
The oil and gas industry is spending billions on cybersecurity — and much of it is pointed in the wrong direction.
Network monitoring tools, vulnerability scanners, and vendor questionnaires are the pillars of most operators’ OT security programs. They’re necessary. They’re also insufficient, because none of them answer the one question that matters most: what is actually running inside the firmware of the controllers, RTUs, and SCADA systems keeping your pipelines flowing and your refineries processing?
That question, paired with the industry’s collective failure to answer it, is the most dangerous blind spot in critical infrastructure security today.
The Numbers Are Moving the Wrong Way
The threat landscape isn’t abstract. In 2024, Halliburton suffered a ransomware attack that cost $35 million. CISA reported a 145% surge in OT-targeted cyberattacks that same year. Dragos documented an 87% increase in ransomware groups targeting industrial organizations. The average cost of a single OT security incident in oil and gas has reached $4.4 million.
These aren’t outliers. They’re a pattern, and it stems from decades in which operational technology lived in isolation, running proprietary protocols on air-gapped networks. IT/OT convergence changed that. Remote monitoring, predictive maintenance, and real-time optimization connected those systems to networks that threat actors have been probing for years. The underlying equipment, however, stayed the same: fifteen-year-old controllers, firmware that was never designed to face the internet, and protocols that predate modern encryption.
The attack surface expanded. The software inside the devices didn’t change. And almost nobody has looked inside it.
What’s Actually in the Firmware
Here’s a real-world example that illustrates the gap. A deep binary analysis was recently performed on firmware from a major RTU vendor widely deployed across upstream oil and gas operations. This is a reputable vendor whose product has passed every compliance audit it has faced.
The vendor’s own security documentation listed approximately 30 software components. Binary analysis found 247. Among those 217 invisible components were the following:
- 55 CVEs completely undetected by conventional scanning.
- Three deprecated cryptographic algorithms still in active use.
- An eight-year-old end-of-life Linux kernel serving as the foundation for the entire firmware stack.
The vendor wasn’t negligent, and they weren’t lying. They simply didn’t have visibility into their own supply chain at the binary level. Their software bill of materials was generated from build manifests and source code records, which captured what they deliberately included and missed everything pulled in transitively, including the dependencies of dependencies, the statically linked libraries, and the remnants of build toolchains embedded in the final binary.
This isn’t a vendor problem. It’s an industry problem. And it’s the difference between what you think is running your critical infrastructure and what’s actually running it.
The Regulatory Reckoning
Regulators are no longer accepting the status quo. The TSA’s Security Directive SD02F, effective May 2025, requires pipeline operators to demonstrate component-level understanding of the software running on their critical systems. Not just at the application layer, but at the firmware level. North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards are converging with IEC 62443 in ways that push firmly toward verifiable, evidence-based supply chain integrity. NIST 800-82 Rev. 3 establishes clear expectations for software component-level risk management in OT environments.
The direction is unmistakable. Annual vendor questionnaires and self-attestation are no longer sufficient evidence of control. What regulators, and increasingly, cyber insurers, want is demonstrated visibility. Organizations that can produce comprehensive, validated bills of materials for their OT firmware are ahead of the curve. Those waiting for the mandate will be scrambling to build capabilities their competitors established years earlier.
A Practical Path Forward
The good news is that the technology to close this gap exists today, and it’s faster than most people expect. Modern binary analysis platforms can decompose a firmware image in minutes. A comprehensive software bill of materials for an operator’s most critical assets is achievable in weeks, not months.
The approach is straightforward. Start with discovery: analyze the firmware running on your highest-consequence assets and find out what’s actually there. Use those findings to prioritize remediation, focusing resources on the vulnerabilities that pose the greatest operational risk. Then embed binary analysis into ongoing operations, analyzing every firmware update before deployment and inspecting every new OT product before procurement.
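As an added example (not the page’s, ReversingLabs’, or any vendor’s code), the Python script below shows the core of the discovery step described above, and why the manifest-derived SBOM in the RTU case missed components: it scans a firmware image for the version banners that kernels, libraries and build toolchains leave behind in the binary, diffs what it finds against the vendor-declared SBOM, and flags versions that fall on an end-of-life line. The firmware image, the declared SBOM, the banner signature table and the EOL table are all constructed for illustration; a real image would first need unpacking (squashfs, cramfs, compressed kernels) before the string scan, and real banner matching needs far more signatures than the six shown.

```python
"""Diff a vendor-declared SBOM against what a firmware image actually contains.

Added illustration of manifest-based SBOM vs. binary evidence. Everything
below (image, SBOM, signatures, EOL table) is constructed for the demo and
is not a real vendor's firmware or lifecycle data.
"""
import re

# Constructed firmware image: an ELF-like header followed by version banners
# in the formats kernels, libraries and toolchains typically embed.
FIRMWARE_IMAGE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"Linux version 3.10.108 (build@buildhost) (gcc version 4.9.2) #1 SMP\x00"
    + b"OpenSSL 1.0.2k  26 Jan 2017\x00"
    + b"deflate 1.2.8 Copyright 1995-2013 Jean-loup Gailly and Mark Adler\x00"
    + b"BusyBox v1.24.2 (2016-08-01 12:00:00 UTC) multi-call binary.\x00"
    + b"GCC: (GNU) 4.9.2\x00"
    + b"Modbus/TCP controller 2.4.1\x00"
)

# What the vendor's manifest-derived SBOM claims is in the image (constructed).
DECLARED_SBOM = {
    "busybox": "1.24.2",
    "openssl": "1.1.1",       # manifest says 1.1.1; the binary says otherwise
    "controller-app": "2.4.1",
    "libcurl": "7.50.0",      # declared, but no evidence of it in the binary
}

# Banner signatures: (component, regex with a 'ver' group). These mirror the
# real banner formats of the listed projects but are deliberately minimal.
SIGNATURES = [
    ("linux-kernel", re.compile(rb"Linux version (?P<ver>\d+\.\d+\.\d+)")),
    ("openssl", re.compile(rb"OpenSSL (?P<ver>\d+\.\d+\.\d+[a-z]?)")),
    ("zlib", re.compile(rb"(?:deflate|inflate) (?P<ver>\d+\.\d+\.\d+) Copyright")),
    ("busybox", re.compile(rb"BusyBox v(?P<ver>\d+\.\d+\.\d+)")),
    ("gcc-toolchain", re.compile(rb"GCC: \(GNU\) (?P<ver>\d+\.\d+\.\d+)")),
    ("controller-app", re.compile(rb"Modbus/TCP controller (?P<ver>\d+\.\d+\.\d+)")),
]

# Constructed lifecycle policy: version prefixes treated as end-of-life lines.
# In practice this comes from the projects' lifecycle pages, not a literal.
EOL_LINES = {"openssl": ("1.0.",), "linux-kernel": ("3.10.",)}


def extract_components(image: bytes) -> dict:
    """Return {component: version} for every banner signature found in the image."""
    found = {}
    for name, pattern in SIGNATURES:
        match = pattern.search(image)
        if match:
            found[name] = match.group("ver").decode("ascii")
    return found


def diff_sbom(declared: dict, found: dict):
    """Compare the declared SBOM with binary evidence.

    Returns (undeclared, mismatched, unverified):
      undeclared  - components present in the binary but absent from the SBOM
      mismatched  - declared components whose binary version differs
      unverified  - declared components with no banner evidence in the binary
    """
    undeclared = {n: v for n, v in found.items() if n not in declared}
    mismatched = {n: (declared[n], found[n]) for n in declared
                  if n in found and found[n] != declared[n]}
    unverified = sorted(n for n in declared if n not in found)
    return undeclared, mismatched, unverified


def flag_eol(found: dict) -> list:
    """Return components whose version falls on a line listed in EOL_LINES."""
    return sorted(n for n, v in found.items()
                  if any(v.startswith(p) for p in EOL_LINES.get(n, ())))


if __name__ == "__main__":
    found = extract_components(FIRMWARE_IMAGE)
    undeclared, mismatched, unverified = diff_sbom(DECLARED_SBOM, found)
    print("declared:", len(DECLARED_SBOM), "found in binary:", len(found))
    print("undeclared:", undeclared)
    print("version mismatch:", mismatched)
    print("declared but unverified:", unverified)
    print("EOL lines in use:", flag_eol(found))
```

The three buckets the diff produces are the ones that matter in a vendor conversation: undeclared components (here the kernel, zlib and the compiler that built the image) are the transitive and toolchain artifacts a build manifest never lists; a version mismatch (the SBOM says OpenSSL 1.1.1, the binary says 1.0.2k) is the strongest evidence to bring to a vendor; and an unverified declaration is a prompt to ask how the SBOM was generated. Only the last two steps of the page’s procedure, mapping recovered versions to vulnerability data and re-running this on every update, are left out here.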
This also transforms the vendor relationship in ways that matter. Presenting a vendor with specific, evidence-based findings produces action in a way that questionnaires never have. For example, you can report “we found 55 unpatched CVEs in your firmware, including three critical vulnerabilities in your TLS implementation.” This is what good vendors want: specific, actionable feedback, and binary analysis provides it.
The Bottom Line
The biggest breaches in this industry have consistently happened to organizations that believed they were protected. Colonial Pipeline and Halliburton had both invested heavily in security, but that investment went toward the threats that were visible and missed the ones that were hidden. The blind spot is real. The question isn’t whether you can afford to look inside your OT firmware. It’s whether you can afford not to.
_______
About:
Matt Gyde serves as Chief Revenue Officer at ReversingLabs, where he leads the company’s global sales organization and is responsible for all revenue-generating initiatives across the business.
Matt brings extensive experience in building and scaling global technology and cybersecurity enterprises. He began his career at Dimension Data and, following its merger with NTT Security, served as CEO, where he successfully unified eight companies into a $2B global business operating across 58 countries. He also served as CEO of Foresite Cybersecurity and vArmour Networks, guiding both organizations through successful SaaS transformations and periods of accelerated growth.
Originally from Australia and having spent more than two decades in Singapore, Matt brings a truly global perspective and a leadership style rooted in collaboration, customer value, and results. He is deeply passionate about empowering teams and driving sustainable growth through innovation and disciplined execution.