The US Government Accountability Office (GAO) has warned that the time to act on securing the US’s offshore oil and natural gas installations is now because they are under “increasing” and “significant risk” of cyberattack.
A report to Congress looked at a network of “more than 1,600 offshore oil and gas facilities,” which the federal watchdog pointed out produce a “significant” amount of America’s domestic oil and gas – and the operational technology (OT) tech that looks after and controls the physical equipment.
The study also warned of a potential ecological (and energy) disaster on par with the 2010 Deepwater Horizon disaster.
Striking an air of desperation, the report adds that in 2015 and 2020 the Department of the Interior’s Bureau of Safety and Environmental Enforcement (BSEE) initiated efforts to address cybersecurity risks, but “neither resulted in substantial action.”
Earlier this year, BSEE “again started another such initiative,” hiring a cybersecurity specialist to lead it. But bureau officials have apparently put this on pause while the specialist is brought up to speed with “the relevant issues.” In the meantime, the report urges, BSEE should “immediately” get a strategy together to “address offshore infrastructure risks.”
Curiously, the report mentions neither the physical attack on gas lines under the Baltic Sea owned by Russia’s Nord Stream energy firm, nor Stuxnet – which is perhaps the most well known SCADA system malware of all time. The famous worm was widely credited with crippling the Iranian nuclear weapons program for several years, and according to researchers found its way onto the air-gapped network of the plant on an infected USB stick.
Supervisory Control and Data Acquisition (SCADA) systems provide a graphical user interface for operators to check on the status of an industrial control system; receive any alarms that units are offline or compromised; or enter adjustments to manage the processes on the system itself.
The GAO did mention the USB as an infection vector, though, pointing to a 2018 alert by Schneider Electric about some system monitoring devices that were packaged with USB removable media that one of its suppliers contaminated with malware during manufacturing.
In a worst case scenario, the report suggested cyberattacks on Operational Technology Systems in the offshore oil and gas sector could result in a disaster on the scale of the 2010 failure of mobile offshore drilling unit Deepwater Horizon’s blowout preventer. The report points out the semi-submersible offshore drilling rig’s crippled operation tech (OT) system contributed to its explosion and sinking “as well as 11 deaths, serious injuries, and the largest marine oil spill in the history of the US (approximately 4.9 million barrels).”
And the economy…
According to officials at the Pipeline and Hazardous Materials Safety Administration, cyberattacks against pipeline OT – such as valves that control oil and gas flow – could “disrupt production and transmission and, thereby, negatively affect energy supplies, markets, and the economy.”
The report [PDF] also noted that the 2021 ransomware attack on the Colonial Pipeline Company had led to temporary disruption in the delivery of gasoline and other petroleum products across much of the southeast US. Not only was the operator caught off guard in terms of cybersecurity defenses, its operators are said to have paid $5 million to regain control of their systems and get the pipeline pumping oil again. The company at the time carried 100 million gallons a day of refined fuels between Houston, Texas, and New York Harbor – 45 percent of all fuel needed on the US East Coast.
Although it never mentioned Europe explicitly, clearly the report has an eye on the energy price shocks currently being suffered in Europe, where Russia’s war on Ukraine has interrupted natural gas supplies. European nations, some more than others, were already very reliant on Russian gas because of the slowness of their shifts to clean energy and the move by some to close their nuclear power plants.
When Russia cut off the juice, this contributed to rising global inflation as well as extreme energy budgeting – and the unexpected revival of coal plants – with Germany, Austria, France, and the Netherlands all announcing plans to reactivate them or prolong their operations.
Some of the cyberthreats cited by the federal watchdog included those posed by Russia’s online state-sponsored attackers. In the 2015 attacks on Ukraine, according to a CISA alert, Russian-sponsored miscreants issued unauthorized commands to open the breakers at substations managed by three regional electricity utilities, causing a loss of power to about 225,000 customers.
The report concludes that the lack of action to address cybersecurity risks to the more than 1,600 oil and gas facilities and structures on the outer continental shelf creates “significant liability,” given that a successful cyberattack on such infrastructure could have potentially catastrophic effects. It wants a strategy to guide the most recent cybersecurity efforts that includes a risk assessment; performance measures; coordination of efforts; and an assessment of needed resources. ®