Cybersecurity Year in Review: Maritime, Logistics, Oil & Gas, and Beyond

Posted By: Marco Ayala | Port Bureau News, Newest Edition

As we closed the chapter on 2024, the narrative of cybersecurity across critical industries was one of escalating threats, transformative lessons, and a glimpse into the evolving battlefront of the digital age. From maritime logistics and oil and gas to LNG facilities, refineries, TSA-regulated surface pipelines, and rail systems, the year spotlighted vulnerabilities that are not merely technical but deeply intertwined with economic stability, national security, and global interdependence.

Cyber adversaries, both state-sponsored and otherwise, have exploited weaknesses in both IT and operational technology (“OT”) systems, targeting everything from cranes in bustling ports to pipelines transporting energy across continents. The campaigns by advanced persistent threat (“APT”) groups like Volt Typhoon and Salt Typhoon exemplify this year's challenges, demonstrating a new level of sophistication that blurs the lines between espionage and sabotage. This review delves into critical incidents, emerging patterns, and actionable strategies to strengthen resilience against increasingly persistent and adaptive threats.

Maritime Logistics and Cybersecurity

Rising Threats to the Maritime Domain

The maritime sector remains the lifeblood of global commerce, with nearly 80% of world trade transported via sea routes. This indispensable role makes it a prime target for cyber adversaries. In 2024, the U.S. Coast Guard reported an unprecedented rise in cyber incidents targeting port operations, vessel navigation systems, and associated logistics networks. The convergence of IT and OT systems in maritime operations has created a perfect storm of vulnerabilities. State-sponsored actors, particularly Volt Typhoon, exploited maritime IT networks, gaining long-term access with their "living off the land" strategy, using legitimate tools already present in systems. These sophisticated methods have highlighted the inadequacy of traditional cybersecurity models, emphasizing the need for advanced detection techniques and rapid response capabilities.

Ports as Targets of Opportunity

Modern ports rely heavily on automated cranes, IoT devices, and advanced logistics software for efficiency. However, this digital transformation has exposed them to significant risks. ZPMC cranes, used in ports worldwide, became a focal point in 2024 due to their potential for remote exploitation. Reports of adversaries leveraging vulnerabilities in these cranes for espionage or operational disruption led to extensive mitigation efforts, including network segmentation, physical inspections, and enhanced monitoring. These incidents underline the necessity for a comprehensive cybersecurity strategy that secures both IT systems and OT environments, thereby protecting the critical role of maritime sectors in global trade.

Increased Regulatory Oversight

At the national level, there was a greater call for increased government oversight of critical infrastructure. From updates to the Transportation Security Administration (“TSA”) directive for pipelines to the Notice of Proposed Rule Making (“NPRM”) by the U.S. Coast Guard to officially bring cyber into the Code of Federal Regulations, the emphasis is on preventive measures to improve critical infrastructure resiliency.

We can look back at what has occurred and strategically prepare for what is about to come. The last two administrations made efforts to improve cybersecurity resiliency. Increased regulatory oversight in maritime and oil/gas industries' cybersecurity represents a significant shift in how these critical sectors approach digital security. While the new regulations pose compliance challenges and increase operational complexities, they also drive improvements in cybersecurity practices, fostering greater resilience against evolving cyberthreats.

With the release of the NPRM and a handful of Maritime Security Bulletins that address cybersecurity, combined with the Cybersecurity and Infrastructure Security Agency (“CISA”) publishing its own NPRM to meet the Cyber Incident Reporting for Critical Infrastructure Act (“CIRCIA”), more emphasis has been placed on collaboration with government organizations.

The success of these regulatory efforts will depend on continued collaboration between industry stakeholders and regulatory bodies, as well as the ability to adapt to the rapidly changing threat landscape. As cyber risks continue to evolve, it is likely that regulatory oversight will continue to intensify, requiring ongoing adaptation and investment from companies in these vital sectors.

Oil and Gas, and Specialty Gases: The Cybersecurity Frontline

Increasing Threats to Energy Infrastructure

Energy infrastructure remains a prime target for cyber adversaries, as evidenced by the persistent attacks on the oil and gas sector throughout 2024. From ransomware incidents to advanced infiltration attempts, the sector faced relentless challenges. Volt Typhoon’s campaigns revealed the evolving threat landscape, targeting pipeline control systems and refinery operations to gain footholds for potential sabotage. The interconnected nature of oil and gas networks, often dependent on aging infrastructure, continues to expose vulnerabilities. Coupled with the strategic importance of energy infrastructure, these weaknesses underscore the critical need for strong cybersecurity measures.

Refineries and product pipelines, including gas pipelines, are key targets for cyber sabotage due to their pivotal roles in energy supply chains, economic stability, and national security. These facilities represent essential components of global energy infrastructure, making them a high-value focus for adversaries intent on causing widespread disruption, leveraging geopolitical advantage, or profiting from ransomware and theft of intellectual property. The deep integration of OT with IT networks creates exploitable vulnerabilities, posing risks to production, safety, and the environment. Potential consequences include process safety incidents, loss of containment, shelter-in-place scenarios, and compromised emergency response capabilities.

LNG Facilities, Refinery Challenges, and Threats to Transportation Infrastructure

Although no confirmed ransomware attacks directly impacted refinery or LNG facility operations in 2024, the industry remains highly exposed. Past incidents and hypothetical scenarios highlight how a single breach can ripple through IT and OT environments, derailing operations, supply chains, and financial stability. The Transportation Security Administration has responded with strict cybersecurity directives that emphasize access controls, timely patching, and well-developed incident response plans. However, balancing operational uptime with the need for enhanced security measures remains a significant challenge in an industry where downtime carries high financial costs. Preparing for potential attack scenarios is essential for protecting these critical infrastructures.

The transportation sector, including surface pipelines and rail systems, also saw an increase in cyber threats in 2024. These infrastructures, critical for moving goods and energy, are increasingly targeted by adversaries aiming to disrupt operations and undermine national security. Volt Typhoon’s activities against pipelines and rail systems revealed an intentional effort to infiltrate critical infrastructure and exploit vulnerabilities during times of geopolitical tension. These threats highlight the importance of a coordinated cybersecurity strategy across the transportation sector.

The Role of TSA Security Directive SD-02E

Security Directive SD-02E, issued by the TSA, outlines cybersecurity measures for critical pipeline operators. It requires operators to conduct risk-based assessments, implement effective incident response plans, report cyber incidents promptly, and secure both OT and IT systems against emerging threats. SD-02E takes a performance-based approach, focusing on achieving outcomes rather than prescribing specific technologies or methods. This flexibility allows operators to adopt measures tailored to their unique environments while meeting the directive’s security objectives.

Halliburton Cybersecurity Impact in 2024

One of the most significant developments in 2024 was the cybersecurity impact experienced by Halliburton, a major oilfield services company. The company confirmed a cyberattack in August 2024 that led to unauthorized access to some of its systems, causing disruptions at its Houston campus and affecting global connectivity networks. To contain the breach, Halliburton took certain systems offline and engaged external cybersecurity experts to address the issue and mitigate further risks.

The attack resulted in data theft, with subsequent financial reports referencing costs related to the incident. While Halliburton has not disclosed specific details about the stolen data or the broader implications, these developments raised significant concerns about vulnerabilities in its supply chain. Reports indicated that some attacks reached their OEM systems deployed in asset owner-operator environments, underscoring the ripple effects of compromising OEM technologies and the risks posed to critical operational systems managed by their clients.

Halliburton, which has long prioritized security, faced a stark reminder that even mature, security-focused organizations are not immune to sophisticated cyberattacks. For many asset owner-operators relying on OEM-provided and site-hosted technologies, these breaches amplified concerns about the integrity and security of embedded systems critical to drilling, production, and maintenance operations.

The incident highlighted the urgency for OEMs to adopt secure-by-design and secure-by-default principles, enforce stringent vendor access controls, and bolster the security of software and firmware updates. It also underscored the need for improved incident response measures and proactive risk management across the supply chain.

In financial terms, the cyberattack led to an immediate drop in Halliburton's stock price, with a more pronounced impact seen in the week following the disclosure. The initial 6% decline in stock price directly after the attack equated to an estimated $1.69 billion drop in market capitalization, based on the stock’s price at that time, according to a Reuters report published on August 21, 2024. Over the longer term, Halliburton’s stock continued to face pressure, as market dynamics and investor confidence were influenced only initially by the fallout of the attack. Analyst reactions included adjustments to ratings and price targets, reflecting concerns about the company’s vulnerabilities and operational impact.

For asset owner-operators and financial stakeholders, this incident serves as a stark reminder of the importance of trust in third-party providers. Beyond the immediate operational and financial repercussions, the long-term restoration of trust among asset owners, operators, and investors hinges on Halliburton’s commitment to transparency, enhanced security measures, and sustained resilience in the face of evolving cyberthreats.

Despite the initial setbacks caused by the cyberattack, Halliburton has made strides in financial performance, delivered shareholder returns, and has seen its stock price stabilize and show signs of recovery. However, by December 2024, the stock price had not yet returned to its pre-attack levels.

The Role of Emerging Technologies

Emerging technologies are reshaping operations and cybersecurity by offering innovative solutions to enhance both across various sectors. AI-driven monitoring and predictive analytics stand out for their ability to detect anomalies in real time, helping mitigate threats proactively by analyzing patterns in network behavior and system operations. Drones are also becoming vital for physical security in large infrastructures like ports and refineries, spotting unauthorized access or monitoring for cyber-physical threats. While these advancements bring great promise, their adoption is hindered by challenges such as integration with legacy systems, budget constraints, data privacy concerns, and a shortage of skilled professionals.

Despite the potential, the path to widespread adoption remains complex. Integrating AI and predictive tools often requires significant upgrades to existing systems, which can be costly and challenging, especially for smaller organizations. Additionally, the need for large datasets to train AI systems raises privacy concerns, and there’s a skills gap that leaves these tools underutilized. Technologies like quantum computing, blockchain, and 5G offer both opportunities and risks, particularly as 5G expands attack surfaces and quantum computing challenges encryption methods. As these technologies evolve, the focus must be on overcoming these barriers to fully unlock their potential in strengthening cybersecurity.

The Role of Advanced Threat Actors

Volt Typhoon and Salt Typhoon: A New Era of Cyber Warfare

APT groups like Volt Typhoon and Salt Typhoon have reshaped the cybersecurity landscape, blending espionage with sabotage. Volt Typhoon targeted critical infrastructure across multiple sectors, revealing a strategic intent to disrupt entire supply chains. Salt Typhoon focused on telecommunications, exploiting legacy systems to intercept sensitive communications.

Lessons from Their Campaigns

These campaigns highlight several critical lessons for cybersecurity professionals:

  • Securing OT Environments: Often overlooked in traditional approaches, OT systems must be monitored and protected as rigorously as IT systems, with trained and competent staff.
  • Proactive Threat Detection: Leveraging AI and machine learning for real-time risk identification and mitigation is essential.
  • International Collaboration: Combating state-sponsored threats requires cooperation across borders to share intelligence and best practices.

The campaigns of 2024 highlight several critical lessons for cybersecurity professionals working to safeguard critical infrastructure. As cyber threats become more sophisticated, securing operational technology environments has become an imperative. Traditional security models, which often focus primarily on IT, must evolve to include OT systems, ensuring they are rigorously monitored and protected with trained, competent staff. The need for a defense-in-depth strategy is evident, with security layers designed to work together, detecting and mitigating risks in real time. This proactive approach, supported by AI and machine learning, allows organizations to identify potential threats before they escalate into full-scale attacks.

A key focus is the importance of securing all points of entry and communication within OT environments. The integration of continuous monitoring, network segmentation, and anomaly detection across both IT and OT systems is critical in preventing adversaries from exploiting vulnerabilities. The experience of 2024 also highlights the necessity of ensuring that both internal and external connections are properly secured, with robust authentication and access control mechanisms in place. In this context, cybersecurity initiatives must be holistic and strategic, considering the long-term security needs while addressing immediate risks.

Preparing for the Future

Building Resilience

The events of 2024 underscore the need for resilience across sectors. Key strategies include:

  • System Segmentation: Reducing the risk of lateral movement within networks.
  • Strengthened Access Controls: Limiting human error through advanced technologies and comprehensive training.
  • Regular Updates and Backups: Ensuring systems are patched and capable of swift recovery.
  • Continuous Education: Embedding cybersecurity awareness into organizational culture.
  • Incident Response and Intelligence Sharing: Establishing robust response plans and promoting cross-sector collaboration.

One essential strategy is furthering system segmentation: zones, conduits, and defense in depth help limit the potential for lateral movement within networks. By compartmentalizing systems and isolating critical assets, organizations can contain attacks and prevent them from spreading throughout the infrastructure. This approach, when combined with strong access controls, significantly reduces the risk of human error and minimizes the opportunity for unauthorized access. Advanced technologies and comprehensive training ensure that employees understand the importance of access security and are equipped to prevent and detect potential threats.
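The zones-and-conduits idea above can be turned into a concrete check. The following is an added example, not code from the article or from any of the organizations it names: it models a small, hypothetical zone layout (address ranges, conduit definitions, and the log format are all constructed for illustration), then evaluates observed flows against the policy so that any cross-zone traffic that does not travel through an approved conduit is flagged as potential lateral movement.

```python
"""Zone-and-conduit flow audit (illustrative example; zone layout is constructed).

A simplified IEC 62443-style model: every asset belongs to exactly one zone,
and a conduit is the only permitted path between two zones. Observed flows
(here, constructed sample records in a firewall/NetFlow-like "key=value" form)
are checked against the policy; cross-zone flows with no matching conduit are
reported as violations for the SOC to investigate.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical zones and address ranges (constructed for this example).
ZONES = {
    "enterprise_it":  ip_network("10.10.0.0/16"),
    "dmz":            ip_network("10.20.0.0/24"),
    "ot_supervisory": ip_network("192.168.10.0/24"),
    "ot_control":     ip_network("192.168.20.0/24"),
}

# Approved conduits: (source zone, destination zone, destination TCP port).
# Anything not listed here is denied by default.
CONDUITS = {
    ("enterprise_it", "dmz", 443),            # IT users reach the DMZ web tier
    ("dmz", "ot_supervisory", 1433),          # historian replication into supervisory zone
    ("ot_supervisory", "ot_control", 502),    # SCADA polling of controllers (Modbus/TCP)
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def zone_of(addr: str):
    """Return the zone name containing addr, or None if it is outside every zone."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def evaluate(flow: Flow):
    """Classify one flow as 'allow', 'violation' or 'unknown', with a reason."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return "unknown", f"address outside any defined zone: {flow.src}->{flow.dst}"
    if src_zone == dst_zone:
        return "allow", f"intra-zone traffic within {src_zone}"
    if (src_zone, dst_zone, flow.dport) in CONDUITS:
        return "allow", f"approved conduit {src_zone}->{dst_zone}:{flow.dport}"
    return "violation", f"cross-zone flow {src_zone}->{dst_zone}:{flow.dport} has no conduit"


def parse_flow_line(line: str) -> Flow:
    """Parse one constructed log record of the form 'src=.. dst=.. dport=.. proto=..'."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(fields["src"], fields["dst"], int(fields["dport"]), fields.get("proto", "tcp"))


# Constructed sample records; not real traffic.
SAMPLE_LOG = [
    "src=10.10.1.5 dst=10.20.0.7 dport=443 proto=tcp",        # allowed conduit
    "src=10.20.0.7 dst=192.168.10.5 dport=1433 proto=tcp",    # allowed conduit
    "src=192.168.10.5 dst=192.168.20.9 dport=502 proto=tcp",  # allowed conduit
    "src=10.10.1.5 dst=192.168.20.9 dport=3389 proto=tcp",    # IT host straight into control zone
    "src=192.168.20.9 dst=10.10.1.5 dport=445 proto=tcp",     # controller reaching back into IT
    "src=192.168.20.3 dst=192.168.20.9 dport=502 proto=tcp",  # intra-zone, allowed
    "src=172.16.0.1 dst=192.168.20.9 dport=502 proto=tcp",    # unmapped source address
]


def audit(lines):
    """Evaluate every record; returns a list of (flow, verdict, reason)."""
    return [(f, *evaluate(f)) for f in map(parse_flow_line, lines)]


def violations(lines):
    """Only the flows that cross zones outside an approved conduit."""
    return [(f, reason) for f, verdict, reason in audit(lines) if verdict == "violation"]


if __name__ == "__main__":
    for flow, verdict, reason in audit(SAMPLE_LOG):
        print(f"{verdict:9} {flow.src:>14} -> {flow.dst:<14}:{flow.dport:<5} {reason}")
```

Two of the constructed records are reported as violations: an IT workstation opening a remote-desktop port directly on a controller, and a controller opening a file-sharing port back into the IT zone. The "unknown" verdict is deliberate: an address that maps to no zone is itself a finding, because the asset inventory and the segmentation policy have drifted apart.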

Another fundamental aspect of resilience is ensuring systems remain up to date and capable of swift recovery. Regular vendor-approved and vetted updates are necessary to patch vulnerabilities, strengthen defenses, and maintain continuity in the event of an incident. This proactive measure ensures that critical systems are not only protected but can also be quickly restored if attacked. Backups, backups, backups: kept protected both online and offline, and quickly available for restoration. However, backups are only one piece of resilient data and systems recovery. The other part is testing the backups through disaster recovery or incident recovery drills. Verify that you can get back to an operational state when an incident or disaster occurs.

Equally important is fostering a culture of continuous education. Cybersecurity awareness must be deeply embedded within the organizational culture to effectively reduce risk. By regularly training employees on the latest threats and best practices, organizations empower their workforce to contribute actively to the security of the network.

The Role of Policy and Governance

The White House administration under Donald Trump is anticipated to elevate cybersecurity to a critical national security issue. This shift in policy could lead to a significant reduction in reliance on foreign technology, particularly following incidents like those involving ZPMC cranes and the Salt Typhoon campaign. By promoting domestic production and innovation, the administration might encourage "security by design" in tech development, reducing vulnerabilities from supply chains and foreign-made equipment. This approach would also likely see an enhancement in public-private partnerships, establishing or expanding collaborative frameworks for real-time threat intelligence and incident response, alongside offering incentives for companies to bolster their cybersecurity measures.

Additionally, there's an expectation of increased funding for cybersecurity initiatives, potentially leading to more robust budgetary support for research, development, and education in cybersecurity. This could mean the creation or strengthening of federal cybersecurity centers, with a focus on sector-specific strategies for critical infrastructure like oil and gas, maritime, and transportation. The administration might also prioritize policy innovation, introducing regulatory reforms to keep pace with technological advancements and advocating for international cybersecurity norms to combat state-sponsored cyber activities. The emphasis on education and workforce development would aim to address the cybersecurity skills gap through comprehensive strategies from K-12 to professional levels, promoting diversity to enrich the cybersecurity workforce and thereby enhancing national cyber resilience.

Conclusion

The cybersecurity landscape of 2024 was a wake-up call for industries worldwide. From the maritime sector to energy infrastructure, the lessons of the past year highlight the urgency of adopting a proactive and holistic approach to security. In 2025, the focus must remain on resilience, innovation, and international collaboration to safeguard the infrastructures that underpin modern life.

Addressing state-sponsored threats requires cooperation beyond borders. International collaboration is essential, as cyber adversaries operate globally, exploiting vulnerabilities in interconnected systems. Sharing intelligence, best practices, and lessons learned will enable organizations across sectors to collectively improve their defense capabilities. By fostering a culture of collaboration, the cybersecurity community can better address the challenges of an increasingly interconnected world. Building resilience requires well-established incident response and intelligence-sharing frameworks. Effective response plans, combined with cross-sector collaboration, enable organizations to react promptly to cyberthreats and share valuable information to strengthen collective defense.

For those committed to securing our nation’s critical infrastructure, joining the Houston InfraGard Members Alliance, where industry leaders and experts collaborate to drive resilience in our communities, can make a tangible impact. Special recognition goes to the Greater Houston Port Bureau and Houston Ship Channel Security District for their support of cybersecurity awareness in the Houston area and their dedication to fostering resilience in the maritime domain.


About the Authors

Marco Ayala

President
Houston InfraGard Members Alliance
marco.ayala@infragardhouston.org
Chris Wolski

President
Founder/Fractional CISO

chris@appsecconv.com

This article was authored by Marco (Marc) Ayala, president of InfraGard Houston, chair of Threat Intelligence and Cybersecurity AMSC Gulf of Mexico - Outer Continental Shelf, and Chris Wolski, sector chief for the Maritime Domain, AMSC Houston-Galveston and CEO of Applied Security Convergence, LLC, with the aim to inspire action and foster collaboration to meet the evolving challenges of cybersecurity head-on.