UPDATED 19:32 EDT / NOVEMBER 22 2022

SECURITY

Report warns of urgent need to address cybersecurity in offshore oil and gas infrastructure

A recent report from the U.S. Government Accountability Office warns that there’s an urgent need to address cybersecurity risks to offshore oil and gas infrastructure.

The findings came after GAO was asked to review the cybersecurity of the more than 1,600 U.S. offshore oil and gas facilities that produced significant amounts of domestic oil and gas. Arguably stating the obvious, the main finding in the report was that offshore oil and gas infrastructure faces significant and increased cybersecurity risks in the form of threat actors, vulnerabilities and potential impacts.

Offshore oil and gas exploration and production methods were found to be increasingly reliant on remotely connected operational technology critical to safety, leaving them vulnerable to cyberattacks. Older infrastructure was highlighted as particularly vulnerable because older OT can have fewer cybersecurity protection measures.

As demonstrated in the attack on Colonial Pipeline Co. in May 2021, the report notes that a successful cyberattack could cause physical, environmental and economic harm. The report specifically mentions that a cyberattack could result in a repeat of the 2010 Deepwater Horizon disaster, a disaster that resulted in the largest oil spill in the history of the petroleum industry.

While not holding back, GAO also noted that the Department of the Interior’s Bureau of Safety and Environmental Enforcement has long recognized the need to address cybersecurity risks but has taken few actions to address the issue. BSEE initially made efforts in 2015 and 2020 to address cybersecurity in oil and gas production but “neither results in substantial actions.” BSEE is said to have started a new initiative earlier this year but this was then paused.

“Absent the immediate development and implementation of an appropriate strategy, offshore oil and gas infrastructure will continue to remain at significant risk,” the report states. “Such a strategy would call for, among other things, an assessment of cybersecurity risks and mitigating actions; and the identification of objectives, roles, responsibilities, resources and performance measures.”

Edward Liebig, global director of cyber-ecosystem at information technology company Hexagon AB’s Asset Lifecycle Intelligence division, told SiliconANGLE that the report claims that the severity of these impacts could be mitigated by onsite manual controls that can override automated systems. But he said that a shutdown’may not be immediate or simple to execute.

“There are residual actions such as purging pipelines, pressures and systems that need to take place to truly ‘stop’ a process,” Liebig explained. “There remains a real and present physical, ecological and supply chain danger whenever a ‘shutdown’ command is performed. By the time a cyber attack manifests into a ‘detectable event,’ it is too late in the attack cycle to ‘start to react.'”

Liebig added that “system failures that are an indication of attack come well after malware or command and control has taken root” and that “short of a full plant shutdown, stopping processes is like playing ‘Whac-A-Mole’ to keep in front of potentially serious consequences.”

Photo: Berardo62/Wikimedia Commons

A message from John Furrier, co-founder of SiliconANGLE:

Support our open free content by sharing and engaging with our content and community.

Join theCUBE Alumni Trust Network

Where Technology Leaders Connect, Share Intelligence & Create Opportunities

11.4k+  
CUBE Alumni Network
C-level and Technical
Domain Experts
15M+ 
theCUBE
Viewers
Connect with 11,413+ industry leaders from our network of tech and business leaders forming a unique trusted network effect.

SiliconANGLE Media is a recognized leader in digital media innovation serving innovative audiences and brands, bringing together cutting-edge technology, influential content, strategic insights and real-time audience engagement. As the parent company of SiliconANGLE, theCUBE Network, theCUBE Research, CUBE365, theCUBE AI and theCUBE SuperStudios — such as those established in Silicon Valley and the New York Stock Exchange (NYSE) — SiliconANGLE Media operates at the intersection of media, technology, and AI. .

Founded by tech visionaries John Furrier and Dave Vellante, SiliconANGLE Media has built a powerful ecosystem of industry-leading digital media brands, with a reach of 15+ million elite tech professionals. The company’s new, proprietary theCUBE AI Video cloud is breaking ground in audience interaction, leveraging theCUBEai.com neural network to help technology companies make data-driven decisions and stay at the forefront of industry conversations.