US offshore oil and gas rigs at ‘significant’ risk of cyberattacks, warns government watchdog

U.S. offshore oil and gas infrastructure faces “significant and increasing” cybersecurity risks that require “urgent” attention, a U.S. government’s watchdog has warned.

The Government Accountability Office said in a new report that the network of over 1,600 offshore facilities that produces a significant portion of U.S. domestic oil and gas are at a growing risk of cyberattacks. The warning comes more than a year after ransomware actors targeted Colonial Pipeline, bringing the U.S. oil pipeline system relied on by millions of Americans to a standstill.

The watchdog warned that not only has the government identified the offshore oil and gas sector as a target of malicious state actors, particularly those backed by China, Iran, North Korea and Russia, but said operational technology (OT) — often used by these facilities to monitor and control physical equipment — contains multiple security flaws that could allow attackers to remotely take control of various functions, including those critical to safety.

U.S. cybersecurity agency CISA has released several advisories about OT vulnerabilities this year alone, detailing issues like weak encryption and insecure firmware updates, and urged impacted users to identify baseline mitigations for reducing potential risks.

The GAO noted in its new report that legacy OT infrastructure still in use at many facilities is also vulnerable due to a lack of both built-in cybersecurity measures and software security patches. The report notes that older devices “do not have the capability to log commands sent to the devices, making it more difficult to detect malicious activity.”

The U.S. watchdog is calling on the Department of the Interior’s Bureau of Safety and Environmental Enforcement (BSEE), which oversees offshore oil and gas operations, to address these growing security risks. It says that the agency had initiated efforts to address these cybersecurity risks as far back as 2015, but has yet to take any “substantial” action almost a decade later.

The GAO notes that the BSEE started another such initiative earlier this year and hired a cybersecurity specialist to lead it, but the agency later said the effort was put on hold until the specialist is “adequately versed in the relevant issues.”

“Absent the immediate development and implementation of an appropriate strategy, offshore oil and gas infrastructure will continue to remain at significant risk,” the GAO said, noting that a successful cyberattack on offshore oil and gas infrastructure could have catastrophic consequences, including “deaths and injuries, damaged or destroyed equipment, and pollution to the marine environment.”

The U.S. watchdog is urging the BSEE to urgently develop and implement a cybersecurity strategy that includes risk assessments, objectives, activities and performance measures; roles, responsibilities, and coordination; and the identification of required resources and investments.

BSEE “generally concurred” with the report and its recommendations. TechCrunch contacted BSEE for comment but did not hear back.