Cybersecurity challenges and solutions in the oil and gas sector

Petroleum Development Oman (PDO) is Oman’s biggest oil and gas producer. The company has over 8,900 employees and a concession area of 90,000 square kilometres, equivalent to one-third of Oman’s geographical area. The concession area consists of around 209 oil-producing fields, 55 producing gas fields, and more than 8,000 active wells. Due to the scale of its operation, the company increasingly uses digital technologies to enhance its efficiency, including a partnership with Honeywell. However, the importance of PDO’s operation at the national level also increases its cyber risk factor.  

Over the last few years, the company has stepped up its cybersecurity defences. Part of this fortification involved a partnership with Hexagon. Hexagon’s work focuses on sensors, software, and autonomous solutions. The company offers bespoke services to oil and gas clients, providing specific solutions to manage the convergence of IT and OT.  

PDO uses Hexagon’s PAS Cyber Integrity product, having signed a five-year partnership agreement in 2019. Hexagon initially reviewed PDO’s existing cybersecurity infrastructure before drawing up a project schedule for the partnership. PDO hopes to achieve robust cybersecurity across its operational technology using Hexagon’s Cyber Integrity solution. The integrated product includes inventory management, which maintains a completed inventory of OT and IT configuration data, vulnerability management, configuration management, risk analytics, compliance management, and backup and recovery features. It allows PDO to continuously identify emerging cyber risks within the company’s networks.  

Although PDO has not disclosed information on the number of cyber risks identified, the company has not reported any breaches since the inception of the partnership with Hexagon, even as the relative cyber risk level increased during 2021. 

Founded in 2000, Forescout delivers automated cybersecurity solutions across IT, IoT, and OT assets. The company serves a range of industries, but its emphasis on the convergence of IT and OT, and the cybersecurity risks associated with this, have attracted large oil and gas companies as clients. 

One of Forescout’s oil and gas customers is a leader in the offshore drilling industry with high levels of technology adoption and a large fleet. The company was faced with the challenge of identifying, quantifying, and mitigating cybersecurity risks within its extensive operational network. Due to the potential for cybersecurity incidents to impact worker safety and the reliability of its business, understanding cybersecurity risks and their origin was a priority for the company.  

Forescout worked to identify vulnerabilities within the client’s critical offshore system by building a qualified team that mapped the network’s vulnerabilities. In addition, all the existing assets within the network were identified and assessed for their relative risk level using an OT network monitoring tool.  

The company selected Forescout’s eyeInspect tool, which passively discovers, classifies, and monitors OT network devices. This process ensures that all assets are sufficiently protected. The tool includes in-depth device visibility, situational awareness, real-time threat detection, streamlined compliance, and effective incident response to provide an integrated cybersecurity solution. Automated data gathering was used to flag network traffic anomalies and create reports, allowing the company’s cybersecurity team to undertake real-time analysis of the incident.  

Due to the size of the client’s OT networks and constraints on the number of system sensors, Forescout strategically placed its hardware on choke points within the oil and gas company’s vessel network. As a result, Forescout demonstrated a pragmatic approach that balanced the need to provide robust cybersecurity to clients with large volumes of critical infrastructure and hard limits on the number of devices that can be monitored within an extensive network.

OMV is an Austrian multinational integrated oil, gas, and petrochemical company. The company, a leader in cybersecurity within the oil and gas industry, has continuously invested in its cybersecurity defenses. OMV asserts that cybersecurity is integral to its digital journey, identifying it as a key initiative within its digital infrastructure. Cybersecurity also forms a central aspect of the company’s sustainability annual reporting framework. 

OMV has created its own security framework, consisting of 50 regulatory documents that coincide with ISO 27000-series recommendations. External audits also provide quality control and assurance. In addition, OMV operates an information security management system (ISMS) in accordance with ISO 27000. The system provides a continuous improvement cycle where cyber threats are identified and mitigated and any potential information leaks are remediated. 

Continuous vulnerability scans of OMV’s cyber assets occur, and multifactor authentication is used throughout the company’s operations. Internal and external penetration tests also check for weaknesses in OMV’s cybersecurity defenses. OMV also conducts cyber emergency exercises annually using external expertise. Despite the rapid increase in cyber incidents in 2021 as cybercriminals exploited the exceptional circumstances of the pandemic, OMV did not report any noteworthy incidents.  

OMV also worked with Capgemini to increase the cybersecurity awareness of 27,000 employees in 2015. This aimed to increase the protection of critical information assets. Capgemini initially conducted a survey involving 22,000 participants. The survey responses were used to tailor a cybersecurity awareness strategy for OMV. The cybersecurity awareness training involved demonstrating live-hacking demos and classroom training for OMV’s employees.  

OMV has continued to develop its employees’ cybersecurity awareness, launching its KnowBe4 information security awareness platform in 2021. The platform involved extensive training content and included mandatory e-learnings and knowledge check tests, topic-based videos, classroom training, and anti-phishing email campaigns.