Photo: Illustration; Source: the U.S. Government Accountability Office (GAO)

Are U.S. offshore oil & gas assets in danger of cyberattacks?

The U.S. Government Accountability Office (GAO) has advised that further actions are needed to address the growing cybersecurity risks that a network of over 1,600 offshore facilities, producing a significant portion of U.S. domestic oil and gas, are facing as they rely on technology to remotely monitor and control equipment.

GAO recently pointed out that a cyberattack on these offshore facilities could cause physical, environmental, and economic harm while disruptions to oil and gas production and transmission could affect energy supplies and markets. The effects of a cyberattack could resemble those that occurred in the 2010 Deepwater Horizon disaster.

The Department of the Interior (DOI), which is responsible for overseeing this infrastructure, has taken a few steps to address cybersecurity risks. Moreover, the Department of the Interior’s Bureau of Safety and Environmental Enforcement (BSEE) previously recognised the need to address cybersecurity risks, but GAO says that few actions were taken. While BSEE initiated efforts to address cybersecurity risks in 2015 and 2020, neither of these attempts resulted in substantial action.

To amend this, BSEE started another such initiative earlier this year and hired a cybersecurity specialist to lead it. Still, officials said the initiative would be paused until the specialist is adequately versed in the relevant issues.

To promote safety and protect the environment, BSEE regulates offshore oil and gas infrastructure including drillships, production facilities, pipelines, and related equipment. In line with this, GAO was asked to review the cybersecurity of offshore oil and gas infrastructure. Therefore, GAO’s report examines the cybersecurity risks facing offshore oil and gas infrastructure and the extent to which BSEE has addressed them.

To this end, the U.S. Government Accountability Office reviewed relevant federal and industry reports on offshore oil and gas cybersecurity risks and analysed relevant BSEE documentation such as a draft strategic framework, a potential regulatory framework, safety alerts, and budget justifications. In addition, GAO interviewed officials from agencies with offshore and cybersecurity responsibilities and obtained the perspectives of nonfederal stakeholders representing the offshore oil and gas industry.

Cybersecurity risks for offshore oil & gas infrastructure

GAO’s report highlights that offshore oil and gas infrastructure faces “significant and increasing” cybersecurity risks in the form of “threat actors, vulnerabilities, and potential impacts.” Regarding threat actors, GAO underlined that state actors, cybercriminals, and others could potentially conduct cyberattacks against offshore oil and gas infrastructure since the federal government identified the oil and gas sector as “a target of malicious state actors.”

The U.S. Government Accountability Office underscored that modern exploration and production methods’ increasing reliance on remotely connected operational technology, which is often critical to safety, makes them vulnerable to cyberattacks. Additionally, older infrastructure is also considered to be vulnerable to such attacks due to its operational technology usually having fewer cybersecurity protection measures.

After careful consideration, the Government Accountability Office made one recommendation, stating that “BSEE should immediately develop and implement a strategy to address offshore infrastructure risks.”

Based on GAO’s statement, a strategy to address this would call for, among other things, an assessment of cybersecurity risks and mitigating actions; and the identification of objectives, roles, responsibilities, resources, and performance measures.

Taking all this into account, the U.S. Government Accountability Office concluded that without the immediate development and implementation of an appropriate strategy, offshore oil and gas infrastructure will continue to remain at “significant risk.”

This embedded content is only visible after accepting cookies.