Building Resilience in Oil & Gas Supply Chain Cybersecurity

By Larry O'Brien


While the green energy transition accelerates, the world remains highly dependent on the oil and gas supply chain. Most people tend to think of the oil and gas industry in segmented terms: upstream oil and gas, pipelines, and downstream operations. Like most industries, however, the oil and gas supply chain has become increasingly integrated and complex over the past 20 years. Increased adoption of Industrial Internet of Things (IIoT)-based solutions is making it easier to integrate the supply chain and obtain data from all aspects of oil and gas operations, from the wellhead to the consumer.

All this increased integration and new technology adoption creates some unique cybersecurity challenges, and cyberattacks against the oil and gas industry, which should be considered as part of our critical infrastructure, are now a major source of unplanned downtime. With oil exceeding $100 a barrel, the stakes are getting higher for oil and gas companies to secure their operations and create a resiliency strategy for the future, both for themselves and their supply chain business partners.

In North America, there aren’t a lot of regulations governing cybersecurity in the oil and gas industry. The new TSA pipeline regulations are very basic and don’t give a lot of guidance on how to build a better cybersecurity organization, and many of them are not actionable in today’s plant, facility, and pipeline environments. Fortunately, the industrial world has solid cybersecurity standards that it has been following voluntarily, in the form of the ISA/IEC 62443 series of standards. Unfortunately, there seems to be a disconnect between what is already an industry-accepted standard and the world of government regulations.

Colonial Pipeline: IT-centric Attacks Have OT Level Consequences

The Colonial Pipeline cyberattack is a good example of how IT-level or business-level attacks can have implications for operations. The OT-level systems controlling the pipeline operations were not attacked. The primary attack vector was through the company’s billing systems. This loss of visibility into the financial operations required Colonial to shut down pipeline operations.

The consequences of the attack were felt throughout the oil and gas supply chain. The pipeline shutdown caused fuel shortages at Charlotte Douglas International Airport, which caused American Airlines to change flight schedules. Hartsfield–Jackson Atlanta International Airport, one of the busiest on the planet, had to look to other fuel suppliers, as did five other airports. TV screens were filled with images of panic buying at gas stations as the shutdown dragged on for four days. On May 14, 87 percent of all gas stations in Washington DC were out of fuel. Fuel prices in turn rose to their highest level since 2014.

Such events have occurred in the past, but a cyberattack was never the root cause until recently. In 2011, for example, the Alaska Pipeline unexpectedly shut down due to a leak, immediately cutting off 12 percent of US oil supply and causing huge revenue losses. Today, cyberattacks have the same consequences.

Operations Management in the Context of OT

The Colonial Pipeline attack is also a good example of the vulnerability of so-called Level III applications, as they are called in the Purdue Reference Model and ISA95 standard. These are applications that do not control operations directly, but they handle operations management, planning, scheduling, and other functions, and losing visibility into them could inadvertently cause an unplanned downtime incident. In the case of Colonial, operations were never directly affected; even though they were properly isolated, the attack on the billing system still shut everything down. You need to consider relationships between OT systems and Level III systems and plan your cybersecurity strategy accordingly.

Oil & Gas Supply Chain Cybersecurity


Keywords: Oil and Gas Supply Chain, Colonial Pipeline, TSA Pipeline Cybersecurity, Industrial Internet of Things (IIoT), Ransomware, ISA-IEC 62443, CISA, CYMANII, ARC Advisory Group.
