The US pipeline attack shows the energy sector must act now on cybersecurity. Here are 6 ways how

Part of the Colonial Pipeline infrastructure recently targeted by hackers using ransomware. Image: Reuters/Drone Base

Leo Simonovich
Vice-President; Global Head, Industrial Cyber and Digital Security, Siemens Energy
Filipe Beato
Lead, Centre for Cybersecurity, World Economic Forum
• The recent ransomware attack on a major US pipeline owner outlines the vulnerability of critical infrastructure.

• The energy sector cannot wait for governments to regulate on cybersecurity.

• It must prepare for frequent, sophisticated cyberattacks as the new normal.

Strong cybersecurity requires a collaborative approach. In the oil and gas sector, supply chains are interconnected and interdependent – making it important to advance cybersecurity maturity as a community.

The recent ransomware attack striking Colonial Pipeline, a major pipeline owner and operator responsible for transporting nearly half of transportation fuel to the eastern United States, should be a startling lesson in the vulnerability of critical infrastructure to cyber-risks. Reliable energy supply chains depend on getting cybersecurity right – now, and in the future.

Like it or not, governments and businesses must adjust to a continually escalating threat landscape. As governments contend with the geopolitics of cyberattacks, we can expect many will explore new regulations, expanded cooperation between governments and the private sector, and enhanced technological protections for critical infrastructure. Yet oil and gas executives cannot wait on government to forge ahead with the daunting task of reducing cyber-risk across their expansive and complex organizations.

Intense market pressure continues to drive a digital revolution in the oil and gas sector. The COVID-19 pandemic added a surge of remote work arrangements to the growing wave of digitized, networked systems that maximize efficiencies and minimize emissions. The clear competitive advantages of digital assets mean the digital revolution will continue. More and more of the industrial processes crucial to the oil and gas sector will rely on networked, digitally controlled equipment. Yet the very nature of digitized equipment brings increased cyber-risk. The same tools that help oil and gas infrastructure run efficiently and support remote operation are potential points of exposure for cyberattacks.

In part because of the expanded and altered attack surface offered by digitized equipment, the frequency and sophistication of attacks continue to rise, and their focus has shifted. Where past attacks focused on information technologies (IT), attacks on operating technologies (OT) are now common.

This threat environment is the new normal for oil and gas infrastructure. Whether attackers are criminals motivated by financial gain or nation-state actors playing geopolitics, digitized oil and gas infrastructure makes a tempting target. Board members – and the information security officers they hold accountable – should be preparing for frequent, sophisticated attacks to be an ongoing operational risk.

Even for industry leaders keenly aware of the risks and trends facing the oil and gas industry, building robust cybersecurity can be a daunting challenge.

The World Economic Forum White Paper Cyber Resilience in the Oil and Gas Industry: Playbook for Boards and Corporate Officers provides a new blueprint to secure critical infrastructure. It is a guide to help oil and gas industry leaders address cyber-risk and implement key recommendations within their organizations, as well as to champion standards across the energy ecosystem. The playbook is the result of discussions and collaboration within the World Economic Forum community of oil and gas industry partners, including Siemens Energy and Saudi Aramco.

A new World Economic Forum White Paper outlines specific provisions for oil and gas cybersecurity Image: World Economic Forum

The WEF working group combined experiences to develop a set of six industry-specific principles to help boards at oil and gas companies govern cyber-risks and strengthen their organization’s cyber-resilience:

1. Cyber-resilience governance

Cybersecurity efforts count on broad participation within an organization. Aligning efforts and setting clear accountability are fundamental to success.

2. Resilience by design

Including cybersecurity as a design parameter and as part of corporate culture helps improve outcomes.

3. Corporate responsibility for resilience

Recognizing that sophisticated, frequent threats are likely to continue or escalate, organizations should be examining their cyber-risks, and taking responsibility for managing them.

4. Holistic risk management approach

Like other risks, managing cyber-risks requires a mandate, funds, resources and accountability. In the oil and gas sector, it’s especially important to discover and mitigate risks to all parts of the value chain, so that one weak link doesn’t bring production to a halt.

5. Ecosystem-wide collaboration

Weak links in defences may lie outside of an organization. Intentional efforts to share cyberthreat information and best practices, and to improve cybersecurity maturity across the whole sector, help industry-wide stability.

6. Ecosystem-wide cyber-resilience plans

Recognizing that cyberattacks will continue to occur, building resilience plans helps mitigate damage from those that succeed in whole or in part. Cybersecurity exercises enable defenders to test and improve defenses – including how they will cooperate with other industry partners.

To help board members and corporate officers envision these principles in action, the playbook lays out concrete examples of best practices, along with implementation strategies. The adoption of these principles will support the industry in its efforts to continue delivering safe, affordable and low-carbon energy for decades to come.


Only together can we all build a stable, efficient, reliable oil and gas ecosystem that secures our shared future against ongoing cyberthreats.

License and Republishing

World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.

The views expressed in this article are those of the author alone and not the World Economic Forum.
