Digital Exclusive: How to build cyber resilience in the oil and gas supply chain
Author: T. OWEN, VikingCloud
Society’s dependence on the oil and gas supply chain is well-documented. However, this reliance has given rise to concerning new trends in cyber threats—vital businesses along that chain must be more vigilant than ever about their security postures.
High-profile cyberattacks in recent years, such as the Colonial Pipeline ransomware incident in 2021 (learn more), have brought the costs and impacts of digital terrorism on the global supply chain into public focus. Now is not the time for business owners to rest on their laurels.
The rising threat: Why oil and gas supply chains are under attack. The continued evolution of cyberattacks [e.g., via generative artificial intelligence (GenAI) threats, which affect up to 97% of companies] is just one reason energy supply chain attacks appear to be escalating.1
A core, more worrisome reason for the rise of ransomware in the industry, for example, is the criticality of oil and gas supply. Disruption via cyberattacks can affect global economies and even impact everyday health: criminals know they can extort such critical businesses by holding them ransom.
Additionally, the ongoing digital transformation in the industry—while necessary in the name of efficiency—opens up more opportunities for sophisticated attack vectors. By adopting new technologies, companies on the chain open the doors to new hacking opportunities.
Unique cybersecurity challenges in oil and gas supply chains. Typical challenges oil and gas supply chains face include third-party security risks (discussed in more detail below), Internet of Things (IoT) exploitation, and operational technology (OT) and industrial control system (ICS) weaknesses.
Many companies on the supply chain rely on IoT devices to monitor pipeline product and safety, and to ensure equipment is running efficiently (FIG. 1). These devices communicate with each other and deliver in-depth reports that would otherwise take extensive human hours to reconcile.
However, IoT reliance poses a large cybersecurity risk. Criminals target the IoT by brute-forcing passwords and exploiting network weaknesses: worrying research suggests that malware attacks through these devices are increasing by up to 400%, year on year.2
FIG. 1. Cyberattacks can reduce visibility over critical components and safety measures, therefore putting people at risk.
Beyond this, supply chain firms rely on OT networking and control systems to ensure processes remain stable; however, hackers often target these assets purely to disrupt day-to-day operations.
Disrupting control systems in such a way not only poses service and product delivery challenges, but may also pose health risks. Cyberattacks can reduce visibility over critical components and safety measures, therefore putting people at risk.
Third-party risk: Strengthening the weakest link. Many hackers target smaller third parties involved with gas and oil distribution and management, because vendors and suppliers with security weaknesses can allow easy access to everyone on the chain.
It has been discovered that > 40% of energy sector breaches occurred in connection with third-party vendor weaknesses.3 They are, in the broader chain, the weakest links—mainly because business operators cannot completely control their security activities.
However, it is still vital for all companies on energy chains to thoroughly vet and audit any vendors or third-party suppliers they choose to work with. Regular auditing, in fact, can also help to ensure ongoing confidence in partnerships.
It is also crucial for businesses in gas and oil supply to establish clear rules on how they expect third parties to manage themselves while in partnerships. No companies should enter into agreements with such parties until they are completely certain that their operations and customers are adequately protected.
In fact, some companies take broader steps to manage the third-party problem by setting up dedicated risk management systems, consisting of service monitoring, penetration testing and open, transparent communication between parties.
Incident response planning for supply chain disruptions. Planning for incident response to supply chain disruptions can vary significantly from one company to another. However, incident response plans (IRPs) give operators a reliable playbook to help them bounce back from cyber threats every time.
All IRPs on the supply chain should start with a robust detection system that accurately identifies threats, and which efficiently reports to human personnel and other assets.
With that in mind, a robust plan should clearly identify who is accountable for specific areas of the company infrastructure, and what protocols are in place for internal and public communications.
Determining accountability helps to build a clear chain of command—e.g., there are various specialists in control of locking down systems, removing malware, contacting the media and alerting third parties elsewhere on the supply chain.
There should, of course, also be resources and tools in place to ensure that decisions are made swiftly to prevent further damage caused by an attack. Are there analytics suites in place to offer real-time breakdowns of damage caused, or from where the threat emerged? Is there a data backup and restoration plan in place to trigger once malware is removed?
Above all, an effective supply chain IRP should be realistic and record both the positives and negatives of incident responses, regardless of the outcomes. These teaching moments can help incrementally improve IRPs as time progresses.
Building a culture of cyber resilience: Proactive security for a predictably unpredictable industry. Cybersecurity in the gas and oil supply chain is complex, and no one company’s needs will be the same as the next. However, the key to preventing and remedying cyber attacks is to be proactive, plan ahead and raise awareness of (and competence in handling) breaches.
Research shows that effective cybersecurity awareness training, in general, can lead to 70% fewer security risks.4 While this is a generalization, it is important for companies reliant on control technology to ensure all personnel both respect and understand the worst-case scenarios that might arise.
Gas and oil supply chain parties should harness technology and cybersecurity planning to build strong preventive walls against evolving threats. However, these walls will be set up in vain if the people behind them fail to act proactively and responsibly.
This industry is notoriously difficult to predict, particularly from a cyber threat perspective, which is all the more reason to prepare and maintain security and personnel for the worst.
LITERATURE CITED
1 VikingCloud, “185 cybersecurity stats and facts for 2025,” February 17, 2025, online: 185 Cybersecurity Stats and Facts for 2025.
2 Mascellino, A., “IoT device traffic up 19% as malware attacks surge,” Infosecurity Magazine, November 25, 2024, online: IoT Device Traffic Up 18% as Malware Attacks Surge 400% - Infosecurity Magazine.
3 Chapman, T., “Why U.S. energy sector is at high risk of supply chain attacks,” SupplyChain digital, October 25, 2024, online: Why US Energy Sector is at High Risk of Supply Chain Attacks | Supply Chain Magazine
4 keepnet, “2025 security awareness training statistics,” January 23, 2024, online: 2025 Security Awareness Training Stats and Trends - Keepnet.
ABOUT THE AUTHOR
Tyler Owen serves as the Senior Director of Product Management for Managed Security Services at VikingCloud. His extensive experience encompasses the entire lifecycle of information security infrastructure projects, from pre-sales and planning through implementation, daily maintenance and management. Owen's expertise includes overseeing people, processes, policies, budgets and resources, ensuring comprehensive security measures that protect and enhance IT infrastructures.
Comments