Cyber-Attacks on the Oil & Gas Sector: A Survey on Incident Assessment and Attack Patterns

During the past two decades, oil and gas operational and information technology systems have experienced constant digital growth, closely followed by an increasing number of cyber-attacks on the newly interconnected systems. Adversaries exploit vulnerable, accessible devices or attack networked services with malware, in an attempt to gain access to critical systems and machinery that are interconnected over networks. Given the importance of the oil and gas sector to the global economy and the diversity of critical systems often being controlled from remote locations, it is highly important to understand and mitigate such attacks. In this paper, we survey cyber-attacks on all three domains of the oil and gas sector (upstream, midstream, downstream) starting from the early 90s up until 2020. For each domain, we document and analyze verified attacks based on real-world reports and published demo attacks on systems. We map and catalogue the attack types used in each case, in order to understand common and subliminal attack paths against oil and gas critical operations. Our aim is threefold, i.e., first, to assess documented attacks using standardized impact assessment techniques and highlight potential consequences of cyber-attacks on this sector, second, to build a vulnerability taxonomy based on technical knowledge gathered from all such incidents and connect each vulnerability with oil and gas systems and respective attack paths, and third, to map the documented knowledge and taxonomies to MITRE's international knowledge base of Adversary Tactics and Techniques, so as to provide a general guide for analyzing and protecting against cyber-attacks on oil and gas infrastructures.


I. INTRODUCTION
Oil and Gas (O&G) infrastructures are divided into three broad categories: upstream, midstream and downstream infrastructures. Upstream infrastructures support exploration and drilling operations, midstream is responsible for the transportation of oil and gas and provides the link between upstream production and downstream dissemination, while downstream focuses on distributing assets to consumers, mainly crude oil and raw/condensed natural gas.
The O&G sector is one of the most important Critical Infrastructure (CI) sectors for the economy, housing and transportation. According to market reports, upstream oil investment reached USD 500B for 2019 alone, with global oil demand stabilizing around 1M barrels/day [1], [2]. In Canada, 97% of oil and petroleum products are transported via pipelines. Worldwide consumption of natural gas was recorded at around 140T cubic feet (Tcf) for 2018 alone [3], and is projected to increase to 203Tcf by 2040 [1]. According to the American Petroleum Institute's 2019 report, the US pipeline system (midstream infrastructure) consists of 2.7M miles of pipelines transferring assets between locations [27]. Midstream infrastructure connects to refineries and facilities working to distribute oil and gas to the end-users (downstream infrastructure).

The associate editor coordinating the review of this manuscript and approving it for publication was Ilsun You.
Like all other sectors, the O&G industry has been affected by the constant digital growth. Industrial Control Systems (ICS) used to operate in isolation, without bridging over IT infrastructures. Industry 4.0 enabled the integration of multiple industrial technologies in ICT, with engineers able to remotely maintain Supervisory Control and Data Acquisition (SCADA) systems [4] and monitor operations in real-time through actuators and smart sensors [5].
This digital evolution exposes Operational Technology (OT) infrastructures to multiple new attack surfaces and vectors. Current estimations state that, by 2020, connected devices may reach 50B globally [6]. Reports from numerous international bodies and organizations state that, even though attacks on interconnected industrial systems can lead to incidents with severe economic and societal impact [7]-[12], the security readiness and resilience of such infrastructures is still considerably low [13]-[19]. Reports from the National Institute of Standards and Technology (NIST) [7], the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) [19] and the European Agency for Network and Information Security (ENISA) [20] warn of numerous vulnerabilities in current OT systems across numerous CI. Attacks have occasionally affected power grids [21], smart cities [22], and the health industry [20].

A. MOTIVATION
Numerous publications exist on cyber-physical attacks and defenses, covering numerous critical infrastructure sectors such as Energy, Health, and Telecommunications. MITRE has recently released the ATT&CK framework that covers generic attacks on ICS [23]. ENISA has numerous publications on OT systems [20] and NIST has a specific publication on OT security [7]. Still, to our knowledge, there has been no systematic approach to catalog, map, and classify cybersecurity attacks on the O&G sector. Modern history has already proven that oil and gas OT infrastructure is vulnerable to cyberattacks. A number of reported incidents support this, with the most recent taking place in Q1 2020 when a ransomware attack affected "the control and communication assets on the OT network of a natural gas compression facility" [24].
Reports clearly indicate that attacks on ICS of the O&G sector can have adverse effects on wide geopolitical areas and multiple countries. Even worse, the severity of some security incidents is likely to be exacerbated by cascading failures introduced by dependencies of other CI on the O&G infrastructure [25]. Interestingly, a subset of these attacks did not specifically target O&G OT infrastructures. Instead, some ICS were infected through the random spread patterns of ransomware and similar malware.

B. CONTRIBUTION
The first step in creating an overall approach to protect the O&G OT infrastructure is to map, analyze, and understand current attacks and vulnerabilities in this sector. Concerning attacks on the OT infrastructure, we must examine attack vectors and vulnerabilities exploited by documented cases across all layers of an ICS architecture. After mapping attack surfaces, vectors, and common similarities, we must assess the importance and severity of each case, as well as model controls to prevent threats from reoccurring in similar systems.
In this paper, we survey cybersecurity attacks that occurred in all three O&G subsectors from the early '90s to Jan. 2020. In each case, we map their attack surfaces, detect the infiltration techniques along with present vulnerabilities and assets affected and classify each incident's impact and adverse effects according to a standardized impact scale.
We utilize two international cybersecurity information frameworks to (i) support our survey on O&G cyberattacks and (ii) develop an O&G cybersecurity vulnerability taxonomy. The frameworks are (a) MITRE's ATT&CK framework [23] and (b) MITRE's Common Attack Pattern Enumeration and Classification (CAPEC). ATT&CK "describes operational phases in an adversary's lifecycle, pre and post-exploit and details techniques used" [26]. On the other hand, CAPEC enumerates malicious attack patterns.
After gathering white and grey literature on O&G cyberattacks, we utilize these frameworks and our newly established vulnerability taxonomy to classify each attack per layer, per type of system, and per attack technique (i.e., exploit and vulnerability type used). We use CAPEC and ATT&CK complementarily, to help readers determine which attacks occur most often, map attack types to ATT&CK's adversary tactics and techniques, and understand which assets are most vulnerable in each type of attack.
We also provide a qualitative impact analysis of each recorded attack based on the adverse effects and type of systems affected. To do this, we use a semi-qualitative impact assessment table, which is assembled by information taken from national bodies, such as NIST, and relevant reports from international companies that analyzed the impact of unavailability of systems in the O&G infrastructure.
We focus on attacks that had extensive or severe impact either on society or on the industry, and that targeted infrastructures often supporting other infrastructures that may have consequently been affected. We only map attacks recorded by official bodies or valid organizations and researchers. Lab attacks or simulated attacks (e.g., attacks validated in Hardware-In-the-Loop (HIL) testbeds) are not included in this survey. This culminates in: (1) a novel vulnerability taxonomy, specifically developed for O&G systems, that is directly tied to MITRE's frameworks; (2) an extended catalog of real attacks on upstream, midstream and downstream O&G systems, along with an impact analysis that utilizes the above-mentioned taxonomy and an O&G-specific impact assessment method to assess real attacks, so that the presented approach is directly applicable to any O&G situation by relevant experts; and (3) a systematic catalog, analysis, and classification of attacks on all three O&G subsectors (upstream, midstream, downstream), as well as a thorough analysis that highlights commonalities, the most used attack vectors and the most common vulnerabilities currently being exploited in the O&G sector, presented per subsector and per vulnerability.

VOLUME 8, 2020

C. STRUCTURE
The following sections are structured as follows: Section II presents related surveys and analyses in the field of industrial cyberattacks, while Section III explains the survey methodology we used to detect, record, and classify cyber-attacks in the O&G sector through various reports, articles, and publications.
Section IV provides a typical model of the OT infrastructure in ICS, specifically for the O&G systems. Here, we map assets of O&G ICS per layer and create a reference connection of each one to ATT&CK's asset type levels.
Section V presents the developed taxonomies used in this paper to classify recorded attacks. First, we present a taxonomy of generic types of attacks on O&G systems. We rely on the Common Attack Pattern Enumeration and Classification (CAPEC) and MITRE ATT&CK taxonomies to introduce basic attack types for O&G systems. We then develop a taxonomy of vulnerabilities per layer, assembled from relevant literature and recorded attacks on O&G systems. We identify, map, and present different types of vulnerabilities that have affected the O&G sector. Last but not least, we introduce an impact assessment methodology for assessing the severity of attacks and briefly analyze its dimensions and evaluation attributes.
In Section VI, we present all identified cyber-attacks on the O&G sector and classify them using the above-mentioned taxonomies. We also provide a brief presentation and assessment of the impact of each detected attack.
In Section VII we summarize security controls that can mitigate the impact or lower the threat of the presented attacks.
Finally, Section VIII discusses potential security controls that stem from all classified attacks and can be used for mitigating cyber-attacks in O&G infrastructures, while Section IX discusses identified security gaps and elaborates on potential future work.

II. LITERATURE REVIEW
Numerous publications exist, both in the academic and grey literature, that address diverse aspects of cybersecurity issues in critical infrastructures and operators of essential services. From an academic point of view, most surveys either tackle various threats and vulnerabilities common to multiple ICS types and CI sectors [4], [5], [8], [52], [115], [117] or focus on specific sectors, e.g., Energy or Telecommunications [93]. The field is densely published, even with a few meta-surveys that summarize and classify CPS domains, attacks, and research trends [116].
In this section, we briefly present both types of articles and relevant surveys. We then highlight their differences in scope and goal with our survey.

A. ACADEMIC SURVEYS ON CRITICAL INFRASTRUCTURE SECURITY
Industrial control and SCADA system architectures are similar between infrastructures and usually apply to diverse systems and components. Thus, most surveys target ICS security in general, and group security concerns and mitigation mechanisms with generic SCADA models. These generic surveys combine several domains when addressing CPS security. Such approaches may provide a common overall picture for ICS cybersecurity and allow national bodies [7] and standards [111] to address issues, threats and vulnerabilities that are common to all CI; a useful approach when addressing cybersecurity threats and mitigation mechanisms for diverse operators.
Kim and Kumar [121] published one of the first surveys concerning CPS research efforts, while Krotofil and Gollmann [122] presented a survey on ICS security and discussed protocol-related (Modbus/TCP, DNP3, IEC 61850) and sensor/actuator-related vulnerabilities, along with potential security controls to mitigate their risk.
Kim et al. [93] were one of the first to publish an extended survey on CPS and smart grids, highlighting security challenges and approaches in the broad field of CPS security.
McLaughlin et al. [8] explore the ICS cybersecurity landscape and address key principles of ICS operation and testing. They provide an overview of ICS security assessment techniques and suggest a process for ICS vulnerability assessment.
Other surveys focus on the Industrial Internet of Things (IIoT), like [123] and [5]. In [5], authors assess the current IIoT landscape by analyzing representative attacks and assessing IoT-enabled cyber-incidents using a risk-like approach. In [123], authors delve into security and privacy concerns for the industrial Internet of things and propose mitigations.
Khan et al. [134] published research specifically about reliable IoT-based architectures for the Oil and Gas Industry. They propose alternate architectures for functional and business requirements applicable in upstream, midstream and downstream oil field services that take security issues into consideration.
In [4], authors identify vulnerabilities and potential threats in CPS, and describe solutions for mitigating the presented attacks. Sayegh et al. [52] present a test-bed for detecting vulnerabilities within SCADA protocols against internal attacks and present a comprehensive list of such vulnerabilities.
In [117] authors survey tools and techniques to detect SCADA system vulnerabilities in CPS common in numerous sectors, while Bhamare et al. [115] document major publications both from industry and academia that tackle the applicability of machine learning techniques on ICS cybersecurity.
Our work is close to [118], where authors review industrial systems using real cyber-security incidents against SCADA systems. The authors also classify the attacks based on similar criteria, such as the attack method and the potential impact of the attack. They too opt to provide a taxonomy to be used for comparing current and future SCADA incidents, although their analysis is of limited depth, does not correlate to international frameworks such as MITRE's ATT&CK, and is rather generic, without focusing on a specific sector. Thus, it cannot support the technicalities and consequence idiosyncrasies of the O&G sector.

B. RELATED WORK FROM INDUSTRY AND ORGANIZATIONS
Outside academia, various grey literature publications exist, mainly from industry and national organizations. Such publications usually neither analyze the effects of real-world attacks, nor allow for targeted analysis of events per sector. Rather, they aim to model types of threats and vulnerabilities along with mitigation measures for assets common in numerous ICS architectures. For example, NIST Special Publication 800-82 [7] examines a range of security and privacy issues in ICS and addresses industrial IoT issues. The content of SP 800-82 is applicable to all domains and CI sectors.
Still, some reports exist that briefly mention or catalog cybersecurity incidents on CI (e.g. [5], [16], [66], [79], [94]), although they mostly utilize events to support other types of analysis, such as statistics or trend analysis. To this end, such publications either do not focus on real-world events or are incomplete in their listings and only refer to real-world attacks for argument's sake, to support their analysis or conclusions on relevant subjects.
Kaspersky Labs frequently publish reports and case studies [11], [47] that identify security issues in ICS on all layers, i.e., from physical and network security to vendor-specific vulnerabilities, SCADA systems and Programmable Logic Controllers (PLC).
FireEye [18] also publishes annual or bi-annual ICS vulnerability surveys, identifying common vulnerabilities and issues present in CPS.
MITRE recently published the ATT&CK framework [23], a knowledge base of adversary tactics and techniques based on real-world observations. ATT&CK has a separate section for ICS security, along with lists of ICS threats and techniques and documented adversary groups from ICS related incidents. Although not O&G-specific, most information therein is relevant to O&G cyberattacks and systems.
Dragos has published a comprehensive timeline of ICS attacks [55], along with numerous catalogs of potential cyber-attacks on industrial systems. Although the analysis is high-level, Dragos also publishes similar reports in a modular way, assessing different sectors and systems.
National bodies and organizations also publish reports that survey aspects of CPS security. Among those, the most important seem to be best practice reports and frameworks published from the United States, as well as some key Directives of the European Union.
The US Dept. of Homeland Security (DHS) has frequently published best practices on identifying common cybersecurity vulnerabilities and mitigation control in industrial control systems [9]. DHS has also published the US National Infrastructure Protection Plan (NIPP) [101] that highlights key concepts concerning threats, attacks and risk on all types of CI. NIST has relevant publications: Special Publication 800-82 [7] provides a thorough guide to industrial control systems (ICS) security, tackling ICS threats and vulnerabilities, recommended practices, and architectures. Other NIST publications that apply to CPS include publications from the Computer Security Division-Computer Security Resource Center [33], as well as Special Publication 800-63-3 [37] on technical requirements for implementing digital identity services, identity proofing and authentication of users in critical systems.
The US Dept. of Energy published a Risk Management Guide specifically for the Energy infrastructure that also covers the O&G sector [105]. The article provides a non-mandatory risk management approach for energy systems and does not correlate directly with cyber-attacks, although most of its procedures are applicable to our concepts.
ISO/IEC publish standardized guidelines for assessing risk and for information security risk management [59]. ISO's international standards support the general concepts specified in ISO/IEC 27001, which are also applicable to CPS, and ISO/IEC TR 19791:2010 on the security evaluation of operational systems [119].
From an EU perspective, the European Commission has published numerous Directives that either highlight key cybersecurity issues concerning ICS similar to those in the O&G sector, or lay the groundwork for the publication of reports and best practices like those presented in this chapter. Briefly, the most important appears to be Directive (EU) 2016/1148 of the European Parliament and of the Council (2016) "concerning measures for a high common level of security of network and information systems across the Union" [99]. The EU also published Regulation (EU) 2019/881 of the European Parliament and of the Council [100] on information and communications technology cybersecurity certification. Other relevant publications include Directive 2012/18/EU of the European Parliament (SEVESO-III) [102], which highlights key concepts for addressing hazards and consequences from various types of scenarios, including cyberattacks on industrial systems.
Modern reports also focus heavily on the digitization of the O&G sector, along with the use of IoT and smart meters to automate monitoring and control. EY [124] has addressed this topic, and CISCO published a report together with Schneider Electric and AVEVA [128] on how to tackle security in real-time pipeline operations. Fortinet recently (2020) published an extensive independent study [125] on security trends in the digitization of critical infrastructure, focused specifically on operators who utilize IoT for management and maintenance, including the O&G sector.

C. SURVEYS ON O&G CYBERSECURITY
To our knowledge, very few academic publications survey cybersecurity topics specifically for the O&G sector. Still, some grey publications exist that describe different cybersecurity issues that concern this sector. Companies, security vendors and O&G boards have published some approaches and reports that list potential security threats or highlight common vulnerability types that exist in O&G ICS.
Hacquebord and Pernet from TrendMicro have published a survey on threats that target the O&G Industry [77]. They support their analysis by also providing a list of known hacking groups and their cyberattacks on the O&G sector.
In [66], Dragos published a survey on O&G cyber threats, where authors assess activity groups affecting the global O&G Industry and provide "a snapshot of the threat landscape and what is expected to change in the near future". This publication effectively catalogues hacking groups and state actors that target O&G infrastructures, although it does not provide any analysis of systems or impact factors.
Another publication specifically targeting cyber security attacks on the O&G industry is presented by Radmand et al. in [92]. The authors present a taxonomy of wireless sensor network cybersecurity attacks in the O&G industries. They present common wireless network security requirements and tie them to potential attacks on wireless networks implemented in O&G ICS. This is a survey targeted specifically at O&G, although it only focuses on wireless technologies and does not refer to known cyber-incidents to extend its analysis.
Last but not least, authors in [94] published a comprehensive cyber risk technical review specifically for the upstream subsector of the O&G sector. They provide an extensive analysis of threats and common attacks, and even catalog an extensive list of upstream cybersecurity incidents. To our knowledge, this is the only existing publication that addresses both threats and vulnerabilities for the O&G sector while supporting its analysis with real-world documented incidents. However, their approach focuses only on upstream infrastructures and considers only systemic risks [94].

D. COMPARISON WITH THIS SURVEY
All mentioned publications, articles and reports cover numerous security concepts that are directly or indirectly relevant to the O&G sector. Even though some of them provide extensive analysis of major ICS security issues and vulnerabilities [8], [18], [21], [40], [47], [71], just a few actually support their impact assessment outcomes besides listing the consequences of attacks. Only three articles provide a thorough systematic analysis of real-world cybersecurity incidents [8], [47], [61], while none focuses specifically on the O&G sector. In addition, most publications that catalog real-world attacks are either incomplete or lack adequate substantial knowledge extraction from them to be used directly by O&G system operators. Some grey literature works [18], [66], [94] manage to catalog a number of O&G cybersecurity events, without providing further analysis of these events to draw useful risk assessment conclusions for O&G systems.
The methodology used in this article is conceptually close to [5] and [118], with relevant aspects also shown in [66] and [94]. The corresponding analysis studies documented attacks (real-world, as well as a few testbed attacks), but focuses specifically on the O&G sector. This makes our impact assessment and systematic analysis more thorough and useful for O&G operators. Also, our vulnerability taxonomy is created by analyzing the architecture of actual O&G ICS and supports its results through the actual documented incidents that happened to them. We do not use generic, simulated or component-based attack assessment. In addition, we define a qualitative impact/consequences assessment method specifically for the O&G sector, taking into consideration relevant particularities of the sector through previous analysis of targeted attacks on O&G ICS infrastructures, networks and PLC/RTU systems. Our vulnerability taxonomy is directly tied to MITRE's frameworks and is specifically developed for O&G systems. The presented impact analysis of real-world documented events follows as a proof-of-use of the taxonomy and assessment on real attacks. Thus, it is directly applicable to any O&G situation by relevant experts. Also, contrary to [94], we catalog, analyze and classify all three O&G systems (upstream, midstream, downstream) and detect commonalities and security issues per subsector and per vulnerability.

III. SURVEY METHOD
The method utilized to develop this survey is comprised of 4 steps: (1) survey protocol and scope development, (2) search and identification of selected studies based on scope, (3) screening of literature based on quality, and (4) reporting (extraction of information, synthesis and reporting of findings). Figure 1 depicts the overall survey framework and describes the flow of each aforementioned step. The presented steps offer a reproducible algorithm for managing the scientific and industrial literature used in this article, both for developing the O&G vulnerability taxonomy and for recording and classifying cyber-attacks in the O&G sector. Our approach is based on the survey methodology presented in [98].
First, we gathered all detected documents (455 files) both from academia and grey literature (reports, white papers, company publications etc.). We excluded articles written in languages we could not parse, removed duplicates and moved on to evaluate each detected document. Some articles were excluded based on title (152), while others were excluded upon reading their abstract (111) or full text body (36). The most common issue we faced was distinguishing information tightly coupled with O&G from information on generic ICS that applies to any OT infrastructure. Final inclusion addressed 135 articles.

A. OBJECTIVES AND STRATEGY
We first define the aims and scope of the survey. Then, we evaluate available vulnerability taxonomies and cybersecurity controls relevant to O&G infrastructures. These aid in understanding the underlying issues in recorded attacks, developing an O&G vulnerability taxonomy, and supporting the analysis of existing implementation gaps and areas open to improvement in the sector.
The objectives along with their supporting research questions are presented in Table 1. The table depicts our search goal, the relevant question posed to achieve this goal and the related key-word searches used to detect relevant material. Key-word searches were first based on the TITLE of each article, and were further refined by searching the ABSTRACT of each detected publication. To work on set goals and scope, we conducted a systematic literature search from Oct 2019 to Jan 2020.
Preliminary findings were subsequently recorded in Jan. 2020. Search engines utilized were Scopus, IEEE Xplore, Google, and Google Scholar. IEEE Xplore, Google Scholar, and Scopus supported the detection of scientific literature, while Google was used to locate international standards, technical reports, industry best practices, and articles for locating cyber-attacks and relevant incidents at the industry.
Searches used a variety of keywords and their combinations and were subjected to filtering and fine-tuning based on the context of results. Grey literature and relevant articles were sampled from a total of 400 hits from Google. Additional articles and reports were detected through the references of key articles pertaining to the above-mentioned hits. Additional citations were also extracted from the Google Scholar algorithm that proposes relevant bibliography for each search.

B. PUBLICATIONS AND GREY LITERATURE
The search queries resulted in accumulating a plethora of publications and literature. To assess the validity of the content and reduce the total volume of articles and publications, we opted to define some inclusion and exclusion criteria. Exclusion criteria were applied before, during, and after title and abstract screening; afterwards, exclusions mostly resulted from full-text reading.
The selection process for articles and publications met the following inclusion criteria: (a) relevance of title, (b) assessment of abstract and introduction for useful and relevant content, and (c) full-text reading of each article and publication.
Exclusion criteria consisted of: (a) research papers, book chapters, and scientific articles without peer-review processes, (b) articles or papers not written in English or French, (c) articles missing abstracts and introduction, (d) irrelevant publications, (e) articles and publications from bodies or organizations without a valid national or international status, (f) generic articles without specific descriptions, (g) unreferenced news articles and publications, or publications by unknown authors who were not members of relevant scientific or industrial communities.
We considered related surveys if: (i) they addressed ICS security and had a similar aim and scope, or (ii) they were directly or indirectly related to the cybersecurity of the O&G sector.
Any articles or publications that met one of the exclusion criteria were discarded from the data. Full-text reading of some papers and reports also resulted in excluding them and recording their reason for exclusion. Table 2 summarizes the above.

IV. MODELING OF TYPICAL O&G INFRASTRUCTURES
There exist three categories of O&G infrastructures: upstream, midstream, downstream. Upstream refers to exploration and production, midstream refers to transportation, and downstream refers to refinement and distribution facilities. This article records, classifies, and analyses attacks on all O&G subsectors. Upstream, midstream and downstream infrastructures utilize ICS to monitor operational activities, record operations and make decisions, either automatically (i.e., closed loop) or manually. ICS are used to gather information from endpoint devices and monitor the current state of production.
Attacks analyzed in this paper mostly refer to closed-loop control systems, also known as feedback control systems. Such systems implement one or more feedback loops between input and output data to support automatic decision making. This means that parts of the output data are fed back to the monitoring and control system as input to form a part of the system's decision-making algorithm [28]. Feedback control systems are designed to automatically achieve and maintain desired infrastructure states without manual intervention. Closed-loop SCADA systems imply that a highly configurable set of industrial software applications is used to support the management of processes in production.
In the rest of this chapter we present a typical architecture of a closed-loop industrial system used in O&G infrastructures. It involves common types of assets (e.g. sensors, actuators, relays, SCADA system) and asset-specific installations present in downstream infrastructures. We also present typical layers used to describe the architecture of such systems. Information modeled in this chapter is used as reference for attack analysis and classification in the coming chapters.

A. A MODEL OF O&G SYSTEMS AND ASSETS
Figures 2a and 2b depict typical ICS SCADA and OT architectures for downstream (station dissemination) O&G ICS (Fig. 2a) and a high-level industrial system network for upstream and midstream (Fig. 2b) [5], [8], [23], along with brief examples of attack types that can be realized in each part of the architecture. Downstream O&G infrastructures, such as refueling stations, consist of the following components: Inlet systems, Condensate tanks, Dryer units (gas) or Dehydrators (oil), Compressor systems, Storage units (crude oil tanks, compressed tanks), Dispensers, Recovery systems, and Station control systems.
Downstream infrastructures utilize SCADA systems as the focal point for system input and control of all mentioned components. Either through closed-loop architectures or with human intervention, SCADA controls analyze sensor input and send commands to actuators and other types of "edge" devices for dispersion monitoring and control.
Midstream and upstream attack types follow the same general architecture for the relevant equipment. Typical midstream architectures are mostly below ground and/or have low ratios of ICS components per pipeline kilometer. Most components are pipeline sensors. In specific predefined locations, midstream infrastructures have Above Ground Installations (AGI) that may have numerous ICS assets installed. Block valve stations, primary and secondary pump stations, metering stations, remote distribution stations, and critical distribution points are all considered AGI.
Upstream and midstream architectures (Fig. 2b) depict high-level components and emphasize networking instead of facility installations, since both follow similar CPS logic to downstream in terms of intelligent devices and communication media. In fact, midstream implementations are considered simpler in terms of devices and actuators (same SCADA HMI, protocols, sensors, and actuators, but no tanks or processing machinery). Upstream infrastructures deploy SCADA systems for similar monitoring purposes during well extraction, separation of oil and gas, and export to pipes. Even though processes are different and safety checks vary in comparison to downstream, the ICS architecture (e.g. PLC, RTU, relays, etc.), connectivity (protocols, routing devices, communication media) and use-cases (HMI, server types, etc.) largely remain the same for midstream AGIs and upstream facilities.
Such ICS mostly rely on humidity, pressure, temperature, CO2, flow and particle sensors to gather environmental and pipe or tank data for monitoring and decision support. Following the trend of Industry 4.0 systems, modern ICS are IoT-enabled, with smart meters and sensors in modern applications. Smart sensors and devices can be defined as any nonstandard computing device able to gather, analyze and send data over a network for decision support [5], [29]. In O&G, this mostly applies to automated tank gauges, smart sensors and valves used to monitor or influence fuel tank inventory levels and raise alarms [30].
Figures 2a and 2b also depict the most common attacks inflicted on such systems. Attacks through IT and digital infrastructure refer to attacks that utilize common IT systems and networks (workstations, LAN, portable devices, PCs, etc.). Man-in-the-middle (MITM) attacks refer to attacks on the communication media used by devices to exchange commands and data. These are mostly injection attacks that add malicious data or commands to a communication stream, or eavesdropping attacks that aim to steal corporate data. Direct attacks on actuators refer to digital, manual or remote injection attacks that aim to change the working state of a field device in an installation (e.g. close a valve, change temperature thresholds in sensors, etc.). These attacks will be thoroughly analyzed in the coming sections.

B. ASSET INVENTORY
A typical ICS is comprised of three levels (plus an extra level for the company's internal IT infrastructure). In the O&G industry, each level includes specific asset types and relevant devices [18], [23] regardless of its subsector, as follows: Level 0: Sensors, Relays, Actuators, Level 1: PLC, RTU, Slaves, and Level 2: SCADA industrial control system (HMI, Historian, servers, etc.). Each level involves specific types of devices:

1) LEVEL 0 - EDGE DEVICES
ICS devices that work in the field, in remote installations, or that are directly connected to the engineering infrastructure are usually referred to as edge devices. Their main purpose is to collect physical environment information or to control physical machinery based on input, either automatically (closed loop) or manually through SCADA commands. Edge devices are usually sensors and actuators:

a. Sensors
The most common sensors in O&G systems include temperature, pressure, humidity, sound, RFID, gas and flow sensors. Smart sensors measure physical environment signals and process variables to capture the state of components. Typically, O&G sensors are divided into three types: EX-IA sensors, ATEX sensors, and normal sensors. O&G sensor equipment for potentially explosive atmospheres (ATEX) is standardized under the EU ATEX Directive 2014/34/EU, which covers equipment and protective systems intended for use in potentially explosive atmospheres [31]. O&G sensors are commonly classified as ATEX, EX-IA or normal based on their explosion protection and manufacturing. Similar to ATEX, [32] and other relevant sensor certifications are usually combined with Ex-IA or dual certification for sensor protection. All such sensors are considered Level 0 assets in the MITRE ATT&CK framework, i.e., lowest-layer assets.

b. Actuators
NIST defines actuators as "devices for moving or controlling a mechanism or system. An actuator is the mechanism by which a control system acts upon an environment" [33].

2) LEVEL 1 - INTELLIGENT CONTROL DEVICES (RELAY, PLC, RTU)
Remote Terminal Units (RTU) and Programmable Logic Controllers (PLC) transmit captured data to supervisory systems, control infrastructure components such as O&G actuators (e.g. valves), and report component status for decision making. These controllers and slaves get data from sensors and can convert output into digital signals. Such devices are considered Level 1 assets in the MITRE ATT&CK framework, connecting Level 0 to Level 2 assets.

a. Human-Machine Interface (HMI)
A human-machine interface is a user input system that allows a human operator to control the machinery, monitor systems and issue commands based on processed data. HMI refers to "graphical, textual and auditory information the program presents to the user (operator)" [34].

b. ICS servers
Industrial control systems often utilize multiple servers for granular control and resilience. Supervisory systems, MTU and Database servers comprise the backbone infrastructure of the Control Center. Communication servers between the HMI software and field devices, MTU that serve as a supervisory or master system for SCADA command and relevant application servers supporting ICS software, all fall within this category.

4) LEVEL 2 - NETWORK INFRASTRUCTURE
Network hardware is typically considered Level 1 assets on the MITRE ATT&CK framework, while communication protocols are Level 2, allowing information distribution on the application layer of an ICS.

a. Network Hardware
Communication between field equipment and the control center can be one-way (monitoring only) or two-way (monitoring and control). Connected equipment (e.g. PLC and industrial controllers used as middleware between the substation and the control center) can connect via leased lines (e.g. fiber cable) or wireless antennas (e.g. cellular/3G).

b. Communication Protocols
In O&G infrastructures, devices communicate with servers and actuators to pass critical real-time information or commands through numerous protocols (e.g. DNP3, ZigBee, FINS, ModBus, RS-232, etc.). This mapping of assets to ATT&CK levels [23] is presented in Table 3.

C. IOT AND DIGITIZATION OF O&G SYSTEMS
The digitization of O&G infrastructures mostly involves the use of IoT smart meters (Level 0) that cooperate in closed loops with smart relays (Level 1) and relevant software (Level 2). The use of IoT in O&G offers several benefits. Studies suggest that smart devices can minimize operational risks during drilling, allow for real-time monitoring of infrastructure states [128] (pipelines, platforms, etc.) and can improve production by up to 8% using data mining and aggregation [124], [135]. Still, implementing smart assets at Levels 0 through 2 unifies control over several systems. Even though smart systems allow for centralized and/or remote control of multiple processes previously left to manual, close-proximity operation, this digitization also introduces major overhead in processing, storing and securing incoming data from multiple diverse sources. Such changes involve significant cyber risks. Operating facilities like offshore rigs, pipelines, stations or refineries through unified, closed-loop SCADA systems can pave the way to increased damage from security incidents and lengthier disruptions [94], [95], and can even result in injuries to employees or civilians and extended environmental hazards triggered from far away [114]. Also, the aggregation of big data from all O&G operations can result in increased privacy risks for business and personnel information [125].
Last but not least, smart meter implementation sometimes bypasses common architectural models in O&G OT systems and allows for indirect communication between devices from different layers (e.g. a Level 0 sensor speaking directly to a Level 2 server over 4G without going through Level 1 equipment), or cross-communication of multiple data sources monitoring the same asset (e.g. different smart sensors on a gas tank monitoring the same asset with different data types).
Even though these implementations are mostly operator deployment decisions, such conveniences make it harder to implement proper security measures across all assets.

V. TOOLS FOR MODELING O&G CYBER ATTACKS
In this section we present the tools that we use in this paper to analyze and classify all recorded O&G cyber-attacks. We utilize two established cybersecurity knowledge frameworks from MITRE:
• The Common Attack Pattern Enumeration and Classification (CAPEC) [26] "describes common attributes and techniques employed by adversaries to exploit known weaknesses in cyber-enabled capabilities" [26].
• The ATT&CK framework is a knowledge base of adversary tactics and techniques that "describes the operational phases in an adversary's lifecycle, pre- and post-exploit (e.g., Persistence, Lateral Movement, Exfiltration) and details the specific tactics, techniques, and procedures" [23].
CAPEC's attack patterns are used by techniques described in the ATT&CK framework. We use CAPEC and ATT&CK complementarily, to map attack types to ATT&CK's adversary tactics and techniques and to understand which assets are most vulnerable in each case. We build (i) a list of attack types for ICS, (ii) a taxonomy of potential O&G cyber-attack types, (iii) an ICS layers table applicable to O&G, and (iv) a vulnerability taxonomy of potential O&G vulnerabilities per ICS layer.

A. GENERIC ATTACK TYPES
All attacks on industrial systems can be broadly categorized into two types, or a combination of the two. Attacks either target physical security and safety (labeled 'P') or target a facility's use of cyber space to attack the confidentiality, integrity and/or availability of a computing environment or infrastructure [35] (labeled 'C'). Attacks can combine the above definitions and create chains of security events. For example, a physical tampering attack on a network device that injects malware into the network, able to steal data, is a physical-to-cyber ('P-C') attack. On the other hand, malware infiltration able to manipulate a valve and cause gas leakage is an attack that stems from the ICS but has physical consequences (cyber-physical, 'C-P'). All acronyms and potential combinations are presented in Table 4. O&G ICS are cyber-physical systems [36]: physical plant machinery and processes are monitored and controlled by the cyber section to distribute or transfer gas from production to the end-user. Thus, this survey emphasizes C, C-P, P-C-P and P-C attacks, while considering purely physical attacks (P) out of scope.

B. CYBER-ATTACK TYPES
Attacks can be distinguished based on their starting point. For example, an attack caused by an employee is different from an attack originating outside a CNG station. Thus, attacks are divided into internal and external. Internal (or insider threat) attacks stem from entities with authorized access to the domain of an information system [33]. These include, but are not limited to, disgruntled employees who may use their privileged access to damage their employers. External attacks try to exploit vulnerabilities in the facility's attack surfaces without prior knowledge or access. Two other commonly used facets when studying cyber-attack types are the "active" and "passive" categories. Active attacks alter systems or data [35], while passive attacks intercept data traveling along the network but do not alter them (i.e., eavesdropping) [37].
We utilize the Common Attack Pattern Enumeration and Classification (CAPEC) taxonomy to introduce the cyber-attack subtypes for classification. CAPEC [26] "provides a publicly available catalog of attack patterns" and descriptions of common cyber-attack approaches employed by adversaries. The tree-like structure for categorizing O&G cyber-attacks into CAPEC subtypes is shown in Fig. 3.

C. LIST OF CYBER-ATTACK TYPES PER ICS LAYER
All cyber-attacks that are applicable to O&G systems can be assigned to different ICS architecture layers. These layers are commonly used in frameworks and taxonomies to aid classification [7], [8], [23], [38] and will later allow us to effectively present and categorize vulnerabilities in O&G infrastructures. Table 5 summarizes the applicable ICS layers and assigns common O&G assets to each layer. The hardware layer is comprised of all tangible low-level equipment that connects to the ICS. This includes field devices and sensors, processors, volatile and non-volatile memory, slaves, RTU, PLC, relays and other relevant components used in machinery. Hardware also includes tangible network assets, such as routers and cables, along with digital equipment such as servers, workstations, laptops and their components.
The firmware layer includes software that enables low-level control of devices and hardware. Firmware is typically stored in non-volatile memory and provides an interface between machinery and software. Nearly all modern ICS devices contain in-house or third-party firmware.
The software layer is comprised of all computer software used in an ICS for monitoring and control. This includes any and all programs and applications running on devices and servers that enable user interaction. The network layer contains any assets relevant to the communication medium used in an ICS, namely communication protocols, modems/routers and other network devices, such as firewalls and radio, wireless and similar communication antennas.
The process layer is the abstract layer that describes overall control systems and processes. It contains mappings of business logic, industrial processes and architecture that describes the use of ICS in connection with the business needs of a midstream or downstream infrastructure.

D. TAXONOMY OF COMMON O&G VULNERABILITIES PER LAYER
Expert knowledge, recorded attacks and relevant literature show that each ICS layer has different security risks and relevant vulnerabilities that an adversary can discover and exploit. This is supported by various technical reports and state publications that define or model attacks on ICSs (e.g. supply chain attacks) [5], [7], [11], [23].
In this section we develop a body of knowledge of potential vulnerabilities per ICS layer, and connect them to MITRE's ATT&CK techniques to help readers detect attack types, adversary tactics and techniques, and pinpoint the assets that are most vulnerable. Table 6 assembles a vulnerability taxonomy for O&G ICS, with extensive information collected and filtered from articles, grey literature and government incident reports.

1) HARDWARE LAYER
The hardware layer contains devices and embedded components such as RTU, PLC and relays. This layer is susceptible to tampering attacks and other physical attacks [7], [23] meaning that someone in close proximity can cause alteration or destruction of field devices. Furthermore, hardware is vulnerable to supply chain attacks as hardware trojans can be injected in any stage of the supply chain [8], [39], [40]. In O&G, hardware vulnerabilities considered most critical include the use of legacy/end-of-life or unpatched equipment.
Physical attacks may cause damage to property such as infrastructure, equipment and the surrounding environment, due to the lack of safety mechanisms [7], [60], [111]. For example, physically altering or attacking industrial O&G systems without fail-safe or monitoring mechanisms can lead to extended leakage affecting nearby communities [42], [43]. Frequently there is inadequate protection on engineering workstations connected to the system for device programming and control adjustment. Using third-party devices or services may introduce unknown vulnerabilities, both in midstream and downstream infrastructures, e.g. by installing devices with malicious hardware trojans [8].
Last but not least, ICS and especially field devices are rarely updated with modern hardware. Most infrastructures keep using old actuators, PLC and RTU, sometimes even if they contain critical vulnerabilities that cannot be patched. This is even worse in the case of midstream AGI, where the cost of upgrades is considerably higher [7]-[9], [18].

2) FIRMWARE & SOFTWARE LAYER
The firmware layer lies between hardware and software. It consists of the operating system that midstream and downstream controllers, systems and field devices use. This layer is mainly susceptible to malicious firmware injection [8], [44] attacks, in order to disrupt the ICS operation. The software layer consists of all the applications used in an ICS to monitor and control machines and peripheral systems, other software platforms and human machine interfaces. With the coming of Industry 4.0, this layer is susceptible to almost all common IT cyberattacks, including injection, malware attacks, remote code execution, etc. [7], [23], [60].
Unpatched operating systems are a common vulnerability for both ICS and IT systems [12]. Reports consider the lack of OS and software patching as one of the top ICS vulnerabilities since 2016 [18], and this applies to the O&G sector too. Numerous reports likewise consider the use of legacy software and the lack of software patching as one of the top ICS vulnerabilities since 2016 [7], [18].
Software lacking proper input validation in its source code is one of the most frequent vulnerabilities at the software ICS layer [7], [9], [18], [48]. SQL injection, XSS and CSRF attacks, which are common in Web applications, are also regarded as some of the top ICS software vulnerabilities [47]. For example, buffer overflows in ICS software are common and have been known to cause serious impact on their processes [46], [47].
DoS attacks on OT equipment are another common attack technique. There are numerous incidents of unavailability attacks using software vulnerabilities found in ICS components [49]. Successful exploitation can render O&G systems unavailable, which, depending on many factors, may in turn cascade into types of impact on individual organizations beyond the denial of service itself; unavailability is nevertheless a common goal of attacks on ICS.
Improper access control or authentication processes in software used in ICSs may lead to compromised OT processes, commands and data [8], [18], [47]. Erroneous authentication may refer to a variety of errors, including errors in authentication processes, anonymous access to services, weak authentication on remote access to connected processes, etc. [9]. This also applies to attack surfaces such as Wi-Fi access points that are shipped with a default SSID and password.

3) NETWORK LAYER
The network layer consists of the firewalls, modems, routers, remote access points and the underlying protocols used by field devices to communicate data (ZigBee, 6LoWPAN, etc.).  This layer is susceptible to unavailability, man-in-the-middle and spoofing attacks [7], [23], [60].
Typical wireless sensors use the S-MAC, LMAC or B-MAC protocol and have little to no protection against jamming. Encrypting the packets may help increase the security level, although traffic patterns that a jammer can take advantage of may still be revealed even when the packets are encrypted [50].
Field devices in O&G ICS may utilize network protocols with no authentication or security at any level. Most OT network protocols lack embedded security mechanisms, and many O&G infrastructures do not implement extra security measures to mitigate this issue. Many field devices still communicate over the MODBUS protocol, even though MODBUS has no authentication at any level and lacks a secure channel [51]. Similarly, the FINS protocol for PLC does not use any encryption in data exchanges [52]. On top of this, modern ICS utilize IoT smart sensors. IoT-enabled field devices allow misconfigurations, and many of these devices do not support any network layer security, leaving them completely exposed to network attacks [53].
Network design weaknesses are another vulnerability commonly found in O&G ICSs. A "flat LAN", i.e. the lack of network partitioning and/or a DMZ, allows attackers to reach field devices and makes control-related systems accessible [9]. Partitioning networks prevents the spread of malicious programs and contains attacks [7], [18].
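Because MODBUS carries no authentication and a flat LAN lets any host reach a PLC, a defender's practical control is to restrict which hosts may write and to watch for writes from anywhere else. The following is an added example, not code from the survey or from any vendor: it parses constructed Modbus/TCP frames and flags write function codes from hosts outside an assumed engineering allowlist, as a passive monitor on the OT segment might.

```python
"""Passive detection of unauthenticated Modbus/TCP writes (added example).

Modbus/TCP has no authentication at any level: any host that can reach a
PLC or RTU on TCP/502 may issue a write. On a flat network this includes
hosts that have no business talking to field devices. This constructed
example parses Modbus/TCP frames (MBAP header + PDU) and flags write
function codes that do not originate from an allowlisted engineering host.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Modbus public function codes that change controller state.
WRITE_FUNCTION_CODES = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}

# Constructed allowlist (assumption): only the engineering workstation may write.
ENGINEERING_ALLOWLIST = {"10.10.1.5"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    start_address: int   # first coil/register address, -1 if the PDU is too short
    data: bytes          # remainder of the PDU after the address field


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP ADU: 7-byte MBAP header followed by the PDU.

    MBAP = transaction id (2) | protocol id (2, always 0) | length (2) |
    unit id (1). The length field counts the unit id plus the PDU bytes.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol identifier {proto}")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field disagrees with frame size")
    function_code = frame[7]
    pdu = frame[8:]
    start = struct.unpack(">H", pdu[:2])[0] if len(pdu) >= 2 else -1
    return ModbusRequest(tid, unit, function_code, start, pdu[2:])


def inspect(src_ip: str, frame: bytes) -> Optional[str]:
    """Return an alert for a write from a non-allowlisted host, else None."""
    req = parse_modbus_tcp(frame)
    if req.function_code in WRITE_FUNCTION_CODES and src_ip not in ENGINEERING_ALLOWLIST:
        return (f"{WRITE_FUNCTION_CODES[req.function_code]} (fc=0x{req.function_code:02x}) "
                f"from {src_ip} to unit {req.unit_id} at address {req.start_address}")
    return None


def audit(traffic: List[Tuple[str, bytes]]) -> List[str]:
    """Run inspect() over (source ip, frame) pairs; malformed frames are reported too."""
    alerts = []
    for src_ip, frame in traffic:
        try:
            alert = inspect(src_ip, frame)
        except ValueError as exc:
            alert = f"malformed Modbus/TCP frame from {src_ip}: {exc}"
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample traffic (source address, raw Modbus/TCP frame).
SAMPLE_TRAFFIC = [
    # HMI reads 10 holding registers from unit 1: a read is never flagged.
    ("10.10.1.20", bytes.fromhex("00010000000601030000000a")),
    # Engineering workstation writes register 0x0010 = 100: allowlisted.
    ("10.10.1.5", bytes.fromhex("000200000006010600100064")),
    # Unknown host forces coil 7 ON: flagged.
    ("10.10.3.77", bytes.fromhex("00030000000601050007ff00")),
    # Same host writes two registers starting at 0x0010: flagged.
    ("10.10.3.77", bytes.fromhex("00040000000b0110001000020400010002")),
    # Truncated frame (header only): reported as malformed.
    ("10.10.3.77", bytes.fromhex("00050000000601")),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_TRAFFIC):
        print(line)
```

The check is detection only; because the protocol itself cannot refuse the write, the corresponding mitigation is the network partitioning described above, enforced at a firewall between the engineering and field segments.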

4) PROCESS LAYER
The process layer consists of the designed ICS business process model and operation logic. Every piece of software in an ICS has its own business process and application-specific logic, which can potentially be exploited in an infinite number of combinations. The dynamic behavior of the ICS processes must follow the dynamic characteristics of the designed ICS model [54].
This layer is susceptible to business logic and ICS-centric attacks [55], including attackers leveraging bad configuration or erroneous security processes in handling machinery. Attacks include situations where malicious users operate machinery within acceptable bounds but still manage to deviate production or processes from normal operation and cause economic losses or degrade performance [9], [56], [58].
Business logic validation testing verifies that the application does not allow the user to insert invalid data or cause (series of) software flows to reach unintended states of operation [8], [57]. Data injection at multiple attack surfaces may affect the dynamic behavior of closed-loop systems and make them enter unwanted states. Sometimes, attacks on ICS may well keep devices working within acceptable operational bounds but still cause extended economic impact over an extended time period [58].
ICS operation is also severely affected by the lack of security training in O&G ICS employees. OT engineers and IT security officers frequently do not communicate properly and each has limited knowledge on potential vulnerabilities outside her/his field of expertise.

5) IOT CROSS-LAYER VULNERABILITIES
The Industry 4.0 era, along with the digitization of O&G infrastructures through the use of IoT, may speed up processes but also paves the way to new security incidents. The use of such automation for monitoring and automatic decision support opens the way to critical vulnerabilities. The lack of specific security frameworks or relevant standards from regulatory bodies pushes manufacturers to adopt publicly available open source code for intra-device communication [124]. Contrasting priorities between availability (for field smart sensors and devices) and integrity and confidentiality (for ICT systems) [126], forcing smart sensors to work with legacy equipment, and the use of tactical rather than strategic approaches to security by operators [125], [127] all contribute to the multiplication of vulnerabilities in modern IoT-enabled O&G systems.
Contrary to other sectors, O&G IoT systems support real-time monitoring and control of operations across the entire value chain. As such, potential DoS or data integrity incidents will have exacerbated effects due to the interconnected nature of modern systems and incur the "biggest impact on the bottom line" [124], both for the O&G sector and for the entire infrastructure ecosystem due to its high dependency on O&G.
The most common vulnerabilities introduced by the use of IoT devices spread across all layers. The most important types of vulnerabilities involve:
• Sensor misconfigurations that may lead to smart meters working against each other in closed-loop systems,
• Denial of service due to malfunctions produced by the cooperation of smart devices with legacy equipment, and
• Vulnerabilities introduced at the software and network layers, mostly due to the use of insecure, open source code and implementations (e.g. lack of access control or encryption on IoT device links).

VI. ASSESSING THE IMPACT OF O&G CYBER ATTACKS
In an effort to assess all presented cyber-attacks on O&G ICS, we define a generic impact assessment method to supplement security incident classifications. Our method utilizes typical risk assessment concepts and notions, as defined in numerous standards and reports, e.g. ISO 27005:2005 [59] and NIST 800-53 [60]. According to these standards, risk metrics describe cybersecurity incidents and are modeled as factors of (i) threat, (ii) vulnerability, and (iii) impact. Threat metrics measure "the potential of events to harm assets such as information, processes and systems and therefore organizations" [59], while vulnerability metrics quantify the seriousness of flaws and weaknesses in a system. Impact measures the extent of the potential damage that will occur should a threat manifest during a security incident [59], [60].

A. ASSESSMENT GOALS AND RESTRICTIONS
In the presented analysis we are interested in the extent of the damage caused, rather than in the seriousness of the vulnerability that triggered a security event or the underlying threat that caused the attack in the first place. Threat actors and vulnerabilities vary greatly in significance even between similar O&G infrastructures. This has to do with strategic analysis, geopolitical issues, the type of implementation, or simply the timing of the event. To this end, and without access to the necessary information, we opt to assess only the impact of each presented attack.
Since we analyze and classify security incidents in the O&G sector that have already taken place, we are more interested in ranking the impact of these incidents along with their classification. This is also in line with numerous CI Directives and National plans, which call for detailed analysis of the consequences of adverse effects in CI before other studies [99]-[102].
We do not attempt to provide a full risk assessment of the recorded attacks. This requires extensive in-house information to develop a proper study, something that should be performed by the relevant regulatory bodies or infrastructure owners. Nowadays, all international bodies and organizations recognize economic, societal and environmental damages as parts of attacks on critical infrastructures [99]-[101]. The EU NIS Directive [99], as followed by the EU Cybersecurity Act [100] and the US Dept. of Homeland Security [101], clearly support the use of risk assessment for the characterization and analysis of potential threats and their impact on critical infrastructures. Current standards and best practices such as NIST's publications, ISO and EU directives like SEVESO-III [102] utilize impact scales to understand and model the impact of hazards and adverse effects on critical infrastructures. Such models and scales are implemented in a wide variety of tools for the analysis of risk and impact in operators of essential services and CI [62].
To describe the potential impact of the accumulated cybersecurity attacks, we opted for a semi-qualitative scale with 3 levels (low, medium, high), similar to those used in the above-mentioned literature [16], [61]. Semi-qualitative scales utilize both textual evaluation of scenarios (as used in qualitative risk assessment) and a numerical ranking scale (commonly used in quantitative assessments) [103].
Each level is described by four (4) dimensions that represent different types of impact: (i) Economic, (ii) Societal, (iii) Environmental, and (iv) Operational. The three values quantify these dimensions. Such scales are in accordance with the relevant specifications [59], [60] and are used by commonly accepted risk assessment tools for critical infrastructures, such as CRAMM [10], EAR/PILAR, or EBios [62]. As such, the presented impact levels are deliberately simple, so as to provide a point of reference for readers. Table 7 presents the qualitative scale along with all dimensions of impact, as they scale over the three-level impact scale. To justify the numbers used inside the scale, we opted to review multiple sources on critical infrastructure impact [10], [59], [60], [62] along with the relevant, above-mentioned standards and Directives from NIST and ISO and SEVESO-III [102]. This scale is used in the extended Table 10 to qualitatively rank each recorded incident (Table 10 in the Appendix presents the analysis of all recorded attacks).
Aligned with the international literature, we follow the common practice of taking into account the worst-case impact scenario for each potential outcome of such events, i.e., each documented attack receives an impact rank according to the worst consequence that occurred during the event.

C. CASCADING FAILURES BETWEEN INTERCONNECTED INFRASTRUCTURES
1) INFRASTRUCTURE DEPENDENCIES
Security incidents frequently have more than direct consequences. The interconnected nature of modern O&G infrastructures allows some failures to affect external systems and facilities and cause indirect adverse effects over the course of time; this is a common issue when trying to quantify the impact of security incidents. Such disruptions are based on infrastructure interdependencies and are usually classified as cascading, escalating, or common-cause [129]-[131].
Common-cause disruptions refer to incidents where two or more infrastructures are simultaneously but disjointly affected by the same event. Escalating disruptions refer to events where a failure in one facility ''exacerbates an independent disruption of another infrastructure'' [130], and cascading failures are defined as failures in one infrastructure (e.g. A) that eventually lead to partial or total unavailability of resources and services to a different infrastructure (e.g. B) that depends on A for providing its own services [129].
Cascading failures in particular are a common and unfortunately recurring issue in the O&G sector. The most common cascading failure in O&G involves the unavailability of a midstream infrastructure for transporting oil or gas (e.g. a pipeline), which, if it continues for a prolonged amount of time, eventually leads to a sectorial cut-off of resources in downstream (e.g. gas stations run short of fuel), which in turn may affect various other sectors (in our example, the entire transportation sector of an affected region).
Oil & Gas is widely considered one of the top critical infrastructures most relied upon by other infrastructures [133]. Consequently, O&G infrastructures may cause major cascading failures, especially in the transportation and housing sectors.
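The pipeline-to-gas-stations-to-transportation chain described above, together with the three disruption classes (common-cause, escalating, cascading), can be expressed as a small dependency-graph model. The following Python script is an added example, not code from the paper; the dependency graph, the per-edge tolerance hours, and the labelling rules are constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Dependency:
    """Directed dependency: `consumer` needs `provider` to deliver its service.
    `tolerance_h` is how many hours the consumer keeps operating without the
    provider (buffer stock, alternative supply); an assumed parameter."""
    provider: str
    consumer: str
    tolerance_h: float


# Constructed dependency graph for the pipeline example in the text
# (midstream pipeline -> downstream gas stations -> regional transport),
# extended with a refinery and residential heating. Tolerances are made up.
DEPS = [
    Dependency("pipeline", "gas_stations", 24),
    Dependency("pipeline", "refinery", 48),
    Dependency("pipeline", "residential_heating", 6),
    Dependency("refinery", "gas_stations", 36),
    Dependency("gas_stations", "regional_transport", 12),
]


def propagate_outage(deps, origin, outage_h):
    """Breadth-first propagation of an outage of `origin` lasting `outage_h`.

    Returns {infrastructure: hours of disruption}. A consumer is disrupted for
    the provider's disruption minus its tolerance; the longest path wins when
    several providers fail. Entries are updated only on strictly longer
    disruptions, so the search terminates even on cyclic graphs."""
    by_provider = {}
    for d in deps:
        by_provider.setdefault(d.provider, []).append(d)
    disrupted = {origin: outage_h}
    queue = deque([origin])
    while queue:
        node = queue.popleft()
        for d in by_provider.get(node, []):
            hours = disrupted[node] - d.tolerance_h
            if hours > disrupted.get(d.consumer, 0):
                disrupted[d.consumer] = hours
                queue.append(d.consumer)
    return disrupted


def classify_disruptions(deps, event_hits, independent_outages=None):
    """Label every disrupted infrastructure with the taxonomy used above.

    event_hits:          {infra: hours} disrupted directly by one event
    independent_outages: {infra: hours} already disrupted for unrelated reasons
    Returns ({infra: label}, {infra: hours})."""
    independent_outages = independent_outages or {}
    total = {}
    for origin, hours in event_hits.items():
        for infra, h in propagate_outage(deps, origin, hours).items():
            total[infra] = max(total.get(infra, 0), h)
    labels = {}
    for infra in total:
        if infra in event_hits:
            # two or more infrastructures hit disjointly by the same event
            labels[infra] = "common-cause" if len(event_hits) > 1 else "direct"
        elif infra in independent_outages:
            # a dependency failure exacerbating an independent disruption
            labels[infra] = "escalating"
        else:
            labels[infra] = "cascading"
    return labels, total


if __name__ == "__main__":
    # a 72-hour pipeline outage while the refinery is already down independently
    labels, hours = classify_disruptions(
        DEPS, {"pipeline": 72}, independent_outages={"refinery": 5})
    for infra in sorted(hours, key=hours.get, reverse=True):
        print(f"{infra:22s} {labels[infra]:13s} {hours[infra]:5.0f} h")
```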

2) COMPONENT DEPENDENCIES
Cascading failures also occur between components inside the same infrastructure. For example, IoT and interconnected devices within the same system may allow threats like malware to cause malfunctions in equipment, which in turn may affect other components due to erroneous data reports, unavailability of service or injection of malicious code [5].
For internal analysis of interconnected components, proper risk assessment methodologies must take into account conditional probabilities of threat manifestation and calculate such attack paths using overall metrics.
This is an open issue in research, with many publications proposing various solutions, such as mathematical series over graph-based models of infrastructures [25], system dynamics that use top-down methods to analyze complex adaptive interdependencies (e.g. CIP/DSS [132]) and various other approaches.
Such complex methods require access to information that is not publicly available. Therefore, in this survey's Table 8 of recorded attacks, we do not provide quantitative estimations of the severity of each recorded cascading failure, but instead opt to only catalogue security incidents that involved cascading failures to other systems.
Most documented vulnerabilities used in such events involve unpatched systems, legacy equipment, and vulnerabilities in underlying networks. Still, the integration of smart sensors, remote monitoring and control in closed loop systems over thousands of miles introduced novel attack vectors and vulnerabilities previously unknown to the O&G sector.
During the early 2000s, we witnessed attacks on infrastructures that caused limited damage, since back then systems still remained under manual control and were not connected to wide networks [94].
O&G upstream infrastructures support exploration and drilling operations, midstream is responsible for the transportation of oil and gas and for providing a link between upstream production and downstream dissemination, while downstream focuses on distributing assets to consumers, mainly crude oil and raw/condensed natural gas.
All infrastructures are mainly controlled using SCADA systems over actuators and relays. SCADA systems are widely known to focus on increased availability and to have limited or no security measures in place [20], [52]. ICS are used to monitor the state of machinery, implement automatic control of processes and provide real-time monitoring of process states. This functionality gave rise to information theft attacks with financial motives [109], [110].
In this survey, we document and classify attacks on all types of O&G infrastructures according to their domain type (upstream, midstream, downstream). We also document their initial access technique and the type of impact they had on the infrastructure using MITRE's ATT&CK framework. Finally, we examine the range of impact of each attack using the semi-qualitative impact assessment scale (Section III.B) based on international standards. Attacks can target all types of O&G infrastructures. Still, significant differences appear when examining prior security incidents, mainly in the type of impact of each event. Table 8 provides a broad overview of statistics from recorded and analyzed real-world cyberattacks for all types of O&G infrastructures, using the taxonomies and frameworks presented above (the full Table 10 in the Appendix gives the extended classification of all recorded incidents).

A. ATTACKS ON UPSTREAM SYSTEMS
Upstream infrastructures are often erroneously considered to be less targeted than downstream ones, in terms of cybersecurity. This was true in the past, due to the remote and disconnected nature of most upstream infrastructures. Also, the attack surfaces able to allow unintended access to upstream infrastructures only include telecommunications, either satellite or cellular [66], which at first seems to be an inhibiting factor for attacks on upstream. Still, modern infrastructures are for the most part digitized and interconnected, with companies deploying ICT and OT systems that are frequently used in diverse sectors simultaneously. As depicted by our analysis of recorded attacks, more often than not, attacks infiltrate through specific systems but eventually affect multiple, sometimes all, O&G sectors.
Analysis of recorded attacks shows that modern upstream operations are not safe against cyberattacks. A number of cases have been reported where upstream systems were directly or indirectly compromised by malicious insiders or malware, causing a number of adverse effects on operations and machinery [15], [94]. Even though no known hacking groups specifically target upstream infrastructures and their exploration and drilling operations [66], we nevertheless documented 24 major cybersecurity attacks and events on upstream systems, especially during the first decade (2000-10).
One of the first documented cybersecurity attacks on upstream infrastructures was a malware attack that hit the Gazprom company in 1999 [94]. Records state that an insider executed a malware file on purpose. The attack's consequences included having the entire gas flow control system of the Russian gas supplier under direct control of the attackers for a number of hours. The attack was presumably performed with malware brought inside the ICS using the insider's own granted access rights.
Three years later, in 2002, the Venezuelan oil company PDVSA reported having several of their computers hacked, which reduced their oil production by 87.6% per day [114]. The assumed attackers were employees participating in a strike at that time.
In 2009, a disgruntled tech employee purposely impaired an industrial system for monitoring pipeline leaks at 3 oil derricks near Southern California [15], [94]. The leak-detection system was ''rendered inoperable for a period of time'', exposing the entire California area to environmental disasters [94].
In 2010, a rig en route from South Korea to Brazil was infected with computer malware [94], [95]. The infection reached such an extent that it took IT staff 19 days to resume operations.
In December 2012, a hacking attack shut down an oil rig off the coast of Africa by tilting it 17 degrees [94], [95]. The attack was attributed to manipulation of the ballast control that led to equipment failure [96], probably through PLC-actuator command-and-control. The attack caused injuries to 89 workers involved in building the rig. This is the only documented cyberattack which directly resulted in the physical injury of multiple employees.
During the Gaza Cybergang attacks on the O&G industry in 2017, adversaries were discovered inside an O&G organization in the MENA region. Attackers extracted data continuously for more than one year using the CVE-2017-0199 vulnerability [88].
In 2016, attackers extracted data continuously for more than a year using the CVE-2017-0199 vulnerability. Dubbed the OilRig malware attacks, they targeted O&G institutions in Saudi Arabia [17]. The similar scripted malware TwoFace Webshell was also used to break into and infect systems of the Ministry of Oil of a Middle Eastern country [85]. The attacks used credential dumping tools, such as Mimikatz, and stole account credentials. TwoFace was used to access the victim's network and establish presence for lateral movement.
In 2019, the LYCEUM hacking group was known to mainly target Middle East oil and gas facilities [14]. Its attacks relied on password spraying and spear phishing. Its remote access Trojan used DNS- and HTTP-based communication to provide remote access capability for executing arbitrary commands and additional modules and uploading files [14]. The attack compromised email accounts of employees and stole information and credentials.

B. ATTACKS ON MIDSTREAM INFRASTRUCTURE
Midstream ICS processes connect the upstream production with downstream facilities and refining. Midstream facilities mostly include pipelines and storage, along with maritime and rail transportation. Since rail and maritime transportation are parts of different critical infrastructure sectors (namely, the Maritime and Transportation sectors), in this article we will only present attacks on pipelines and intermediary facilities on land.
Among O&G infrastructures, midstream demonstrates the smallest number of documented security events, with only the XENOTIME hacking group documented as a threat to midstream [66]. The most probable target in midstream infrastructures is the pipeline network and its AGI installations used to manage and control operation flow and transport. The APT33 hacking group is also known to have targeted, amongst others, the oil supply chain of companies in Europe and Asia. Spear phishing campaigns specifically targeted oil tanker companies, IT firms specialized in the oil industry, an online magazine for news on oil, and several manufacturers of O&G equipment. The attacks targeted the supply chain of facilities [77].
Only seven (7) documented ICS security events exist against midstream pipeline networks. Even though the first cyber-attack took place back in 1982, when malware allegedly planted by the CIA caused a pipeline explosion at the Siberian Oil Pipeline, the first documented event using actual networks to attack midstream infrastructures was in 1999, when an unintended series of database queries caused an availability attack on systems and services. This, together with a misconfigured PRV that failed to open, resulted in the rupture and explosion of the Olympic Pipeline Company's gasoline pipeline in Washington, USA. 3 people died and 8 were injured. Property damage was estimated at $58.5 million and the legal settlement was $112 million [94].
In 2008, the Japan Oil, Gas and Metals Corporation (JOGMEC) server was compromised by SQL injection [48]. Computers that accessed the falsified website were redirected to a server set up by the attackers for information theft. Again in 2008, a state-sponsored cyber actor successfully compromised servers of the Baku-Tbilisi-Ceyhan pipeline. The attack exploited Internet connections or wireless networks for access to the camera network. The attack caused temporary disruption in pipeline transfers using overpressurization [13], [80].
In another attack in 2013, malformed commands were injected into the network of a gas network operator in southern Germany and also reached the Austrian energy network. The effect was probably unintended, as unspecified processing of the commands by O&G components triggered an endless loop that disrupted controls in all flow operators [82].

C. DOWNSTREAM AND CROSS-SECTOR ATTACKS
Downstream infrastructures are presumed to be the most common target of cyberattacks, especially refining operations, storage and dissemination facilities. Reports state that this is mostly due to the centralization of systems and operations, along with the technical complexity of multiple machinery and a higher value for attackers [66].
Many documented attacks that affected downstream operations, administration and/or business processes are also indirectly or directly connected with midstream and upstream systems, as in the case of Chevron back in 1992, when a malicious former employee hacked the warning controls of the management systems and reconfigured them to crash, eventually leading to environmental pollution around the area of Richmond, California.
The first documented attack with effects purely on downstream operations was back in 2001, when a US-company-owned gas plant suffered an attack from one of its suppliers. The supplier hacked three of the company's computers and caused a gas provision outage to homes and businesses in a European country, in order to create a distraction and cover up an error they had caused [114].
In 2011, several vulnerabilities in Microsoft Windows resulted in the Night Dragon attack on downstream infrastructures of oil, energy and petrochemical companies around the globe, including Exxon Mobil Corp and BP Plc [113]. The attack exploited vulnerabilities in Windows proxy settings to steal data from operational O&G field production systems [72], [94]. In one of the worst attacks on upstream infrastructures, attackers exfiltrated files of interest for years, including operational O&G field production systems (including ICS) and financial documents related to field exploration and bidding data on O&G assets of many O&G companies (incl. supermajors).
The TRITON/TRISIS malware, attributed to the Xenotime hacking group, attacked the Saudi oil company Petro Rabigh in 2017. It modified the behavior of the Triconex Safety Instrumented System (SIS) from Schneider Electric [83], [84]. SIS are used in 18,000 different plants around the world [86]. Triton ''was designed to sabotage operations and trigger an explosion'' and to force controllers to enter fail-safe mode, which automatically shuts down processes.
The same attack that affected German midstream infrastructures in 2013 cascaded to downstream operations through the Austrian network [82].
In April 2012, the Flame malware affected Iran's oil industry [72], [91]. Flame spread itself either via USB or through Windows Update, exploiting weaknesses in Microsoft's security techniques for updates. Officials stated the impact was low because oil services and exports relied on primarily mechanical systems not connected to a LAN or the Internet [91].
Another attack happened during 2018 at the Energy Services Group (ESG). ESG handled customers' transactions for natural gas pipelines owned by several energy firms [61]. During the ESG attack, customers did not have access to transactions for a substantial amount of time. Collateral damage from the unavailability of ESG systems probably led to gas outages, since at least five major energy companies had to disable operating processes [89].
HEXANE attacks (2018) targeted O&G telecommunications in Africa, the Middle East, and Southwest Asia [66]. The attack used malicious documents to drop malware and performed information gathering against ICS entities [66].
In 2012, one of the most famous attacks took place. Dubbed ''Shamoon'' and attributed to the CHRYSENE hacking group, the attack targeted national oil companies including Saudi Arabia's Saudi Aramco and Qatar's RasGas. Attackers sent a spear phishing email with a Microsoft Office document attached containing malicious PowerShell code [90]. The attack affected 35,000 Saudi Aramco workstations, causing the company to spend more than a week restoring its services [77]. It also left computers inoperable. It aimed to disrupt oil and gas production in Saudi Arabia and prevent resource flow to international markets. The attack did not spread to industrial network areas.
During the same period, the Stuxnet worm, although intended to target centrifuges at nuclear facilities in Iran, also seriously affected oil refineries, gas provision systems and power plants and has therefore been included in this list. Stuxnet exploited Microsoft Windows to seek out Siemens Step7 software and cause fast-spinning centrifuges at Iranian nuclear enrichment facilities to over-speed, tearing themselves apart.
Numerous other simulated attacks on low-cost Wireless Sensor Networks (WSN) used in modern oil and gas infrastructures were demonstrated in controlled environments [92]. Researchers investigated WSN security issues in all layers (from the hardware to the application layer), showing potential issues in such wireless smart sensors [92]. Effects vary according to attack vector and vulnerability, but include exposing sensitive information and data, injecting false information to affect actuator state, causing DoS in processes and systems, and even causing network devices to crash, shut down, restart, or require reprogramming.
The DYMALLOY hacking group has continuously targeted various O&G infrastructures in Turkey, Europe, and North America [66]. Most attacks were spear phishing attacks and malware attacks on connected systems. Associated groups are reported to be Dragonfly 2.0 and Berserk Bear [66]. Attacks resulted mostly in information theft of ICS operations, credentials and process details.
In 2017, an employee used a USB drive to download and view a movie on a critical infrastructure computer in the Middle East. The user did not realize that this action released a malware later dubbed as Copperfield by Nyotron, the company responsible for detecting it. Copperfield resulted in data leakage, network scanning and remote control of an ICS workstation [65].
In August 2017, Xenotime caused a disruption at an O&G facility in Saudi Arabia using the TRISIS framework. This malware had a specific target, the Triconex safety controllers [66]. It used backdoor code and caused the industrial systems of the facility to shut down.
Last but not least, a cross-sector spear-phishing attack targeted all O&G sectors by impersonating an Egyptian contractor with experience in relevant projects in oil and gas or a shipment company. Based on Bitdefender [87], attackers abused the contractor's and company's reputation to target facilities in Malaysia, the United States, Iran, South Africa, Oman and Turkey, among others. The attack aimed at dropping the Agent Tesla spyware Trojan.

D. RESEARCH AND TESTBED ATTACKS
Although to date no recorded cyberattacks exist that affected the O&G sector through hardware trojans, researchers have proven that hardware trojans in integrated circuits of systems commonly used in O&G can undermine security, allow remote access or simply disrupt operations when triggered [8], [39], [40].
The use of selective laser melting, commonly known as 3D printing, which is a type of additive manufacturing, is increasing in the O&G industry [67]. Some organizations within the industry have incorporated metal 3D printing in their business processes as a cost-efficient way to build machinery parts [68]. The report ''3D Printing in O&G'' by Thematic Research estimates that the 3D printing market will be worth $32bn by 2025 and over $60bn by 2030. Related publications state that 3D printing procedures might be vulnerable to cybersecurity attacks and introduce novel attack surfaces, even though currently no attacks have hit 3D printing operations. Still, judging from other sectors and considering the fact that 3D printing is being used in O&G, adversaries may be able to alter blueprint code [69], leading to faulty manufactured parts that may trigger serious failures [67], [69].
Injection attacks refer to a broad class of attack vectors that an attacker uses in order to supply untrusted input to a program. One of the types is fault injection. Hardware-implemented fault injection uses additional hardware to introduce faults into the target system's hardware. Disruptive signals, such as clock glitches or electromagnetic pulses, are some of the techniques an adversary can use against systems reported to be in use in O&G infrastructures [70].
According to sources [12], [97], in 2018 and 2019 researchers continuously detected a total of more than 50 vulnerabilities in the Siemens SPPA-T3000 distributed control system, a system also used in O&G infrastructures. As reports state, most vulnerabilities could be exploited for DDoS attacks. From 2018 until March 10, 2020, US-CERT has been issuing updates on a technical alert [97] composed by the Dept. of Homeland Security and the Federal Bureau of Investigation that highlighted the above-mentioned issue.
Several publications, both from the research community [4], [5], [8], [12], [38], [39], [50], [56], [57] and from the industry [112], continuously demonstrate potential adverse effects of attacking commonly used networks and systems, such as PLCs, RTUs and SCADA protocols like MODBUS. Such vulnerable systems and network connections are the most effective attack vector to compromise the O&G sector [11], [16], [61]. Recent publications highlight many security concerns and challenges related to hardware, the supply chain, and the way operations are monitored. In [39] and [40], the authors demonstrate ways to expose the vulnerability of untrusted computing platforms and to avoid detection of hardware trojans; these attacks are also applicable to O&G equipment. In [58] the authors present attacks able to cause severe financial damage by affecting the performance of plants while remaining within operational bounds. Although the attack was presented on a desalination plant, its ICS architecture is applicable to O&G facilities.

VIII. MITIGATING CYBER ATTACKS IN O&G INFRASTRUCTURES
Following up on the classification of impact, type of attack, and potential vulnerabilities in O&G ICS, in this section we examine potential security controls able to mitigate the risk in the most common patterns detected in the above scenarios. However, this is not a full risk management plan, since we only focus on basic gaps commonly detected in real-world cyberattacks. The security controls presented here often mitigate more than one threat or reduce the vulnerability of multiple systems, but at the same time cannot be seen as a full list of the security controls necessary for system administrators. For optimal results, security officers are advised to conduct a full risk assessment based on international standards [59], [60] and develop a security plan tailored to the needs of each CI.
An analysis of the presented attacks shows that, even though impact varies depending on the systems affected, attack surfaces, infiltration techniques, and types of vulnerabilities exploited follow patterns common to all ICS and relevant IT environments. The number of interconnected devices that are Internet accessible increases the attack surface, while the lack of basic security controls in most cases exposes systems to a wide range of potential attack paths. Table 9 depicts all controls presented in this subsection, along with their categorization per type. Security control categorization follows a common pattern, grouping controls into two categories: (a) technical or administrative, and (b) preventive, detective or deterrent. We also introduce a prioritization factor (low, medium, high) for each control. The prioritization factor is calculated based on the number of recorded incidents in Table 8. The number next to each priority level is the number of recorded incidents in which the attacked infrastructure would have benefited in the real world, had this control been in place and working as intended during the incident (see Table 9, PRIORITY column).
By analysing Table 9, we see that numerous attacks were performed by insiders (disgruntled employees, human error etc.) or third parties (contractors, service providers) with partial access to systems. This calls for extended segregation of duties and minimum privilege measures for all employees. Also, strong authentication and access control procedures will help minimize the damage from such threats.
Spear phishing attacks were also one of the top techniques used by attackers in O&G incidents. Spear phishing attacks are difficult to mitigate, with employee training and awareness along with strong security procedures and internal audits being the only viable solutions.
The use of legacy equipment and the lack of proper patching procedures is one of the top cybersecurity issues in O&G infrastructures. This issue is recorded in numerous relevant reports [7], [18], [124]-[126] and also emerged during our own analysis of recorded incidents.
O&G infrastructures that aim to digitize their processes need to invest in and update old equipment with modern devices that support extended security measures. Also, critical security patches must be installed the moment they are released by official vendors.
Obviously, the listed security measures are not exhaustive but rather focus on the most important and/or most frequently missing security controls, as extracted from the attack vectors used in all documented events and attacks.

A. VULNERABILITY MITIGATION
In this section, we present the most common practices and controls missing from O&G ICS and that are directly related to the most common vulnerabilities, as identified in Section IV.C. The following measures are usually implemented by system operators and asset owners.
• Tamper resistance controls on field devices: Field devices must implement hardware security controls to prevent physical tampering.
• Trusted procurement procedures: COTS components (not custom-made) must follow strict procurement procedures that only allow installing certified devices that follow strict security standards.
• Patching and updating: Support staff must install critical updates as soon as they are available, both for operating systems and ICS software.
• Encryption: Devices must implement end-to-end encryption and include embedded security in their processes. In some cases, certificate pinning (SSL pinning) must be required to avoid spoofed devices. It includes protection from side channel attacks that can compromise encryption keys (e.g. electromagnetic side channel attacks).
• Authentication and access control procedures: Facilities should implement strict authentication and authorization procedures for their employees and for all software entities.
• Penetration testing and internal audit: All facilities must implement rigorous vulnerability assessment and penetration testing audits on a regular basis, to ensure continuous analysis of operational systems.
• Employee training and awareness: All employees working on critical systems must have proper training and/or certifications to support the elevated threat level of their position. Human error and phishing attacks can be most effectively avoided through proper employee awareness, rather than through technical means.

B. IMPACT MITIGATION
Since the impact of O&G cyberattacks often stems from the manipulation of physical machinery, which in turn results in real-world hazards, the following list of measures emphasizes the security controls able to increase the resilience of critical systems, mostly by disconnecting them from generic networks and services.
• Network segmentation: All facilities must deploy proper network segmentation, with a DMZ configured and network isolation to protect critical systems. Whenever possible, ICS must not share the same network with Internet-accessible devices.
• Use of different technologies: Implemented ICS should use devices and systems from different vendors in an effort to reduce the number of compromised assets per vulnerability. Although this measure introduces management complexity, still it is proven to be a vital control for increasing resilience of critical systems [120].
• Segregation of duties and minimum privileges: Staff must have discrete credentials and relevant privileges, according to their job description and needs. The least privileges principle must be implemented in all accounts used in CI.
• Catalogue and reduce system dependencies: Critical systems must identify and minimize dependencies on other systems and services (such as third-party processes).
• Minimize unified closed loops: Although closed loop systems facilitate monitoring and control, and it is true that manual control exacerbates workload, operators should consider minimizing the use of automatic controls over critical machinery, or at least implement heavy monitoring and break closed loop systems down into individual procedures.

IX. CONCLUSION
In our survey we presented a systematic cataloguing, analysis and classification of cybersecurity attacks and techniques in oil and gas infrastructures, for upstream, midstream and downstream systems. We analyzed relevant best practices, industry reports and publications and developed a taxonomy of vulnerabilities specifically for O&G CPS, which we tied directly to MITRE's attack framework. This allows readers to further extend the knowledge gained from the survey, by directly referring to MITRE to better describe post-compromise adversary behavior and potential solutions. Using this taxonomy and an impact assessment method that we developed using current standards, we presented an analysis and assessment of an extended catalog of cybersecurity incidents in O&G ICS. The analysis extracted attack patterns, techniques, and subliminal issues that may have gone unnoticed during the incidents, and connected them with historical consequences, thus creating a web of knowledge for O&G ICS operators. The analysis included both scientific and grey literature to highlight commonalities, trends and technical issues of current cybersecurity practices in systems implemented in O&G.
Results from this procedure highlighted a couple of issues that still remain to be solved, mainly an increasing number of dependencies and interconnections of O&G ICS with third-party services and operators. A decade ago, most security weaknesses stemmed from the lack of basic security controls, even in critical systems. Even though CPS in the O&G sector have come a long way and nowadays most infrastructures follow basic cybersecurity concepts, it is still evident that most security weaknesses stem from poor security designs, lack of systematic use of information security management systems, as well as critical dependencies of equipment to third-party components and services, mainly telecoms.

A. GAP ANALYSIS
By analyzing documented attacks using our vulnerability taxonomy, the presented impact assessment method and MITRE's ATT&CK techniques, we identified a number of research and implementation gaps that complement the mitigation measures presented in Section VIII. Current best practices and common defense strategies go a long way towards mitigating cybersecurity attacks. Still, analysis of attacks shows that existing strategies have issues when it comes to protecting facilities from insider threats and spear phishing attacks that exploit the human factor to cause adverse effects. Also, technical incoherencies coupled with Internet access to field devices inhibit proper protection by security measures such as firewalls, intrusion detection systems and minimum privilege access controls.
To this end, we identify and present gaps in today's cybersecurity implementations that can serve as a ''to-do'' list of defense strategies for oil and gas infrastructures, so as to be able to properly resist the cybersecurity attacks currently not fully mitigated.

1) VULNERABILITY ASSESSMENT
Most attack techniques used by threat actors against O&G CPS follow the statistics of regular ICT systems (see Table 8). They can be properly mitigated to a degree through the implementation of controls and standardized procedures documented in relevant best practices and standards. The fact that most infrastructures lack basic security procedures and controls affects the number of vulnerabilities present and the severity of potential attacks. This is supported by the fact that most worst-case scenario attacks that have happened involved critical systems and procedures that were insecurely interconnected to remote networks through telecom or third-party services.
O&G software vulnerabilities can often directly affect machinery. This is an important factor to consider during impact assessment. Spillovers, tilting rigs and pipeline unavailability are only a few of the documented examples of such vulnerabilities. Operators should specifically take into account software vulnerabilities in critical systems, including those that may be inherited through third-party components.
Also, proper network segregation and isolation of critical machinery and procedures seems to be a very effective way to reduce the number of vulnerabilities and attack paths for adversarial groups. Network monitoring seems ineffective due to the high number of false positives and the distributed nature of processes in the O&G infrastructure. Instead, monitoring third-party services and isolating critical equipment has saved operators time, as documented in Iran and the US.
Employee awareness is one of the top issues in ICS security and appears to be equally important for the O&G sector. Email phishing and information spoofing seem to be the most frequent attack techniques in this sector, followed closely by insider threats and disgruntled employees. Even though it is common knowledge that operators of such systems must have proper cybersecurity and safety training in place and always strictly follow segregation of duties, history shows that most O&G infrastructures either lack proper employee training that focuses on both OT and IT systems, or assign too many privileges to staff.
One of the most alarming issues in O&G systems is the extended and regular use of legacy equipment and software in CI. Although operators seem to be in a process of updating systems and services, many infrastructures still deploy old components that have either no support (end-of-life) or few patches issued relative to the vulnerabilities detected. Also, some of these components lack basic security measures, such as encryption or access control. This situation introduces numerous vulnerabilities that either cannot be fixed in time, or require complex work-arounds to enable secure use, which sometimes lead to erroneous implementations of controls. The most frequent example is the lack of encryption and segregation of connections in local SCADA systems that still use unencrypted MODBUS/TCP protocols to manipulate equipment.
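The MODBUS/TCP weakness described above is that the protocol carries no authentication: any host that can reach a controller can issue the same write requests an engineering workstation does. The following added example (written for this survey discussion, not code from the paper or any vendor) shows the compensating control that the text recommends when the protocol itself cannot be fixed: parsing the MBAP header and function code of captured frames, and flagging write function codes that originate from hosts outside an allowlist of authorized writers. The frames, addresses and allowlist are constructed sample data.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Standard Modbus function codes. Writes change process state; reads do not.
WRITE_FUNCTIONS: Dict[int, str] = {
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
READ_FUNCTIONS: Dict[int, str] = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    address: int      # starting coil/register address (all codes above carry one)
    payload: bytes    # PDU bytes after the function code


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    # MBAP length counts unit id + PDU, i.e. everything after the first 6 bytes.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    function_code = frame[7]
    address = struct.unpack(">H", frame[8:10])[0] if len(frame) >= 10 else 0
    return ModbusRequest(tid, unit, function_code, address, frame[8:])


def audit_modbus_traffic(packets: List[Tuple[str, bytes]],
                         allowed_writers: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (source, alert_type, detail) for malformed frames and writes
    from hosts that are not on the allowlist (the protocol itself cannot tell)."""
    alerts = []
    for src_ip, frame in packets:
        try:
            req = parse_modbus_tcp(frame)
        except ValueError as exc:
            alerts.append((src_ip, "malformed", str(exc)))
            continue
        if req.function_code in WRITE_FUNCTIONS and src_ip not in allowed_writers:
            alerts.append((src_ip, "unauthorised-write",
                           f"{WRITE_FUNCTIONS[req.function_code]} to unit "
                           f"{req.unit_id} address {req.address:#06x}"))
    return alerts


# Constructed sample capture: (source IP, raw Modbus/TCP request).
SAMPLE_PACKETS: List[Tuple[str, bytes]] = [
    # HMI polling 10 holding registers from address 0 (read, always fine).
    ("10.0.0.10", b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),
    # Engineering workstation writing register 0x0010 (authorised writer).
    ("10.0.0.20", b"\x00\x02\x00\x00\x00\x06\x01\x06\x00\x10\x12\x34"),
    # Unknown host writing the same register (nothing in Modbus stops it).
    ("10.0.0.99", b"\x00\x03\x00\x00\x00\x06\x01\x06\x00\x10\xff\xff"),
    # Unknown host writing two registers starting at 0x0020.
    ("10.0.0.99", b"\x00\x04\x00\x00\x00\x0b\x01\x10\x00\x20\x00\x02\x04\x00\x01\x00\x02"),
]
ALLOWED_WRITERS: Set[str] = {"10.0.0.20"}   # constructed allowlist


def run_example() -> List[Tuple[str, str, str]]:
    return audit_modbus_traffic(SAMPLE_PACKETS, ALLOWED_WRITERS)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Because the check keys on source address rather than on any protocol field, it only holds if the SCADA segment is segregated so that addresses cannot be spoofed from outside it, which is exactly why the text pairs monitoring with isolation of critical equipment.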

2) IMPACT ASSESSMENT AND RESILIENCE
Assessing the potential impact from vulnerability exploitation in each instance is based on evidence gathered by the documented attacks on O&G systems and infrastructures. A basic remark here is that impact (and risk) assessment procedures in O&G infrastructures should take into account subliminal and indirect dependencies of their systems on external third-party operators, services, and equipment. History has shown that most attacks were expected in terms of techniques, but operators greatly underestimated the potential impact of the lack of resilience in their systems.
Current impact assessment methods do not adequately represent the evolution of consequences over time, nor do they properly depict estimations of cost during system unavailability. This, coupled with the fact that most resilience analysis in the O&G sector does not take into consideration inherent dependency loops (i.e. situations where unavailability of a service leads to the exacerbation of consequences in another department inside the infrastructure, which in turn does not allow for the first service unavailability to be fixed), further provides an erroneous sense of safety since major consequences are left unnoticed. An example was the cyber-attack on the refinery that led to loss of access and loss of control on remote components, which in turn did not allow operators to stop the malware from using equipment due to the remote nature of the ICS.
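The dependency loop described above can be made visible with a small dependency model. The following added example (not from the paper) encodes services as a directed graph in which an edge means "needs available to operate and to be restored", propagates an outage that starts at an external third-party link, and then tries to build a restoration order. Services that can never become ready are in a dependency loop; services that wait behind the loop are blocked by it. The service names and dependencies are a constructed scenario loosely modelled on the refinery case in the text, not the real incident's architecture.

```python
from collections import defaultdict, deque
from typing import Dict, List, Set, Tuple

Deps = Dict[str, Set[str]]   # service -> services it needs


def propagate_outage(deps: Deps, initially_down: Set[str]) -> Set[str]:
    """Cascade an outage: anything that needs a down service goes down too."""
    dependents = defaultdict(set)
    for service, needs in deps.items():
        for need in needs:
            dependents[need].add(service)
    down, queue = set(initially_down), deque(initially_down)
    while queue:
        current = queue.popleft()
        for dep in dependents[current]:
            if dep not in down:
                down.add(dep)
                queue.append(dep)
    return down


def restoration_plan(deps: Deps, down: Set[str]) -> Tuple[List[str], Set[str]]:
    """Kahn-style ordering over the down services only.
    Returns (restorable in order, services that can never become ready)."""
    remaining, order = set(down), []
    while remaining:
        ready = sorted(s for s in remaining if not (deps.get(s, set()) & remaining))
        if not ready:
            break                      # everything left waits on something else down
        order.extend(ready)
        remaining -= set(ready)
    return order, remaining


def dependency_loops(deps: Deps, nodes: Set[str]) -> Set[str]:
    """Services that can reach themselves through other services in `nodes`."""
    loops = set()
    for start in nodes:
        stack, seen = list(deps.get(start, set()) & nodes), set()
        while stack:
            node = stack.pop()
            if node == start:
                loops.add(start)
                break
            if node in seen:
                continue
            seen.add(node)
            stack.extend(deps.get(node, set()) & nodes)
    return loops


def assess(deps: Deps, initially_down: Set[str]) -> Dict[str, object]:
    down = propagate_outage(deps, initially_down)
    order, stuck = restoration_plan(deps, down)
    loops = dependency_loops(deps, stuck)
    return {
        "down": down,
        "restore_first": order,
        "dependency_loop": loops,
        "blocked_by_loop": stuck - loops,
    }


# Constructed scenario: remote control rides on a third-party telecom link,
# containment needs remote control, and restoring remote control needs
# containment to have succeeded first.
SCENARIO: Deps = {
    "telecom_link": set(),
    "remote_ics_control": {"telecom_link", "malware_containment"},
    "malware_containment": {"remote_ics_control"},
    "refinery_process": {"remote_ics_control"},
    "product_shipping": {"refinery_process"},
}


def run_example() -> Dict[str, object]:
    # The outage starts at the external dependency, not inside the plant.
    return assess(SCENARIO, {"telecom_link"})


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {sorted(value) if isinstance(value, set) else value}")
```

The restoration step shows why a dependency-only view gives the false sense of safety the text warns about: the telecom link itself is trivially restorable, yet four of five services stay down because two of them each wait on the other.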
Even though numerous publications exist that tackle cybersecurity issues for industrial systems, current literature seems fragmented and does not focus on the O&G sector, despite its importance.

B. CURRENT ATTACK TRENDS
By summarizing findings, there is a clear indication that current attacks on oil and gas systems follow attack trends similar to those for common ICT systems. Specifically, the most common attack vectors against O&G infrastructures include spear phishing through email, external attack (malware or injection) on exposed devices, and user execution of some sort, either intentional (malicious insiders) or erroneous (e.g. an employee opening an email, or wrong command execution). Most attacks involve information theft and/or industrial espionage (42% of recorded cases). A total of around 32% of current attacks aim to take control of OT infrastructures, while about 45.1% aim to cause some sort of Denial of Service or unavailability of systems. Both types of recorded cases almost always aim to incur economic losses to companies or regions. This indicates that O&G attackers do not aim to create direct profit, but rather seem to want to create issues for competitors and/or competing countries.

C. LIMITATIONS
Our survey follows a systematic approach to catalog incidents, extract knowledge and present its analysis, but, still, some limitations exist that may have prevented this article from reaching its full potential. For example, during the search process we opted to study articles written in English, French and German only. Other articles were not included.
Also, the search strings used to identify relevant work may be restrictive and not capture the entire present body of knowledge in the area. Some publication bias may also be present. Any article review process is prone to the reader's bias and, as such, may lead to erroneous inclusion and/or exclusion of relevant articles.
To cope with this, we opted to discuss multiple articles in group meetings so as to avoid one-sided views of content. This, coupled with our effort to only include articles from peer-reviewed publishing houses and companies, aims to reduce such issues to a minimum.

D. FUTURE DIRECTIONS
If we follow the trends of all recorded incidents, we can safely conclude that the ongoing digitization of O&G systems will further increase the likelihood of cyberattacks, although it seems that attacks nowadays have smaller environmental and societal impact than 10 years ago. This is intuitively true. The upcoming digitization and decentralization of O&G systems in Industry 4.0 increases the attack surface (i.e. increases the likelihood of threat manifestation), but on the other hand, companies and states are starting to issue strict rules, certifications and guidelines for cybersecurity. Up until the early 2000s, most certifications and technical guides aimed at protecting against safety hazards. This is the reason why major attacks that occurred in previous decades caused extensive damage, while very few aimed at information theft; a trend that seems to be reversing. Table 10 presents the detailed analysis of all recorded attacks on O&G sectors, together with a mapping of each attack to MITRE's ATT&CK techniques, types of impact and impact rankings along with potential cascading indicators.