A recent analysis conducted by Cybernews Business Digital Index (BDI) has unveiled critical cybersecurity deficiencies among the world’s leading oil and gas companies. Alarmingly, 69% of these corporations received grades of D or F, highlighting significant vulnerabilities across their cybersecurity measures. Moreover, over half of the firms faced at least one data breach within a mere 30-day period.
The Cybernews research team scrutinized the cybersecurity frameworks of 391 of the largest 400 oil and gas companies globally, based on market capitalization. Leveraging publicly available data, the BDI used tailored scans along with Internet of Things search engines and domain/IP reputation databases to uncover digital weaknesses inherent in these organizations.
According to the index, a substantial 35% of the assessed companies were rated F, the lowest score possible, while another 34% received a D, indicating severe deficiencies in their security posture. Only a scant 10% achieved an A rating, underscoring the overall lack of robust protective measures within the sector.
The average security score across these companies was recorded at 72 out of 100, categorizing them as high-risk for potential cyberattacks. “The significant percentage of companies scoring D or F in cybersecurity clearly illustrates the vulnerability of the industry,” stated Vincentas Baubonis, head of security research at Cybernews. He pointed out that these ratings reflect pervasive weaknesses that could expose critical infrastructure to cyber breaches and ransomware attacks, emphasizing that just one incident could precipitate cascading impacts—ranging from operational disruptions to a drastic decline in stock values and investor confidence.
Common vulnerabilities were identified among the oil and gas companies in several cybersecurity dimensions. A notable portion of these organizations displayed persistent software patching issues, with 32% demonstrating general patching shortcomings and 20% facing critical, unpatched vulnerabilities that could enable attackers to exploit known security flaws and infiltrate their systems.
Email security emerged as another major area of concern, with 48% of the entities examined lacking essential protections against phishing attacks, spoofing, and unauthorized access. Such vulnerabilities allow malicious actors to deceive employees, acquire sensitive credentials, or propagate malware across their networks.
Furthermore, configuration weaknesses in system hosting were apparent in 74% of the firms studied, indicating the presence of insecure settings within the servers or cloud platforms integral to their operations. The analysis also revealed that an overwhelming 91% of organizations had issues related to secure sockets layer/transport layer security configuration, suggesting widespread failures in encrypting data transmissions adequately, thus exposing sensitive information to potential interception or alteration.
The findings also indicated that corporate credentials had been compromised in over 80% of the surveyed companies, while 38% of domains were vulnerable to email spoofing attacks. These glaring deficiencies underscore the inconsistent implementation and maintenance of foundational cybersecurity protocols across the industry.
The tactics and techniques outlined by the MITRE ATT&CK framework, including initial access, persistence, and privilege escalation, potentially relate to how these breaches occurred, reflecting broader trends in cybersecurity weaknesses within the sector. With the oil and gas industry facing escalating threats, the emphasis must be placed on enhancing cyber defenses to mitigate exposure to similar risks in the future.
