As the United States has become the world’s largest producer of oil and natural gas, cybersecurity concerns in the sector have shifted from primarily protecting intellectual property to guarding against potential attacks from rival nations, an expert told NGI.

“Intellectual property theft is still a concern; it could be from a criminal element or a nation state,” said American Petroleum Institute’s (API) Suzanne Lemieux, manager of operations security and emergency response policy.

But the “geopolitical aspect is relevant today” as critical infrastructure to discover, produce, transport and refine U.S. hydrocarbons gas become increasingly reliant on advanced technology and automation to reduce costs, Lemieux said Wednesday.

The domestic oil and gas industry has been actively addressing cybersecurity issues for at least 20 years and last week, the Washington, DC-based API trade group hosted its 15th annual cybersecurity conference for the oil and gas industry.

The conference was held virtually this year because of the Covid-19 pandemic but still drew a large audience of 300, Lemieux said. Last year’s in-person conference had 800 attendees.

One area of potential improvement that was discussed at last week’s conference was better information sharing, Lemieux said. Antitrust laws sometimes prohibit companies from sharing relevant information and the U.S. government “has a long way to go” in improving the sharing of classified or unclassified information with the industry.

Another area of improvement is helping smaller companies enhance their cybersecurity, as large companies for years have taken extensive measures, Lemieux said. “We don’t expect every company to have the same program. A smaller company doesn’t have the same level of risk. I don’t think it’s a one-size-fits-all.”

The evolving nature of potential intrusions would “require constant vigilance and change,” she added. “It’s not a finish line but continual evolution as companies are adapting to the threat.”

Technology plays an integral role in the entire value chain of the oil and gas industry, according to Lemieux. The complex modeling to identify upstream resources “is extremely well protected” intellectual property. Offshore wells, as onshore wells in remote areas, are often operated remotely. Midstream companies, meanwhile, extensively use control systems to operate the country’s vast pipeline networks and the increasingly important shipping sector also extensively relies on technology, she said.

Refining and manufacturing facilities, which often have hazardous chemicals on site, use advanced technology to operate efficiently and safely, she said.

[On the go? Tune in to NGI’s Hub & Flow podcast for a quick take on what’s moving the markets.]

The threat to the domestic gas industry came to the fore in February when the U.S Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) announced that a domestic natural gas pipeline had been forced to shut operations for two days because of a cyberattack that affected control and communication assets on the operational technology (OT) network of a compression facility. The pipeline and compression station were not identified.

FERC staff and electric utility regulators last month outlined in a report best practices on how to effectively respond to and recover from such attacks. API is collaborating with the Federal Energy Regulatory Commission, CISA and other stakeholders to update cybersecurity guidelines for pipelines and other infrastructure, Lemieux said.

In addition, the Department of Energy’s Office of Energy Efficiency and Renewable Energy (EERE) on Wednesday announced a multi-year plan to accelerate cybersecurity research and development in the renewable energy, manufacturing, buildings and transportation sectors, as well as to increase stakeholder awareness.

“Cyber threats targeting EERE technologies present an immediate risk to the integrity and availability of energy infrastructure and other systems critical to the nation’s economy, security and well-being,” said Deputy Assistant Secretary for Energy Efficiency Alex Fitzsimmons. “New technologies must be designed with cybersecurity as a requirement.”

Among other goals, the strategy would facilitate more engagement among EERE with industry, academia and other government offices to avoid duplicating efforts.

Manufacturing Attacks Rise

Publicly reported ransomware attacks against the manufacturing sector – including oil, gas and petrochemical companies – this year have more than tripled compared with the same time last year, Hanover, MD-based cybersecurity company Dragos Inc. said in a report earlier this month.

In the first 10 months of this year, Dragos researchers said they had validated 108 advisories with 262 vulnerabilities impacting industrial equipment used in manufacturing.

The most common threat to the sector is ransomware that can stop industrial processes, according to Dragos researchers. Ransomware is malware that may steal proprietary data or interfere with technology unless the company pays a ransom to the attackers.

“Cyber risk to the manufacturing sector is increasing, led by disruptive cyberattacks impacting industrial processes, intrusions enabling information gathering and process information theft, and new activity from industrial control systems (ICS)-targeting adversaries,” Dragos management said.

Dragos in the last two years has observed a significant increase in the number of ransomware attacks that impact ICS environments, including the ability to “kill,” or stop, industrial processes, management said.

The manufacturing sector is especially vulnerable to cyberattacks because many companies share network connections between information and operational technology segments.

CISA and the National Security Agency (NSA) in July encouraged asset owners and operators to take immediate actions to restrict the exposure of operations technology assets to the internet.

“Adversaries are quick to weaponize and exploit vulnerabilities in internet-facing services including remote desktop protocol (RDP) and VPN services,” the Dragos report said.

Dragos publicly tracks five ICS-focused cyberattack groups that target the manufacturing sector, with at least three of those posing known threats to the oil and gas sector.