Cybersecurity risks to offshore oil and natural gas facilities such as those from state actors and cyber criminals are on the rise.
In a new report, the U.S. Government Accountability Office (GAO) said the federal government has identified the oil and gas sector as a target of malicious state actors. Exploration and production (E&P) operations today require reliance on remotely connected operational technology, and this is vulnerable to cyberattack.
Potential impacts could “resemble those that occurred in the 2010 Deepwater Horizon disaster. Disruptions to oil and gas production or transmission could also affect energy supplies and markets,” GAO researchers said.
[Shale Daily: Including impactful news and transparent pricing for shale and unconventional plays across the U.S. and Canada, Shale Daily offers a clear snapshot of natural gas supplies for analysts, investors and global LNG buyers. Learn more.]
BP plc’s deepwater Macondo well explosion in 2010 killed 11 men, destroyed the Deepwater Horizon drilling rig and led to the largest oil spill in U.S. history. An extensive investigation by BP and federal officials found that Macondo’s blowout preventer had failed, and that there were safety lapses.
Despite the Department of the Interior’s Bureau of Safety and Environmental Enforcement (BSEE) long recognizing the need to address cybersecurity risks, little has been done, according to the GAO report. In 2015 and 2020 BSEE initiated efforts to address cybersecurity risks, but neither resulted in substantial action.
Earlier this year, BSEE hired a cybersecurity specialist to lead a new initiative. However, bureau officials said it will be paused until the specialist is adequately versed in the relevant issues.
“Absent the immediate development and implementation of an appropriate strategy, offshore oil and gas infrastructure will continue to remain at significant risk,” the GAO researchers said.
In undertaking the report, GAO reviewed federal and industry reports on offshore oil and gas cybersecurity risks, and interviewed officials from agencies with offshore and cybersecurity responsibilities. It also obtained the perspectives of nonfederal stakeholders representing the offshore oil and gas industry.
Last year, Colonial Pipeline Co.’s servers were hacked in a prime example of energy infrastructure vulnerabilities. The attack forced the 5,500-mile pipeline to shut down the main lines of its system, which supplies about 45% of the East Coast’s gasoline, diesel and jet fuel.
Colonial reportedly paid hacking group DarkSide, a criminal ransomware group based in Eastern Europe, $5 million in untraceable cryptocurrency for a decrypting tool to restore the company’s IT network.
The report said that “GAO is making one recommendation: BSEE should immediately develop and implement a strategy to address offshore infrastructure risks. Such a strategy should include an assessment and mitigation of risks; and identify objectives, roles, responsibilities, resources, and performance measures, among other things. In an email, we were informed that Interior generally concurred with our findings and recommendation.”