Securing the Backbone: Cybersecurity Obligations Across the Oil & Gas Sector

Cybersecurity has become a fundamental pillar of modern infrastructure, impacting everything from national security to personal privacy. As the attack surface expands and digital transformation accelerates, it has become necessary to implement cybersecurity measures across all sectors and industries.

1. What are critical infrastructure sectors?

Singapore defines Critical Information Infrastructure (CII) under the Cybersecurity Act 2018 [1] as:

the computer or computer system is necessary for the continuous delivery of an essential service, and the loss or compromise of the computer or computer system will have a debilitating effect on the availability of the essential service in Singapore; and
the computer or computer system is located wholly or partly in Singapore.

The Cybersecurity Act 2018, administered by the Cyber Security Agency of Singapore (CSA), is the main instrument for cyber protection for CII. The 11 sectors designated for CII are: Energy, Water, Banking & Finance, Healthcare, Transport (Land, Maritime, Aviation), Infocomm, Media, Security & Emergency Services, and Government. It was passed and amended in 2024 (and effective 31 October 2025) to broaden coverage, enhance reporting requirements, and extend oversight to virtual and third-party systems.

The aim of these rules is to ensure designated CII owners adopt structured cyber risk programmes, incident reporting, and resilience measures. Supported by governance expectations and overlapping sectoral laws, they promote resilience and national security.

In addition to the Cybersecurity Act 2018, CII owners are also required to comply with the Cybersecurity Code of Practice (CCoP 2.0) [2], which includes mandatory OT security practices. Non-compliance with CII obligations can lead to regulatory penalties, enforcement directives, and potential personal liability for company officers.

2. Key Sectors and Industries to Focus On for Cybersecurity

Data from the European Repository of Cyber Incidents (EuRepoC)[3], a politically independent research consortium, shows that ransomware is the most intense type of cyber incident across all countries between 1 January 2000 and 28 January 2026. The critical infrastructure sectors most affected by cyber incidents are Health, Finance, Telecommunications, and Transportation.

Chart 1: Data from European Repository of Cyber Incidents (EuRepoC) showing the main types of cyber incidents from 01-01-2000 to 28-01-2026 (https://www.swp-berlin.org/en/swp/about-us/organization/swp-projects/european-repository-on-cyber-incidents-eurepoc)

Chart 2: Data from European Repository of Cyber Incidents (EuRepoC) showing the top sectors targeted by cyber incidents from 01-01-2000 to 28-01-2026 (https://www.swp-berlin.org/en/swp/about-us/organization/swp-projects/european-repository-on-cyber-incidents-eurepoc)

As the energy sector underpins the operation and resilience of Health, Finance, Telecommunications, and Transportation sectors, it has become a foundational component of modern society. As such, we will focus on the cybersecurity of the oil and gas industry in this article, as it is the most significant component of the global energy sector [4], and holds great importance for national security and public well-being.

The oil and gas industry comprises three key segments [5], each having a unique role to play from extraction to consumer delivery.

2.1. Upstream

Companies involved in the upstream segment work on the exploration and production of oil and gas by searching for reservoirs of raw materials and drilling to extract the materials.

Assets (such as drilling rigs, production platforms, etc.,) in the upstream segment are geographically dispersed in remote or offshore locations. OT systems and legacy systems were originally designed for isolated operation and lack built-in security for today’s connected threat landscape. Remote systems such as IoT sensors, digital twin platforms, satellite communication, and Industrial Internet of Things (IIoT) sensors used by companies in the upstream segment increase the attack surface, making it difficult to monitor cybersecurity.

2.1.1. Why should we place focus on cybersecurity for the upstream segment?

Access controls for proprietary data such as geological survey data, seismic data and exploration data needs to be implemented and safely transmitted to protect against industrial espionage.

Cyberattacks on the assets in the upstream segment can cause safety hazards, physical damage, or catastrophic equipment failures when data transmitted between remote locations and onshore teams is intercepted or manipulated.

2.2. Midstream

Companies in the midstream segment focus on transportation and storage of oil and gas. Pipelines and storage terminals are part of the critical infrastructure and are responsible for storing the extracted raw materials and transporting them to the refineries.

Operations in this segment often combine IT systems with real-time control systems (e.g., Supervisory Control and Data Acquisition (SCADA)) managed by third party vendors.

2.2.1. Why should we place focus on cybersecurity for the midstream segment?

Access points to critical infrastructure used for monitoring of the transportation and/or storage levels, e.g., flow rates in pipelines and storage terminal levels, need to be secured as attacks on this segment can cause widespread service disruption and environmental risk, taking the Colonial Pipeline incident [6] as an example.

2.3. Downstream

Companies in the downstream segment focus on refining crude oil and processing natural gas into end-user products such as gasoline, jet fuel, and heating oil for the consumers. They are also deeply involved in the marketing, distribution, and retail of the end products, ensuring that these products reach the consumers in a timely and cost-effective manner.

2.3.1. Why should we place focus on cybersecurity for the downstream segment?

The transformation of raw materials into end-user products is highly automated. Distributed Control Systems (DCS) and edge computing are used to manage throughput and emissions. These systems, if compromised, can trigger safety and system failures, leading to unsafe and volatile conditions, e.g., explosions and toxic gas releases. Robust cybersecurity is thus necessary to prevent unauthorised access and control of the automated systems, and disruptions to logistics.

3. Which Segment Should Be Prioritised?

Operations of the oil and gas infrastructure rely heavily on OT for machinery and highly complex processes, and IT for communication and business activities [7]. Fundamentally, they warrant the same level of attention as all three segments are interconnected. A cyberattack on one or two systems can have a ripple effect on the supply chain.

However, a 5-day operational shutdown of the Colonial Pipeline System in 2021 not only caused the US East Coast to grapple with fuel shortage, but also highlighted the widespread, significant effects brought by a cyberattack. Hence the midstream segment with critical infrastructure (large pipeline-control networks, compressor stations, LNG terminals and storage facilities), and long-distance communication links, should be prioritised, as it has immediate economic and social impacts.

The prioritisation of the upstream segment should then follow closely due to the presence of cyber-physical risks that can cut the feedstock of the whole supply chain. Remote and often isolated sites are attractive to the attackers planning an attack. The upstream segment also holds high-value intellectual property (geological survey data, seismic data and exploration data), making it a prime target for industrial espionage.

Operations in the downstream segment are often structured and, in many ways, comparable to advanced manufacturing. Coupled with the need for efficiency, operational excellence, and proximity to the end-consumer, these operations typically have modern IT infrastructure supporting loyalty programmes, payment processing, and consumer data analytics. As a result, the downstream segment is generally the lowest priority, given its comparatively mature IT environment. However, this does not mean that it will not be exposed to ransomware and supply chain attacks.

Conclusion

The oil and gas industry is a critical infrastructure sector because of its crucial contribution to national economies and societal operations, encompassing the exploration, extraction, production, processing, transportation, and distribution of energy resources, including petroleum, natural gas, coal, and renewable energy sources. As these activities support energy provision and industrial functions globally, the industry relies heavily on dependable and secure operational systems.

An effective cyberattack on the oil and gas industry can interrupt supply chains, cause energy price fluctuations, and possibly lead to physical damage or environmental disasters. Therefore, cybersecurity approaches need to be customised to fit the operational traits of every segment in the industry. In the upstream sector, a breach can stop exploration or production efforts and compromise intellectual property like geological information. In the midstream sector, attacks on transportation or storage facilities can threaten service continuity by disrupting critical logistics networks. In the downstream segment, impacts are often concentrated on highly automated processing plants, customer interaction systems, operational profit margins, and brand image. To tackle these risks effectively, the oil and gas industry needs to implement strategic cybersecurity measures, including multi-layered defences, modern security frameworks, and targeted mitigation efforts to boost resilience and minimise operational hazards.

References: