Introduction
The oil and gas sector has long been a primary target for state-sponsored threat actors and purpose-driven adversaries alike. As the backbone of global energy supply, a disruption to oil and gas operations can jeopardize national economies, public welfare, and the downstream industries that depend on it (such as electricity generation, transportation, water treatment, and telecommunications).
Nation-State Actors and the Oil & Gas Sector
As the world’s most critical energy supply chain, a disruption to oil and gas operations can jeopardize national economies, public welfare, and the downstream industries that depend on it — electricity generation, transportation, water treatment, and telecommunications among them.
The Middle East, the world’s largest crude oil exporting region, has been a focal point for nation-state cyberattacks since at least 2010. The pattern is well-documented. Stuxnet — the first known malware capable of targeting ICS devices — was deployed against Iran’s nuclear facilities. Flame was used for targeted espionage across Middle Eastern countries.
Shamoon, deployed against Saudi Aramco in 2012, incapacitated over 30,000 workstations for a week. Triton, discovered in 2017, marked an unprecedented escalation: the first known direct assault on a Safety Instrumented System (SIS), the failsafe layer that keeps industrial processes within safe operating parameters. A successful compromise of an SIS goes beyond operational disruption and removes the last line of defense against physical damage, injury, and environmental harm.
By 2023, the tactics had shifted. The Volt Typhoon group — widely attributed to state sponsorship — moved away from high-profile destructive malware toward quiet, long-term persistence. Rather than attacking critical infrastructure directly, Volt Typhoon compromised low-profile SOHO edge devices and used them as relay points to infiltrate internal networks, maintaining covert access for up to two years undetected. The objective was not immediate disruption but positioning — establishing footholds that could be activated during a future conflict or crisis.
The implication for oil and gas operators is significant. The threat is not limited to opportunistic ransomware actors. Nation-state adversaries are conducting reconnaissance and pre-positioning inside OT environments now, with the patience to wait for the right moment to act. As the sector continues to digitalize — expanding connectivity across upstream rigs, midstream pipelines, and downstream refineries — the attack surface grows, and so does the strategic value of these systems as targets.

Figure 1: Cyberattack Incidents in the Critical Infrastructure Sector
Legacy Assets
Historical incidents targeting Industrial Control Systems (ICS) serve as stark reminders of the vulnerabilities these systems possess. Once attackers breach the control network, they can easily exploit inherent service vulnerabilities to escalate their attacks. Ransomware continues to plague various industries, often proliferating by exploiting known 1-day vulnerabilities. Notorious variants like Bad Rabbit, LockerGoga, REvil, Ryuk, and WannaCry predominantly propagated through the SMB (Server Message Block) service. Many oil and gas facilities, built decades ago, epitomize the looming threats posed by these legacy assets.
Beyond ransomware, programmable assets common in digital OT environments present their own risks. These assets — defined by their capability to autonomously execute physical operations based on compiled programs — are tempting targets for malicious actors, given their ability to directly impact the physical realm.
- PLC (Programmable Logic Controllers): Both open-source and proprietary service vulnerabilities offer potential gateways to directly manipulate PLCs.
- CNC (Computer Numerical Control): Remote interaction services coupled with legacy Windows systems may grant attackers unmediated control over CNC machines.
- Industrial Robots: Assailable services and legacy components can potentially allow attackers to take over robot controllers directly, leading to manufacturing defects or physical harm to operators.
Even contemporary installations are not immune. An exploit executed against a fully patched Windows Server 2022 through an MS-RPC (Microsoft Remote Procedure Call) vulnerability demonstrated that attacks analogous to Stuxnet remain feasible today.
Repelling Threats Against the Oil and Gas Industry

Figure 2: Attack Path to Control Network
Initial Access
Initial access techniques give attackers entry points into ICS environments, targeting OT assets, IT resources in OT networks, remote services, and privileged third parties such as suppliers, maintenance crews, and external integrators.
- Low Earth Orbit (LEO) Terminal: Many terminal devices inherently possess Ethernet-level vulnerabilities — hardcoded credentials and backdoor entry points among them. Asset owners should evaluate their network exposure and implement effective network segmentation. It’s advisable to restrict specific traffic patterns to mitigate low-speed wireless RF hijacking. As a longer-term solution, QPEP technology — an open-source encrypted hybrid of PEP/VPN — can encrypt satellite traffic without ISP involvement.
- OPC: OPC UA products vary widely in how precisely they implement security features, particularly around trust list enforcement. Choosing products with verified security implementations and employing a DMZ structure with external firewalls can defend against a range of unknown attacks.
- SOHO: SOHO devices sitting at network perimeters are frequently under-secured and running outdated firmware. Ensure these devices have advanced security features enabled, monitor continuously for security patches, and limit connection permissions.
Lateral Movement
Once inside a control network, attackers will attempt to expand their reach. Three strategies can limit this:
- Lock Down: Establish trust lists for endpoints and networks, allowing only listed programs or traffic to function.
- Segment: Network segmentation for unrelated areas prevents attackers from moving laterally after initial access.
- Reinforce: Protect assets at the network level, rendering vulnerabilities in legacy and unpatched devices remotely inaccessible without disrupting continuous operations.
Impair and Impact
The impair and impact phase involves adversaries tampering with active procedures, control logic, or reporting mechanisms. Disruptions may initially go undetected but eventually manifest in the product or surrounding environment, endangering operators and downstream users.
- Network Segmentation and Advanced Analysis: Segment operational assets by functional role. This limits blast radius so that a breach in one zone cannot move freely into adjacent systems handling more critical functions. Prioritize stringent isolation for critical control and operational data, and monitor ICS management protocols for anomalies, unexpected parameter modifications, or deviations from baseline behavior.
- Authorization for Execution: Restrict program modifications on all field controllers to specific authorized users such as engineers or field technicians, ideally through role-based access control.
- CPS Asset Detection and Response: Enhance anomaly detection for endpoint operational behaviors. Implement operational lockdown to ensure integrity, minimize downtime, and reduce service interruptions. This is particularly valuable for non-patchable systems. Strengthen controls around portable media such as USB devices to prevent unauthorized access.
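The trust list, role-based authorization for program changes, and baseline monitoring described under Lateral Movement and Impair and Impact can be combined into one evaluation step. The following is an added illustration, not TXOne code or part of the whitepaper: host names, users, the operating envelope, and the sample events are constructed assumptions.

```python
"""Trust-list plus baseline checks over parsed ICS management events.

Added example (not TXOne code). Hosts, users, setpoint ranges and the
sample events below are constructed; real deployments would feed parsed
protocol records from a network sensor into evaluate().
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Event:
    src: str                      # source host on the control network
    dst: str                      # field controller addressed
    op: str                       # "read", "write_param" or "program_download"
    user: str                     # user carried by the management protocol
    value: Optional[float] = None  # new setpoint for write_param events


# "Lock Down": only listed (source, controller, operation) tuples may pass.
TRUST_LIST = {
    ("hmi-01", "plc-compressor-3", "read"),
    ("hmi-01", "plc-compressor-3", "write_param"),
    ("eng-ws-02", "plc-compressor-3", "program_download"),
}
# "Authorization for Execution": roles permitted to change controller logic.
PROGRAM_CHANGE_ROLES = {"engineer": {"alice"}, "field_tech": {"bob"}}
# Baseline operating envelope per controller (constructed values).
SETPOINT_RANGE = {"plc-compressor-3": (20.0, 80.0)}


def authorized_for_program_change(user: str) -> bool:
    return any(user in members for members in PROGRAM_CHANGE_ROLES.values())


def evaluate(event: Event) -> List[str]:
    """Return alert reasons; an empty list means the event is within baseline."""
    alerts = []
    if (event.src, event.dst, event.op) not in TRUST_LIST:
        alerts.append("not in trust list")
    if event.op == "program_download" and not authorized_for_program_change(event.user):
        alerts.append("program change by unauthorized user")
    if event.op == "write_param" and event.value is not None:
        lo, hi = SETPOINT_RANGE.get(event.dst, (float("-inf"), float("inf")))
        if not lo <= event.value <= hi:
            alerts.append("setpoint outside baseline envelope")
    return alerts


def triage(events: List[Event]) -> List[tuple]:
    """Keep only events that raised at least one alert, with their reasons."""
    return [(e, reasons) for e in events if (reasons := evaluate(e))]
```

An event that fails the trust list and the setpoint envelope at the same time returns both reasons, so triage can rank multi-signal events first.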
Conclusion
The threat to oil and gas infrastructure is not hypothetical, and it is not new. Nation-state actors have been targeting this sector for over a decade: quietly, patiently, and with intent. Every new digital connection across upstream rigs, midstream pipelines, and downstream refineries is another potential entry point, and OT environments were not built with that reality in mind.
The stakes extend beyond the facility fence. Oil and gas infrastructure feeds electricity grids, transportation networks, water systems, and communications. A disruption does not stay contained. Operators are protecting more than their own systems; they are protecting the critical infrastructure that runs their countries’ daily lives. Lock down trust lists, segment networks, strengthen access controls, and monitor for anomalies. Start with visibility and follow up with prevention.
Note: This piece is an updated and condensed version of TXOne’s 2023 whitepaper, Oil and Gas: A Comprehensive Analysis of Offensives Against Perimeter Devices, distilled to surface the most operationally relevant guidance for those seeking to strengthen their cybersecurity posture in the current environment. For the full technical analysis — including in-depth asset vulnerability tables, Open Platform Communications Unified Architecture (OPC UA) security research, and Small Office/Home Office (SOHO) device exploit demonstrations — fill out the form and download the resource.