Information Security Pen Testing Technology
Oil Rig Night Sky

Since opening a new office in Aberdeen, we’ve been exploring cyber security advancements in the Oil & Gas Industry. 

A key contributor is the adoption of new IoT infrastructures, leading to the industry seeing one of the most significant digital transformations in modern history.

It makes sense. Introducing new data points and creating greater connectivity has reduced operational costs and made the industry more efficient with less waste. Oil and Gas organisations also have access to some of the leading resources for data-backed decision making.

But this revolution has come about at speed. And with speed can come new threats from cyber security. Threats that cost the UK Oil & Gas industry £400 billion a year, according to government research, despite Ofgem not reporting a single data breach from energy companies in 2020

Decision-makers have often understood cyber security as a purely digital process.

This thinking might be why it took a software provider to discover 50% of UK Oil & Gas companies had actually suffered a cyber attack in 2020.

You see, cyber security is just as physical as the IoT infrastructure, mining, and operations across your supply chain. Every sensor and server, the connections between, and the passwords in your employees’ heads impact cyber security. 

That’s why being in Aberdeen is transformative in our process to protect oil and gas companies. We’re able to get out on the ground and use our NIST informed process to analyse both the physical, digital and human risks out there.

What can we learn from increasing cyber attacks in the Gas and Oil industry

Not only are cyber security breaches expensive, but they are also actually on the rise. So, what can we learn from the biggest rising threat to the energy industry?

They are hiding in plain sight

In August 2014, there was the Trojan Keylogger and Virus attack on 50 oil and energy companies in Norway, including State Oil. By Trojan, we mean the attackers accessed target systems in plain sight by posing as an innocent attachment on an email. Without proper training for your staff, they could open up a secure system to unnecessary vulnerabilities.

They are wiping out your hard drives

In January 2017, Saudi Aramco received a malware attack known as Shamoon 2.0. The attack wiped out the organisation’s hard drives and crippling all most all computer systems. Malware attacks such as these are dangerous as in addition to shutting down systems and equipment – they wipe out the evidence of how they worked or where they come from.

They are shutting down pipelines

In 2021, the Colonial pipeline received a ransomware attack that impacted pressure sensors, thermostats, valves and pumps. Doing so cut off multiple major supply pipes transporting 45% of the US East Coast’s fuel. These ransomware attacks take advantage of sophisticated IoT solutions and can cause physical danger to individuals near the lines and permanently damage equipment.

They are causing explosions

In August 2017, the Sarara Chemical Company received a Triton Malware attack that aimed to gain control of the organisation’s operational system and cause an explosion. It goes without saying that this type of attack can be detrimental to human life.

They are blocking IT systems

In May 2021, Engineering firm Weir was hit by a ransomware attack designed to shut down operations and ultimately forced the delay of shipments worth over £50 million. By its nature ransomware is hard to detect and get rid of, meaning hackers can hold an organisation hostage for a prolonged period.

How can you protect your organisation in the Oil and Gas industry?

Protecting your organisation begins with education. You can’t fight what you don’t understand. Evaluate how clued up you are on approaching each of these lines of defence.

Educate employees on how to stay vigilant against cyber attacks

From passwords to phishing emails – what active steps are you taking to educate your employees on emerging technology best practices?

Prioritise cyber security at board level

Attackers will stop at nothing to access your business, so you must require an element of cyber security in every level of decision making. From the coffee machine to GPS software to a new drill, your board needs to be aware of the implications a new touchpoint brings in.

Evaluate the true extent of the impact caused by a security breach

We often think of security breaches and data leaks. But in oil and gas, a breach can cause environmental disasters, loss of human life, damage the economy, and leave entire towns without power. Who relies on your organisation, and who will be impacted when something goes wrong?

Correctly manage old software and hardware

Old software creates new problems. How are you maintaining old software, and what flexibility do you have to update it when it becomes a problem? Many organisations build software into their operations in a way that makes it almost impossible to remove. And inflexible software can become dangerous or costly to revert.

Think of offshore and onshore as a single ecosystem

Some organisations see offshore and onshore as two separate entities, linked by a few systems for operational efficiency, but left to run separately. But this is wrong. Your offshore and onshore systems and processes should act as one giant ecosystem. If you find a breach in one, a breach is happening in the other.

If you’re unsure about anything we raised in this article, our seasoned security experts can help. Our Aberdeen team can come out and meet decision-makers in your Oil & Gas organisation to help you understand your current position. From there, we’ll improve the security of your systems and the safety of the people around them.