The energy sector is no stranger to a cyber attack. For many American families and businesses, the most personally disruptive incident in recent memory came in May 2021 with the ransomware attack that shut down the Colonial Pipeline, a major U.S. oil and gas pipeline responsible for supplying nearly half of the East Coast's petroleum.

With industrial device connections expected to reach 37 billion by 2025, digitization is rapidly transforming the oil and gas industry from a commodity-based business run on analogue equipment into an automated, remote-controlled and artificial intelligence (AI)-driven industry that makes risk-based decisions with internet-like speed. This rapid pace of digitalization comes at a cost, however; as oil and gas companies digitize operations, they simultaneously expose their companies to cyber risks.

Malicious actors increasingly view the energy industry as a ripe target to launch cyberattacks for financial, criminal or geopolitical gain. Recent studies from IBM indicate, the volume of attacks against operational technology-connected assets increased over 20 times from 2018 to 2019. Further studies from the IBM Security and Ponemon Institute show the average energy sector data-breach cost has risen more than 13% since 2019, to $6.39 million – a higher cost than the global average of $3.86 million.

To prepare for the new normal of more frequent and sophisticated cyber attacks on energy and critical infrastructure, energy sector CEOs and corporate board members must take the best practices and key lessons learned from a decade of both successfully addressing – and learning from – the failures of addressing cyber risk.

The World Economic Forum (WEF) boils down current best practices principles in a useful publication titled Cyber Resilience in the Oil and Gas Industry: Playbook for Boards and Corporate Officers. Oil and gas industry leaders looking to address cyber attack risks will find guidance on how to implement key recommendations within their organizations and how to level up security practices throughout the value chain and the broader energy ecosystem.

The WEF's six cyber resilience principles for oil and gas infrastructure are drawn from the shared real-world experience of leading companies in the oil and gas sector, to include:

  1. Cyber resilience governance – Cybersecurity efforts count on broad participation within an organization. Aligning efforts and setting clear accountability are fundamental to success.
  2. Resilience by design – Including cybersecurity as a design parameter and as part of corporate culture helps improve outcomes.
  3. Corporate responsibility for resilience – Recognizing that sophisticated, frequent threats are likely to continue or escalate, organizations should be examining their cyber risks, and taking responsibility for managing those risks.
  4. Holistic risk management approach – As with other risks, managing a cyber attack requires a mandate, funds, resources and accountability. In the oil and gas sector, it's especially important to discover and mitigate risks to all parts of the value chain, so that one weak link doesn't bring production to a halt.
  5. Ecosystem-wide collaboration – Weak links in defenses may lie outside of an organization. Intentional efforts to share cyber threat information, use best practices and improve cybersecurity maturity across the whole sector help industry-wide stability.
  6. Ecosystem-wide cyber resilience plans – Recognizing that a cyber attack could continue to occur, organizations should build resilience plans to help mitigate damage from those that succeed in whole or in part. Cybersecurity exercises enable defenders to test and improve defenses – including how they will cooperate with other industry partners.

Oil and gas sector leaders will need to build cyber resilience into their organizations and partnerships to continue providing reliable, timely fuel deliveries to their customers in a future full of cyber threats.

For more information on protecting your business from a cyber attack, explore more cyber topics on our blog or contact INSURICA today.

This is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel or an insurance professional for appropriate advice. © 2022 Zywave, Inc. All rights reserved.

About the Author

Adam Ewing
Adam Ewing
INSURICA Content and Web Specialist

Share This Story

Stay Updated

Subscribe to the INSURICA blog and receive the latest news direct to your inbox.

Related Blogs

Making an Acquisition? Why the EMOD Shouldn’t Be Overlooked

August 18th, 2025|Blog, Construction, southwest, Trending|

When acquiring another company, there’s no shortage of factors to consider. From valuing physical assets to estimating potential synergies, the due diligence process can be complex. However, one critical element often overlooked is the EMOD.

2026 Employer Mandate Update

August 14th, 2025|Blog, Employee Benefits, Trending|

In July 2025, the IRS released new guidance increasing both the affordability percentage and penalty amounts under the Affordable Care Act’s employer mandate for the 2026 plan year. These changes will affect how Applicable Large Employers (ALEs) determine affordability and assess compliance risk moving into the next benefits cycle.

Facility Rental: Best Practices for Non-School Use

August 13th, 2025|Blog, Education|

As community hubs, school districts often open their doors to outside organizations for events, activities, and gatherings. This facility rental for non-school use can benefit the community, but it also comes with potential risks. School administrators must take proactive steps to protect district property, reduce liability exposure, and ensure compliance with state laws.

Go to Top