BLOG

Author: Denrich Sananda
Date: 20-04-2026
Oil & Gas

How OT Cybersecurity Protects Upstream Oil & Gas Operations from Pipeline Attacks

Upstream oil and gas operations run on operational technology. From the wellhead to the gathering system to the pipeline transmission network, every critical function - production flow control, pressure monitoring, compressor station management, and emergency shutdown - is managed by industrial control systems that were designed for reliability and availability, not for cybersecurity.

The threat environment has changed faster than the technology. Adversaries targeting North American oil and gas infrastructure in 2024 and 2025 are not running generic IT attacks against corporate networks and hoping for a lucky bounce into OT. They are targeting SCADA systems, RTUs, and Safety Instrumented Systems with tools and techniques built specifically for industrial environments. The Colonial Pipeline shutdown in 2021 was a warning. The adversary groups active against North American energy infrastructure today are more capable and more persistent than the ransomware operators who forced that shutdown.

This post explains how OT cybersecurity works in upstream oil and gas environments - what systems need protection, what attack vectors are being actively used against this sector, and what controls are most effective given the operational constraints of remote field sites, legacy equipment, and continuous production requirements.

Oil and gas was the third most targeted sector for OT cyberattacks globally in 2024, behind only manufacturing and energy/utilities. Dragos tracked multiple threat groups with demonstrated capability and intent to cause physical disruption to upstream oil and gas operations in North America - including groups with technical overlap with nation-state actors targeting pipeline and LNG infrastructure.

Source: Dragos 2025 OT/ICS Cybersecurity Year in Review

The Upstream OT Attack Surface: What Is Actually at Risk

Before defining the controls, it is necessary to be precise about the systems that need protecting. Upstream oil and gas operations have one of the most geographically distributed OT attack surfaces of any industrial sector. A single operator may have hundreds of wellheads, dozens of compressor stations, and thousands of miles of gathering and transmission infrastructure - all communicating with central SCADA systems through a combination of cellular, satellite, and leased-line communications.

Every communication link is a potential entry point. Every remotely connected RTU is a potential pivot point. The table below maps the key OT systems in upstream operations to their function and their primary cyber risk.

OT System | Function in Upstream Operations | Key Cyber Risk
--- | --- | ---
SCADA / DCS | Monitors and controls wellhead production, gas lift, and separation processes | Remote exploitation of internet-facing interfaces; lateral movement from IT network
RTUs / PLCs at wellheads | Automates valve control, pressure regulation, and safety shutoffs at remote sites | Default or weak credentials; limited authentication capability on legacy units
Pipeline SCADA systems | Controls flow rates, compressor stations, and custody transfer metering across transmission lines | Insecure vendor remote access; protocol vulnerabilities in Modbus and DNP3
Historian servers | Aggregates operational data from field assets to corporate systems | Direct IT/OT bridge; frequently targeted for lateral movement into OT
Safety Instrumented Systems (SIS) | Triggers emergency shutdowns when process parameters exceed safe limits | Highest-consequence target; Triton/TRISIS malware specifically targeted SIS hardware
Control room workstations | Operator HMIs providing real-time visibility and manual override capability | Phishing entry point; dual IT/OT connectivity makes these high-risk assets

The Safety Instrumented System row deserves specific attention. SIS platforms execute emergency shutdown functions - they are the last line of defense against a physical process failure. In 2017, the Triton/TRISIS malware was used to attack the SIS of a Middle Eastern petrochemical facility. The attacker's goal was to disable the SIS so that a subsequent attack on the process control system would cause an unmitigated physical incident. That malware has since been observed in scanning activity against North American oil and gas targets.

RISK: A compromised Safety Instrumented System does not just create a cybersecurity incident. It removes the automated protection that prevents a process upset from becoming a physical catastrophe. Protecting the SIS is not an IT security project. It is a process safety obligation.

How Pipeline Attacks Actually Work: The Active Threat Vectors in This Sector

Remote Access Exploitation at Field Sites

The most consistently observed initial access vector in oil and gas OT incidents is exploitation of remote access pathways to field assets. Upstream operators rely heavily on remote access for well monitoring, compressor station management, and vendor maintenance - and that access is frequently implemented as persistent VPN connections with shared credentials and no MFA.

TSA Security Directives for pipeline operators - issued following the Colonial Pipeline incident - specifically mandate the replacement of default credentials, implementation of MFA for remote access, and network segmentation between IT and OT systems. Compliance with these directives has improved the baseline, but enforcement gap analysis in the sector consistently identifies facilities where the mandated controls are documented but not fully operational.

SCADA Protocol Vulnerabilities on Transmission Networks

Pipeline SCADA systems communicate with field devices using industrial protocols including Modbus, DNP3, and ICCP. These protocols were designed for reliability in bandwidth-constrained environments - they have minimal authentication and no native encryption. An adversary with access to the communication network between a SCADA server and its field devices can inject commands that appear legitimate to the receiving device.

Protocol-level attacks are not theoretical. The Industroyer malware family, used against Ukrainian energy infrastructure in 2022, included modules specifically designed to send malicious commands using legitimate industrial protocols including IEC 104 and IEC 61850. The same protocol manipulation techniques are applicable to the DNP3 and Modbus environments that are standard across North American pipeline SCADA systems.

Supply Chain Attacks Targeting OT Vendor Software

Upstream oil and gas operators depend on a concentrated set of OT software vendors for SCADA platforms, historian software, and engineering tools. A software supply chain compromise targeting any of the major upstream SCADA vendors would give an adversary access to the OT environments of a large number of operators simultaneously. CIP-013 supply chain security requirements apply to electric utility operators; oil and gas operators, which face no equivalent mandate, need to adopt the same supply chain security practices voluntarily.

Nation-State Pre-Positioning for Infrastructure Disruption

VOLTZITE, the threat group tracked by Dragos with technical overlap with the Chinese state-sponsored group Volt Typhoon, conducted sustained reconnaissance activity against US electric, water, and energy sector infrastructure throughout 2023 and 2024. The group's activity pattern - extended dwell time, minimal footprint, focus on understanding operational systems rather than immediate impact - is consistent with pre-positioning for potential infrastructure disruption rather than near-term operational attacks. Oil and gas pipeline infrastructure is explicitly within the sectors this group has been observed targeting.

The distinction between nation-state pre-positioning and active attack is operationally important. Pre-positioned adversaries may be present in OT environments for months before triggering any visible activity. OT network monitoring that establishes behavioral baselines is the primary tool for detecting this type of low-and-slow intrusion.

OT Cybersecurity Controls Built for Upstream Operations

The operational constraints of upstream oil and gas - continuous production requirements, remote and unmanned sites, legacy field devices that cannot support modern authentication, and communication networks that span thousands of miles - shape what security controls are actually implementable. The following are the controls that deliver the most risk reduction within those constraints.

1. Network Segmentation Designed for Distributed Pipeline Architecture

The IT/OT boundary in upstream operations is not a single control point. It is a set of boundaries that span the corporate office, the central control room, the SCADA server infrastructure, and hundreds of geographically distributed field sites. Effective segmentation in this environment requires a tiered approach.

Control Point | What It Protects | Implementation Approach
--- | --- | ---
Corporate IT / OT boundary (Industrial DMZ) | Prevents IT compromises from propagating to upstream control systems | Dedicated firewall DMZ with brokered historian and patch management flows only; no direct IT-to-OT connections
Field site perimeter (RTU / wellhead) | Limits remote exploitation of geographically distributed assets | Encrypted communication tunnels, certificate-based device authentication where supported, application-layer filtering
Control room to SIS boundary | Protects Safety Instrumented Systems from control system compromises | Unidirectional gateway (data diode) from DCS to SIS monitoring; no bidirectional connectivity
Remote access gateway | Controls all vendor and engineering access to OT systems | Secure access gateway with MFA, session recording, and just-in-time provisioning; replaces persistent VPN
SCADA server zone | Isolates pipeline SCADA from both corporate IT and field network segments | Dedicated SCADA zone with strict ingress/egress firewall rules; OT-native monitoring on all SCADA traffic

2. OT-Native Network Monitoring at the SCADA Level

In upstream environments where field devices cannot support endpoint agents, network-level visibility is the primary detection capability. OT-native monitoring solutions deployed at the SCADA server tier and at communication aggregation points can establish baselines for normal device communication patterns and alert on deviations - including unexpected commands sent to field devices, new connections to SCADA servers, and anomalous protocol behavior.

This is the control that catches pre-positioned adversaries and protocol-based attacks that perimeter firewalls cannot detect. It is also the control most consistently absent in upstream environments that have invested in perimeter security but not internal visibility.
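As an added illustration of the baseline-deviation monitoring described here, and of the unauthenticated Modbus commands discussed in the SCADA protocol section above (example code written for this post, not any product's detection engine), the following Python decodes constructed Modbus/TCP request frames and flags any request whose source, unit or function code falls outside a per-device baseline. The IP addresses, baseline and frames are constructed; a real deployment would learn the baseline from observed traffic at the SCADA tier or an aggregation point.

```python
import struct
from dataclasses import dataclass

# Modbus function codes that change device state; reads are 0x01-0x04.
WRITE_FUNCTIONS = {0x05: "Write Single Coil", 0x06: "Write Single Register", 0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers"}

@dataclass
class ModbusRequest:
    src: str        # IP address of the sender
    unit_id: int    # Modbus unit identifier (the RTU/PLC behind a gateway)
    function: int   # Modbus function code
    address: int    # starting coil/register address

def parse_modbus_tcp(src: str, frame: bytes) -> ModbusRequest:
    """Decode the 7-byte MBAP header and the first bytes of the PDU."""
    # MBAP: transaction id (2), protocol id (2, always 0), length (2), unit id (1)
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("malformed MBAP header")   # not Modbus, or a truncated frame
    function = frame[7]
    address = struct.unpack(">H", frame[8:10])[0]
    return ModbusRequest(src, unit, function, address)

def check_baseline(req: ModbusRequest, baseline: dict) -> "str | None":
    """Return an alert string when the request deviates from the learned baseline."""
    allowed = baseline.get((req.src, req.unit_id))
    if allowed is None:
        return f"new source {req.src} addressing unit {req.unit_id}"
    if req.function not in allowed:
        name = WRITE_FUNCTIONS.get(req.function, f"function 0x{req.function:02x}")
        return f"{name} from {req.src} to unit {req.unit_id} at address {req.address} not in baseline"
    return None

def analyze(frames: list, baseline: dict) -> list:
    alerts = []
    for src, frame in frames:   # every (source IP, raw frame) pair seen on the wire
        alert = check_baseline(parse_modbus_tcp(src, frame), baseline)
        if alert:
            alerts.append(alert)
    return alerts

# Constructed baseline: the SCADA server polls unit 1 and writes one setpoint register.
BASELINE = {("10.20.0.5", 1): {0x03, 0x04, 0x06}}

# Constructed frames: a normal poll, a coil write from an unknown host, and a multi-register write the baseline never saw.
SAMPLE_FRAMES = [
    ("10.20.0.5",  b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),
    ("10.20.0.99", b"\x00\x02\x00\x00\x00\x06\x01\x05\x00\x01\xff\x00"),
    ("10.20.0.5",  b"\x00\x03\x00\x00\x00\x09\x01\x10\x00\x10\x00\x01\x02\x00\x64"),
]
```

`analyze(SAMPLE_FRAMES, BASELINE)` returns two alerts: the write from the unknown host and the unexpected multi-register write from the SCADA server itself, which is the kind of deviation a perimeter firewall passing port 502 would never see.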

3. Secure Remote Access Replacing Persistent VPN for Field Site Management

TSA Security Directives mandate MFA and access control for remote access to pipeline OT systems. Implementing this in a distributed upstream environment means deploying a centralized secure access gateway that brokers all remote sessions to field sites, requiring MFA for every session, limiting access to specific assets for specific time windows, and recording every session. This replaces the persistent vendor VPN model that has been the primary remote access vector exploited in oil and gas OT incidents.

4. Safety Instrumented System Isolation and Integrity Monitoring

The SIS must be treated as a physically and logically separate system from the process control network. Communication from the DCS to the SIS should be unidirectional where operationally possible - allowing the DCS to send setpoints to the SIS but preventing the SIS from receiving arbitrary commands from the control network. File integrity monitoring on SIS engineering workstations and application whitelisting on SIS servers detects unauthorized modification attempts consistent with the Triton/TRISIS attack pattern.
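As an added example of the file integrity monitoring and application whitelisting this section recommends for SIS engineering workstations (example code written for this post, not a vendor's product), the following Python takes a hash baseline of an engineering directory, then reports files that were modified, added or removed and any executable that is not on the allowlist. The directory contents, file names and allowlist are constructed placeholders, not a real SIS vendor's file layout.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed allowlist: the only executables permitted under the SIS engineering
# directory (hypothetical file names, not a vendor's real tool).
ALLOWED_EXECUTABLES = {"engineering_tool.exe"}
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys"}

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Hash every file under root; the baseline is taken at commissioning and after each approved change."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline: dict, current: dict) -> list:
    """List files added, modified or removed since the baseline, plus any executable outside the allowlist."""
    findings = []
    for name, digest in current.items():
        if name not in baseline:
            findings.append(f"ADDED {name}")
        elif baseline[name] != digest:
            findings.append(f"MODIFIED {name}")
        p = Path(name)
        if p.suffix.lower() in EXECUTABLE_SUFFIXES and p.name not in ALLOWED_EXECUTABLES:
            findings.append(f"UNAUTHORIZED EXECUTABLE {name}")
    findings.extend(f"REMOVED {name}" for name in baseline if name not in current)
    return findings

def demo() -> list:
    """Constructed scenario: baseline the workstation, then alter the safety logic project and drop a library."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "engineering_tool.exe").write_bytes(b"MZ constructed engineering tool")
        (root / "sis_logic.prj").write_bytes(b"trip if pressure > 1200 psi")
        baseline = build_manifest(root)
        (root / "sis_logic.prj").write_bytes(b"trip if pressure > 9999 psi")   # trip limit tampered
        (root / "loader.dll").write_bytes(b"constructed unexpected library")   # unapproved binary
        return compare(baseline, build_manifest(root))
```

`demo()` returns three findings: the modified project file and the added library, which is also reported as an unauthorized executable; in practice the manifest is stored off the workstation so that a compromise of the host cannot also rewrite the baseline.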

5. Incident Response Planning Specific to Upstream Operations

An OT incident response plan for an upstream operator must account for the specific decision trees that apply when a control system incident occurs in a production environment. When does the operator halt production versus continuing under manual control? Who authorizes an emergency shutdown? How are field operations personnel notified when the SCADA system is unavailable? These decisions cannot be improvised during an active incident. They must be documented, rehearsed, and understood by both security and operations personnel before an incident occurs.

Upstream oil and gas operations face a specific and well-documented threat environment. The adversaries targeting this sector are not opportunistic - they are deliberate, patient, and technically capable of causing physical operational impacts. The controls that protect upstream OT are implementable within production constraints. The organizations that have not implemented them are not facing a technology problem. They are facing a prioritization problem.

Frequently Asked Questions - OT Cybersecurity for Oil & Gas

Does TSA Pipeline Security apply to upstream oil and gas operators?

TSA Security Directives on pipeline cybersecurity apply primarily to critical pipeline owners and operators as designated by TSA - which includes owners and operators of hazardous liquid and natural gas pipelines above defined criticality thresholds. Upstream operators whose gathering systems connect to TSA-designated transmission pipelines may have indirect compliance obligations through their transmission operator relationships. All upstream operators, regardless of TSA designation, face the same threat environment and benefit from the same security controls that the Directives mandate.

What makes oil and gas OT security different from general industrial cybersecurity?

Three factors distinguish upstream oil and gas OT security from other industrial sectors. First, the geographic distribution of assets - hundreds of wellheads and remote sites communicating over public networks creates an attack surface that no other sector matches in scale. Second, the presence of Safety Instrumented Systems in high-consequence process environments makes the potential impact of a successful OT attack qualitatively different from a manufacturing plant outage. Third, the combination of aging legacy field devices and the communication protocols they use - Modbus, DNP3 - creates specific vulnerabilities that require OT-native detection to address because perimeter firewalls cannot inspect these protocol streams at the application layer.

How do we prioritize OT security investments across hundreds of remote field sites?

Prioritization in a distributed upstream environment should be consequence-driven, not asset-count-driven. The first priority is always the assets whose compromise would cause the highest safety, environmental, or operational impact: Safety Instrumented Systems, central SCADA servers, and the communication infrastructure that connects them to field devices. The second priority is the highest-exposure remote access pathways - the vendor VPN connections and field site internet gateways that are most likely to be the initial access vector in an incident. Remote wellhead RTUs at the far end of the gathering network, while potentially numerous, are lower priority for initial investment because their compromise does not provide direct access to high-consequence process control systems.

What happened at Colonial Pipeline and what does it mean for upstream operators?

In May 2021, the DarkSide ransomware group compromised the IT network of Colonial Pipeline - the largest refined products pipeline system in the US - through a compromised VPN credential with no MFA. The operator voluntarily shut down the OT pipeline operations for six days, not because OT systems were directly compromised, but because the operator could not verify the integrity of the IT/OT boundary and did not want to risk operating the pipeline with an active IT compromise. The incident caused fuel shortages across the US East Coast and triggered the TSA Security Directives that now apply to designated pipeline operators. The lesson for upstream operators is not primarily about ransomware - it is about the cost of IT/OT boundary uncertainty. An operator who cannot confidently verify that their IT compromise has not reached their OT systems will face the same decision Colonial faced: halt production until you can be certain, or continue operating with unknown risk.