- The nation’s offshore oil and gas industry faces a significant and growing risk of a malicious cyberattack that could result in a catastrophic incident rivaling the deadly Deepwater Horizon incident in 2010, according to a report from the U.S. Government Accountability Office.
- The industry includes about 1,600 offshore oil and gas facilities that are highly dependent on remotely connected operational technology, the report said. Many of these systems rely on aging technology, which lacks many of the built-in safeguards that protect facilities against modern cybersecurity risks.
- The Department of Interior, which oversees the industry, needs to urgently develop a plan to mitigate such a threat, the report warns. Department officials have been aware of such a risk for years; however, multiple attempts to take corrective action have fallen short or failed to get off the ground.
The 2021 Colonial Pipeline ransomware attack disrupted much of the nation’s supply of gasoline for nearly a week, causing runs on fuel, temporary price spikes and outages in stations across the Southeast and Mid-Atlantic states.
Following that incident and the later ransomware attack on meatpacking firm JBS USA, the Biden administration highlighted the risk of cyberattacks or breaches across a core group of 16 critical infrastructure sectors. The offshore oil and gas industry is part of a larger risk to the U.S. energy sector, which has come under scrutiny in part due to Russia's invasion of Ukraine. The invasion has led to even greater pressure on global oil and gas prices and to attacks on energy facilities.
The Bureau of Safety and Environmental Enforcement at the Interior Department previously launched efforts in 2015 and 2020 to address cybersecurity risks, but failed to take substantive action in both cases, according to the report.
The BSEE launched another plan earlier this year to address cybersecurity and hired a specialist to lead the effort, but later put that plan on pause to offer more time for the official to get up to speed on the issues, the report stated.
“Interior officials, specifically the [BSEE] leadership, have been aware of cyberthreats to offshore infrastructure, but have simply not acted on those threats in a sufficient or timely fashion,” Frank Rusco, director of national resources and environment at GAO, said via email.
While Rusco said the agency cannot specifically rank what type of cybersecurity attack poses the biggest risk, he reiterated “environmental and worker safety damages are potentially very large” in light of the multibillion-dollar cost of the Deepwater Horizon disaster.
The explosion and 87-day oil spill resulted in 11 deaths and 134 million gallons of oil leaking into the Gulf of Mexico. A federal judge in 2016 approved a record $20.8 billion settlement in the case.
A spokesperson for the National Ocean Industries Association, which serves offshore oil, gas, wind and ocean minerals industries, said cybersecurity is a “critically important issue” for the group, but they were in the process of reviewing the report.
A spokesperson for BSEE said the agency does not have any further comments beyond what was printed in the report.
Correction: This article has been updated to clarify the nature of the Deepwater Horizon incident.