The Government Accountability Office (GAO) is calling for the Department of the Interior to immediately develop and implement a cybersecurity strategy for offshore oil and gas facilities.
A network of over 1,600 offshore facilities produces a significant portion of U.S. domestic oil and gas. The federal government has identified the oil and gas sector as a target of malicious state actors. Along with other critical infrastructure, these offshore facilities, which rely on technology to remotely monitor and control equipment, face a growing risk of cyber attacks. Modern exploration and production methods are increasingly reliant on remotely connected operational technology (OT)—often critical to safety—that is vulnerable to cyber attack. Older infrastructure is also vulnerable because its OT can have fewer cybersecurity protection measures. An attack could cause physical, environmental, and economic harm. Subsequent disruptions to oil and gas production and transmission could affect supplies and markets.
The effects of a successful cyber attack would likely resemble those of other incidents related to OT systems that have occurred. These could include deaths and injuries, damaged or destroyed equipment, and pollution of the marine environment. However, in a worst-case OT failure scenario, all these impacts can occur simultaneously at a catastrophic scale. For example, in 2010, the failure of the mobile offshore drilling unit Deepwater Horizon’s blowout preventer—an OT system—contributed to its explosion and sinking, as well as 11 deaths, serious injuries, and the largest marine oil spill in the history of the U.S.
During the course of its review, GAO found that in 2015, a U.S. Coast Guard official made statements regarding a cybersecurity incident where malware was unintentionally introduced onto a mobile offshore drilling unit. According to the Coast Guard, the malware affected the dynamic positioning system, which resulted in the need to maneuver to avoid an accident.
A new GAO report says the Department of the Interior’s Bureau of Safety and Environmental Enforcement (BSEE) has long recognized the need to address cybersecurity risks but has taken few actions to do so. GAO noted in its report that BSEE initiated efforts to address cybersecurity risks in 2015 and again in 2020, but that neither resulted in substantial action.
Since then, BSEE has issued two safety alerts to industry recommending that operators follow Cybersecurity and Infrastructure Security Agency (CISA) guidance. Specifically, in September 2020, BSEE warned that CISA was aware of multiple vulnerabilities that could allow a highly skilled attacker to remotely take control of various OT, such as those that open and close valves or control system flow rates and pressures. Subsequently, in March 2022, because of the potential for increased threats to U.S. infrastructure associated with the war in Ukraine, BSEE encouraged Outer Continental Shelf (OCS) operators to strengthen and systematize their cybersecurity defenses and regularly monitor the guidance issued by CISA.
Earlier this year, in its fiscal year 2023 budget justification, BSEE proposed developing a foundational cybersecurity capability in the form of an offshore cybersecurity safety threats program to work with industry on decreasing cybersecurity risks to OT and offshore infrastructure.
The watchdog found that in May this year BSEE started a new cybersecurity initiative and hired a specialist to lead it. However, bureau officials told GAO that the initiative will be paused until the specialist is adequately versed in the relevant issues. The officials said the program is in the very early stages of development and that BSEE does not expect to begin making key programmatic decisions or drafting programmatic documents and policies until sometime in fiscal year 2023.
GAO concluded that “BSEE’s commitment of minimal resources and lack of urgency in addressing cybersecurity risks reflect cybersecurity’s relatively low priority within the bureau.”
According to the 2022 Annual Threat Assessment of the U.S. Intelligence Community, China, Iran, North Korea, and Russia pose the greatest cyber threats. Of particular concern, these countries possess the ability to launch cyber attacks that could have disruptive effects on critical infrastructure. For example, according to the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation, from December 2011 to 2013, state-sponsored Chinese actors conducted a spearphishing and intrusion campaign targeting U.S. oil and gas pipeline companies. Of the 23 targeted pipeline operators, 13 were confirmed compromises. Hackers, hacktivists and insiders also pose significant cyber threats to offshore oil and gas infrastructure. Without an appropriate strategy, this infrastructure remains at significant risk. GAO wants a new strategy that would call for, among other things, an assessment of cybersecurity risks and mitigating actions; and the identification of objectives, roles, responsibilities, resources, and performance measures.
GAO reported that it was informed, via email, that Interior generally concurred with the watchdog’s findings and recommendation.