After being asked to review cybersecurity of offshore oil and gas infrastructure, the US Government Accountability Office (GAO) has created a report that examines the cybersecurity risks facing offshore oil and gas infrastructure and the extent to which the Bureau of Safety and Environmental Enforcement (BSEE) has addressed them.
The report resulted on one recommendation from the GAO: BSEE should immediately develop and implement a strategy to address offshore infrastructure risks. Such a strategy should include an assessment and mitigation of risks and identify objectives, roles, responsibilities, resources, and performance measures, among other things.
The GAO reviewed relevant federal and industry reports on offshore oil and gas cybersecurity risks and analyzed relevant BSEE documentation. This documentation included a draft strategic framework, a potential regulatory framework, safety alerts, and budget justifications.
The GAO interviewed officials from agencies with offshore and cybersecurity responsibilities. It also obtained the perspectives of nonfederal stakeholders representing the offshore oil and gas industry.
What the GAO Found
Offshore oil and gas infrastructure faces significant and increasing cybersecurity risks in the form of threat actors, vulnerabilities, and potential impacts.
Threat actors. State actors, cybercriminals, and others could conduct cyberattacks against offshore oil and gas infrastructure. The federal government has identified the oil and gas sector as a target of malicious state actors.
Vulnerabilities. Modern exploration and production methods are increasingly reliant on remotely connected operational technology—often critical to safety—that is vulnerable to cyberattack. Older infrastructure is also vulnerable because its operational technology can have fewer cybersecurity protection measures.
Potential impacts. A successful cyberattack on offshore oil and gas infrastructure could cause physical, environmental, and economic harm, according federal officials. For example, officials said that the effects of a cyberattack could resemble those that occurred in the 2010 Deepwater Horizon disaster. Disruptions to oil and gas production or transmission also could affect energy supplies and markets.
The BSEE has long recognized the need to address cybersecurity risks but has taken few actions to do so. In 2015 and 2020, BSEE initiated efforts to address cybersecurity risks, but neither resulted in substantial action. In 2022, BSEE again started another such initiative and hired a cybersecurity specialist to lead it. However, bureau officials said the initiative will be paused until the specialist is adequately versed in the relevant issues. Absent the immediate development and implementation of an appropriate strategy, offshore oil and gas infrastructure will continue to remain at significant risk. Such a strategy would call for, among other things, an assessment of cybersecurity risks and mitigating actions and the identification of objectives, roles, responsibilities, resources, and performance measures.
The GAO also recommended that the BSEE director immediately develop and implement a strategy to guide the development of its most recent cybersecurity initiative; such a strategy should include a risk assessment; objectives, activities, and performance measures; roles, responsibilities, and coordination; and identification of needed resources and investments.