The energy sector is no stranger to a cyber attack. For many American families and businesses, the most personally disruptive incident in recent memory came in May 2021 with the ransomware attack that shut down the Colonial Pipeline, a major U.S. oil and gas pipeline responsible for supplying nearly half of the East Coast’s petroleum.
With industrial device connections expected to reach 37 billion by 2025, digitization is rapidly transforming the oil and gas industry from a commodity-based business run on analogue equipment into an automated, remote-controlled and artificial intelligence (AI)-driven industry that makes risk-based decisions with internet-like speed. This rapid pace of digitalization comes at a cost, however; as oil and gas companies digitize operations, they simultaneously expose their companies to cyber risks.
Malicious actors increasingly view the energy industry as a ripe target to launch cyberattacks for financial, criminal or geopolitical gain. Recent studies from IBM indicate, the volume of attacks against operational technology-connected assets increased over 20 times from 2018 to 2019. Further studies from the IBM Security and Ponemon Institute show the average energy sector data-breach cost has risen more than 13% since 2019, to $6.39 million – a higher cost than the global average of $3.86 million.
To prepare for the new normal of more frequent and sophisticated cyber attacks on energy and critical infrastructure, energy sector CEOs and corporate board members must take the best practices and key lessons learned from a decade of both successfully addressing – and learning from – the failures of addressing cyber risk.
The World Economic Forum (WEF) boils down current best practices principles in a useful publication titled Cyber Resilience in the Oil and Gas Industry: Playbook for Boards and Corporate Officers. Oil and gas industry leaders looking to address cyber attack risks will find guidance on how to implement key recommendations within their organizations and how to level up security practices throughout the value chain and the broader energy ecosystem.
The WEF’s six cyber resilience principles for oil and gas infrastructure are drawn from the shared real-world experience of leading companies in the oil and gas sector, to include:
- Cyber resilience governance – Cybersecurity efforts count on broad participation within an organization. Aligning efforts and setting clear accountability are fundamental to success.
- Resilience by design – Including cybersecurity as a design parameter and as part of corporate culture helps improve outcomes.
- Corporate responsibility for resilience – Recognizing that sophisticated, frequent threats are likely to continue or escalate, organizations should be examining their cyber risks, and taking responsibility for managing those risks.
- Holistic risk management approach – As with other risks, managing a cyber attack requires a mandate, funds, resources and accountability. In the oil and gas sector, it’s especially important to discover and mitigate risks to all parts of the value chain, so that one weak link doesn’t bring production to a halt.
- Ecosystem-wide collaboration – Weak links in defenses may lie outside of an organization. Intentional efforts to share cyber threat information, use best practices and improve cybersecurity maturity across the whole sector help industry-wide stability.
- Ecosystem-wide cyber resilience plans – Recognizing that a cyber attack could continue to occur, organizations should build resilience plans to help mitigate damage from those that succeed in whole or in part. Cybersecurity exercises enable defenders to test and improve defenses – including how they will cooperate with other industry partners.
Oil and gas sector leaders will need to build cyber resilience into their organizations and partnerships to continue providing reliable, timely fuel deliveries to their customers in a future full of cyber threats.
For more information on protecting your business from a cyber attack, explore more cyber topics on our blog or contact INSURICA today.
This is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel or an insurance professional for appropriate advice. © 2022 Zywave, Inc. All rights reserved.
About the Author
Share This Story
Related Blogs
OSHA Announces Top 10 Violations for 2025
OSHA recently revealed its top 10 most frequently cited standards in the 2025 fiscal year using preliminary data. This information is valuable for businesses of all kinds, as it helps them identify common exposures that affect their workforce and gives them the information they need to plan their compliance programs.
Cyber Hygiene for Schools: Teaching Digital Safety to Students
Cyber hygiene for schools is more important than ever in today’s digital learning environment. Teaching digital safety to students not only protects their personal information but also strengthens overall school cybersecurity. With increasing online access in classrooms, cyber hygiene for schools must become a routine part of curriculum planning and student behavior expectations.
Mental Health Benefits Go Mainstream: What Employers Need to Know
Once considered a niche offering or a reactive add-on, mental health benefits have now moved to the center of the employee experience. In 2025, nearly half of U.S. employers offer some form of mental health support beyond traditional EAPs—a sharp rise from just 30% in 2023. This shift isn’t just cultural; it’s strategic.