Strategy 'urgently needed' to address cybersecurity risks to oil and gas infrastructure: report

A network of over 1,600 offshore facilities that produce a significant portion of U.S. domestic oil and gas faces a growing risk of cyberattacks, and the Interior Department has taken insufficient steps to address this risk, according to a new report by the Government Accountability Office.

"Offshore oil and gas infrastructure faces significant and increasing cybersecurity risks in the form of threat actors, vulnerabilities, and potential impacts," states the report, titled "Offshore Oil and Gas: Strategy Urgently Needed to Address Cybersecurity Risks to Infrastructure."

Last year, leases in the Gulf of Mexico and off the coasts of California and Alaska produced approximately 628 million barrels of oil and 824 trillion cubic feet of natural gas, according to data published by the Department of the Interior's Office of Natural Resources Revenue. This accounted for approximately 62% of the oil and 20% of the natural gas produced on federal property.

But this production is vulnerable, under growing risk of being sabotaged by cyberattacks. One reason why is the ability of potential attackers to inflict harm.

"Threat actors are becoming increasingly capable of carrying out attacks on critical infrastructure, including offshore oil and gas infrastructure," the report states. "The federal government has identified the oil and gas sector as a target of malicious state actors."

The 2022 Annual Threat Assessment of the U.S. Intelligence Community found that China, Russia, Iran, and North Korea pose the greatest cyber threats to American interests. However, the Government Accountability Office (GAO) also listed transnational criminal groups, hackers and so-called hacktivists, and insiders — employees, contractors, vendors with authorized access to potentially sensitive information — as other potential threats.

Hacktivists may pose an especially acute threat to the oil and gas industry amid a widespread push by environmentalists to stop using fossil fuels and turn instead to renewable energy.

"Hackers and hacktivists no longer need a great amount of skill to compromise business IT systems because of the growing availability of public and commercial cyberattack tools," the report states. "Additionally, in 2022, the Federal Bureau of Investigation observed that
several ransomware groups had developed code designed to stop critical infrastructure or industrial processes. Furthermore, threat actors may become even more capable — particularly with advances in artificial intelligence."

At the same time, offshore oil and gas facilities are more vulnerable than ever.

"According to agency officials and industry representatives, OT [operational technology] in offshore oil and gas infrastructure is becoming increasingly vulnerable to cyberattacks," wrote the GAO. "Most notably, OT systems were once largely isolated from internet and business IT systems but are now frequently connected with those systems both within a company and accessible by internet systems globally. As a result, cyberattacks are now more likely to originate in business IT systems and migrate to OT."

As oil and gas facilities become vulnerable and potential attackers become more capable, the likely impact of a successful cyberattack could be catastrophic.

"Successful cyberattacks against offshore oil and gas infrastructure could have potentially severe effects on safety, the environment, and the economy," the report states. "These can include deaths and injuries, damaged or destroyed equipment, and pollution to the marine
environment. However, in a worst-case OT failure scenario, all these impacts can occur simultaneously at a catastrophic scale."

The GAO cited the example of the 2010 failure of the Deepwater Horizon offshore drilling rig, which led to its explosion and sinking as well as 11 deaths, serious injuries, and the largest marine oil spill in the history of the U.S. (approximately 4.9 million barrels)." 

Cyberattacks against pipeline OT could also disrupt the production and transmission of oil and gas, negatively affecting energy supplies, markets, and the broader economy.

The Interior Department's Bureau of Safety and Environmental Enforcement (BSEE) regulates and is responsible for overseeing offshore oil and gas infrastructure. However, the GAO chided the agency for taking insufficient steps to tackle the cyber threat.

"BSEE has taken few actions to address cybersecurity risks to the more than 1,600 oil and gas facilities and structures on the OCS [outer continental shelf of the U.S.]," the report states. "This creates significant liability, given that a successful cyberattack on such infrastructure could have potentially catastrophic effects. Since recognizing the need to take action in 2015, the scale and scope of cybersecurity risks have continued to increase, creating even greater urgency for the bureau to respond. However, BSEE has struggled to address cybersecurity risks to offshore oil and gas infrastructure and only recently has taken steps to start a new initiative."

But this effort remains in "the earliest stages of development," according to the GAO, which recommended the BSEE "should immediately develop and implement a strategy" to implement its cyber initiative and address offshore infrastructure risks.

The GAO said it provided a draft copy of its report to the Interior Department, which informed the GAO in an email that it "generally concurred with our findings and recommendation."