The Government Accountability Office said in a new report that the network of over 1,600 offshore facilities that produces a significant portion of U.S. domestic oil and gas are at a growing risk of cyberattacks. The warning comes more than a year after ransomware actors targeted Colonial Pipeline, bringing the U.S. oil pipeline system relied on by millions of Americans to a standstill.
The watchdog warned that not only has the government identified the offshore oil and gas sector as a target of malicious state actors, particularly those backed by China, Iran, North Korea and Russia, but said operational technology (OT) — often used by these facilities to monitor and control physical equipment — contains multiple security flaws that could allow attackers to remotely take control of various functions, including those critical to safety.U.S. cybersecurity agency CISA has released several advisories about OT vulnerabilities this year alone, detailing issues like weak encryption and insecure firmware updates, and urged impacted users to identify baseline mitigations for reducing potential risks.
The GAO noted in its new report that legacy OT infrastructure still in use at many facilities is also vulnerable due to a lack of both built-in cybersecurity measures and software security patches. The report notes that older devices “do not have the capability to log commands sent to the devices, making it more difficult to detect malicious activity.”
The U.S. watchdog is calling on the Department of the Interior’s Bureau of Safety and Environmental Enforcement (BSEE), which oversees offshore oil and gas operations, to address these growing security risks. It says that the agency had initiated efforts to address these cybersecurity risks as far back as 2015, but has yet to take any “substantial” action almost a decade later.
The GAO notes that the BSEE started another such initiative earlier this year and hired a cybersecurity specialist to lead it, but the agency later said the effort was put on hold until the specialist is “adequately versed in the relevant issues.”