The impact of cybersecurity on the oil and gas industry

The matrix below details the areas of cybersecurity where oil and gas companies should be focusing their time and resources. We suggest oil and gas companies invest in technologies shaded in green, explore the prospect of investing in technologies shaded in yellow, and ignore areas shaded in red.  

In the graphic below, no areas of cybersecurity’s value chain are shaded red due to the critical nature of this theme to the safe and reliable operation of oil and gas companies. The interconnected nature of the cybersecurity value chain means that an oil and gas company’s cybersecurity is only as robust as its weakest element. Therefore, GlobalData recommends investing in almost all aspects of the value chain.  

However, chip-based security represents an aspect of cybersecurity that is more suited to pursuing contracts and partnerships, so the graphic recommends only exploring this technology and not yet investing in it. 

The Covid-19 pandemic changed the operating environment of oil and gas companies and catalysed internal change within the industry. More generally, the pandemic saw an increase in cyberattacks as attackers exploited the unprecedented nature of the situation to target cyber-naïve, remote-working employees.  

Google confirmed this in April 2020, when it stated that it had blocked 18 million daily malware and phishing emails related to Covid-19 in one week. This was in addition to more than 240 million Covid-related daily spam messages. The pandemic increased the cyber threat level. In this new landscape, no industry is safe, and the oil and gas sector remains especially vulnerable.  

To stay competitive amid the pandemic’s disruption to oil product demand, companies operating in the sector invested in technologies that would streamline production and cut costs. As a result, the wider industry experienced a rapid acceleration in its digitalisation. In particular, there was an uptick in demand for technologies that facilitated remote collaboration between field technicians and equipment experts. 

In a short time, devices such as rugged AR headsets, mobile phones, and tablets became necessities for the industry and provided a means to circumvent travel barriers. This reduced machine downtime by streamlining repair and maintenance activities, providing the companies that capitalised on this technology with a competitive edge. Companies such as BP, Chevron, Exxon Mobil, Baker Hughes, and National Orwell Varco continue to develop their remote collaboration tools.  

However, this rapid digitalisation significantly increased the attack surface for hackers, and the industry is still playing catch up on the threat posed. At the same time, the cyberattack risk remains high, and the need for robust cybersecurity is now acute. Some technology vendors are already positioning themselves to respond to the industry's demand for cybersecure digitalisation tools.  

In an interview with GlobalData, the co-founder and COO of Kognitiv Spark, Duncan McSporran, described an increase in demand for the company’s remote collaboration tool, RemoteSpark, during the pandemic. The COO asserted the importance of cybersecurity to the tool's success, describing Kognitiv Spark as “a cybersecurity company selling mixed reality solutions.” The interview also revealed that the ability to safely deploy the remote collaboration tool behind a firewall was now a priority for the company’s oil and gas clients.  

Using the example of remote collaboration tools, it is clear that the Covid-19 pandemic and the accompanying rush to digitalise have left the oil and gas industry vulnerable in an increasingly treacherous landscape of increasing cyberattacks. Oil and gas companies must now provide watertight security for their assets and ensure third-party suppliers and service providers do not compromise the company’s overall cyber defences. 

Although it was expected that the Russia-Ukraine war would be the first large-scale conflict in which cyber warfare would play a leading role, this has so far not taken place. However, the risk of cyber warfare coming into play as the war escalates remains real. Some commentators have suggested it is only a matter of time before the world sees a cyber Pearl Harbor.  

The critical nature of oil and gas infrastructure in an increasingly unstable world will heighten the risk of cyberattacks. On March 21, 2022, President Biden said intelligence indicated Russia was exploring a cyberattack against the US. He urged critical infrastructure owners and operators to “accelerate efforts to lock their digital doors.” The capacity for severe disruption, combined with the convergence of OT and IT and inadequately protected oil and gas infrastructure, will see oil and gas companies become prime targets during future conflicts. 

Oil and gas companies are waking up to the challenge of ESG and increasingly recognise its importance to investment decisions within their businesses. Although ESG contains three pillars, environmental, social, and governance, the first aspect is often seen as oil and gas companies’ biggest weakness. Additionally, progress on environmental issues has been slow, with events such as Covid-19 and the Russia-Ukraine war shifting focus away from longer-term strategies such as the industry’s energy transition.  

The cyberattack on the Colonial Pipeline in May 2021 was a wake-up call that exposed the oil and gas industry’s vulnerability to bad actors. Although the motivation for the attack was obtaining a ransom, the rise of hacktivism could see cyberattacks increasingly used to protest against companies with poor performance in ESG.  

Recent years have witnessed the rise of hacktivism, where computer or internet hacking activities are motivated by social or political causes. In 2017, the Carbon Disclosure Project (CDP) released a report detailing how 100 active fossil fuel producers, including ExxonMobil, Shell, BHP Billiton, and Gazprom, were linked to 71% of industrial greenhouse gas emissions since 1988. Although the attack on the Colonial Pipeline was motivated by extortion, a scenario where activist groups target oil and gas companies no longer seems so remote.  

In addition to the cost of disruption, oil and gas companies could face fines for improper safeguarding against these events as data security becomes an increasingly important aspect of ESG’s social pillar. For example, in May 2022, US regulators proposed that Colonial Pipeline be fined $1 million for lacking a sufficient cyberattack recovery plan and delaying the review of its cybersecurity systems. A robust, frequently reviewed cybersecurity system is needed if oil and gas companies are to avoid the disruption caused by cyberattacks. As the ESG landscape becomes ever more relevant and companies come under closer scrutiny for their data protection, cybersecurity will become an increasingly critical requirement. 

Technologies such as AI, blockchain, cloud computing, IoT, robotics, VR, and AR can offer tangible benefits to oil and gas companies. As a result, companies have heavily invested in these technologies in recent years to streamline their operations and gain an edge over their competitors. This is evidenced by GlobalData’s Patent Analytics. Total patent publications by oil and gas companies in this suite of technologies increased by 46% between October 2019 and April 2021, indicating a significant phase shift within the industry.  

However, integrating these technologies into oil and gas operations also comes with significant risks. The digitalisation wave in the oil and gas industry is creating new access points in industrial networks for hackers to exploit. As technology develops, from mobile to the cloud to IoT, the level of complexity needed for organisations to maintain a cyber-aware stance also increases. Delivering a secure environment for various mobile devices accessing corporate networks at any time is a world away from old intra-office systems. Today's default position is that systems are mobile, with significant security implications. In addition, the oil and gas industry will become increasingly vulnerable as it adopts wearable technology, integrating additional devices into its operations. 

Like many other sectors, the oil and gas industry suffers from a cybersecurity skills shortage. This shortage has become so acute that the World Economic Forum’s (WEF) 2022 Global Risks Report identified a 3-million-person shortage in cyber professionals worldwide. This shortage affects all industries, but the oil and gas industry is particularly exposed. The complexity of oil and gas supply chains and the prevalence of aging infrastructure has meant that the convergence of IT and OT has increased the risk of cyberattack.  

Additionally, widespread mobile device use has increased the risk of employee negligence facilitating or causing a cyberattack. The 2022 WEF Global Risks Report found that 95% of cybersecurity issues involved human error. Clearly, a combination of increasing digitalisation without the required awareness of cybersecurity leaves the oil and gas industry in a precarious position in the face of increasing cyberattacks. Mandatory cybersecurity awareness training across the workforce and recruitment of experienced cybersecurity professionals will be required.