Escalating global political tensions have made operational technology (OT) systems a prime target for cyber adversaries. As nations seek to influence oil markets, the ability to produce and distribute energy becomes a strategic vulnerability. Operators of refineries, pipelines and floating liquefied natural gas (FLNG) facilities must now prioritize defenses against state-sponsored actors, who often use stealthy tactics to enumerate defenses and gain footholds they can exploit at politically opportune moments.
While tactics vary between actors, the overarching strategy is clear: adversaries aim to strike when it is most advantageous, especially in response to major political events. Well-known examples include the 2015 and 2016 attacks on the Ukrainian power grid and the recent discovery of persistent access in US critical infrastructure by the group known as Volt Typhoon.
But state actors are not the only threat. Criminal organizations have grown increasingly sophisticated and recognize OT environments as lucrative targets. The shutdown of Colonial Pipeline after a ransomware attack, which resulted in a USD 4.4 million ransom payment, drastically changed the landscape by demonstrating that these once obscure systems can be exploited for significant financial gain.
Detecting threats: Monitoring OT systems for state actor activity
Cyber adversaries constantly seek low-risk ways to gain access to OT environments without triggering alarms. Campaigns such as Volt Typhoon have leveraged vulnerable network equipment, especially devices that have reached end-of-life status, to obscure their traffic and carry out attacks. Such equipment is frequently excluded from security information and event management (SIEM) log collection because of cloud ingestion costs or to avoid alarm fatigue. Defenders should assess which systems are not being monitored and analyze how adversaries could exploit those gaps. Where risks are identified, defenders should expand monitoring and develop tailored incident response procedures.
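The gap assessment described above can be made systematic by reconciling the asset inventory against the list of sources the SIEM actually receives logs from, and ranking what falls out by exposure. The following is an added example, not code from the original article or from Black & Veatch; the asset records, SIEM source list, field names and scoring weights are all constructed assumptions, not a vendor schema.

```python
"""Reconcile an OT asset inventory against the SIEM's log-source list.

Added example, not from the original article. The asset inventory and
SIEM source list below are constructed sample data; field names and
scoring weights are assumptions a defender would adapt locally.
"""
from dataclasses import dataclass
from datetime import date

# Constructed asset inventory: one record per network device or host.
ASSETS = [
    {"name": "edge-rtr-01", "ip": "203.0.113.10", "role": "edge router",
     "vendor_eol": date(2021, 6, 30), "internet_facing": True},
    {"name": "dmz-fw-01", "ip": "203.0.113.11", "role": "firewall",
     "vendor_eol": None, "internet_facing": True},
    {"name": "plant-sw-07", "ip": "10.20.7.1", "role": "L2 switch",
     "vendor_eol": date(2019, 12, 31), "internet_facing": False},
    {"name": "hist-srv-01", "ip": "10.20.5.20", "role": "historian",
     "vendor_eol": None, "internet_facing": False},
    {"name": "eng-ws-03", "ip": "10.20.5.33", "role": "engineering workstation",
     "vendor_eol": None, "internet_facing": False},
]

# Constructed set of source IPs the SIEM is actually ingesting logs from.
SIEM_SOURCES = {"203.0.113.11", "10.20.5.20"}


@dataclass
class Gap:
    name: str
    ip: str
    role: str
    score: int
    reasons: list


def find_monitoring_gaps(assets, siem_sources, today=None):
    """Return unmonitored assets, highest exposure first.

    An asset is a gap when no logs from it reach the SIEM. Exposure is
    raised when the device is reachable from the internet and when the
    vendor no longer ships fixes for it (end-of-life), the two traits
    the article associates with the equipment Volt Typhoon abused.
    """
    today = today or date.today()
    gaps = []
    for asset in assets:
        if asset["ip"] in siem_sources:
            continue  # logs are collected; not a gap
        reasons = ["no logs in SIEM"]
        score = 1
        if asset["internet_facing"]:
            reasons.append("internet facing")
            score += 2
        eol = asset["vendor_eol"]
        if eol is not None and eol < today:
            reasons.append(f"end-of-life since {eol.isoformat()}")
            score += 2
        gaps.append(Gap(asset["name"], asset["ip"], asset["role"], score, reasons))
    gaps.sort(key=lambda g: g.score, reverse=True)
    return gaps


if __name__ == "__main__":
    for gap in find_monitoring_gaps(ASSETS, SIEM_SOURCES):
        print(f"{gap.score}  {gap.name:<12} {gap.ip:<14} {gap.role}: {', '.join(gap.reasons)}")
```

The top of the resulting list (an end-of-life, internet-facing router with no logs) is exactly the device a defender should add to collection first, or isolate until it can be replaced.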
Adaptive cyber defense for evolving OT threats
In the Industrial Control Systems (ICS) Kill Chain framework, attacks on OT start with the adversary assessing the environment before delivering an attack tuned specifically to it. Defenders who assume their environments have not been scanned run the risk of depending on 'security by obscurity'.
A robust security program should proactively search for signs of adversary reconnaissance and establish a well-defined incident response (IR) plan. IR planning starts with identifying the organization's key operational processes and the assets required to keep them running. When an attack is detected, personnel must be prepared to carry out their assigned responsibilities: first establish the scope of the attack, then mitigate its effects on operational continuity and safety.
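Searching for reconnaissance in practice means looking for the traffic pattern of a sweep: one source touching many controllers on industrial-protocol ports in a short window, with small payloads, where production polling touches a few fixed peers. The detector below is an added example, not code from the original article or from Black & Veatch; the flow records are constructed, and the window, thresholds and port list are assumptions to be tuned to the plant network.

```python
"""Flag sources performing ICS-style reconnaissance in flow records.

Added example, not from the original article. The flow records are
constructed; the ICS port list, window size and thresholds are
assumptions a defender would tune to their own network.
"""
from collections import defaultdict

# Ports used by common industrial protocols (well-known assignments).
ICS_PORTS = {
    102: "S7comm/ISO-TSAP",
    502: "Modbus/TCP",
    2222: "EtherNet/IP (implicit)",
    4840: "OPC UA",
    20000: "DNP3",
    44818: "EtherNet/IP",
}

# Constructed flow records: (epoch seconds, src_ip, dst_ip, dst_port, bytes).
FLOWS = [
    (1700000000, "10.20.5.33", "10.20.7.11", 502, 320),     # engineering ws, normal poll
    (1700000005, "10.20.5.33", "10.20.7.11", 502, 310),
    (1700000010, "10.20.5.20", "10.20.7.12", 44818, 900),   # historian collecting
    # One source sweeping many controllers across several protocols:
    (1700000100, "10.20.9.77", "10.20.7.11", 502, 60),
    (1700000101, "10.20.9.77", "10.20.7.12", 502, 60),
    (1700000102, "10.20.9.77", "10.20.7.13", 502, 60),
    (1700000103, "10.20.9.77", "10.20.7.13", 102, 60),
    (1700000104, "10.20.9.77", "10.20.7.14", 20000, 60),
    (1700000105, "10.20.9.77", "10.20.7.15", 44818, 60),
    (1700000106, "10.20.9.77", "10.20.7.16", 4840, 60),
]


def detect_ics_recon(flows, window_s=300, min_targets=5, min_protocols=2):
    """Return {src_ip: finding} for sources that, within any window_s span,
    reach at least min_targets distinct hosts on ICS ports using at least
    min_protocols distinct protocols. Legitimate HMIs and historians talk
    to a stable set of peers over one protocol; a sweep does not."""
    by_src = defaultdict(list)
    for ts, src, dst, port, _nbytes in flows:
        if port in ICS_PORTS:
            by_src[src].append((ts, dst, port))

    findings = {}
    for src, events in by_src.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            # Slide the window start forward until it spans <= window_s.
            while events[hi][0] - events[lo][0] > window_s:
                lo += 1
            window = events[lo:hi + 1]
            targets = {dst for _, dst, _ in window}
            ports = {port for _, _, port in window}
            if len(targets) < min_targets or len(ports) < min_protocols:
                continue
            # Keep the widest-reaching window seen for this source.
            if src not in findings or len(targets) > len(findings[src]["targets"]):
                findings[src] = {
                    "targets": sorted(targets),
                    "protocols": sorted(ICS_PORTS[p] for p in ports),
                    "first_seen": window[0][0],
                    "last_seen": window[-1][0],
                }
    return findings


if __name__ == "__main__":
    for src, f in detect_ics_recon(FLOWS).items():
        print(f"{src}: {len(f['targets'])} controllers, protocols {f['protocols']}")
```

The same logic runs unchanged over exported NetFlow, Zeek `conn.log` or firewall session records once they are mapped onto the five-field tuple; the value of the check lies in having those flows collected from the plant network in the first place.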
In the Colonial Pipeline incident, the pipeline was shut down because of loss of visibility into the scheduling software, not the controllers, remote terminal units (RTUs) or any other OT equipment running the pipeline itself. This underscores the importance of understanding the dependencies between physical processes and their supporting information systems, and of ensuring both are protected.
Cyber-informed engineering: Bridging physical and digital defenses
In 2023, the US Department of Energy published cyber-informed engineering (CIE) implementation guidance, extending secure by design (SbD) principles into the cyber-physical domain. Organizations should give particular attention to engineering the process so that a cyber compromise cannot produce unacceptable physical consequences. Engineered safeguards, such as limiting command capabilities to only those necessary for normal operations, can prevent adversaries from executing harmful actions even after they have gained access.
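One concrete form of "limiting command capabilities" on the supervisory-to-controller path is an allowlist that encodes the engineers' operating envelope: which registers may be written at all, within what bounds, and by how much per command. The gate below is an added example, not code from the original article, from Black & Veatch or from the DOE guidance; the Modbus function codes are real, but the register numbers, tag names and limits describe a single hypothetical heater-feed loop and are constructed assumptions.

```python
"""Engineered command allowlist for a supervisory-to-controller path.

Added example, not from the original article. Register numbers, tag
names and limits are constructed for one hypothetical heater-feed loop;
a real table comes from the process engineers' hazard analysis.
"""
from dataclasses import dataclass

# Modbus function codes (Modbus application protocol specification).
READ_HOLDING = 0x03
WRITE_SINGLE = 0x06
WRITE_MULTIPLE = 0x10


@dataclass(frozen=True)
class WritePolicy:
    tag: str
    lo: float        # engineered minimum for normal operation
    hi: float        # engineered maximum for normal operation
    max_step: float  # largest change a single command may make


# Constructed allowlist: only these registers may ever be written, and
# only within bounds. Everything else, including interlock and alarm
# registers, is read-only from the supervisory network.
WRITE_ALLOWLIST = {
    40001: WritePolicy("FEED_PUMP_SETPOINT_PCT", 0.0, 85.0, 10.0),
    40002: WritePolicy("HEATER_TEMP_SETPOINT_C", 150.0, 320.0, 15.0),
}

# Multi-register writes (0x10) are denied outright: normal operation
# never needs them, and they are how bulk reconfiguration happens.
ALLOWED_FUNCTIONS = {READ_HOLDING, WRITE_SINGLE}


@dataclass
class CommandResult:
    allowed: bool
    reason: str


def evaluate_command(func_code, register, value=None, current=None):
    """Decide whether one Modbus request may pass to the controller.

    `current` is the last known value of the register; enforcing
    max_step against it stops a compromised HMI from slewing the
    process to a limit in a single move.
    """
    if func_code not in ALLOWED_FUNCTIONS:
        return CommandResult(False, f"function 0x{func_code:02x} not permitted")
    if func_code == READ_HOLDING:
        return CommandResult(True, f"read register {register}")
    policy = WRITE_ALLOWLIST.get(register)
    if policy is None:
        return CommandResult(False, f"register {register} is read-only")
    if value is None:
        return CommandResult(False, "write without value")
    if not policy.lo <= value <= policy.hi:
        return CommandResult(False, f"{policy.tag}={value} outside [{policy.lo}, {policy.hi}]")
    if current is not None and abs(value - current) > policy.max_step:
        return CommandResult(False, f"{policy.tag} step {abs(value - current)} exceeds {policy.max_step}")
    return CommandResult(True, f"{policy.tag} <- {value}")


if __name__ == "__main__":
    for req in [(WRITE_SINGLE, 40002, 300.0, 295.0), (WRITE_SINGLE, 40002, 400.0, 295.0),
                (WRITE_MULTIPLE, 40001, None, None), (WRITE_SINGLE, 40010, 1, None)]:
        r = evaluate_command(*req)
        print("ALLOW" if r.allowed else "DENY ", r.reason)
```

The policy is deliberately independent of who sent the command: authentication can be stolen, but a setpoint outside the engineered envelope is wrong regardless of the credential behind it. Denied commands should also be logged and alerted on, since a legitimate operator will rarely request them.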
Defenders’ advantage: Turning OT familiarity into cyber strength
Despite the increasing sophistication of attacks, defenders hold a critical advantage: they know their systems best, and in a well-instrumented environment an attacker must avoid every tripwire to succeed. By focusing on active threat identification, comprehensive incident response planning and security-driven engineering, dedicated defenders can stay ahead of adversaries and safeguard the future of oil and gas operations.
Black & Veatch's Cyber Asset Lifecycle Management (CALM) services support oil and gas organizations in staying ahead of evolving threats. By embedding cyber-informed engineering best practices into every phase of the asset lifecycle, CALM helps ensure that physical and digital controls work together to protect your critical assets, enhance operational resilience and deliver peace of mind, so your operations remain secure, reliable and future-ready.