

During the last quarter of a century, the global energy sector has relied on the protection offered by standalone and closed industrial control systems (ICS) as the primary barrier to IT security threats. Today, however, with energy facilities worldwide generally aging, upgrades and expansion projects are ushering in a wave of new ICS and supervisory control and data acquisition (SCADA) systems built on openness and interoperability. While the sector has been quick to take advantage of these new internet-connected systems to reduce cost, improve efficiency, and streamline operations, they have exposed it to a host of IT security risks that are only just beginning to be understood.

Brier & Thorn's energy practice serves all areas of the industry, providing IT risk advisory services to major and independent nuclear power plants; commercial oil companies; petrochemical producers; renewable energy companies; upstream, midstream, and downstream oil sector companies; oil field service firms; and private equity investors and sovereign wealth funds. Our risk advisors have worked in both permissive and semi-permissive environments, including conflict areas, for clients requiring both technological and physical security risk assessments, from the Western Siberian Basin of Russia to other basins domestically and around the globe. Our advisory teams of conventional and unconventional oil and gas E&P, midstream, refining and marketing, oil field service, and equipment manufacturing oil and gas experts combine global experience and proprietary approaches and insights to unlock significant value for our clients.

Risk Assessments

Demystifying IT Risk Assessments in Oil and Gas

IT risk assessments in conventional and unconventional oil and gas exploration and production

Oilfield Exploration

Industrial Espionage in Oilfield Exploration

Industrial espionage in E&P is growing year over year. This article uncovers indicators of compromise and what E&P companies are doing to address this global threat.

Historically, numerous cyber attacks directed at the global energy sector have largely been targeted and data-driven, as companies and individuals have attempted to gain access to personal or sensitive financial data, to purposely crash systems and harvest data using APT malware, and to gain valuable oilfield exploration and production data, especially in unconventional E&P methods. The nature of the threat is beginning to change, however, and companies across virtually all industry sectors have begun to witness much more intelligent and complex attacks that seek to take charge of systems and data in order to inflict damage to brand, property and operations.

Although the global energy sector has yet to experience catastrophic physical damage to facilities or disruption to supply as a result of a cyber-related event, publicly at least, the disproportionate rate at which it is a target for cyber attacks makes it appear that it’s only a matter of time before this trend is broken.

The energy sector’s resiliency to date is certainly not due to a lack of effort on the part of hackers. In August of 2012, the world’s largest state-owned oil and gas supplier, Saudi Aramco, was the victim of a malicious attack intended to halt the company’s crude oil and gas supplies using malware dubbed Shamoon by investigators. It destroyed the hard drives of more than 30,000 desktop computers and 2,000 servers, forcing IT systems to be disconnected from the internet for two weeks.

Just recently, Ukraine experienced a targeted attack against one of its utility companies, using malware dubbed BlackEnergy, that caused an electrical blackout.

Just as the cyber threat has grown in its complexity, so too have the possible motivations behind the attacks. Whereas cyber attacks have previously tended to stem from lone hackers, today they may originate from companies seeking to cause disruption to a rival’s operations in the hopes of gaining competitive advantage, from nation-state actors intending to benefit from resulting commodity price fluctuations due to restricted supply, or from a rogue government as part of a cyber warfare campaign to damage or disable critical infrastructure.

Brier & Thorn’s energy practice is at the forefront of advising energy companies in risk issues impacting operational success. Our network of energy specialists in risk management is globally coordinated from our numerous overseas offices. Our wealth of expert knowledge is augmented by market-leading IT risk management services to meet our clients’ toughest risk management issues.

Technology is a critical enabler for delivering enduring change. We help our energy clients with securing their IT architecture, enterprise applications (SAP, Oracle and PeopleSoft), outsourcing advisory, and information security project management. High-quality master data on customers, products, or employees is paramount to a company’s success. The majority of companies have understood this and are investing in IT security controls to lower the risk to their master data management (MDM) system. Still, business processes are not free of mistakes and weaknesses. We help our clients assess their information security requirements around their technical infrastructure, aligning conceptual and logical architectures with the appropriate security controls to build a complete roadmap to achieve our clients’ desired IT risk management goals.

Companies of all sizes, in all countries, in all industries now operate in an interconnected ecosystem – as do highly sophisticated and economically motivated adversaries. IT security has become a major threat, particularly to energy companies. We bring together the breadth of our global capability and a joined-up package of business, cyber threat intelligence, technical, behavioral change, forensic, legal and crisis management capability to assess maturity, implement improvements, and respond to data breaches.

The hard-hat world of energy and the hard-ball world of financial trading have progressively become more intertwined. Greater liquidity, increased participation of financial players, new types of exchanges and new types of commodities, such as emission rights, have all contributed to the growing importance of the use of financial instruments, and in some sectors trading.

These changes are producing new types of IT risk for companies that require a re-examination of their risk strategies and the way they conduct their risk management programmes. We help our clients:

  • Set the right strategy by developing clear policies and strategies to understand and engage in ways that are consistent with their commercial imperatives and acceptable risk profile. We help our clients align their activities to fit with a structured enterprise and IT risk management framework.
  • Manage risk effectively by advising on the risk frameworks, controls, and systems that need to be in place to manage risks and opportunities effectively.
  • Governance and compliance – we advise on a wide range of requirements to ensure our clients are compliant with regulatory requirements, have effective IT risk governance in place, and understand and manage risk impacts on the business.

We work alongside our energy clients, at all levels of the organization, to evaluate the risks and opportunities inherent in the industry and to implement solutions that produce enduring results for our clients.

How We Do It

This simple 6-step plan, distinctive to our firm, lays out:

  • Established IT risk governance that establishes a governance framework for managing the company’s IT risks by deciding who will be on each of the teams, sets up operating processes and a reporting structure, and connects risk programs such as disaster recovery, business continuity, and crisis management.
  • Understanding of IT organizational boundaries by identifying the company’s IT vulnerabilities which extend to all locations where sensitive data is stored, transmitted, and accessed.
  • Identification of critical business processes and assets that determines what comprises our clients’ most valuable revenue streams, business processes, assets, and facilities.
  • Identification of threats that creates an effective IT risk monitoring environment that focuses on building a sustainable and resilient approach to putting intelligence inputs from various teams under a common risk lens to quickly identify, correlate, and respond to threats in real time. Our oil and gas clients establish a robust threat-analysis capability built on shared intelligence, data, and research from our Security Operations Centers and external sources that effectively analyzes threat context in its entirety.
  • Improvement of collection, analysis, and reporting of information that our oil and gas clients are provided as part of our managed security services, which implements robust cyber and technical threat intelligence capabilities. These are: collection and management, processing and analyzing, and reporting and action.
  • Planning and Response actions through a formal design and implementation of prepared responses – playbooks – which are a necessary step in adequately planning and preparing responses to cyber events. Using the intelligence gathered throughout the playbook development process, each playbook says who should take action, what their responsibilities are, and exactly what they should do. Executive leadership will frequently revisit our firm’s cyber intelligence gathering techniques, leverage and update cyber insurance options, and upgrade IT security controls.

Client Results

We share our clients’ ambitions, working to understand their reality and deliver true results – focusing on strategic decisions and practical actions. We align our incentives with our clients’ objectives so they know we’re in this together as a closely-held partnership.

How an E&P company secures its data with Brier & Thorn

Large oilfield exploration and production company secures its biggest assets with Brier & Thorn’s risk advisory services.

Upstream, Midstream, and Downstream liquids metering technology company secures SaaS infrastructure with Brier & Thorn.

Badger Meter launches software-as-a-service (SaaS) platform for utility companies leveraging smart meter technology monitored and secured by Brier & Thorn after ISO 27001 certification and SOC2 attestation. How IT risk management has been institutionalized into the culture at Badger Meter across all global facilities and driven by its CEO and executive leadership team.