There's a howling gap in offshore oil and gas cybersecurity oversight
A federal watchdog is not pulling punches
The US regulator responsible for overseeing offshore oil and gas (O&G) infrastructure has systematically failed to develop a cybersecurity strategy for the 1,600 production facilities in the Gulf of Mexico and off the Californian and Alaskan coasts – a failure that could have “catastrophic” consequences, say federal auditors.
They warned that malicious hackers could potentially trigger an attack as devastating as the Deepwater Horizon incident in 2010, “disrupt production, and transmission and, thereby, negatively affect energy supplies, markets, and the economy” – pointing to an unhealthy marriage of increased remote operations/networked Operational Technology (OT), legacy operating systems and high demands for uptime meaning little patching.
The risk has been flagged by the Government Accountability Office (GAO) which took aim at the Bureau of Safety and Environmental Enforcement (BSEE) which is responsible for offshore oil and gas production oversight.
See also: The Pipeline Hack: 2 (just 2!) key takeaways
In a blistering report GAO said: “In 2015 and 2020 BSEE initiated efforts to address cybersecurity risks, but neither resulted in substantial action efforts… More than seven years have elapsed since BSEE explicitly identified the need to address cybersecurity risks to offshore oil and gas infrastructure,” GAO added, arguably generously, that despite this “the bureau remains in the early stages of establishing a program to do so.”
Earlier this year, BSEE again started another such initiative and hired a single cybersecurity specialist to lead it but it told the GAO that “until the specialist is adequately versed in the relevant issues and entities, formal program development and implementation will be paused” – GAO added in a late October 2022 report.
(The report was first spotted by Bloomberg.)
But… the private sector has it under control!
The optimistically minded may believe that the private sector companies responsible for running these 1,600 facilities have cybersecurity under control. Frankly, GAO suggests, nobody would know if that were true.
“No federal officials or industry representatives we contacted were aware of any cyberattacks against offshore oil and gas infrastructure or specific requirements to report them if they occur” GAO said (our italics.)
In an audit conducted between February 2022 and October 2022 the watchdog said that whilst BSEE had developed a draft oil and gas cybersecurity framework in 2020 that recommended it “coordinate with other federal agencies to assess and promote more effective management of cybersecurity risks to the OT of
industry on the OCS [offshore continental shelf]. However, BSEE officials we interviewed described the draft framework as an internal white paper to inform the bureau of the importance of addressing cybersecurity risks.
“These officials told us that BSEE never formally adopted or implemented the framework.”
(Private sector oil and gas leaders looking to reinforce their own cybersecurity as OT threats grow should ensure that they have a CISO, ideally reporting directly to the CEO, as well as security-savvy board members.)
The Stack has contacted the BSEE for comment.
Offshore oil and gas cybersecurity: What’s the fear?
The GAO report, authored by Frank Rusco Director, Natural Resources and Environment, and Marisol Cruz Cain, Director, Information Technology and Cybersecurity emphasised the “OT in oil and gas infrastructure is increasingly vulnerable to being exploited in cyberattacks that could result in serious harm to human safety, the environment, and the economy” – noting that OT systems to support activities across the life cycle of offshore operations, including processes to extract and separate fluids (e.g., water, oil, and natural gas), and the monitoring of temperature and pressure during those processes. In addition, remote access capabilities in the OT systems allow system operators to monitor and control operations from onshore control centers.
Increased automation and OT networking has heightened risk, they said, adding: “Although most offshore oil and gas platforms have personnel onsite, unmanned oil and gas production is becoming increasingly common.”
Without the “immediate development and implementation of an appropriate cybersecurity strategy, offshore oil and gas infrastructure that produced 628 million barrels of oil and 824 trillion cubic feet of natural gas in fiscal 2021 “will continue to remain at significant risk” GAO said. BSEE is responsible for offshore oil and gas from design and installation through to decommissioning. Whilst its regulations “do not explicitly mention cybersecurity, but the bureau has determined that addressing cybersecurity risks to offshore oil and gas infrastructure aligns with its mission to promote safety and protect the environment” GAO said.
In the US’s sprawling, sometimes baroque and often overlapping/underlapping world of federal organisations, it may well be that the BSEE thinks and hopes that this is someone else’s problem. Whilst in 2015, the Department of Homeland Security (DHS) issued the National Infrastructure Protection Plan to further integrate critical infrastructure protection efforts between government and private sectors, that plan does note that sectors benefit from being overseen by federal regulators that bring key capabilities to the critical infrastructure partnership, including ensuring sector resilience through oversight.” BSEE, clearly, doesn’t.