Interview

Cyber threat to oil and gas driven by geopolitics, extortion

Claroty's Andrew Lintell tells Stu Robarts about the growing cyber threat to the oil and gas sector, who's behind attacks and what firms can do.

Andrew Lintell, general manager for EMEA at Claroty.

Concerns about cybersecurity within the oil and gas sector are higher than ever, driven by geopolitical upheaval around the globe and cybercriminals seeking to extort money. 

GlobalData analytics show that, despite a 35% decline in mentions of cybersecurity in global oil and gas company filings in Q2 2024 compared to the previous quarter, mentions for the full year will surpass those of 2023 in the next month or two to hit an all-time high. 

These concerns are not without foundation, with the UK’s National Cyber Security Centre and the White House having both been moved to warn of a growing cyber threat to critical national infrastructure (CNI) organisations. 

Speaking in May to Offshore Technology’s sister site Verdict about the threat posed to countries’ CNI, Edgard Capdevielle, CEO of operational technology cybersecurity firm Nozomi Networks, said that the sector rarely experienced cyberattacks a decade ago but that ten years on: “The nature and frequency of attacks has increased dramatically.” 

That view was shared by Anthony Young, CEO of CNI cybersecurity firm Bridewell, who said that, while financial services used to be the primary target for cyber attackers, they have since recognised the financial and political potential of disrupting CNI. 

Many such attacks are indeed simply for financial gain, but Netscout’s threat intelligence lead Richard Hummel told Verdict: “I would say that attacks associated with geopolitical events are greater than ever before. Honestly, if I had to pinpoint the turning point, it was when Russia invaded Ukraine.” 

For the oil and gas sector, the evolving threat landscape is of particular significance. Not only can attacks disrupt supply, but they could be deadly, with the potential for explosive commodities to be weaponised. 

Speaking to Offshore Technology, Andrew Lintell, general manager for EMEA at cyber-physical systems protection firm Claroty, which provides industrial cybersecurity controls for oil and gas companies, outlined the evolving threat posed to the sector, the motivations for perpetrators and what organisations need to do to protect themselves. 

Stu Robarts: How have cyber threats in the oil and gas industry evolved over the years?

Andrew Lintell: The biggest evolution in recent years is the digital revolution, which has reshaped the oil and gas industry. It has introduced technologies like the internet of things (IoT), artificial intelligence (AI), virtual reality and big data analytics that have driven efficiency and innovation. However, digital transformation has introduced newer challenges and exposed the sector to sophisticated cyber threats.

Major cyberattacks, like the Colonial Pipeline and the ARA refining hub attack, are testaments to how an attack on the oil and gas sector can impact individuals’ daily lives. The attacks also highlighted the vulnerability of critical infrastructure and prompted tighter regulations. 

Hence, new directives and standards like the TSA directive for pipeline owners and operators, IEC standards, ISO/IEC 27001 and NIST CSF have been introduced. However, compliance with these evolving regulations is burdensome, especially for smaller companies, which may struggle with the associated costs and resource demands. 

Additionally, much of the industry’s infrastructure is ageing. The legacy systems are often outdated and lack essential security patches, making them prime cyberattack targets. Among the standards, the IEC standards (particularly IEC 62443) specifically address the challenges of securing legacy systems while ISO/IEC 27001 and NIST CSF encourage risk management practices that inherently cover older infrastructure, though they do not focus on it explicitly. 

Stu Robarts: From what type of perpetrators do the main threats come today?

Andrew Lintell: Over the past decade, nation-state actors have increasingly driven cyber threats, particularly targeting critical infrastructure sectors like oil and gas, energy, healthcare and telecommunications. These attacks are often motivated by espionage, sabotage and the desire to influence geopolitical events.

But now, with the rise of AI, even the most amateur criminal gangs can carry out sophisticated, high-end cyberattacks. Adversaries can use machine learning to automate attacks, evade detection and execute sophisticated threats. They can also orchestrate attacks like AI-powered phishing, deep fake scams and automated vulnerability exploitation. 

Nation-state-backed cybercriminals, whose modus operandi is to cause maximum disruption, are increasingly using AI-powered tactics like targeted phishing and automated vulnerability exploitation. These threats, specifically aimed at critical sectors like oil and gas, will only intensify as AI becomes more commonplace, making the industry a prime target for such disruptive attacks. 

Stu Robarts: To what extent has geopolitical turmoil increased the threat within the sector?

Andrew Lintell: Fluctuating oil prices, driven by geopolitical tensions, economic instability and environmental pressures, create a volatile environment that challenges long-term planning and investment. Trade pressures, political instability in key producing regions and disruptions like the energy trade shifts between Europe and Russia exacerbate the threat landscape.

The financial uncertainty caused by these issues often forces companies to cut costs, with cybersecurity frequently being one of the first areas to suffer. Such reductions in cybersecurity investment can lead to severe financial, reputational and regulatory repercussions in the long run. The cost of a breach will almost always be more than the cost of investing in effective cybersecurity measures and tools. 

Also, the industry’s increasing reliance on advanced extraction methods, such as offshore drilling and fracking, further complicates the situation. These methods depend heavily on interconnected operational technology (OT) systems, industrial control systems (ICS) and SCADA systems. 

The integration of these systems across various processes creates more entry points, or an expanded attack surface, that cybercriminals can exploit. As these systems are often connected to both IT networks and physical machinery, a breach can lead to significant disruptions, including the potential manipulation of physical operations, making the sector more vulnerable to sophisticated cyberattacks. 

Stu Robarts: What types of cyberattacks is the industry most at threat from?

Andrew Lintell: Given that the oil and gas sector is classified as critical national infrastructure, a successful ransomware attack can have devastating consequences, not just financially but also in terms of public safety.

This year, 67% of energy, oil, gas and utilities organisations were hit by ransomware, with 80% of these attacks resulting in data encryption. To make matters worse, the financial impact is severe, with recovery costs averaging $3.12m per incident. Also, as I mentioned, the fact that the oil and gas sector uses so many legacy systems is a major concern. 

Legacy systems and outdated designs lack the strong security measures to combat modern threats. These systems often run on obsolete operating systems that no longer receive security updates, making them prime targets for cyberattacks such as data breaches and ransomware. The incompatibility of these legacy systems with contemporary security tools further exacerbates their vulnerability. 

Stu Robarts: How should businesses within the sector protect themselves?

Andrew Lintell: To effectively protect the oil and gas sector from cyber threats, comprehensive visibility into all cyber-physical systems (CPS) within the OT environment is essential. Maintaining a real-time inventory of assets across drilling sites, pipelines, refineries and plants is fundamental to industrial cybersecurity. Without this detailed understanding, securing these assets becomes an overwhelming challenge.

Another key strategy is seamlessly integrating IT and OT systems. Since many CPSs in the oil and gas industry rely on legacy systems and proprietary protocols, compatibility with traditional IT systems can be an issue. Instead of overhauling existing technology stacks, companies should adopt solutions that extend IT tools and workflows into the OT environment, ensuring cohesive security management. 

It is also crucial to consistently apply IT security controls and governance across OT environments, such as SCADA systems and ICS, which often lack powerful cybersecurity measures. Unified security governance across IT and OT is necessary to build resilience against cyber threats. 

Finally, network segmentation is vital. By isolating critical systems and sensitive data, companies can limit the spread of malware and reduce the impact of potential attacks, allowing for tailored security policies that address the specific needs of each network segment. 
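The asset inventory and zone-based segmentation described in this answer, and the legacy-OS concern raised earlier, can be checked mechanically once both exist as data. The following is an added illustration, not Claroty's or the interviewee's code: it uses a constructed inventory with IEC 62443-style zone labels, an allow-list of zone-to-zone conduits, and constructed flow records, and reports cross-zone traffic without an approved conduit, devices missing from the inventory, and assets whose OS no longer receives updates. All names, addresses and OS versions are assumptions for the example.

```python
from collections import namedtuple

# Inventory record; patch_supported is False when the OS gets no more security updates.
Asset = namedtuple("Asset", "name ip zone os patch_supported")

# Constructed inventory: names, addresses and OS versions are illustrative only.
INVENTORY = [
    Asset("erp-app", "10.1.0.8", "corporate_it", "RHEL 9", True),
    Asset("hist-01", "10.10.0.5", "dmz", "Windows Server 2019", True),
    Asset("hmi-07", "10.20.0.12", "scada", "Windows 7", False),
    Asset("eng-ws-02", "10.20.0.40", "scada", "Windows 10", True),
    Asset("plc-pump-3", "10.30.0.21", "plc", "vendor firmware", False),
]

# Allowed conduits between zones as (source zone, destination zone, TCP port).
ALLOWED_CONDUITS = {
    ("corporate_it", "dmz", 443),  # business systems read from the historian
    ("dmz", "scada", 502),         # historian polls Modbus/TCP from SCADA hosts
    ("scada", "plc", 502),         # HMIs and engineering stations talk to PLCs
}

# Constructed flow records as (src_ip, dst_ip, dst_port) from a passive sensor.
FLOWS = [
    ("10.1.0.8", "10.10.0.5", 443),
    ("10.10.0.5", "10.20.0.12", 502),
    ("10.20.0.40", "10.30.0.21", 502),
    ("10.1.0.8", "10.30.0.21", 502),      # corporate host reaching a PLC directly
    ("10.20.0.12", "10.1.0.8", 445),      # SCADA host opening SMB into IT
    ("192.168.99.9", "10.30.0.21", 502),  # device that is not in the inventory
]

def zone_of(ip, inventory):
    """Map an IP to its zone; None means the device is not in the inventory."""
    return next((a.zone for a in inventory if a.ip == ip), None)

def find_violations(flows, inventory, allowed):
    """Return flows not covered by an allowed conduit; flows inside one zone pass."""
    findings = []
    for src, dst, port in flows:
        src_zone, dst_zone = zone_of(src, inventory), zone_of(dst, inventory)
        if src_zone is None or dst_zone is None:
            findings.append((src, dst, port, "unknown asset"))
        elif src_zone != dst_zone and (src_zone, dst_zone, port) not in allowed:
            findings.append((src, dst, port, f"no conduit {src_zone}->{dst_zone}:{port}"))
    return findings

def unsupported_assets(inventory):
    """Names of inventoried assets whose OS no longer receives security updates."""
    return [a.name for a in inventory if not a.patch_supported]
```

In practice the inventory and flow records would come from the discovery and monitoring tooling already deployed on the OT network; the check itself stays the same.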

Stu Robarts: What does the future of cybersecurity in oil and gas look like?

Andrew Lintell: With digitalisation now being a necessity to the sector, advanced defences must also be a top priority. The future of cybersecurity in the oil and gas industry will be defined by integrating modern-day technologies and the need for a proactive, resilient approach. AI and machine learning will play a critical role in threat detection and response, enabling real-time monitoring and automation of security processes.

Also, the convergence of IT and OT environments will require a unified security strategy that addresses both traditional IT threats and the unique vulnerabilities of operational technology. 

With geopolitical tensions on the rise, companies must prioritise network segmentation, asset visibility and continuous updates to their security frameworks. The adoption of zero-trust architectures and enhanced regulatory compliance will also be crucial. Ultimately, a strong, adaptive cybersecurity posture will safeguard the industry’s critical infrastructure and ensure its operational continuity in the face of evolving threats.