Feature November 2025, Vol. 252, No. 11

Cybersecurity in Oil and Gas: Defending Critical Infrastructure from Evolving Digital Threats

By S. TUMA, Spencer Fane LLP, Dallas, Texas (U.S.) 

(P&GJ) — Cybersecurity is challenging, and the odds are stacked against owners/operators from the beginning, requiring defenders to do everything correctly 100% of the time, while attackers only need one lucky shot. Cybersecurity in the oil and gas industry is even more difficult. While cyber criminals are usually motivated by money, the oil and gas sector faces threats not only from financially motivated criminals, but also from nation-state actors, hacktivists and others seeking to disrupt or damage critical infrastructure. 

The Colonial Pipeline cyber incident is only one example of the sector's vulnerability [1]. On May 7, 2021, the DarkSide ransomware group compromised the company's business (IT) network; Colonial Pipeline shut down pipeline operations to contain the attack and keep it from spreading toward the systems that control the pipeline. The pipeline, which carries gasoline and jet fuel mainly to the Southeastern U.S., remained offline while the company responded. On May 8, 2021, the company paid DarkSide a ransom of 75 Bitcoin ($4.4 MM at the time of the transaction) to obtain a decryption tool. Approximately 12,000 gas stations were affected until operations were restored on May 13, 2021. The lesson for operators is that an attacker does not need to reach the control systems directly: a ransomware infection on the corporate side can be enough to take an entire pipeline out of service.

Cyber criminals will try to disrupt operations through ransomware attacks, steal sensitive operational data and threaten to publish confidential information if ransom demands are not met. Smaller- and mid-size oil and gas companies are as much of a target as industry giants because attackers know these companies usually have fewer resources for cyber defense, yet their operations are often interconnected with larger players in the industry. 

Even worse, cybersecurity is not a static problem that can be fixed, like a technical glitch such as Y2K; instead, it is more like warfare, where an active adversary is continuously attacking. Each time new defenses are implemented, the attackers counter by adapting, changing tactics and finding other ways to circumvent those defenses. This is particularly critical in oil and gas operations where a successful attack could lead to environmental disasters, safety incidents or the disruption of essential energy supplies. 

Reality, not a feel-good message. Unfortunately, this article does not present a pleasant "feel good" message. The reality is that the only way to fulfill responsibilities to stakeholders, employees and the communities served is to have a realistic understanding of the challenges. That said, there are many things that can be done to make oil and gas companies much more difficult and resilient targets.

As breach counsel, the author has offered advice on thousands of cyber incidents and hundreds of ransomware attacks. Serving in that detached role and seeing the overall process from a neutral, strategic perspective has revealed several things that organizations could have done differently to avoid those situations. These observations are particularly relevant for the oil and gas sector, where operational technology (OT) and information technology (IT) systems are increasingly interconnected. 

Threat actors are continuously adapting and changing their tactics. The only way to defend critical energy infrastructure is to implement an ongoing cybersecurity process that evolves and matures along with the threat actors. Elements of that ongoing process include:

  • Conduct risk assessments: Every organization's risks are unique and depend on many factors. Because you cannot protect against what you do not know, you must understand your own risks, not only from a technical standpoint but also from an operational safety and environmental perspective. This risk assessment is essential for prioritizing mitigation efforts. 
  • Know your data: Your objective includes protecting operational data and intellectual property. This means you must know what sensitive data you have and where it lives, and you must not collect or retain more than is needed. When data is no longer needed, securely archive or dispose of it.  
  • Reduce data availability: If you want to reduce risk, reduce the data available to threat actors. Data that has been disposed of cannot be stolen, encrypted or held for ransom. The same principle applies to employee data and other forms of sensitive operational information. 
  • Know the law: Cybersecurity, and especially compliance, is a legal issue that requires a thorough understanding of the laws and regulations that apply to your organization, including environmental and safety regulations. Do not forget contracts: many organizations have far more obligations imposed on them through their contracts than through any other source. 
  • Know your service providers: Your organizational risk assessment should include the third parties you rely on for services or that have access to your operational systems. As the Colonial Pipeline attack showed, a successful attack on a single operator in the energy supply chain can halt supply to many downstream organizations and regions. What service providers does your organization depend on, and how will you continue to operate if something happens to them? 

Cyber risk is an overall organizational risk, not just an IT risk. Organizations must take a team-oriented approach to managing cyber risk, both internally and externally (with the partners you rely on now or will rely on when you have an incident). Your team's different perspectives are invaluable.  

At a minimum, no matter the size of the organization, the risk team should include members (internal or external) who focus on information security, operational technology security, industrial control systems, legal compliance, environmental health and safety, audit, operations, human resources and communications. 

For smaller organizations, one person may wear many hats in an attempt to fill several of those roles, but every organization must have access to external partners with specific expertise who can fill the gaps that inevitably appear. 


LITERATURE CITED 

[1] U.S. Department of Energy (DOE), "Colonial Pipeline cyber incident," online: https://www.energy.gov/ceser/colonial-pipeline-cyber-incident#:~:text=On%20May%207%2C%202021%2C%20the,to%20mitigate%20impacts%20to%20consumers 


About the Author 

SHAWN TUMA is a partner at Spencer Fane LLP in the firm's Plano, Texas, office. He helps businesses protect their information and protect themselves from their information, representing a wide range of clients, from small to midsize companies to Fortune 100 companies, across the U.S. and globally in dealing with cybersecurity, data privacy, data breach and incident response, regulatory compliance, computer fraud related legal issues and cyber-related litigation. He can be reached at stuma@spencerfane.com.