How to Protect Oil & Gas Industry Infrastructure

By Cody P. Bann, Director of Engineering, SmartSights

Presidential Policy Directive 21 identifies the energy sector as uniquely critical because it provides an enabling function across all critical infrastructure sectors. Without a stable energy supply, health and welfare are threatened and the U.S. economy cannot function.

The market’s production, transportation and refining processes rely heavily on automation and control systems connected to the Internet, making the sector more vulnerable to cyberattacks due to the high value of the data and systems they control. To that end, the global oil and gas industry experienced an astounding 87% increase in company filings’ mentions of cybersecurity in Q1 2024 compared with the previous quarter.

The natural gas pipeline infrastructure in the United States has also been the target of repeated attacks over a number of years. One of the most recent was a coordinated attack on four of the country’s biggest gas pipeline companies.

According to the latest ransomware report by Sophos, energy/oil and gas/utilities is now the industry with the third highest rate of attack, with 67% targeted by ransomware in 2023. Exploited vulnerabilities were the leading cause of such attacks within the sector, exceeding the rate of all other sectors for this root cause.

And attacks in the sector were highly successful, affecting more computer systems than any other sector — 62% — and compromising 79% backups at a higher rate than any other sector.

While digital transformation may be exacerbating cyberattacks, the answer to optimizing processes, increasing cybersecurity and meeting new government reporting regulations may be rooted in additional technology.

Operations and Technology

The need to optimize production and minimize downtime is crucial in this industry. Leveraging digital technologies can aid in streamlining processes, improving decision-making and reducing inefficiencies. The ultimate goal of adopting modern systems is to have a wholly efficient, maybe even an autonomous process that cuts out excess fat, ballooning costs and wasteful operations.

Focus should be on end-to-end process improvement, which will, in turn, help shape collaboration within the organization. That means investing in training and education, process automation, related hardware and new tools or software.

Continuous operational improvement starts with capturing data from machine assets. This data provides immediate insights for both people and systems, enabling them to make better, faster decisions and drive automation. While accurate, real-time data is pivotal to operations, harnessing this data effectively requires advanced technology and analytical capabilities.

Data Analysis & Efficiencies

Oil and gas companies increasingly use data to drive process improvements and optimize production. Vast amounts of data are collected for environmental reporting, predictive maintenance and safety enhancements, for example, but companies may be challenged to effectively manage and analyze the data.

And while monitoring and alarms can improve system efficiency, they don’t automate the labor-intensive reporting process or provide much-needed analytics that extract raw or summary values over a discrete time period.

Automated third-party reporting software, however, tracks all stages of an energy pipeline supply chain (see chart). The finished reports are then distributed directly to preferred destinations, which streamlines the decision-making process and enhances operational efficiency.

The ability to harness this data effectively can lead to smarter decision-making, improved processes and a competitive edge. Analyzing historical data allows operations management to identify patterns, trends and anomalies that may otherwise go unnoticed. Historical data analytics can help companies transition from reactive to proactive planning and keep planning aligned with operations.

Cybersecurity Protocol and Advanced Software

The oil and gas industry is a prime target for cyberattacks due to the high value of the data and systems they control. The increased reliance on technology makes the sector even more vulnerable, which can cause significant disruptions to operations and potentially have severe consequences for the industry and the broader economy.

In a 2023 industry survey by DNV, 69% of oil and gas professionals worry that their organization is more vulnerable to cyberattacks on their OT networks now than at any other point in their history — and they acknowledge cyberattacks are a question of when, not if.

To build resilience, oil and gas firms need to understand how an attack can impact their operations and primary business processes. Could an incident cause production shutdowns? Could it impact the delivery and agreements the organization has with customers, clients and partners? Could it have an impact on the public and see critical infrastructure that provides gas to a country shut down?

Companies can take proactive steps to help add protection against cyberattacks. Although replacing legacy systems and networks can be costly, it’s essential to work with vendors and cybersecurity experts to implement updates and, if necessary, overhaul outdated systems. Get help from internal or external advisors to prioritize risk and develop a realistic plan for enhancing cybersecurity.

At a minimum, comply with basic standards, including restricted physical and technical access, firewalls, logging and encryption.

Additionally, many SCADA systems are simply over-exposed to the Internet by remote desktop applications (e.g. RDP and TeamViewer). To provide process and asset information to operators, organizations have provided much more access, ignoring the principle of least privilege (PoLP) and opening their entire control systems and hosts to remote desktop access by unnecessary parties. Such broad remote access techniques present an increased security risk.

Advanced remote alarm notification software and reporting software allows remote operators access to only the information they need from SCADA and not access to the SCADA itself or its operating system host. Such notification software is compatible with more secure, layered networks in which a series of firewalls provide added protection from attacks.

This is done by deploying notification solutions alongside the SCADA system at the network's control level and using notification modalities that aren’t Internet facing or distributing Internet-facing notification processes to higher levels.

For example, internal email servers, SMS modems and voice via PBX devices allow communication with the outside world without Internet exposure. Likewise, distributing the processes that interface with SCADA from those that interface with external email servers, VoIP solutions and cloud apps allow Internet-based notifications without compromising security.

Of course, there are valid use cases for desktop sharing software that don’t violate PoLP and go well beyond operator access to process information. For such systems, it’s critical that the remote desktop solutions be implemented with sound security.

Oil and gas companies should not use unattended access features, and IT leaders should configure the software such that the application and associated background services are stopped when not in use. Integrating the remote alarm notification software through the SCADA system is critical to further mitigating cyberattacks.

Oil and gas companies should take several steps to improve their cybersecurity, as follows:

• Update any software to the latest version.
• Deploy multifactor authentication; favor authentication apps and SMS over codes sent to email.
• Use strong passwords changed periodically where multifactor authentication can’t be employed.
• Ensure antivirus systems, spam filters and firewalls are up to date, properly configured and secure.
• Require all personnel go through cybersecurity awareness training.
• Create or review backup and recovery plans.