Key takeaways
- As IT and OT systems converge across the oil and gas value chain, cyber threats are becoming a core safety concern, posing a physical risk to people, assets, and the environment.
- The same principles that have underpinned traditional HSE for decades—vigilance, reporting, learning, and blameless incident management—can accelerate adoption of effective cybersecurity behaviors.
- Executives have an important role to play in helping their companies move up the cyber maturity curve by establishing governance and ensuring cyber considerations shape decisions across operations, investments, and partnerships.
- With the proper technology, culture, and framework, cybersecurity can be a competitive differentiator, allowing organizations to safely capitalize on advanced digital capabilities like autonomous operation, cloud-based analytics, and artificial intelligence (AI) optimization tools.
Across the oil and gas industry, there is one question that elicits the same answer from virtually every C-level executive, field supervisor, and plant manager: “What is your company’s top priority?” Almost always, and without hesitation, their response will be “safety”.
Decades of hard-earned lessons have put HSE at the forefront of nearly all procedures and operational decisions. This collective mindset has served the industry well, driving a steady reduction in both near misses and actual incidents over the years.
However, as digital transformation accelerates, a new type of risk is emerging that threatens to stall progress if it is not urgently addressed: cyberattacks.
From technical nuisance to real-world risk
Cybersecurity in the oil and gas industry, and in the wider energy sector, is no longer just about protecting data and maintaining privacy—it’s about preventing physical harm to people, assets, and the environment.
IT and OT systems are becoming increasingly integrated. While this integration affords many advanced capabilities that the industry now relies on, including cloud-based predictive analytics, digital twins, autonomous operation, and remote support, it also provides an entry point for malicious actors to disrupt operations, posing a risk to personnel safety, equipment, and even corporate profits.
And this risk is no longer hypothetical. There are now numerous instances where malicious actors have successfully gained access to industrial networks, forcing operators to shut down their critical infrastructure. The most well-known example was the ransomware attack on the Colonial Pipeline in 2021, which triggered a multiday outage, leading to regional fuel shortages across the U.S. East Coast.
These types of attacks are unfortunately becoming more prevalent. A recent report found that over 90% of the world’s top 400 oil and gas companies experienced at least one data breach in 2025. More than half said they had been breached in the last 30 days.
Leveraging traditional HSE practices to accelerate cyber maturity
HSE in oil and gas has evolved dramatically over the years. What once centered on compliance checklists, warning posters, and basic training has transformed into a deeply embedded culture that is part of every decision, from the office to the rig floor.
The industry can follow a similar path with its cybersecurity approach by anchoring it within the established HSE mindset.
Compliance should be treated as the baseline. Leaders can frame digital safety as “the next evolution of company safety culture” and encourage employees to apply the same principles that have underpinned HSE—such as vigilance, reporting, and learning—to data, systems, and digital behaviors.
As with physical health and safety, success relies on removing fear and blame. People must feel safe reporting incidents early, even if they made a mistake.
The industry made tremendous progress when near-miss reporting became normalized. Cyber requires the same ecosystem: structured reporting channels, blameless investigations, transparent lessons learned, and continual improvement loops.
Some practical actions executives and managers can take to foster a robust cybersecurity culture include:
- Integrate cyber scenarios into physical safety meetings and drills. Run tabletop exercises that simulate cyber incidents, similar to the approaches used for HSE.
- Formally recognize “cyber safety champions” and reward early reporting of suspicious emails and behaviors.
- Align training with real operational context (e.g., use of field tablets or granting vendors access to networks).
- Have senior leaders consistently model secure behaviors and share personal cyber stories for relatability.
- Deepen the HSE analogy by showing how “stop work authority” could empower staff to pause potentially risky digital activities.
- Embrace a “secure by design” mindset, where cybersecurity is embedded into projects from day one, as opposed to being bolted on after a facility or project is up and running.
An effective cybersecurity strategy starts at the top
As cyber threats become operational threats, leadership must own cybersecurity in the same way they own HSE, financial health, or asset integrity. This does not mean becoming a computer science expert or making time to personally parse intrusion detection logs. Rather, the goal should be to affirm the company’s commitment to cybersecurity by establishing a framework that defines accountability and expectations.
Step one is appointing a chief information security officer (CISO) or equivalent leader who has enterprise-wide responsibility, along with direct access to senior executives and the board. The CISO should be encouraged to communicate regularly with HSE leaders and business stakeholders to ensure that cybersecurity initiatives are trickling down from the top and being implemented in the field or plant.
To maintain transparency, companies should mandate regular reporting to the board and executive committee on cyber risk posture, key incidents, and progress toward goals. Using simple, nontechnical indicators such as phishing simulation participation and time to respond can help demonstrate to leaders that policies are having the desired effect.
Executives have an additional role to play by integrating cyber considerations into decisions related to capital allocation, mergers and acquisitions (M&A), and vendor selection. As many industry partnerships now involve interconnected platforms and shared data, cyber due diligence has become essential to protecting investment value and mitigating risk.
Pragmatic steps for starting down the right path
A common concern among leadership at many companies is that cybersecurity will slow down digital transformation initiatives. But practical experience shows that it does just the opposite.
With the right technology and culture, cybersecurity becomes an enabler of innovation by allowing personnel to capture the full range of benefits from advanced capabilities like remote operations, autonomous workflows, predictive analytics, and AI-based optimization.
Many executives also lament that they do not know where to begin the cyber journey, fearing that technology implementation or change management will negatively impact operational or financial performance.
While the optimal approach to cybersecurity will ultimately look different for every company, there are simple and pragmatic steps any organization can take to progress along the cyber maturity curve.
- Assess and diagnose: Conduct a business-oriented assessment of current cyber posture across IT, OT, and cloud environments. Prioritize findings by safety, environmental, and financial impact. Engaging qualified third-party experts to perform assessments is recommended if internal resources are inadequate.
- Prioritize risk: Once vulnerabilities have been identified, leaders can then begin targeting investment and efforts to protect the most critical assets—those where a cyber incident could cause operational disruption or physical harm. As an example, an unsegmented OT–IT network connection in a refinery would take priority over a known security gap on a nonessential office workstation.
- Establish governance: As previously discussed, it’s important to clearly define roles and responsibilities, reporting lines, and key performance indicators (KPIs), and to establish a clear vision for how cybersecurity will integrate within the existing HSE framework.
- Address low-hanging fruit: Improving cyber readiness does not always have to be expensive or complicated. In some instances, an action as simple as requiring multifactor authentication (MFA) for network access may be the difference between a successful intrusion and an attempted one. Companies should adopt a “zero-trust architecture” principle, which assumes that no user or device is trustworthy by default, even if it is inside the network.
- Foster cyber awareness and get employees to “buy in”: Technology alone cannot secure an organization. People remain the first line of defense and often the biggest exposure. Leaders should work to instill a sense of responsibility in employees. A simple example would be introducing a recognition program that incentivizes reporting of suspicious behavior or potential cyber threats.
- Embrace collaboration and apply best practices from other industries: Peer-to-peer exchanges—whether through information centers, joint exercises, or informal engineering networks—allow companies to learn from real incidents and avoid repeating mistakes that have already been made. Similarly, collaborative development of standards for OT segmentation, asset visibility, or incident response helps harmonize defenses across operators, service companies, and equipment vendors. Energy companies should also apply lessons learned from other industries where cybersecurity frameworks are more mature, including finance and aviation.
- Continuously iterate: Cyber threats are evolving rapidly. Systems that are secure today may not be secure tomorrow. Stakeholders should embrace the idea that cybersecurity is not a one-time project; it’s an ongoing process that requires constant monitoring and iteration to avoid complacency.
Viewing cybersecurity as an opportunity, not a cost
For years, cybersecurity in the oil and gas industry has been framed as a necessary expense—an insurance policy against rare but catastrophic events. That mindset, however, is outdated.
In an increasingly digital, interconnected, and automated energy system, cybersecurity is a strategic enabler of operational excellence, business growth, and competitive differentiation. It shouldn’t be viewed as a cost, but as an opportunity.
The importance of cybersecurity to business continuity will only grow as oil and gas increasingly moves into new energy ventures. Renewable installations, energy storage solutions, hydrogen production facilities, carbon capture systems (CCS), etc. are inherently more digital, connected, and data-dependent than many legacy energy assets. They often rely on cloud platforms, remote monitoring, and autonomous operations. Cybersecurity is a precondition for scaling these projects safely and profitably.
Organizations that successfully fuse their deeply rooted HSE culture with modern cybersecurity disciplines won’t just be more resilient. They’ll be better positioned to compete, comply, and thrive in the energy system of the future. For this, I encourage all leaders to proactively own and advance cybersecurity as a strategic business priority.