The network of offshore oil and gas facilities in the US is at serious and growing risk of a potentially devastating cyberattack, a government watchdog says. This has been announced by the Government Accountability Office (GAO). report found last week that if a cyberattack successfully hits the country’s offshore infrastructure, it could trigger a catastrophe with consequences similar to those of the Deepwater Horizon disaster.
According to the GAO, there are currently more than 1,600 outer continental shelf structures involved in oil and gas production spanning the Atlantic, Pacific, and the coasts of Alaska, as well as the Gulf of Mexico. Those structures are largely dependent on operational technology that is controlled remotely. These systems, the GAO found, are particularly vulnerable to being hacked or otherwise breached by malicious actors, especially older systems that have less security measures in place. In addition, past government efforts to strengthen industry cybersecurity have led to little action.
“Unless an appropriate strategy is developed and implemented promptly, offshore oil and gas infrastructure will continue to be at significant risk,” the GAO said in the report.
Last year, oil and gas infrastructure security came into the national spotlight after hackers with the group DarkSide breached the systems of the Colonial Pipeline, the largest gasoline pipeline in the world.United States. The attack shut down the pipeline for nearly a week, causing a small gas panic on the East Coast, and was the largest critical infrastructure breach in US history. The hack was especially embarrassing considering that the leak stemmed from a single compromised passwordand a technical audit has been carried out three years before the breach found Colonial’s system could have been hacked by “an eighth grader,” one of the auditors later said told AP. The attack caused a larger bill about the safety of oil and gas systems – as well as the federal government’s lax attitude towards those systems.
The national network of offshore oil and gas facilities and infrastructure is regulated by the Bureau of Safety and Environmental Enforcement (BSEE). In a comprehensive review of the BSEE policy, which included reviews of reports of what happened during previous operational technology failures at oil and gas facilities, as well as interviews with federal employees and industry stakeholders, the GAO found that oil and gas operations are increasingly being in motion. remote working and “unmanned oil and gas production is becoming more common.” At the same time, many operational technology systems are outdated or connect to larger business and IT systems within a company that can be accessed remotely.
Bad actors, such as other countries, transnational criminal groups or hackers, are increasingly accessing these types of systems through the business side, the report says, and they can more easily migrate those attacks to the platforms and drilling infrastructure themselves. While the BSEE made two attempts in 2015 and 2020 to address cybersecurity in drilling infrastructure, the report notes that “neither has resulted in substantial action”.
As far as we know, there has not yet been a deliberate attack on a US oil and gas drilling technology network by a malicious actor, officials told the GAO. But we’ve seen what the failure of an operational technology system can look like and how devastating it can be. The failure of an automatic safety system was part of the cascade of problems that led to the 2010 Deepwater Horizon explosion, the largest oil spill in US history that killed 11 people.
Threateners are increasingly able to launch attacks against critical infrastructure, including offshore oil and gas infrastructure. “At the same time, the infrastructure is becoming more vulnerable to attacks. More specifically, the [operational technology] in oil and gas infrastructure is becoming increasingly vulnerable to being exploited in cyber-attacks that can lead to serious damage to human security, the environment and the economy.”