CISA Warns Oil and Gas Sector: Exposed Control Systems Pose Growing Operational Risk
ISC West featured several sessions highlighting how securing physical critical infrastructure is more challenging due to increasing cyber threats against the systems that control those facilities. More recently, federal officials have alerted oil and gas operators about a growing risk: control systems that manage physical infrastructure—like pipelines, compressors, and storage facilities—are increasingly exposed and vulnerable to tampering.
According to a joint warning from the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the Department of Energy, and the EPA, even unsophisticated actors are finding and accessing these systems online. While the tools being used are simple, the consequences can be serious—ranging from system defacement and configuration changes to full operational disruptions or damage to physical assets.
The advisory focuses on industrial control systems (ICS) and SCADA technology commonly used in energy and transportation sectors, particularly oil and natural gas. These systems are designed to manage physical processes but, when left exposed or misconfigured, can be manipulated by outside actors.
What Operators Should Know
Many facilities unknowingly have critical systems connected to the public internet or secured only by default settings. These exposed systems can be located quickly using widely available tools, making them easy targets for intrusion—even by actors with limited technical knowledge.
While the advisory does not cite specific incidents, it highlights a trend of increasing attempts to interfere with operational technology that supports essential services.
Immediate Steps to Reduce Risk
The federal agencies are recommending several actions for asset owners and facility operators to help reduce the risk of unauthorized access or disruption:
- Disconnect systems that don’t need internet access.
If a control device or system isn’t meant to be accessed remotely, ensure it is not online. Internet-connected control systems are far more vulnerable to tampering.
- Replace default or weak passwords.
Basic credentials are often used to gain access to systems. Strong, unique passwords should be used across all devices, especially those with remote capabilities.
- Reassess remote access setups.
If remote access is necessary, ensure it is limited to essential personnel and requires multiple layers of authentication. Review who has access and whether it’s still needed.
- Keep operations segmented.
Where possible, separate control systems from administrative networks. This helps prevent issues in one part of the facility from affecting others.
- Maintain manual backup plans.
Operators should have procedures in place to manually run systems in the event of a disruption. These should be regularly tested to ensure readiness.
- Consult with integrators and vendors.
Many systems come with default settings that may leave them exposed. It’s important to work with system providers to confirm configurations are secure and up to date.