Cybersecurity in Oil & Gas Mergers and Acquisitions

Author: Chase Snyder, Sr. PMM, Xage Security

When major, multibillion dollar organizations such as oil and gas companies merge, their financial risks are closely scrutinized by regulators. But their risk of cyberattack goes up in ways that are difficult to predict, measure, and protect against. The impact of the Colonial Pipeline attack in 2021 showed the gravity of cyber risk in oil and gas. Measuring and accounting for any source of risk in this industry is paramount.

The Oil and Gas industry sees a large volume of mergers and acquisitions, with $51 billion in overall value across 84+ transactions in Q1 of 2024. With that boom, and the increase in cyberattacks against critical infrastructure in general, which includes the oil and gas industry, it is time to put more focus on the specific cyber risks of O&G M&A.

cybersecurity-oil-and-gas-mergers-and-acquisitions

Mergers and acquisitions in any industry are rife with cyber risk, but oil and gas companies have specific challenges, including:

Heavy use of Operational Technology (OT) and industrial control systems (ICS) which are built to last and often difficult to secure using traditional IT security tools.
Highly distributed operations, with offshore oil rigs, continent-spanning pipelines, and pump jacks in faraway locations that need monitoring and maintenance. Read more about OT remote access from Xage
Tightening regulatory environment with the TSA continuing to sharpen the regulations on pipeline operators.

Place all this in a world that felt the impact of the Colonial Pipeline ransomware on everyday people’s lives. Balancing the benefits of M&A with the often under-emphasized cyber risks is a growing challenge.

Visibility Challenges when Merging IT and OT Environments

When a merger occurs, it is common for the organizations to merge IT and OT systems. Employees of the acquired organization will need new email addresses. Duplicate systems will need to be merged, or one system will need to be decommissioned. These types of activities have a tendency to uncover or create visibility gaps. Maintaining a current inventory of all OT and IT assets is difficult in the best cases. When two organizations merge, the acquiring organization is not likely to have visibility into the full range of assets. The cybersecurity posture of the acquired company may or may not meet the standards of the acquirer. Even with due diligence done ahead of time, mergers and acquisitions may uncover risks that neither organization was previously aware of.

Secure Remote Access and Third Party Vendor Access Challenges

Oil and gas organizations often make use of contractors and third party software and service providers to provide management and maintenance services and other necessary parts of the business. These third parties often have access to critical business assets, including operational technology.

Likely, organizational changes will occur that require many access permissions to be altered or revoked. Amid the many other challenges of a merger, these tasks may occur on an accelerated timeline, or even slip through the cracks.

To mitigate remote access security risks associated with these transitions, secure vendor remote access is necessary.

Join Our O&G M&A Cybersecurity Webinar Series

Visibility, remote access, and third party access are just a few of the risk areas that must be carefully managed in a merger and acquisition situation.

Xage produced a three part series of in-depth conversational presentations about the cyber risks and challenges in oil and gas mergers and acquisitions to provide rich insights into these challenges. You can find the first episode and subsequent episodes here.