Cybersecurity in the Nigerian Energy Sector

18/2/2025
Alliance Law Firm

The energy sector is the primary driver of Nigeria’s economy, accounting for the largest portion of the nation’s foreign exchange revenues and GDP. The industry is undergoing rapid digital change, which has made it more susceptible to cyberattacks. Electric power systems worldwide have reportedly been subject to an upsurge in cyber threats, with the fragility of power systems extending beyond physical safeguarding to include cybersecurity issues. This demonstrates how susceptible power systems and the electric sector are to cyberattacks, which might lead to loss of profits and inefficient electrical networks. New stakeholders, investment, and technology have recently entered the Nigerian power sector, focusing on transforming and modifying the country’s power infrastructure. Incorporating new Information Technology (IT) and Operational Technology (OT) into the country’s power facilities has increased their vulnerability to cyberattacks, making cybersecurity essential for safeguarding sensitive data and ensuring the sector runs smoothly.[2] Moreover, large volumes of sensitive data, such as financial records, customer information, exploration data, and intellectual property, are handled by oil and gas businesses.

The oil and gas sector places a high premium on cybersecurity since it is a prime target for cyberattacks.[3] Physical attacks have been the most common type of attack on oil and gas infrastructure across Nigeria. However, as systems get more computerised, cyberattacks on pipeline infrastructures also increase in frequency. Widespread cyber interdependencies are often the result of critical infrastructures (CIs) becoming more automated and computerised.[4] Because cyberattacks are increasingly targeting CIs, there is a great deal of concern about safeguarding these infrastructures due to the substantial losses, consequences, and effects that the industry may experience. This article aims to give insight and raise much-needed awareness of the dangers of a weak cybersecurity framework, to help prevent such occurrences, and to encourage the energy sector to take proactive steps in protecting its CIs.

The Escalating Cyber Risks Facing the Global Energy Sector:

The ransomware attack on U.S. pipeline operator Colonial Pipeline in May 2021 raised public awareness of the potential for a cyberattack on the oil and gas sector. This most recent instance demonstrates how attacks are growing increasingly common and complex.[5] Digital technologies like cloud computing, artificial intelligence (AI), and the Internet of Things (IoT) have transformed the energy sector. These developments have increased productivity and innovation in the sector and significantly boosted efficiency in operations, decision-making procedures, and supply chain oversight. Unfortunately, there are significant risks associated with the digitization of operations as well. According to a 2016 Deloitte report, 68% of North American energy corporations had been the victim of at least one hack, highlighting the sector’s increased exposure. A single cybersecurity breach can affect whole operations and cause significant financial and reputational damage, and its impact is heightened as the sector grows more interdependent. These digital risks go beyond financial losses to include serious safety and environmental issues. A breach of these protocols can have disastrous effects on the environment and operational security.[6]

Major Cyberattacks in the International Oil and Gas Industry:

In 2022, the oil and gas sector was the target of 21 ransomware attacks worldwide, according to Statistics. In the past year, it has been the fifth most hit business sector by ransomware.

Furthermore, in 2022, the US Government Accountability Office (GAO) published a report.[7] It explained that offshore oil and gas facilities face serious cybersecurity threats. Threat actors, weaknesses, and possible consequences are the sources of these hazards.

  1. Colonial Pipeline Attack by DarkSide: The DarkSide hacker collective launched a ransomware attack against Colonial Pipeline on May 8, 2021. The biggest operator of oil pipelines in the United States was forced to cease operations due to the attack. The 5,500-mile pipeline owned by the firm was shut down. Forty-five percent of the diesel, petrol and jet fuel supplied to the East Coast comes from this pipeline. In several US states, the shutdown caused panic buying and fuel shortages. Colonial Pipeline’s CEO confirmed that he approved a US$4.4 Million ransom payment. The executives had no idea how serious the cyberattack was or how much time would be required to get the pipeline back up.[8] According to Reuters, the attack is among the most disruptive ransomware attempts ever recorded. It brought enormous attention to the US energy sector’s vulnerability.[9]
  2. Saudi Aramco Attack by Triton Malware: A brand-new, lethal malware known as “Triton” wreaked havoc in 2017. The largest oil business in the world, Saudi Aramco, had its safety systems targeted. It was the first time malware had specifically targeted a critical infrastructure facility’s safety system. Despite Aramco’s denials that the attack ever happened, a classified dossier named Aramco as the cyberattack’s victim. The paper, which Foreign Policy was able to obtain, was written by Area 1 Security, a computer security company started by former National Security Agency employees.[10] The incident also signalled a frightening and important turning point in critical infrastructure cybersecurity. Safety systems are intended to avoid catastrophic industrial mishaps and are the final line of defence against potentially fatal catastrophes, and the Triton malware can render them inoperable. Utilising it at a petrochemical facility such as Aramco would have resulted in explosions or the discharge of harmful hydrogen sulphide gas, endangering life both within the building and outside. Luckily, a fault in the attacker’s computer code stopped the plant’s production systems before the malware could seriously harm the infrastructure and operational assets.
  3. Ekans Attack on Chevron: Industrial Control Systems (ICS) and Operational Technology (OT) are the targets of the Ekans ransomware, sometimes referred to as Snake ransomware. In 2020, one of the biggest oil and gas corporations in the world, the Chevron Corporation, fell prey to a cyberattack. Although the attack’s specifics are unknown, it is thought that the attackers used a flaw in Chevron’s VPN software to access the company’s computers. It is unknown if the Chevron cyberattack involved the Ekans malware.[11]
  4. ExxonMobil Attack by Ryuk Ransomware: ExxonMobil is one of the biggest publicly traded oil and gas corporations in the world. The Ryuk ransomware attack on ExxonMobil in December 2019 caused a major disruption in the business’s operations. It particularly affected the company’s downstream operations, which include petroleum product distribution, chemical manufacturing, and refining. Ryuk is a type of ransomware that encrypts files on the target’s computer, making them unreadable until the attacker is paid a ransom. The perpetrators in the ExxonMobil case requested a Bitcoin ransom of US$1.6 Million.[12]
  5. Petrobras Attack by WannaCry Ransomware: At least 100,000 organisations across 150 countries were impacted by the WannaCry ransomware variant in 2017. The Brazilian state-owned oil corporation, Petrobras, was one of them. In reaction to the cyberattack, the corporation reportedly shut down its systems as a precaution.

All of these attacks are significant, but in a world where there are so many cyberthreats, it’s vital to feel empowered. Every day, cybersecurity frameworks and measures are developed and improved worldwide to support the advancement of oil and gas security systems.[13]

Some Forms of Cyberattacks That Can Affect the Energy Sector:

  1. Advanced cyberthreats: These may come from criminal syndicates, hackers, or state-sponsored attackers. Sophisticated advanced persistent threats (APTs) target the industry to obtain unauthorised access to important intellectual property, including strategic planning, reservoir data, and drilling methods.
  2. Weaknesses in industrial control systems: Cyberattacks can affect operational technology (OT) systems, such as distributed control systems (DCS) and supervisory control and data acquisition (SCADA) systems. Given their lengthy lifespan and absence of security features, this is particularly true for the latter. These antiquated systems frequently lack appropriate segmentation and receive few regular security updates, if any; their weak security measures leave them open to abuse. Additionally, many of them are difficult to update or patch, leaving them exposed to known vulnerabilities.[14]
  3. Insider threats: Systems may be tampered with or destroyed if unauthorised individuals gain physical access to vital infrastructure. Disgruntled employees, contractors, or others who have previously been granted authorised access may also purposefully or inadvertently undermine vital data and systems, making insider threats a serious problem.
  4. Remote operations: New security issues are brought about by the industry’s growing reliance on IoT devices and remote operations. Strict security measures are, therefore, necessary to reduce hazards, since using remote access technologies and connecting devices expands the attack surface.
  5. Risks associated with the supply chain: The oil and gas industry’s interdependence creates vulnerabilities through outside suppliers and vendors. Those with privileged access could undermine systems, take advantage of weaknesses, or unintentionally reveal important information. Furthermore, malicious software or hardware components may be introduced because of a corrupted supply chain, potentially resulting in security breaches.

Legal Framework for Cybersecurity in Nigeria:

The Cybercrimes (Prohibition, Prevention, Etc) Act, 2015 was enacted by the Nigerian government in 2015 and is described as “an effective, unified, and exhaustive legal, regulatory, and institutional framework to prohibit, prevent, detect, prosecute, and punish cybercrimes in Nigeria.” According to the explanatory memo, the Act was also passed in order to protect vital national information infrastructure and to advance cybersecurity, which includes safeguarding computer systems and networks, data, computer programs, intellectual property, and privacy rights. Other legislation relating to cybersecurity in Nigeria includes the following:

  1. Cybercrimes (Prohibition and Prevention etc.) (Amendment) Act 2024—Some key provisions of the Cybercrimes Act include the following:
    • Unlawful Access (Hacking): The Act makes it an offence for anybody to purposely gain unauthorised access to a computer system, in whole or in part, for fraudulent purposes in order to get material that is essential to national security. Offenders are liable to a fine of up to ₦5 Million, a maximum sentence of five years in jail, or both. Securing access to any software, computer data, trade or business secrets, or confidential information without authority and with the aim of committing an act is also an offence. This offence attracts a fine of up to ₦7 million, a maximum sentence of imprisonment for seven years, or both.[15] A fraud ring consisting of eight men was charged in March 2023 by the Nigeria Police before the Federal High Court, Lagos, with the offence of stealing ₦435.3 Million by breaking into the server of ITEX Limited, an electronic platform.[16] Two Nigerian university students were charged by the Police Special Fraud Unit in August 2024 before the Federal High Court, Lagos, with the offence of breaking into the computers of MTN Nigeria Communication Plc and stealing data and airtime worth ₦1.9 billion. The charge is still pending.[17]
    • System Interference (Denial of access attack): It is an offence for anyone without legal authority to purposely or dishonestly perform an act that seriously impairs a computer system’s ability to function, either directly or indirectly, by entering, sending, destroying, erasing, deteriorating, changing, or suppressing computer data, or by interfering in any other way with the computer system that stops the system or any component of it from operating as intended. The punishment for this type of offence is either a fine of up to ₦5 million, two years in prison, or both these penalties.[18]
    • Phishing and Spamming: It is an offence for anybody to pretend to be a reliable source in electronic communications in an effort to obtain private information, including credit card numbers, usernames, and passwords. This involves impersonating someone via email or instant messaging, or tricking users into changing their passwords or revealing their identity, with the goal of using it to perpetrate fraud later. The maximum punishment for this offence is either a fine of ₦1 million, three years imprisonment, or both.[19]
    • Infection of IT systems with malware and viruses: Under the Act, it is an offence for anybody to intentionally or maliciously distribute viruses or other malware that corrupts important data on computers owned by businesses, financial institutions, or the public. The maximum punishment for this offence is either a fine of ₦1 million, three years imprisonment, or both.[20]
  2. Constitution of the Federal Republic of Nigeria (CFRN) 1999 (As Amended): The 1999 Constitution serves as the starting point for cyber protection under Nigerian law. The Constitution guarantees and protects citizens’ privacy with regard to their residences, mail, phone conversations, and telegraphic communications.[21] The Constitution upholds the inalienable right to privacy of every citizen. Only laws enacted by democratically empowered public authorities can restrict it for the sake of national security, public safety, or the nation’s economic well-being, to stop disorder or crime, to protect people’s health or morals, or to protect other people’s rights and freedoms.
  3. The Economic and Financial Crimes Commission (EFCC) Act, 2004: The Economic and Financial Crimes Commission Act provides the legal framework for the establishment of the Commission and for protection against economic and financial crimes. Some of the major responsibilities of the Commission under the Act include:
    • The investigation of all financial crimes, including advance fee fraud, money laundering, counterfeiting, illegal charge transfers, futures market fraud, fraudulent encashment of negotiable instruments, computer credit card fraud, and contract scam, amongst others;
    • The coordination and enforcement of all laws against economic and financial crimes with a view to identifying individuals, corporate bodies, or groups involved;
    • Conducting research and related activities in order to ascertain the manifestation, scope, size, and consequences of economic and financial crimes and to advise the government on suitable intervention steps to combat them;
    • Taking charge of, supervising, controlling and coordinating all duties, functions, and actions associated with the ongoing investigation and prosecution of any offences related to or associated with economic and financial crimes, in consultation with the Attorney General of the Federation.[22]
  4. Criminal Code Act (CCA) 1990: All kinds of financial crimes, in any form, are criminalised and attract different penalties under the Act. Although cybercrime is not specifically addressed in the Act, it is a kind of offence that is subject to the Criminal Code’s penalties. The Act addresses obtaining property by false pretence.[23] While section 418 of the Act defines false pretence, the provisions of section 419 can also apply to cybercrime. Any representation of a matter of fact, past or present, made by speech, writing, or conduct, that is untrue and that the maker knows to be false or does not believe to be true is considered a false pretence.[24]

Cybersecurity Strategies for Nigeria’s Energy Sector:

Protecting Nigeria’s electrical grid against potential cyberattacks requires the implementation of efficient cybersecurity measures. This calls for an integrated plan that takes into account processes, technology, and human resources. For systems and technologies, creating and implementing advanced safety precautions is essential to prevent and reduce cyber threats. Despite notable advances in technology since unbundling, the Nigerian electricity industry continues to encounter obstacles because of insufficient IT logistical support and a lack of improvement in local safety standards. Improving these areas can help limit cyber threats’ ability to access computers and machinery controls. On the operational front, it is important to develop thorough and efficient security measures to reduce risks. Cyberattacks on the electric power grid can be prevented by implementing strong security procedures and controls. To further lessen insider threats and human errors, improving employee welfare and training is essential. Enhancing the workforce’s credentials, pay, and morale will ensure that employees are prepared to tackle cyber threats.[25]

Emergency Response and Planning:

For Nigeria’s electrical infrastructure to be strong, cyberattacks must be prevented and countered in an organized way. The essential elements of emergency response and planning are preparation, detection and evaluation, containment, elimination and recovery, and post-event activities. To avert malicious attacks, preparations include putting warning systems into place and boosting physical safety precautions at generation, transmission, and distribution substations. The goals of monitoring and evaluation are to identify cyberattacks, prioritize actions, and analyze incident reports to recognize and mitigate them. The stages of containment, removal, and restoration entail stopping the spread of malware, getting rid of security risks, and recovering deleted files and systems. To enhance and improve the response plan, post-event actions include examining the reasons for and conditions underlying cyberattacks. The resilience of Nigeria’s energy sector against cyberattacks can be greatly increased by putting into practice a thorough cybersecurity framework and an efficient emergency response plan, guaranteeing a safer and more reliable supply of energy for the country.[26]

The Importance of Robust Cybersecurity Measures:

Strong cybersecurity defenses are essential for safeguarding invaluable digital information from cyberattacks, guaranteeing continual operations, and upholding compliance with regulations. Frequent risk evaluations and security inspections help detect potential threats in a company’s electronic systems, enabling it to prioritize cybersecurity efforts and establish effective security initiatives. A strong cybersecurity system is built around an efficient network design, which consists of firewalls, systems to prevent attacks, and encrypted portals. Where there is a breach in security, quick action and recovery are crucial to limiting damage. An emergency response strategy offers an organized approach for handling the fallout, keeping the industry operating and decreasing recovery expenses and effort. Workforce awareness and training seminars are essential because human error is a major contributor to security breaches, and such training informs workers about possible cyber threats and the significance of following security procedures. Adherence to cybersecurity rules and sector standards is not only required by law but is also a crucial part of a company’s cybersecurity approach, with routine compliance inspections and reviews assisting in the early detection and repair of security control gaps.[27]

The Role of Strategic Partnerships:

Strategic partnerships greatly aid in the successful deployment of cybersecurity precautions because they offer the knowledge and assistance required to navigate the difficult waters of cybersecurity. Organizations like Snapnet Solutions, one of Nigeria’s leading IT consulting firms, are great examples of how specific experience and knowledge may be used to improve a company’s cybersecurity posture. These partners help companies create and execute broad cybersecurity policies that are carefully designed to meet specific needs and overcome sector-specific challenges. The energy sector can learn more about the best ways to mitigate cyber threats and their constant evolution by working with these specialists. To reduce the effect of any breaches, strategic partners offer an array of expertise in risk evaluations, safeguarded network layouts, and emergency recovery and response schemes. Additionally, they provide beneficial staff training courses that increase knowledge of cyberthreats and encourage compliance with security protocols, hence lowering the possibility of human error. In general, the establishment of strategic partnerships plays a vital role in cultivating a robust cybersecurity system that safeguards digital information, preserves continuous operation, and adheres to regulatory requirements, ultimately preserving the sector’s credibility and profitability.

Recommendations and Conclusion:

Nigeria’s energy sector is growing increasingly susceptible to cyberattacks as it goes through a digital revolution. Therefore, cybersecurity procedures need to be prioritised and reinforced in order to safeguard the nation’s critical infrastructure. The history of the industry and its adoption of contemporary technologies show how urgently a robust cybersecurity system that addresses both current weaknesses and potential threats is needed. Regular risk assessments, secure network architecture, employee training, and conformity to industry standards are all essential components of an effective cybersecurity system. By implementing a comprehensive strategy involving technology, processes, and personnel, Nigeria’s energy industry may successfully reduce cyberattacks, ensure uninterrupted operations, and support the country’s security and economic growth. By following these procedures, the sector will be better prepared to protect vital infrastructure and combat new cyberthreats. As it confidently marches into a technologically advanced future, the nation’s unshakeable commitment to cybersecurity will clear the path for a secure and lucrative energy environment, maintaining the nation’s vitality and securing its position on the international scene.

[1] Dr. Ngozi Chinwa Ole is a Consultant (Director) at Alliance Law Firm, Lagos, while Lilian Adat and Atake Anthonia are Senior Associate and Associate respectively at the same law firm.

[2] Ibikunle Ogundari and others, “Cyber Security Assessment of Nigeria’s Electric Power Infrastructure” (2021) 1 (2) African Journal of Science Policy and Innovation Management 87-104, accessed 22 July 2024.

[3] Otorio, “Why is Cybersecurity Important for Oil and Gas”, accessed 11 November 2024.

[4] Eric J. Byres, “Cybersecurity and the Pipeline Control System”, accessed 17 January 2025.

[5] Nina Terp, “How Cyber-ready is the Oil and Gas Industry?”, accessed 11 November 2024.

[6] Gabrielle Desarnaud, “Cyber-Attacks and Energy Infrastructures: Anticipating Risks” (2017) Ifri Centre for Energy, accessed 21 November 2024.

[7] GAO, “Offshore Oil and Gas: Strategy Urgently Needed to Address Cybersecurity Risks to Infrastructure” (GAO 2022), accessed 11 November 2024.

[8] Sangfor Technologies, “Igniting Attacks: Cybersecurity in the Oil and Gas Industry” (Sangfor 2023), accessed 11 November 2024.

[9] Christopher Bing and Stephanie Kelly, “Cyber Attack Shuts Down U.S. Fuel Pipeline ‘Jugular,’ Biden Briefed” (Reuters 2021), accessed 11 November 2024.

[10] Elias Groll, “Cyberattack Targets Safety System at Saudi Aramco” (Foreign Policy 2017), accessed 11 November 2024.

[11] Darktrace, “OT Cyber-Attacks: The Impact of EKANS Ransomware” (Darktrace 2020), accessed 11 November 2024.

[12] ACEC, “‘Ryuk’ Malware Attacked 5 Oil and Gas Facilities, Says Report” (ACEC 2020), accessed 11 November 2024.

[13] Sangfor note 7.

[14] Otorio note 2.

[15] Cybercrimes Amendment Act, 2024, s 6.

[16] Onozure Dania, “Fraudsters Hack Company’s Server, Steal N435.3m” (Punch 2023), accessed 12 November 2024.

[17] Onozure Dania, “[ICYMI] Two Students Arraigned for Hacking MTN Computers” (Punch 2024), accessed 12 November 2024.

[18] Cybercrimes Amendment Act, 2024, s 8.

[19] Cybercrimes Amendment Act, 2024, s 32 (1 and 2).

[20] Cybercrimes Amendment Act, 2024, s 32 (3).

[21] CFRN 1999 (as amended), s 37.

[22] EFCC Act 2004, Pt 2, s 6.

[23] CCA Cap C 38 LFN 2004, Chapter 38.

[24] Ibid s 418.

[25] Ceeman Vellaithurai and others, “CPIndex: Cyber-Physical Vulnerability Assessment for Power-Grid Infrastructures” (2015) 6 (2) IEEE Transactions on Smart Grid 566-575, accessed 11 November 2024.

[26] Ibid.

[27] Ibid note 1.
