Cyber-informed engineering is a new priority for offshore oil & gas security
By Victor Atkins and Tim Gale, 1898 & Co., part of Burns & McDonnell
As offshore oil and gas operations continue to digitize and integrate remote and automated systems, their exposure to cyber threats grows more critical. The 2024 State of Operational Technology and Cybersecurity Report published by Fortinet revealed that 52% of organizations experienced operational technology (OT) cyber intrusions that affected revenue—an increase from 39% the year prior. To ensure safe, reliable and resilient operations, the industry must adopt cyber-informed engineering by embedding cybersecurity principles directly into the design, configuration and maintenance of offshore OT systems.
The threat landscape in energy infrastructure is becoming increasingly complex as automation and remote operations expand. While improving efficiency, these advancements also increase exposure to cyber threats by creating more entry points for attackers. Sophisticated threat actors, including state-sponsored groups, increasingly target OT systems that control critical energy assets. Unlike traditional IT environments, OT systems are often outdated, lack robust cybersecurity measures and are not designed to withstand modern cyberattacks. This environment underscores the need for specialized OT cybersecurity strategies, beyond conventional IT protections, to safeguard essential energy infrastructure from evolving threats.
Offshore operations face heightened cybersecurity risks due to their remote and harsh environments, which complicate essential security measures such as patching, continuous monitoring and physical access control. These process operations rely on real-time data for critical functions like drilling, production and safety systems, making them prime targets for cyberattacks. The extensive use of third-party vendors and complex supply chains further widens the attack surface, introducing additional vulnerabilities. The consequences of a successful attack on offshore facilities can be catastrophic, including risks to human safety, environmental disaster, significant financial loss and extended operational downtime. These unique challenges necessitate robust, specialized cybersecurity strategies.
Embedding cybersecurity into the design
Cyber-informed engineering is the practice of integrating security principles directly into the engineering design and operation of critical systems. Unlike traditional cybersecurity, which often focuses on IT professionals managing networks and software, cyber-informed engineering involves engineers who design and build OT systems with security in mind. This approach ensures that systems are inherently resilient against cyber threats.
Examples of cyber-informed engineering include designing secure architectures that isolate critical components, implementing segregation between operational and corporate networks, and enhancing hardware resilience to withstand attacks. By integrating security into engineering processes, cyber-informed engineering strengthens the overall security posture of the operational environment.
The practical shift to cyber-informed engineering begins by embedding cybersecurity considerations in the conceptual design phase. For example, manual overrides and redundant technologies can help ensure resilience against potential attacks. Establishing multidisciplinary teams that include engineers, cybersecurity experts and operational personnel fosters collaboration and ensures comprehensive security integration throughout the system life cycle. Conducting thorough risk assessments throughout the design phase allows all stakeholders to understand the consequences of compromise and consider them in every decision.
Building a sufficient budget and schedule to support these activities is imperative. Equally important is cultivating a culture of cybersecurity awareness at all organizational levels, empowering every team member to recognize and respond to cyber risks effectively.
Conclusion
Offshore operators must prioritize cyber-informed engineering concepts quickly, rather than waiting for a cyber incident. Proactively integrating security principles into engineering practices is essential to safeguard critical offshore infrastructure. The objective extends beyond mere protection; it’s about ensuring resilient operations, creating safer environments and securing the long-term viability of offshore activities. Embracing cyber-informed engineering will help prevent costly disruptions, severe health and safety incidents, and environmental harm, positioning the industry for a secure and sustainable future.