybersecurity flaws before their attackers do. For an industry that has relied on ‘security by obscurity’ until recently, it’s a sink or swim moment. Hackers have become acutely aware that oil and gas operations in general have very rudimentary cybersecurity, and we can expect more oil and gas companies to be targeted.

Despite their best efforts to modernise, many areas in the oil and gas sector still lag behind, making companies who drag their feet on cyber resilience easier targets to single out. Oil and gas companies must foster a cyber-aware culture as a matter of survival, given the long-term risk and liabilities—financial, reputational, societal, and legal—of a potential data breach.  

As cyber risk becomes risk to public infrastructure and wellbeing, we’re seeing the oil and gas companies follow a similar path to other industries that have had to adapt to their new threat environment. Oil and gas companies are now working more collaboratively with cybersecurity thought leaders to establish standards and best practices. Case studies from similarly affected industries like manufacturing are being used to identify vulnerable areas and further shore up cyber defences based on real world learnings.

 
Cyber awareness can massively improve baseline security

The sector has come to rely on a mixture of baseline best practices and bespoke solutions to work around the limitations of a multi-generational technology stack. But technology aside, the single most effective cybersecurity measure companies can take is regular cyber awareness training.  
 
Cyber awareness training is one of the most effective ways to reduce an organisation’s human attack surface. Training needs to start at the senior level to drive a change in behaviour from the top down. Everyone in the organisation needs to follow basic cyber hygiene. As the gateway to any business, employees and contractors are some of the most common targets for social engineering attacks. 

Creating awareness of cyber hygiene at all levels engrains baseline security standards and practices into the culture of the organisation, dramatically reducing common vulnerabilities without worrying about the more complex tech stack issues.

By and large, most hackers still rely on human error to penetrate big organisations, including companies in the oil and gas sector. Your ‘human firewall’ is your biggest defence, which is why any cybersecurity strategy needs to put people at the centre. Fortunately, cyber awareness training has come a long way, and getting people on board with it has never been easier.