GAO reports offshore oil and gas infrastructure faces cybersecurity risks from threat actors, vulnerabilities, potential impacts

The U.S. Government Accountability Office (GAO) revealed in a recent report that offshore oil and gas infrastructure faces significant and increasing cybersecurity risks coming from threat actors, vulnerabilities, and potential impacts. The threat comes as most offshore oil and gas platforms have personnel onsite, though unmanned oil and gas production is becoming increasingly common. OT (operational technology) systems in the oil and gas sector are becoming increasingly vulnerable to exploitation in cyberattacks, which could lead to serious harm to human safety, the environment, and the economy.

GAO said in its report that state hackers, cybercriminals, and others could potentially conduct cyberattacks against offshore oil and gas infrastructure. “The federal government has identified the oil and gas sector as a target of malicious state actors. Additionally, modern exploration and production methods are increasingly reliant on remotely connected operational technology—often critical to safety—that is vulnerable to cyberattack. Older infrastructure is also vulnerable because its operational technology can have fewer cybersecurity protection measures,” it added.

The GAO report also revealed that a successful cyberattack on offshore oil and gas infrastructure could cause physical, environmental, and economic harm. “For example, officials said that the effects of a cyberattack could resemble those that occurred in the 2010 Deepwater Horizon disaster. Disruptions to oil and gas production or transmission could also affect energy supplies and markets.”

From February to October this year, the U.S. watchdog conducted a performance audit to assess the extent to which the Department of the Interior’s Bureau of Safety and Environmental Enforcement (BSEE) addressed cybersecurity risks to offshore oil and gas infrastructure. GAO reviewed documentation regarding actions that the BSEE has taken and plans to take to identify and respond to cybersecurity threats to offshore oil and gas infrastructure. These documents included a draft strategic framework, a potential regulatory framework, budget justifications, bureau statements, press releases, and safety alerts. 

The BSEE is responsible for overseeing offshore oil and gas operations. Its regulatory programs advise various offshore activities and facilities, including drilling, well completion, production, pipeline, and decommissioning operations. The bureau implements technological advancements and conducts onsite inspections to assure compliance with regulations, lease terms, and approved plans. However, to date, BSEE’s regulations do not explicitly mention cybersecurity, though the bureau has determined that addressing cybersecurity risks to offshore oil and gas infrastructure aligns with its mission to promote safety and protect the environment.

The U.S. watchdog made one recommendation calling upon the BSEE to immediately develop and implement a strategy to address offshore infrastructure risks. “Such a strategy should include an assessment and mitigation of risks; and identify objectives, roles, responsibilities, resources, and performance measures, among other things. In an email, we were informed that Interior generally concurred with our findings and recommendation,” the report added.

GAO also interviewed officials from the BSEE and other key federal agencies regarding past and planned bureau actions to address cybersecurity risks. “We then compared BSEE’s actions to address cybersecurity risks against National Institute of Standards and Technology (NIST) cybersecurity guidance and GAO criteria for developing and implementing effective program strategies,” it added in the report. 

The GAO report also finds that modern offshore oil and gas operations rely on OT systems to support activities across the life cycle of offshore operations and monitoring of temperature and pressure during those processes. In addition, remote access capabilities in the OT systems allow system operators to monitor and control operations from onshore control centers. 

The report identified that nations, including nation-states, state-sponsored, and state-sanctioned groups or programs, use cyber tools as part of their efforts to further economic, military, and political goals. “Chinese and Russian cyber threat actors have previously targeted the U.S. energy sector, including oil and gas companies. In addition, Iran has previously targeted foreign oil and gas companies, using cyberattack techniques,” it added.

The GAO report also highlighted transnational criminal groups, including organized crime organizations, which seek to use cyberattacks for monetary gain. Further, cybercriminals are increasing the number, scale, and sophistication of ransomware attacks that threaten to cause greater disruptions of critical services.

The GAO report also covered hackers breaking into networks for reasons including challenge, revenge, stalking, or monetary gain. In contrast, hacktivists are ideologically motivated actors who use cyberattack tools to further political goals. According to U.S. Coast Guard officials, the agency considers environmental groups opposed to petroleum development to be a threat actor that could potentially target offshore oil and gas infrastructure.

It also identified insiders, including employees, contractors, or vendors, with authorized access to an information system or enterprise and who have the potential to cause harm, wittingly or unwittingly, through the destruction, disclosure, or modification of data or denial of service. Bureau of Safety and Environmental Enforcement officials indicated that insiders, such as a disgruntled employee, could cause issues on an offshore oil and gas facility.

The GAO report also said that, in 2022, the Federal Bureau of Investigation (FBI) observed that several ransomware groups had developed code designed to stop critical infrastructure or industrial processes. Furthermore, hackers may become even more capable, particularly with advances in artificial intelligence.

According to MITRE’s widely accepted framework for classifying cyberattacks, threat actors can use multiple techniques to gain initial access to OT used to control offshore oil and gas infrastructure. These include attackers who may exploit internet-accessible devices in OT systems and adversaries who may compromise the supply chain of OT systems by manipulating products (such as hardware or software) or delivery mechanisms before receipt by the end consumer. Attackers may also send a specific individual, company, or industry a ‘spearphishing’ email with links or attachments that include malicious code to gain access to a corporate network.

Additionally, attackers may exploit services that allow users to connect to network resources from a remote location such as virtual private networks. The attackers then use these services to access and attack OT networks.

The GAO report said that the BSEE has taken a few measures to address cybersecurity risks to the more than 1,600 oil and gas facilities and structures on the outer continental shelf (OCS). “This creates significant liability, given that a successful cyberattack on such infrastructure could have potentially catastrophic effects. Since recognizing the need to take action in 2015, the scale and scope of cybersecurity risks have continued to increase, creating even greater urgency for the bureau to respond. However, BSEE has struggled to address cybersecurity risks to offshore oil and gas infrastructure and only recently has taken steps to start a new initiative. This effort remains in the earliest stages of development,” it added. 

Accordingly, it is not guided by an overarching strategy that identifies cybersecurity risks; relevant practices to address those risks; the bureau’s role in addressing them; milestones for activities such as formalizing relationships with other federal agencies and industry organizations; resource needs, such as appropriate staffing levels; and performance measures to assess results, the GAO said. 

“Without a strategy to guide the development and implementation of its new cybersecurity program that incorporates these key features, the effectiveness of any cybersecurity program that BSEE ultimately establishes could be constrained,” GAO said. “This, in turn, would jeopardize the bureau’s ability to address the significant and increasing cybersecurity risks facing offshore oil and gas infrastructure on the OCS,” it added.

Last week, the GAO called upon the U.S. Department of Defense (DOD) to increase attention to ensure cyber incidents are appropriately reported and shared. The move came as GAO found that the DOD has not fully implemented its processes for managing cyber incidents, does not have complete data on cyber incidents that staff report and fails to document whether it notifies individuals whose personal data is compromised in a cyber incident.
