- The U.S. Government Accountability Office published a report about U.S. offshore oil and natural gas facilities and found that the facilities may face cyberattacks.
- A successful cyber attack could potentially result in catastrophic consequences on a scale of security, economic stability, public health, or public safety for the U.S.
- According to the report, it is the matter of a network of more than 1,600 offshore oil and gas facilities that produce a significant amount of domestic oil and gas in the U.S.
The U.S. Government Accountability Office reported that the network of over 1,600 offshore facilities including drillships, production facilities, pipelines, and related equipment, a significant portion of U.S. domestic oil and gas is at an increased risk of cyberattacks. The warning comes after GAO examined the cybersecurity risks that offshore oil and gas infrastructure are facing.
Operations heavily rely on OT systems
The GAO says today’s offshore oil and gas operations heavily rely on OT (Operational Technology) systems to support activities across every level of offshore operations. These are including processes to extract and separate fluids such as water, oil, and natural gas as well as the monitoring of temperature and pressure during those processes. The remote technology capabilities in the OT systems let system operators watch and control operations from onshore control centers. The report notes that although most offshore oil and gas platforms have personnel onsite, unmanned oil and gas production is becoming increasingly common.
During their analysis, GAO found that the organization that is responsible for overseeing offshore oil and gas operations does not explicitly mention cybersecurity in its regulatory programs. According to the GAO, this creates significant vulnerability and may result in a successful cyber attack on such infrastructure could have potentially catastrophic effects. The organization says in the report;
« The Department of the Interior’s Bureau of Safety and Environmental Enforcement (BSEE) has long recognized the need to address cybersecurity risks but has taken few actions to do so. In 2015 and 2020 BSEE initiated efforts to address cybersecurity risks, but neither resulted in substantial action. Earlier this year, BSEE again started another such initiative and hired a cybersecurity specialist to lead it. However, bureau officials said the initiative will be paused until the specialist is adequately versed in the relevant issues. Absent the immediate development and implementation of an appropriate strategy, offshore oil and gas infrastructure will continue to remain at significant risk. Such a strategy would call for, among other things, an assessment of cybersecurity risks and mitigating actions; and the identification of objectives, roles, responsibilities, resources, and performance measures. »
It is reported that the older infrastructure is also vulnerable because its operational technology can have fewer cybersecurity protection measures. The watchdog adds that the systems and assets, whether physical or virtual, are so vital to the U.S. Disabling or destruction of them would have a paralyzing impact on U.S. security, economic stability, public health or safety, or any combination of these factors. Offshore oil and gas are one of the 16 critical infrastructure sectors identified in the 26 Presidential Policy Directive 21.
The report noted that offshore oil and gas facilities are not the only sectors that may face malicious cyberattacks, particularly backed by China, Iran, North Korea, and Russia. The operational technology systems which are used to monitor and control have various security flaws and face cyberattack threats as well. That could allow attackers to remotely take control of functions, including those critical to public safety.