Oil and gas sector must reprioritize cybersecurity, adjust approach

Amid significant M&A and technology adoption, cybersecurity must be fit for purpose to safeguard operations and protect the enterprise.


In brief
  • How can organizations better integrate cybersecurity into organizational strategies?
  • How are technology systems and processes evolving, and what practices should organizations adopt?
  • How can the cyber team rethink infrastructure, tools and processes after an M&A?

This article is co-authored by:

  • Jamie Bass - EY Americas Energy Cybersecurity Principal
  • Geneva Roach, CISSP – EY Americas Cybersecurity Oil, Gas and Chemicals Specialist

As oil and gas organizations expand, their technology infrastructure similarly evolves. The US Oil and Gas Reserves, Production and ESG Benchmarking Study underscores the continuing consolidation in oil and gas operations, bringing a greater volume of activity under single entities, and driving a greater reliance on new approaches to management, oversight and operations.

With a growing digital footprint in all these areas, the requirement for robust cybersecurity measures is similarly expanding. However, cybersecurity often takes a backseat, leading to vulnerabilities that can jeopardize critical operations and risk the resilience of the entire enterprise. Furthermore, the wave of consolidation is creating a significant challenge for cybersecurity teams to provide adequate protection to critical operations that had been previously supported by different IT systems, platforms and digital tools, and protected by different means as well.

The oil and gas sector has averaged 246 M&A transactions annually just in the US market, making integration of IT systems a persistent challenge.¹

Traditionally, companies struggle with cybersecurity on the back of mergers and acquisitions (M&A), or as technology adoption soars, because they rely on outdated, legacy approaches that treat cybersecurity as an add-on rather than a core element of their strategy. This oversight creates significant protection gaps.

In contrast, leading companies recognize that, as organizations change and technology becomes more complex and cross-functional, their cybersecurity organizational approaches and strategies must evolve to effectively counter emerging threats. Cybersecurity teams and CIOs, ideally in close coordination with COOs, can strengthen their organizations' defenses and drive sustainable growth by prioritizing four key steps.

Chapter 1

Recognize that traditional approaches to cybersecurity are no longer “fit for purpose” amid a changing IT landscape

The potential for disparate systems and inconsistent security protocols emerging from M&A to create exploitable weaknesses is akin to the visible tip of the “cyber-iceberg.” Often less immediately perceptible is the fact that rapid technological advancements, such as cloud computing, artificial intelligence (AI) and the Internet of Things (IoT), are transforming business operations. These innovations boost efficiency but also introduce new risks, compelling organizations to rethink their cybersecurity strategies.

The oil and gas sector is undergoing a significant digital transformation, with spending expected to surge from US$72.23 billion in 2025 to US$124.94 billion by 2030.²

Additionally, an organization’s cybersecurity approaches were often initially developed in a very different IT environment. While some incremental changes may have been adopted as the digital footprint of the enterprise evolved, the complexities of modern technology paired with expanding organizations demand a new mindset with proactive cybersecurity integration. A transformational acquisition or a transformational agenda for operations provides a clear opportunity for a reassessment of cybersecurity approaches and procedures to confirm these fit with the expanded enterprise’s infrastructure and the nature of current and foreseeable threats.

Chapter 2

Increase visibility into technology infrastructure, assets and data, while monitoring and logging threats

Many organizations have unmonitored assets and data that are inadequately protected based on their risk profile. This challenge is exacerbated when companies merge or acquisitions are completed, or when new technologies are adopted. To scale cybersecurity, organizations must effectively manage and secure their assets, data and technologies.

 

For cybersecurity, threats are ever-present, constantly probing for vulnerabilities. The rise of AI has empowered even novice cybercriminals to launch sophisticated attacks. Real-world incidents, such as breaches in SCADA systems managing oil pumps, highlight the urgency of addressing these challenges. And state actors are increasingly turning to cyber activities targeting the critical infrastructure of real and perceived enemies.

 

Implementing advanced monitoring tools and maintaining an updated inventory of critical assets will improve visibility and facilitate timely threat identification. COOs and cybersecurity leaders should collaborate with business leaders to prioritize critical elements and align on protective outcomes. For example, cybersecurity teams may not have complete awareness or knowledge of all the remote sensors present at a facility. This is especially true in cases of an acquisition. Should companies conduct a complete inventory of these sensors, or are there alternative approaches? What strategies can a company implement to close this knowledge gap and strengthen their cybersecurity posture?

 

Continuous monitoring is crucial for evaluating cybersecurity effectiveness. Organizations should deploy real-time monitoring tools and conduct regular security assessments to promptly identify and reduce threats. Logging data helps businesses identify trends and resolve potential incidents efficiently, and it also leads to informed decision-making.

 

Staying ahead of trends like AI in cybersecurity is also essential for addressing emerging challenges. AI and machine learning can enhance threat detection and response capabilities. As the adoption of IoT and connected devices increases, organizations must implement robust strategies to secure these devices and protect the data they generate.

Chapter 3

Simplify security architecture; rationalize tools to boost efficiency and cut organizational costs

Acquisitions often come with the promise of realizing efficiency synergies for shareholders, and this is often achieved via standardization and simplification of complex processes. On the IT side, this can also mean standardization and simplification of digital platforms, tools and approaches.

Companies that lead in cybersecurity use a coordinated approach, led by the CISO, CIO and business unit leaders, to confirm that this approach not only helps improve digital efficiency and effectiveness but also does so in a secure and resilient manner. A key to this approach is recognizing that incorporating security concerns into this collaboration is not a constraint; rather, standardizing security requirements in conjunction with IT and operational requirements allows organizations to adapt quickly to scaling technology needs. This simplification fosters efficiency and automation. Organizations should review and standardize architecture requirements, integrating security measures into design and development phases to embed security into the foundation.

Additionally, as organizations focus on cost-cutting, aligning cybersecurity with operational goals can streamline processes without stifling innovation. This approach can help improve user experiences and reduce the burden of redundant systems while safeguarding critical operations.

Chapter 4

Educate and raise awareness so cybersecurity is recognized as a priority from leadership to employees

Many organizations struggle with cybersecurity due to competing priorities, particularly in the M&A environment where cost synergies often take precedence. This legacy approach results in insufficient visibility and poor collaboration between business leaders and IT.

Training and awareness are vital as organizations grow. Comprehensive programs help leadership and employees recognize and respond to threats. Collaborating with cybersecurity teams to gamify training, using leaderboards and phishing simulations, boosts engagement and fosters a positive security culture.

Educating C-suite executives about cybersecurity is also essential. Cybersecurity must be a priority in strategic decision-making, with leaders understanding the potential impact of cyber threats on operations. Our research indicates that while 80% of boards prioritize cybersecurity, only 44%–45% of business leaders grasp key concepts.³ Strengthening these connections empowers leadership to make informed decisions that align with business strategy.

To succeed in this environment, C-suite executives must prioritize cybersecurity as a core element of their business strategy. By adopting innovative practices and fostering a culture of awareness, as well as a recognition of the potential role of cybersecurity as a complement to standardization and cost-effectiveness of IT approaches, organizations can bolster their defenses and drive sustainable growth. The time to act is now. Rethink your cybersecurity approach, align it with your business objectives and prepare your organization to tackle the challenges of today and tomorrow.


Summary 

As oil and gas companies grow and their technology infrastructure expands, they must adapt to rising demands and cybersecurity threats. To safeguard critical operations, companies must adapt by improving visibility of the IT footprint, streamlining security architecture and educating their employees. By aligning cybersecurity initiatives with business objectives, organizations can improve resilience and support growth in a dynamic environment. A proactive cybersecurity strategy is vital for protecting operations and fostering innovation.
