Oil and Gas Supply Chain Cybersecurity


As the green energy transition gathers pace, the world remains heavily dependent on the oil and gas supply chain. Most people tend to think of the oil and gas industry in segmented terms. There is upstream oil and gas, and there are downstream pipelines and operations. Like most industries, however, the oil and gas supply chain has become increasingly integrated and complex over the past 20 years. The increased adoption of Industrial Internet of Things (IIoT)-based solutions is making it easier to integrate the supply chain and obtain data on all aspects of oil and gas operations, from the wellhead to the consumer.

All of this increased integration and adoption of new technologies creates unique cybersecurity challenges, and cyberattacks on the oil and gas industry, which should be considered part of our critical infrastructure, are now a major source of unplanned downtime. With oil surpassing $100 a barrel, the stakes are rising for oil and gas companies to secure their operations and create a resilient strategy for the future, both for themselves and their supply chain trading partners.

In North America, there are not many regulations governing cybersecurity in the oil and gas industry. The new TSA pipeline regulations are very basic and don’t provide much guidance on how to create a better cybersecurity organization, and many of them are not applicable in today’s factories, facilities and pipelines. Fortunately, the industrial world has strong cybersecurity standards that it voluntarily follows in the form of the ISA/IEC 62443 series of standards. Unfortunately, there seems to be a disconnect between what is already an industry-accepted standard and the world of government regulations.

Colonial Pipeline: IT-Centric Attacks Have OT Consequences

The Colonial Pipeline cyberattack is a good example of how IT-level or enterprise-level attacks can have operational implications. OT-level systems controlling pipeline operations were not attacked. The primary attack vector was through corporate billing systems. This loss of visibility into financial operations forced Colonial to stop operating the pipeline.

The consequences of the attack were felt throughout the oil and gas supply chain. The pipeline shutdown caused fuel shortages at Charlotte Douglas International Airport, causing American Airlines to change flight schedules. Hartsfield-Jackson Atlanta International Airport, one of the busiest on the planet, had to turn to other fuel suppliers, as did five other airports. TV screens were filled with images of panic buying at petrol stations as the shutdown dragged on for four days. On May 14, 87% of all gas stations in Washington DC were out of fuel. Fuel prices in turn reached their highest level since 2014.

Such events have happened in the past, but a cyberattack was never the root cause until recently. In 2011, for example, the Alaskan pipeline was unexpectedly shut down due to a leak, immediately cutting off 12% of US oil supply and causing huge revenue losses. Today, cyberattacks have the same consequences.

Operations management in the context of OT

The Colonial Pipeline attack is also a good example of the vulnerability of Tier III applications, as they are called in the Purdue reference model and the ISA95 standard. These are applications that do not directly control operations, but perform tasks such as operations management, scheduling, and other functions, and losing visibility into them can inadvertently cause unplanned downtime. In Colonial’s case, operations were never directly affected, but even though the OT systems were properly isolated, the attack on the billing system still brought everything to a halt. You should consider the relationships between OT systems and Tier III systems and plan your cybersecurity strategy accordingly.

ARC Advisory Group customers can view the full report on the ARC Customer Portal


Keywords: Oil and Gas Supply Chain, Colonial Pipeline, TSA Pipeline Cybersecurity, Industrial Internet of Things (IIoT), Ransomware, ISA-IEC 62443, CISA, CYMANII, ARC Advisory Group.
