Strengthening cybersecurity in the oil and gas industry

The oil and gas industry uses a range of complex systems and interconnected technologies to extract, transport and refine oil and gas products. While these these technologies are necessary to support the delivery of energy services and products, they are increasingly vulnerable to cyberattacks thus making cybersecurity critical to collective resilience.

The World Economic Forum's Centre for Cybersecurity launched in 2020 the Cyber Resilience in Oil and Gas initiative as part of its efforts to strengthen cybersecurity across multiple industries. The initiative comprises of a community of over 40 public and private organizations working together to drive forward collective action on cyber resilience.

One of the key initiatives of the community is the Cyber Resilience Pledge. A first-of-its-kind, the pledge is endorsed by 21 oil and gas chief executives committed to taking a common approach to cyber resilience and protecting digital infrastructure and assets in the sector.

Pledge endorsers include Aker, Check Point Software Technologies, Claroty, Cognite, Dragos, Ecopetrol, Eni, EnQuest, Galp, Global Resilience Federation, Institute for Security and Safety (ISS), KnowBe4, Maire Tecnimont, Occidental, OT-ISAC, PETRONAS, Repsol, Shell, Saudi Aramco, Schneider Electric and Suncor Energy.

By signing the Cyber Resilience Pledge, all parties endorsed the cyber resilience principles to guide leadership and board members through the process of cultivating a cyber-aware and resilient corporate culture.

The oil and gas industry powers the global economy and is vital to national security. For this reason, protecting this part of the critical infrastructure is fundamental for maintaining the security of people and stability of societies.

With a heavy reliance on technology and information systems to operate, a successful cyberattack against an oil and gas company could have serious consequences, such as operational disruptions, economic losses, reputation damage and even environmental harm.

To illustrate, an attack against a major US pipeline system in 2021 not only resulted in the disruption of operations and financial losses for the company, but also had a cascading effect on other industries. For example, the aviation sector saw disruptions due to jet fuel shortages, and the fear of a gasoline crisis caused panic buying, which in turn led to price spikes at gas stations across the US.

Additionally, during times of geopolitical conflict, the oil and gas sector, as the owner and operator of critical infrastructure, is a target for nation-state actors, hacktivists, and other attackers motivated by political, economic, or strategic interests. For example, prior to the Ukraine crisis, at least 21 gas producers in the US experienced cyberattacks targeting the production, exportation and distribution of liquified natural gas.

The Cyber Resilience in Oil and Gas initiative is a programme that brings together a multistakeholder community of more than 100 senior executives and practitioners from the oil and gas and ICT industries. By involving a diverse group of stakeholders from multiple industries, the initiative aims to foster collaboration and information sharing.

The Cyber Resilience Pledge was launched at the Annual Meeting in Davos in 2022. It is based on six guiding principles for cyber resilience that are specific to the oil and gas industry. These principles are designed to help boards of directors take action on cybersecurity within their organizations.

In addition to the Cyber Resilience Pledge, the initiative has also developed several other resources and tools. One of these is a harmonized and streamlined approach for managing third-party cyber risks. With the increasing use of third-party vendors and service providers in the oil and gas industry, managing these risks has become a critical issue. The initiative has provided a framework for companies to assess and mitigate these risks in order to help them ensure the protection of their digital infrastructure and assets.

Another key area of focus is the zero-trust model in cybersecurity which has been subject to a lot of confusion and misunderstanding. To develop a shared understanding of the security model, the community has outlined a set of guiding principles for its successful implementation, providing a valuable resource for companies looking to improve their cybersecurity readiness.

The initiative has also launched a guidebook to help organizations and their cyber leaders along a cyber secure and resilient energy transition journey. This guidebook is intended to support executives manage the energy transition while embedding cybersecurity and resilience into corporate processes and in the design of green technologies.

The Cyber Resilience in Oil and Gas initiative is led by the Forum’s Centre for Cybersecurity and Centre for Energy and Materials.

Organizations are invited join this initiative and bring their expertise to collaborate and strengthen the cyber resilience of the global oil and gas infrastructure.