Expert view
Key questions about cybersecurity in the oil and gas industry: Q&A with GlobalData thematic analyst
Credit: Bert van Dijk/Getty images.
Powered by
Francesca Gregory joined GlobalData as an associate analyst in the Thematic Intelligence team in September 2021, before specialising as an energy transition analyst in February 2023. Francesca studied Geography at the University of Oxford and has an interest in renewable energy, carbon capture and storage (CCS), and the applications of technology to the energy sector.
Lara Virrey: What are the biggest cybersecurity challenges facing oil & gas companies today?
Francesca Gregory: In recent years, the term ‘digital oilfield’ has come to the fore in the industry. The term is a broad concept that encapsulates how applying digital technologies within oil and gas processes and workflows can maximise productivity, reduce costs, and minimise risks.
Technologies such as AI, blockchain, cloud computing, IoT, robotics, VR, and AR can offer tangible benefits to oil and gas companies. As a result, companies have heavily invested in these technologies in recent years to streamline their operations and gain an edge over their competitors. However, integrating these technologies into oil and gas operations also comes with significant risks.
The digitalisation wave in the oil and gas industry is creating new access points in industrial networks for hackers to exploit.
As technology develops, from mobile to the cloud to IoT, the level of complexity needed for organisations to maintain a cyber-aware stance also increases. In addition, the oil and gas industry will become increasingly vulnerable as it adopts wearable technology, integrating additional devices into its operations.
Lara Virrey: How can oil & gas companies best defend themselves against cyber threats?
Francesca Gregory: In its March 2022 Cybersecurity Skills Gap report, Fortinet revealed that 80% of organisations suffered one or more breaches that could be attributed to a lack of cybersecurity skills and/or awareness. The study illustrates how humans remain the weakest link in the cybersecurity chain.
The oil and gas industry is no exception regarding the cybersecurity skills shortage. The industry already suffers from an aging workforce, and cybersecurity skills in particular are in short supply. As digitalisation continues, strong cybersecurity hiring activity and the further roll out of mandatory cybersecurity best practice training can be expected as the industry tries to better protect itself from cyber threats.
Cybersecurity will also become increasingly integral to oil and gas companies’ digital strategy. Major operators within the sector will continue to seek cloud partnerships with third party tech players, such as Microsoft and Amazon, to protect their digital assets.
Lara Virrey: How has the nature of cybersecurity threats to the oil & gas industry changed in the past two to three years?
Francesca Gregory: The Covid-19 pandemic changed the operating environment of oil and gas companies and catalysed internal change within the industry. More generally, the pandemic saw an increase in cyberattacks as attackers exploited the unprecedented nature of the situation to target cyber-naïve, remote-working employees. In this new landscape, no industry is safe, and the relationship between oil and gas assets and national energy security makes the sector especially vulnerable.
In addition, to stay competitive amid the pandemic’s disruption to oil product demand, companies operating in the sector invested in technologies that would streamline production and cut costs. As a result, the wider industry experienced a rapid acceleration in its digitalisation.
In particular, there was an uptick in demand for technologies that facilitated remote collaboration between field technicians and equipment experts, circumventing travel restrictions. However, this rapid digitalisation significantly increased the attack surface for hackers, and the industry is still playing catch up on the threat posed. At the same time, the cyberattack risk remains high, and the need for robust cybersecurity is now acute.
Lara Virrey: Is the pace of innovation in security technologies keeping up with evolving threats?
Francesca Gregory: To put it bluntly, no it's not keeping up, and there is a risk that emerging technologies such as generative AI will increase the risk to all sectors, including oil and gas. That’s because generative AI tools have the potential to change the way cyber threats are developed and executed. They can generate human-like text and speech, and models can be used to automate the creation of phishing emails, social engineering attacks, and other types of malicious content.
Sometimes the way a phishing message is phrased raises alarm bells because of the grammar, or something just doesn’t look right. But a generative AI model trained on a large dataset of phishing emails could be used to automatically generate new, highly convincing phishing emails that are more difficult to detect. The potential for increasingly convincing phishing emails leaves sectors with workforces that have low cybersecurity awareness highly exposed.
Lara Virrey: Are oil & gas companies doing enough to protect themselves against cyber threats?
Francesca Gregory: The Colonial Pipeline attack in May 2021 was a wake-up call that highlighted the vulnerability of the oil and gas industry to cyber threats. As a result, cybersecurity revenues within the energy sector are expected to strongly increase, reaching $9.3bn by 2026 after experiencing a CAGR of 13.9% between 2021 and 2026.
However, although cybersecurity spending is increasing and this technology is becoming a central tenet to companies’ digital strategies, the absence of a chief information security officer (CISO) on the board of 80% of the top ten most valuable oil and gas companies suggests that cybersecurity is still not being taken seriously enough.
GlobalData, the leading provider of industry intelligence, provided the underlying data, research, and analysis used to produce this article.
GlobalData’s Thematic Intelligence uses proprietary data, research, and analysis to provide a forward-looking perspective on the key themes that will shape the future of the world’s largest industries and the organisations within them.