Oil and Gas Upstream Security: Onshore and Offshore Operations | CloseProtectionHire

The security risks facing upstream oil and gas operations – exploration, drilling, and production – are more varied, more persistent, and more potentially severe than those facing most other commercial sectors. The combination of remote location, high-value assets, critical infrastructure status, expatriate workforce, and operations in some of the world’s most challenging political environments produces a threat picture that demands a security programme built specifically for the context, not a generic corporate security framework with oil-field language added.

The Threat Environment by Region

West Africa: Niger Delta and Gulf of Guinea

The Movement for the Emancipation of the Niger Delta (MEND) was the dominant non-state actor affecting oil operations in Nigeria between 2006 and 2016, responsible for pipeline attacks, facility sabotage, and kidnap of expatriate workers. The political negotiated settlement and amnesty programme of 2009 reduced but did not eliminate the threat. Successor armed groups and criminal networks in the Delta continue to carry out pipeline vandalism (often to enable oil theft through illegal bunkering rather than for political purposes), kidnap for ransom, and attacks on logistics vessels.

The Gulf of Guinea more broadly – including operations in Ghana, Equatorial Guinea, Gabon, Cameroon, and the waters offshore – records the highest incidence of seafarer kidnapping globally. The ICC International Maritime Bureau’s 2023 report recorded that the Gulf of Guinea accounted for a disproportionate share of maritime kidnap incidents globally, with victims typically held for ransom for periods of days to weeks.

Iraq and Kurdistan Region

Iraq’s oil industry – the world’s third-largest proven reserves – operates in an environment that has never fully stabilised following the 2003 invasion and the subsequent insurgency cycles. The Kurdistan Region of Iraq (KRI) offers a significantly more permissive operating environment than central and southern Iraq, but is not without risk: the area saw Iranian ballistic missile attacks on Erbil in early 2022.

For operators in Basra and the southern fields, threat actors include Iranian-aligned militia groups whose posture towards Western energy companies fluctuates with the political cycle, criminal networks involved in oil theft and extortion, and the residual presence of ISIS-affiliated cells in disputed territories. Convoy movement from Basra airport to field facilities requires armoured vehicles, route planning updated against current threat intelligence, and military or armed private security escort depending on the specific route and period.

Colombia

Colombia’s security environment for oil operations has improved markedly since the 2016 FARC peace agreement, but the dissidents of FARC (FARC-EP), ELN (National Liberation Army), and criminal successor networks continue to operate in oil-producing departments including Arauca, Putumayo, and Meta. The primary threat modalities are pipeline bombing (used as a political and extortion instrument), extortion of contractors and local employees, and selective targeting of security and management personnel.

Regulatory Framework for Offshore Security

PFEER Regulations 1995

The Prevention of Fire and Explosion and Emergency Response Regulations 1995 (SI 1995/743) apply to offshore installations. They require the duty holder to take appropriate measures to protect persons on the installation from the effects of fire and explosion, to secure effective evacuation, escape, and rescue, and to establish emergency response procedures. Security incidents that could produce fire, explosion, or mass casualty outcomes fall within the scope of PFEER emergency planning obligations.

Offshore Installations (Safety Case) Regulations 2015

The Offshore Installations (Safety Case) Regulations 2015 (SI 2015/398) require operators to produce a safety case accepted by the Health and Safety Executive before an installation begins production. The safety case must identify all major accident hazards and demonstrate that the management system is adequate to control them. HSE’s guidance confirms that security events with major accident potential are within scope.

ISPS Code and Mobile Offshore Drilling Units

The International Ship and Port Facility Security (ISPS) Code, which entered force in 2004 following the SOLAS amendments of 2002, applies to offshore installations that are classified as ships – including mobile offshore drilling units (MODUs) and floating production storage and offloading vessels (FPSOs). IMO Circular 1387 clarifies the application of ISPS to these vessel types. The code requires a vessel security plan, a company security officer, and a vessel security officer with defined responsibilities.

The ASIS Guideline and the UN Voluntary Principles

The ASIS International Guideline for the Management of Privately Contracted Armed Security Personnel in Upstream Oil and Gas Operations (2012) is the primary industry-specific standard for armed security contractor management. It requires operators to:

• Assess the security risk environment before deploying armed contractors
• Define rules of engagement (ROE) that are proportionate to the threat, legal under the jurisdiction’s law, and consistent with international human rights standards
• Ensure armed contractors are vetted, trained, and competent to the required standard
• Monitor contractor performance against the ROE and investigate all use-of-force incidents
• Maintain records demonstrating the above

The UN Voluntary Principles on Security and Human Rights (2000) extend the framework to public security forces (military and police) contracted or relied upon for facility protection. Operators are expected to communicate their human rights standards to public security forces, investigate alleged abuses, and not make payments to forces credibly linked to human rights violations.

IFC Performance Standard 4, applied to companies seeking International Finance Corporation funding, incorporates both the ASIS guideline and the Voluntary Principles as due diligence requirements.

Close Protection in the Upstream Environment

Close protection for expatriate senior personnel in upstream environments involves different operational planning from the corporate executive protection model:

Duration: An upstream CP programme typically covers a posting of weeks to months, not a visit of hours or days. The team needs logistics, relief cover, and operational security for extended periods.

Isolation: Operating at a remote field site or offshore platform means the team cannot rely on police response, hospital facilities within useful range, or the infrastructure of a city environment. Medical capability, communications redundancy, and self-sufficiency are baseline requirements.

Vehicle movement: Most casualty-producing security incidents in upstream environments involve vehicles in transit between the secure site and the nearest transport hub. Route planning, vehicle specification, convoy protocols, and the use of armed escort require specific operational planning – not adaptation of a generic vehicle movement protocol.

Handover to local security: At the field site perimeter, the close protection team interfaces with local security contractors. Clarity about roles, handover procedures, communication protocols, and the allocation of authority in an emergency is essential and must be established during the site security planning process, not improvised at the gate.

For the vehicle security principles that apply to movement in high-threat upstream environments, see our hostile vehicle mitigation guide. For the kidnap prevention and personal security measures that should accompany all high-risk upstream postings, see our kidnap prevention and personal security guide.