Oil and gas industry scrutinized for weak cyber defenses

As U.S. industries gear up for possible Russian cyberattacks amid the war in Ukraine, experts say the oil and gas industry is particularly vulnerable because it is not subject to government mandated cybersecurity standards and investments.

Unlike the power sector, which has developed sophisticated cyber defenses over the years and is heavily regulated by the government, the oil and gas industry is lagging behind in part because industry lobbyists pushed back against stricter regulations, said Peter Lund, a cyber expert and chief technology officer at Industrial Defender. 

“Oil and gas has always been a little bit behind mostly because they’re not as friendly when it comes to regulations,” Lund said, adding that although the industry has invested in cybersecurity, it’s not at the level it should be compared to other regulated energy sectors.

On the other hand, Lund said that the power sector has very prescriptive guidance that requires it to know its assets, understand its network and evolve as technology advances. “It has a very robust set of security and compliance standards,” he said. 

Lund said that the Colonial Pipeline ransomware attack was a wake-call for the oil and gas industry to invest more in cybersecurity and bolster its cyber defenses.

The attack, which occurred last year, caused the company to shut down operations for nearly a week. It was forced to pay a ransom of $4.4 million in bitcoin. The incident also caused gas shortages in several states as fuel prices spiked. 

U.S. regulators, and even lawmakers, have pushed the oil and gas industry to adopt stricter cybersecurity standards administered by the Federal Energy Regulatory Commission (FERC). Rep. Bobby Rush (D-Ill.), chair of the House energy subcommittee, introduced a bill in December that would direct FERC to create “much-needed” mandatory cybersecurity standards for the oil and gas industry. 

“Putin’s war in Ukraine has brought the issue of energy security to the forefront yet again. It is crucial that we have energy and cybersecurity experts at the wheel setting cybersecurity standards for energy infrastructure,” Rep. Rush said in a statement to The Hill.  

“My bill, the Energy Product Reliability Act, would do this by creating a reliability organization that would be empowered by FERC to set much-needed mandatory cybersecurity standards for American pipelines.” 

Lund explained that industries like oil and gas would rather be cost-effective than invest in cybersecurity, especially knowing that there is always a possibility of a cyberattack against its networks.

“[Cybersecurity] is something that you have to spend a bunch of money on knowing that there’s not a 100 percent guarantee” to avoid an attack, Lund said, adding that there is no question that the frequency of cyberattacks will continue to increase.

Industry leaders, however, pushed back against those assertions, arguing that just because an industry is not federally regulated doesn’t mean that it is not investing in cybersecurity and keeping up with government cyber guidance. 

“You don’t need regulations to have a robust cyber program,” said Suzanne Lemieux, director of operations security and emergency response at the American Petroleum Industry. 

Lemieux said that API’s members have been closely coordinating with government agencies and the private sector to ensure they receive up-to-date information on cyber threats. She added that private cybersecurity firms have also been helping the members secure and upgrade their networks.

“You can’t stay in business these days if you don’t have a robust cybersecurity program,” she said.

Lemieux added that although there are no specific or credible threats at the moment, their members have increased their level of vigilance and resilience as they continue to monitor the ongoing situation in Ukraine.  

“Our companies are trying to work with as many players as they can to make sure that as a sector, we are resilient and that we can prevent and mitigate as much as we can with those partnerships including with the federal government and the private sector,” Lemieux said.

“It’s in everyone’s interest to make sure that we are as safe as possible,” she said. 

A spokesperson for the Interstate Natural Gas Association of America (INGAA), echoed Lemieux’s point, arguing that the oil and gas industry is no more vulnerable to cyberattacks than other industries, which is largely “due to its connectivity with the global markets.”

The INGAA spokesperson also said that its members have adopted the “Shields Up” guidance implemented by the Cybersecurity & Infrastructure Security Agency (CISA), as well as other recommendations introduced by the FBI and the TSA.

The spokesperson added that although the latest cyber threats have mainly focused on Russia, the Office of the Director of National Intelligence have repeatedly cited China as the “broadest, most active, and persistent” cyber threat to U.S. private sector networks.

“While INGAA members are in a heightened security posture due to the crisis in Ukraine and potential counterattacks to U.S. critical infrastructure, we are not overlooking other actors who may seek to disrupt our networks,” the spokesperson said.