Cybersecurity in the midstream oil & gas sector

Nov. 6, 2020
How the industry struggles to bridge the gap between awareness and action

The U.S. midstream oil and gas sector employs tens of thousands of people who collectively manage millions of miles of pipelines, countless terminals, and a vast array of hardware, software, and data management and communication tools. Each of these connection points — between people, technology, and equipment — represents a potential point of entry for cybercriminals, hackers, terrorists, shadow foreign government actors, and other threat actors.

In 2018, to help participants in the maritime industry better understand the risks they face, Jones Walker LLP surveyed maritime stakeholders and reported on that industry’s cybersecurity preparedness. Two years later, looking further down the nation’s literal energy pipeline, we turned our attention to midstream oil and gas companies, which together play a critical role in the U.S. energy infrastructure. We compiled what we learned in a new report that we believe will be of great utility to those operating in the midstream space.

Because the geographic and technological diversity of this sector presents significant cybersecurity challenges, our 2020 investigation had two principal goals. First, we wanted to establish an informed picture of the current state of cybersecurity preparedness and identify key weaknesses in the midstream space. Second, we sought to develop a clear, actionable set of breach-prevention and response strategies that take advantage of existing, practical, and affordable options available to companies during the current global economic downturn.

Pressure on Multiple Fronts

To fully reckon with any challenge, it must be understood within its broader context. Even before COVID-19 emerged late last year, midstream oil and gas companies were experiencing downward price pressures as a result of overproduction, price wars between OPEC+ member countries, and shifting consumer and industry demand. Since March 2020, as entire economies and the businesses and individuals they comprise have closed down and increasingly turned to remote work to slow the spread of infection, fuel needs have in turn decreased and further dampened commodity prices.

The sudden spike of remote-work arrangements due to the global pandemic has brought with it an increased reliance on autonomous systems to manage pipeline operations. The speed with which some companies have had to adjust to these new working conditions has further contributed to a more opportunistic environment for threat actors to initiate cyber attacks.

Such attacks can take any number of forms, including ransomware, phishing leading to denial-of-service, and outright theft, but they typically lead to predictable results: loss of control of confidential and proprietary data, negative impacts on the ability to conduct business as usual, a consequential decline in customer confidence, law-enforcement investigations, and even physical damage to facilities. Many reports suggest that a modern data breach can cause a victim to suffer a seven- or eight-figure loss.

Businesses, accordingly, should adopt cost-effective and proactive measures to improve their cybersecurity readiness and infrastructure. We believe it is especially important that companies address their cybersecurity readiness during the current economic slowdown. Cyber threats are increasing, so remaining vulnerable is simply not an option.

Cybersecurity Status of the Midstream Sector

To help midstream companies better understand their own cybersecurity landscape and make effective decisions, we surveyed 125 key executives, security and compliance officers, and general counsel from companies of all sizes and with operations and interests across this diverse sector.

Among our major findings, a key theme stood out: There are significant gaps between what respondents report knowing about cyber threats and what they are doing to prevent or prepare for them.

For example:

  • Although more than two-thirds of respondents said that their own companies and the industry as a whole were prepared for a cyber breach, 40% reported that their company had been targeted in an attack. Almost one-third of this latter group had experienced a successful breach.
  • Respondents perceived certain threats — including, for example, employee or third-party contractor behavior — as among top cybersecurity risks, yet only about one-third of companies reported providing cybersecurity training to their personnel at least once per year or more often. Even more striking, one-third of respondents reported that their companies provided no cybersecurity training at all. 
  • Nine out of 10 respondents indicated that their companies had a strategic plan and, of these, 97% said that cybersecurity was included as part of that plan or was the focus of a separate, stand-alone plan. However, a full 60% of respondents also said that their company had no dedicated cybersecurity leadership and had no plans to create such a position.
  • While many respondents recognized the presence of common, sector-wide threats, only 10% indicated that their companies participated in collaborative industry initiatives or public-private partnerships designed to share threat assessment, avoidance, and response information and best practices.

If there is one overarching takeaway from our findings, it is that executives and leaders at midstream companies must increase their efforts to bridge the gap between cybersecurity awareness and preventative action.

Bridging the Gap

In developing our list of best practices that can help midstream oil and gas companies increase their preparedness, protection, and response capabilities, we focused on the most practical options that offered the highest return at the lowest cost. We recognize that current economic challenges do not support pie-in-the-sky, unlimited-budget solutions. For many midstream companies, taking action cannot compromise business viability, but failing to take action could well be a bet-the-company proposition that most executives and leaders should not be willing to consider.

 The following are some of the best practices we identified:

  • Draw on reputable sources to identify potential threats. Self-assessments are notoriously subjective. Independent, outside consultants can help companies take a clear-eyed look at their unique threat landscape, identify top threat actors and vulnerabilities, test cybersecurity systems and protocols, and develop effective prevention and response programs.
  • Establish a cybersecurity team. Businesses that do not currently have designated cybersecurity leadership should consider appointing someone with the requisite knowledge and experience to lead the internal effort. Don’t stop there. An effective cybersecurity team should include knowledgeable outside professionals such as legal counsel, hardware and software vendors, public-relations experts, and insurance representatives, to name a few likely candidates.
  • Practice, practice, and practice again. Every company should have an incident response plan (IRP) based on a solid framework such as the one developed by the National Institute of Standards and Technology (NIST). Once the plan has been drafted, it should not be filed away in a drawer where it is no more effective than a four-leaf clover. Rather, the cybersecurity team should test, review, and update the IRP frequently.
  • Deploy high-value solutions. The most expensive solutions are not necessarily the most effective. Relatively straightforward tactics, such as encryption, cybersecurity training, and acquisition of cyber-breach insurance, can go a long way toward preventing, sustaining, and recovering from a cyber attack.
  • Take maximum advantage of shared knowledge and best practices. Industry consortia, public-private partnerships, and many federal and state initiatives have been developed to help companies stay informed about emerging threats and to share techniques and strategies for increasing cybersecurity. Any reservation about collaborating with competitors — particularly when it comes to reducing cyber threats — should be set aside in the face of common cyber-threat enemies.

In the modern economy, technology is a given. When economies are expanding, technological improvements help drive that growth. When economies are shrinking, technological adaptations can help stem potential losses.

But technology is not an unmitigated positive. Recent history has confirmed that the more businesses have come to rely on technology, the more vulnerable they have become to many of the world’s most sophisticated criminals, crime syndicates, and other threat actors. To push back against these threats and to help protect the nation’s critical energy infrastructure, midstream oil and gas companies must act to protect their physical assets, their proprietary data, and their customers.  

About the authors:

Andy Lee is a partner in Jones Walker LLP's Litigation Practice Group. He maintains an active national appellate and trial practice focused on business and commercial disputes; corporate, securities, and banking litigation; and fiduciary and officer liability litigation. As a member of the corporate compliance and white-collar defense group, Andy chairs the firm’s privacy and data security team and holds the CIPP/US designation from the International Association of Privacy Professionals.

Ewaen Woghiren is an associate on Jones Walker LLP's energy and natural resources litigation team. Ewaen represents clients in the midstream and upstream energy industry in both state and federal courts. He has experience litigating matters that arise from a broad range of disputes involving oil and gas liens, joint operating agreements, purchase and sale agreements, leases, and compliance with Environmental Protection Agency regulations. Over the course of his career, Ewaen has prosecuted and defended a diverse docket that includes construction defect, oil and gas lease disputes, business divorces, business torts, and products liability. Ewaen is a member of the firm’s privacy and data security team.