A recent report from the U.S. Government Accountability Office warns that there’s an urgent need to address cybersecurity risks to offshore oil and gas infrastructure.
The findings came after GAO was asked to review the cybersecurity of the more than 1,600 U.S. offshore oil and gas facilities that produced significant amounts of domestic oil and gas. Arguably stating the obvious, the main finding in the report was that offshore oil and gas infrastructure faces significant and increased cybersecurity risks in the form of threat actors, vulnerabilities and potential impacts.
Offshore oil and gas exploration and production methods were found to be increasingly reliant on remotely connected operational technology critical to safety, leaving them vulnerable to cyberattacks. Older infrastructure was highlighted as particularly vulnerable because older OT can have fewer cybersecurity protection measures.
As demonstrated in the attack on Colonial Pipeline Co. in May 2021, the report notes that a successful cyberattack could cause physical, environmental and economic harm. The report specifically mentions that a cyberattack could result in a repeat of the 2010 Deepwater Horizon disaster, a disaster that resulted in the largest oil spill in the history of the petroleum industry.
While not holding back, GAO also noted that the Department of the Interior’s Bureau of Safety and Environmental Enforcement has long recognized the need to address cybersecurity risks but has taken few actions to address the issue. BSEE initially made efforts in 2015 and 2020 to address cybersecurity in oil and gas production but “neither resulted in substantial actions.” BSEE is said to have started a new initiative earlier this year, but this was then paused.
“Absent the immediate development and implementation of an appropriate strategy, offshore oil and gas infrastructure will continue to remain at significant risk,” the report states. “Such a strategy would call for, among other things, an assessment of cybersecurity risks and mitigating actions; and the identification of objectives, roles, responsibilities, resources and performance measures.”
Edward Liebig, global director of cyber-ecosystem at information technology company Hexagon AB’s Asset Lifecycle Intelligence division, told SiliconANGLE that the report claims that the severity of these impacts could be mitigated by onsite manual controls that can override automated systems. But he said that a ‘shutdown’ may not be immediate or simple to execute.
“There are residual actions such as purging pipelines, pressures and systems that need to take place to truly ‘stop’ a process,” Liebig explained. “There remains a real and present physical, ecological and supply chain danger whenever a ‘shutdown’ command is performed. By the time a cyber attack manifests into a ‘detectable event,’ it is too late in the attack cycle to ‘start to react.’”
Liebig added that “system failures that are an indication of attack come well after malware or command and control has taken root” and that “short of a full plant shutdown, stopping processes is like playing ‘Whac-A-Mole’ to keep in front of potentially serious consequences.”