International Journal of Trend in Scientific Research and Development (IJTSRD)

Volume 8 Issue 5, Sep-Oct 2024 Available Online: www.ijtsrd.com e-ISSN: 2456 – 6470

Cybersecurity in Oil and Gas Industry

Matthew N. O. Sadiku1, Paul A. Adekunte2, Janet O. Sadiku3
1
Roy G. Perry College of Engineering, Prairie View A&M University, Prairie View, TX, USA
2
International Institute of Professional Security, Lagos, Nigeria
3
Juliana King University, Houston, TX, USA

ABSTRACT How to cite this paper: Matthew N. O.

Oil and gas (O&G) companies deal with vast amounts of sensitive Sadiku | Paul A. Adekunte | Janet O.
information, and protecting it is vital to prevent financial loss, Sadiku "Cybersecurity in Oil and Gas
reputational damage, and regulatory non-compliance. Playing a vital Industry" Published
in International
role in the global economy, the oil and gas industry is a prime cyber
Journal of Trend in
threat target. A cyberattack on O&G critical infrastructure could Scientific Research
cause physical, environmental, and economic harm and broad and Development
disruptions to oil and gas supplies and markets. Cybersecurity is (ijtsrd), ISSN:
paramount for the oil and gas industry as it plays a critical role in 2456-6470, IJTSRD69459
securing the sensitive data and operational technology that enables Volume-8 | Issue-5,
the industry to extract, produce, and transport oil and gas. The paper October 2024, pp.830-838, URL:
focuses on systematically exploring cybersecurity and safety www.ijtsrd.com/papers/ijtsrd69459.pdf
challenges of the O&G sector.
Copyright © 2024 by author (s) and
KEYWORDS: oil & gas industry, petrochemical industry, security, International Journal of Trend in
cybersecurity Scientific Research and Development
Journal. This is an
Open Access article
distributed under the
terms of the Creative Commons
Attribution License (CC BY 4.0)
(http://creativecommons.org/licenses/by/4.0)

INTRODUCTION
The oil and gas industry is a prime target for cyber- severe, leading to physical damage, production
attacks due to the high value of the data and systems disruptions, environmental disasters, and significant
they control. Cyber attacks on the oil and gas industry financial losses.
are growing because the sector is becoming OVERVIEW ON CYBERSECURITY
increasingly dependent on technology and Cybersecurity refers to a set of technologies and
automation. The industry’s production, transportation, practices designed to protect networks and
and refining processes rely heavily on control systems
information from damage or unauthorized access. It is
connected to the Internet, making them vulnerable to vital because governments, companies, and military
cyber threats [1]. Oil and gas companies, being organizations collect, process, and store a lot of data.
critical infrastructure, can become prime targets for As shown in Figure 1, cybersecurity involves multiple
state-sponsored or politically motivated cyber groups issues related to people, process, and technology [3].
aiming to disrupt operations, steal sensitive data, or Figure 2 shows different components of cybersecurity
cause economic damage. Gas producers may face a [4].
range of security risks, from production shutdowns to
inaccessibility. This could result in long-term A typical cyber attack is an attempt by adversaries or
shortages [2]. cybercriminals to gain access to and modify their
target's computer system or network. Cybercriminals
Cybersecurity is a critical aspect of the oil and gas or ethical hackers are modern-day digital warriors,
industry because it protects the sensitive data and possessing extraordinary skills and knowledge to
operational technology that the industry relies on. Oil breach even the most impregnable systems. A typical
and gas operations involve critical infrastructure such cybercriminal is shown on Figure 3 [5]. Cyber attacks
as refineries, pipelines, and drilling rigs. These are becoming more frequent, sophisticated,
operations are vulnerable to cyberattacks. The dangerous, and destructive. They are threatening the
consequences of successful cyberattacks can be
operation of businesses, banks, companies, and

@ IJTSRD | Unique Paper ID – IJTSRD69459 | Volume – 8 | Issue – 5 | Sep-Oct 2024 Page 830
 International Journal of Trend in Scientific Research and Development @ www.ijtsrd.com eISSN: 2456-6470
government networks. They vary from illegal crime  Phishing: Criminals trick victims into handing
of individual citizen (hacking) to actions of groups over their personal information such as online
(terrorists) [6]. passwords, social security number, and credit card
The cybersecurity is a dynamic, interdisciplinary field numbers.
involving information systems, computer science, and  Denial-of-Service Attacks: These are designed to
criminology. The security objectives have been make a network resource unavailable to its
availability, authentication, confidentiality, intended users. These can prevent the user from
nonrepudiation, and integrity. A security incident is accessing email, websites, online accounts or
an act that threatens the confidentiality, integrity, or other services.
availability of information assets and systems [7].
 Social Engineering Attacks: A cyber criminal
 Availability: This refers to availability of attempts to trick users to disclose sensitive
information and ensuring that authorized parties information. A social engineer aims to convince a
can access the information when needed. Attacks user through impersonation to disclose secrets
targeting availability of service generally leads to such as passwords, card numbers, or social
denial of service. security number.
 Authenticity: This ensures that the identity of an  Man-In-the-Middle Attack: This is a cyber attack
individual user or system is the identity claimed. where a malicious attacker secretly inserts
This usually involves using username and him/herself into a conversation between two
password to validate the identity of the user. It parties who believe they are directly
may also take the form of what you have such as communicating with each other. A common
a driver’s license, an RSA token, or a smart card. example of man-in-the-middle attacks is
 Integrity: Data integrity means information is eavesdropping. The goal of such an attack is to
authentic and complete. This assures that data, steal personal information.
devices, and processes are free from tampering. These and other cyber attacks or threats are shown in
Data should be free from injection, deletion, or Figure 4 [9].
corruption. When integrity is targeted,
The social and financial importance of cybersecurity
nonrepudiation is also affected.
is increasingly being recognized by businesses,
 Confidentiality: Confidentiality ensures that organizations, and governments. Cybersecurity
measures are taken to prevent sensitive involves reducing the risk of cyber attacks. Cyber
information from reaching the wrong persons. risks should be managed proactively by the
Data secrecy is important especially for privacy- management. Cybersecurity technologies such as
sensitive data such as user personal information firewalls are widely available [10]. Cybersecurity is
and meter readings. the joint responsibility of all relevant stakeholders
 Nonrepudiation: This is an assurance of the including government, business, infrastructure
responsibility to an action. The source should not owners, and users. Cybersecurity experts have shown
be able to deny having sent a message, while the that passwords are highly vulnerable to cyber threats,
destination should not deny having received it. compromising personal data, credit card records, and
This security objective is essential for even social security numbers. Governments and
accountability and liability. international organizations play a key role in
cybersecurity issues. Securing the cyberspace is of
Everybody is at risk for a cyber attack. Cyber attacks high priority to the US Department of Homeland
vary from illegal crime of individual citizen (hacking) Security (DHS). Vendors that offer mobile security
to actions of groups (terrorists). The following are solutions include Zimperium, MobileIron Skycure,
typical examples of cyber attacks or threats [8]: Lookout, and Wandera.
 Malware: This is a malicious software or code CYBERSECURITY IN OIL AND GAS
that includes traditional computer viruses, INDUSTRY
computer worms, and Trojan horse programs. The oil and gas industry relies on complex
Malware can infiltrate your network through the technological systems to facilitate worldwide
Internet, downloads, attachments, email, social operations, making it highly vulnerable to cyber
media, and other platforms. Spyware is a type of threats. Imagine the vast scope of the oil and gas
malware that collects information without the industry: millions of miles of pipes, tankers traveling
victim’s knowledge. between ports, hundreds of refineries, rigs, production

@ IJTSRD | Unique Paper ID – IJTSRD69459 | Volume – 8 | Issue – 5 | Sep-Oct 2024 Page 831
 International Journal of Trend in Scientific Research and Development @ www.ijtsrd.com eISSN: 2456-6470
sites, and headquarters. The oil and gas supply chain mitigate cyber risks for the most vulnerable
is a globally interconnected environment, moving operations but also enable all three of an upstream
millions of barrels of crude oil and billions of cubic company’s operational imperatives: safety of
feet of natural gas on a daily basis. The complexity of people, reliability of operations, and creation of
the O&G systems is typically demonstrated in Figure new value. Apart from the upstream industry’s
5 [11]. The oil and gas infrastructure is a tightly-knit “critical infrastructure” status, a complex
network of extraction, production, refining, and ecosystem of computation, networking, and
distribution. The oil and gas industry is a prime target physical operational processes spread around the
for cyber-attacks because of the value of the data and world makes the industry highly vulnerable to
systems it controls. Any disruption can have major cyber-attacks. Figure 6 shows cyber vulnerability
socioeconomic consequences due to cyber threats by upstream operations [12].
ranging from a data leak to tampering with control
 Downstream Segment: Cyber attacks can
systems. Cyber breaches can compromise safety
specifically impact the company's downstream
systems, leading to accidents, injuries, and potential
business, which includes refining, chemical
environmental disasters.
production, and distribution of petroleum
Five common cyber attacks on the oil and gas products. Implementation of new technical and
industry include [1]: operational solutions in upstream and downstream
1. Phishing: This type of attack involves sending processes was identified as the way forward
emails or messages that appear to come from a towards digital oil fields since the early 2000s.
legitimate source. For example, in downstream refineries, OT
2. Ransomware: This type of attack involves updates typically work around outage schedules
malware that encrypts the victim’s files and so changes take much longer to implement in the
demands payment or ransom in exchange for the oil & gas industry since facilities often operate
decryption key. 24/7.

3. Advanced Persistent Threats (APTs): These are ROLES OF CYBERSECURITY IN OIL AND
long-term, targeted attacks often conducted by GAS
nation-states or other highly-skilled actors. As critical national infrastructure, oil and gas
companies are key targets for cybercriminals.
4. Distributed Denial of Service (DDoS) Attacks: Cyberattacks are becoming more and more frequent
These attacks involve overwhelming a website or and more sophisticated. These attacks is not only
network with traffic to make it unavailable to planned to disrupt operations, but also to cause
legitimate users. physical damage threatening human lives.
5. Industrial Control Systems (ICS) Attacks: These Cybercriminals continue to look for new and
attacks target the control systems that operate innovative ways to infiltrate organizations. Their
industrial processes, such as those used in oil and most common motive is to make money. Other
gas production. motives of hackers range from cyberterrorism to
industry espionage to disrupting operations to stealing
The O&G industry faces many challenges in the field data.
service sectors of exploration and production. It is
segmented into (upstream); processing, storage and Cyberattacks can compromise the availability,
transport (midstream); refining and processing integrity, and confidentiality of oil and gas
(downstream). companies. They can endanger lives. Information
systems (IT) and operational technology (OT) are
 Upstream Segment: Upstream stages (exploration, also at risk. Their protection is crucial since it ensures
development, and production and abandonment) the safety of people, systems, and data. The roles of
have a distinct cyber vulnerability, and severity oil and gas cybersecurity can be summarized as
profile. Among the upstream operations, follows [13]:
development drilling and production have the
highest cyber risk profiles. The oil and gas  Insider Threats: Cyber threats are not strictly
production operation ranks highest on cyber external; internal threats pose a significant risk as
vulnerability in upstream operations, mainly well. Unauthorized physical access to critical
because of its legacy asset base, which was not infrastructure can result in tampering or
built for cybersecurity but has been retrofitted and destruction of systems. Other so-called insider
patched in bits and pieces over the years. A threats pose a significant challenge, as disgruntled
holistic risk management program could not only employees, contractors, or others who have been
granted prior authorized access can intentionally

@ IJTSRD | Unique Paper ID – IJTSRD69459 | Volume – 8 | Issue – 5 | Sep-Oct 2024 Page 832
 International Journal of Trend in Scientific Research and Development @ www.ijtsrd.com eISSN: 2456-6470
or unintentionally compromise critical systems security. In some cases, certificate pinning must
and data. Cybercriminals regularly target workers be required to avoid spoofed devices and this
with deceptive emails (i.e., phishing), includes protection from side channel attacks that
compromising their credentials or tricking them can compromise encryption keys.
into installing malware.
BENEFITS
 Supply Chain Risks: Oil and gas professionals Companies in the oil and gas industry are attractive
rank inadequate oversight of the vulnerabilities of targets to cybercriminals because energy
supply chain partners connected to their infrastructure is critical to modern economies. The
organization’s environment as the greatest disruption of an oil or gas pipeline has dire ripple
challenge in enhancing OT cybersecurity. A effects on fuel prices, supply chains, and large-scale
supply chain attack on an oil and gas company is manufacturing. Building cyber resilience for your
a cyber attack that targets the company’s organization refers to its ability to survive and protect
suppliers, vendors, or other partners to gain itself of a cyber-attack. By embracing these best
access to the company’s systems and sensitive practices, oil and gas companies will be well-
information. This can be done by compromising positioned to fortify their cyber defenses, securing
the security of a supplier or vendor and then using their critical infrastructure from would-be attackers.
that access to move deeper into the company’s Energy companies must take strict measures to
network. The interconnected nature of the oil and counter security threats. Benefits of these measures
gas industry introduces weaknesses through third- include the following [14]:
party vendors and suppliers. Those armed with
 Automation: Automate routine security tasks and
privileged access can exploit vulnerabilities,
orchestrate responses to reduce the burden on
compromise systems, or inadvertently expose
security teams, enabling them to focus on critical
critical information.
incidents and respond more efficiently.
 Layered Defense: There is the need for active Implementing a security information and event
defenses and layers of protection for their most management system to consolidate and correlate
important assets. Companies can implement security events across your organization helps to
layers of protection for their most important significantly streamline alert management.
assets. A layered defense, also called “defense in Implementing automation and machine learning
depth,” is a proven concept based on various will filter alerts based on their severity and
types of overlapping cybersecurity controls. The relevance. Your team is then able to analyze them
idea is that if one control fails or gets bypassed by in real-time, reduce false positives, and prioritize
the attacker, another layer offers protection. critical alerts for immediate attention.
Companies can also implement active defenses
 Safety: Increasing focus on safety integrity and
like cyber intelligence, vulnerability awareness,
the need for new preventative measures to
and asset monitoring. Understanding the primary
safeguard against new safety risks have resulted
cybersecurity threats comes as the first step in
in some new interests lately on both fault and
building a robust defense.
failure diagnosis processes related to safety
 Data Security: Security-related data naturally critical systems and equipment of offshore assets.
claims for an extremely high degree of sensitivity.
 Security: In the industrial world, productivity
This has resulted in major practical limitations in
drives business. Today, there are security devices
sharing data related to historical events and
with industrialized hardware and advanced
incidents related to cybersecurity in most cases.
configuration options can provide a defense-in-
Oil and gas companies store large amounts of
depth option for critical applications. These
sensitive data, including intellectual property,
devices have sophisticated security capabilities
financial records, exploration data, and customer
including firewalls with integrated router and
information. Protecting this data is essential to
VPN. Leading the charge in the oil and gas
prevent financial loss, reputational damage, and
security and service market are major players
regulatory non-compliance. Sensitive data related
such as Cisco Systems Inc., Honeywell
to operations, production, and financial
International Inc., and Siemens. To avoid
information needs to be protected from breaches,
disruption of services and serious consequences,
as this could expose valuable trade secrets and
it is important to take a proactive stance on
impact market competitiveness.
security, which starts with mitigating the risk of
 Encryption: End-to-end encryption on all devices insignificant issues, long before they become
should be required and include embedded major incidents. Companies should try to

@ IJTSRD | Unique Paper ID – IJTSRD69459 | Volume – 8 | Issue – 5 | Sep-Oct 2024 Page 833
 International Journal of Trend in Scientific Research and Development @ www.ijtsrd.com eISSN: 2456-6470
implement a platform that integrates physical  Reducing Alert Fatigue: Security alert fatigue is a
security (CCTV, access control) with network common challenge for organizations juggling a
security (firewalls, intrusion detection) and edge large volume of warnings. In the oil and gas
device management. This allows for continuous industry, reducing alert fatigue is an important
monitoring and detection of anomalous activity factor in ensuring legitimate threats are promptly
across all layers. identified and addressed. Reduce alert fatigue by
 Monitoring: For oil and gas organizations, educating all workers, including upper
modern video surveillance, which can be installed management, about best practices for oil and gas
at any location, is required to better protect security, thereby raising awareness about the
employees, assets, and the natural environment. potential consequences of being inattentive to the
Ideally, video surveillance is integrated with wide variety of cyber threats your organization
systems, such as access control, video analytics, regularly faces.
and intrusion detection to detect threats faster. It  Standard: Oil and gas companies need to
is also important to deploy high-definition IP constantly raise their standards. They must ask
cameras and thermal imaging cameras to detect themselves whether they are learning and whether
what can go unnoticed by regular surveillance. they are doing the right things. This internal
CHALLENGES scrutiny can be a source of confidence for
The oil and gas industry faces significant companies. In 2018, the National Institute of
cybersecurity challenges due to its reliance on Standards and Technology (NIST) proposes a
increasingly interconnected IT and OT systems. cybersecurity framework (CSF) constituting of
Addressing these challenges and enhancing oil and five steps: identify, protect, detect, respond and
gas cybersecurity is crucial to safeguard critical recover from a security incident. The CSF
infrastructure, protect intellectual property, ensure approach provides an effective framework for the
safety, ensure business continuity, prevent cyber simple integration of various standards,
threats, and manage supply chain risk. Although guidelines, and practices within the domains of
emerging technologies will have a major impact on industrial asset management and cyber risk
cybersecurity, they can be used for good and also for management. Protecting control systems will be
bad. Other challenges include the following [13]: an ongoing responsibility that everyone must
share by following standards and implementing a
 Worker Awareness: Knowledge lays the defense-in-depth approach to cybersecurity.
foundation for secure processes and successful
access management, and it also raises the  Regulation: Regulatory requirements are the
awareness of all personnel. Raising oil and gas foremost driver of investment in cybersecurity
cybersecurity awareness among your staff helps within the oil and gas sector and the wider energy
foster a culture of safety, ensuring everyone industry.
understands their roles and responsibilities. With  Collaboration: It is paramount that oil and gas
regular training programs, everyone should be companies stay one step ahead of potential risks.
periodically tested to eliminate complacency and Critical to staying ahead is fostering a culture of
inertia. industry-wide collaboration. Frequently
 Cybersecurity Culture: A new cybersecurity exchanging threat intelligence with international
culture is an important industrial need that should bodies and developing robust cybersecurity
be developed based on central attributes from defenses can effectively mitigate cyber risks. To
different domains. The need for such a well- create a secure network, control engineers and
cultivated cybersecurity culture is immediate in plant managers must work together with the IT
all high-risk industrial sectors, such as the department and the technology they use.
offshore O&G industry. Threats are constantly CONCLUSION
evolving and administering a culture of The oil and gas companies play a crucial role in a
continuous improvement is one key step toward functional, modern society. The companies face cyber
adopting a cybersecurity strategy that really threats daily, from hydrocarbon installation terrorism
works. Human factor is often considered as a to industrial espionage. They are also vulnerable to
weak point in the cybersecurity domain and hence theft and sabotage. Cybersecurity is paramount for the
the traditional approach of establishing oil and gas industry as it plays a critical role in
cybersecurity culture often has a focus on raising securing the sensitive data. Ensuring the integrity,
human and organizational alertness. confidentiality, and availability of the sensitive data

@ IJTSRD | Unique Paper ID – IJTSRD69459 | Volume – 8 | Issue – 5 | Sep-Oct 2024 Page 834
 International Journal of Trend in Scientific Research and Development @ www.ijtsrd.com eISSN: 2456-6470
and systems is of utmost importance. Cybersecurity Research and Engineering, vol. 3, no. 8, Sept.
of industrial control systems is multidisciplinary and 2017, pp. 71-74.
involves multiple stakeholders, including operator
[7] M. N. O. Sadiku, M. Tembely, and S. M. Musa,
companies, vendors, service providers, authorities,
“Smart grid cybersecurity,” Journal of
adversaries, and sometimes the public. Holistic
Multidisciplinary Engineering Science and
cybersecurity ensures people, systems, critical
Technology, vol. 3, no. 9, September 2016,
infrastructure, and data are kept safe from
pp.5574-5576.
cyberattacks.
[8] “FCC Small Biz Cyber Planning Guide,”
Oil and gas companies that maintain cybersecurity as
https://transition.fcc.gov/cyber/cyberplanner.pd
a central tenet of their digital strategy stand to gain
f
the most. Emphasizing cybersecurity today means a
more secure and resilient oil and gas infrastructure [9] “The 8 most common cybersecurity attacks to
tomorrow. The defense against cyberattacks in oil and be aware of,” https://edafio.com/blog/the-8-
gas will have to be taken more seriously in the future. most-common-cybersecurity-attacks-to-be-
More information on cybersecurity in O&G industry aware-of/
is available from the books in [15-18] and the [10] Y. Zhang, “Cybersecurity and reliability of
following related journals: electric power grids in an interdependent cyber-
 Energy and AI physical environment,” Doctoral Dissertation,
 The AI Journal University of Toledo, 2015.
REFERENCES [11] “Strengthening cybersecurity in the oil and gas
[1] “Cyber threats for the oil and gas industry,” industry,” September 2024,
https://meriplex.com/cyber-threats-for-the-oil- https://www.weforum.org/impact/cyber-
and-gas-industry/ resilience-oil-and-gas/
[2] G. Lewis, “Mideast oil & gas facilities could [12] “Protecting the connected barrels:
face cyber-related energy disruptions,” Cybersecurity for upstream oil and gas,”
November 2023, https://www2.deloitte.com/content/dam/insight
https://www.darkreading.com/ics-ot- s/us/articles/3960-connected-
security/mideast-oil-gas-facilities-could-face- barrels/DUP_Protecting-the-connected-
cyber-related-energy-disruptions barrels.pdf
[3] P. Singh, “A layered approach to cybersecurity: [13] “Why is cybersecurity important for oil and
People, processes, and technology- explored & gas?” July 2024,
explained,” July 2021, https://www.otorio.com/blog/why-is-
https://www.linkedin.com/pulse/layered- cybersecurity-important-for-oil-and-gas/
approach-cybersecurity-people-processes-
singh-casp-cisc-ces [14] P. Murchland, “Cybersecurity challenges in the
energy industry – Are you ready?” July 2024,
[4] M. Loi et al., “Cybersecurity in health – Unknown Source.
disentangling value tensions,” Journal of
Information, Communication and Ethics in [15] M. N. O. Sadiku, Cybersecurity and Its
Society, June 2019, Applications. Moldova, Europe: Lambert
https://www.emerald.com/insight/content/doi/1 Academic Publishing, 2023.
0.1108/JICES-12-2018-0095/full/html [16] D. J. Lester, Securing Oil and Natural Gas
[5] M. Adams, “Unlocking the benefits of ethical Infrastructures in the New Economy. National
hacking: The importance of ethical hackers in Petroleum Council, 2001.
cybersecurity,” April 2023, [17] C. Sundararaman, Development of
https://www.businesstechweekly.com/cybersec Cybersecurity Mandate For Oil And Gas
urity/network-security/ethical-hacking/ Industry. Self Publisher, 2023.
[6] M. N. O. Sadiku, S. Alam, S. M. Musa, and C. [18] A. Lamba, Protecting 'Cybersecurity &
M. Akujuobi, “A primer on cybersecurity,” Resiliency' of Nation's Critical Infrastructure -
International Journal of Advances in Scientific Energy, Oil & Gas. SSRN, 2019.

@ IJTSRD | Unique Paper ID – IJTSRD69459 | Volume – 8 | Issue – 5 | Sep-Oct 2024 Page 835
 International Journal of Trend in Scientific Research and Development @ www.ijtsrd.com eISSN: 2456-6470

Figure 1 Cybersecurity involves multiple issues related to people, process, and technology [3].
Justice Beneficence

Equality Nonmalefience

Cost-awareness Cybersecurity Trust

Innovation Privacy

Efficiency Autonomy

Figure 2 Different components of cybersecurity [4].( Green: supportive; red: in tension)

Figure 3 A typical cybercriminal [5].

@ IJTSRD | Unique Paper ID – IJTSRD69459 | Volume – 8 | Issue – 5 | Sep-Oct 2024 Page 836
 International Journal of Trend in Scientific Research and Development @ www.ijtsrd.com eISSN: 2456-6470

Figure 4 Common types of cybersecurity threats [9].

Figure 5 The complexity of the O&G systems [11].

@ IJTSRD | Unique Paper ID – IJTSRD69459 | Volume – 8 | Issue – 5 | Sep-Oct 2024 Page 837
 International Journal of Trend in Scientific Research and Development @ www.ijtsrd.com eISSN: 2456-6470

Figure 6 Cyber vulnerability by upstream operations [12].

@ IJTSRD | Unique Paper ID – IJTSRD69459 | Volume – 8 | Issue – 5 | Sep-Oct 2024 Page 838