U.S. Government Accountability Office (GAO) Issues Stark Warning to Oil and Gas: Cybersecurity Catastrophe Looming If OT Measures Not Taken

The U.S. Government Accountability Office (GAO) has published a report warning that offshore oil and gas industry is vulnerable to “catastrophic-scale” cyber vulnerabilities due to its increasing dependence on remotely connected Operational Technology (OT) and outdated infrastructure that has fewer cybersecurity measures. The GAO has further recommended more government action to address U.S. offshore cybersecurity. Due to old technology, many OT systems in the industry lack built-in safeguards that could protect against advanced cyberattacks. The report stresses that a cyberattack on these systems could cause disruptions to the supply of energy as well as environmental and physical harm. The report emphasizes that the industry’s weak link is OT systems that were once isolated from Internet and Information Technology (IT) systems but that are now increasingly online and connected to IT systems. This means most cyberattacks will originate in IT systems and then move to OT systems, wreaking havoc through physical controls. OT systems in the oil and gas industry are especially vulnerable because of weak cybersecurity measures, including shortcomings in encryption, path management, configuration management, and access control and authentication.

The report reminds us that the BP Deepwater Horizon oil spill occurred because of a failure of a blowout preventer valve—an OT component that monitors and controls wells to prevent the uncontrolled flow of oil and gas during drilling. If these systems are controlled by malicious actors due to a cyberattack, the same incident can be replicated. The 2010 Deepwater incident led to 11 deaths and 4.9 million barrels of oil spilling into the Gulf of Mexico. 

This is not the first time a government organization has warned the industry of vulnerabilities in OT and Industrial Control Systems (ICSs). In September 2020, the U.S. Bureau of Safety and Environmental Enforcement (BSEE) issued a safety alert from the U.S. Cybersecurity and Infrastructure Security Agency that “highly skilled remote attackers” could take control of ICSs, including valves that control oil and gas flow pressure. Reiterating such threats after the February 2022 Russian invasion of Ukraine, the BSEE once again issued a safety alert in March, directly addressing offshore energy operators and asking them to improve their cybersecurity defenses.

However, the recent GAO report also criticizes the BSEE for taking “few actions” and asking the BSEE to do more. The GAO strongly recommends that the BSEE “should immediately develop and implement a strategy to address offshore infrastructure risks.” They ask that the BSEE director assess cyber risks and define roles and responsibilities regarding cybersecurity. Thus, the sector could expect increasing regulation around OT systems that could create opportunities for OT solution providers. The GAO also asks the BSEE for the development of “objectives, activities, and performance measures,” meaning that OT vendors could assist the oil and gas industry in achieving such measures.

The oil and gas sector is traditionally the focus of hacktivists with environmental concerns while its historical depiction as a sector with deep pockets will lure financially driven bad actors. Based on the GAO report, a successful large-scale cyberattack on the sector is imminent; this means that companies need to enhance their OT security measures. A reluctance to do so could result in unexpected and successful threats, leading to long downtimes and legal and reputational risks. It is not a feasible strategy for the oil and gas industry to rely on in-house solutions after they only just recently have embraced OT/IT convergence and Industry 4.0. Given the complexity of recent attacks on ICSs and an acute shortage of skilled OT cybersecurity professionals, outsourcing security to specialized vendors or managed security services providers can more effectively fortify cybersecurity defenses. OT cybersecurity vendors, especially those concentrating on the security of remote monitoring and control systems, need to market their solutions as tailored for the offshore energy sector. The energy sector’s special needs and the increasing use of remotely connected OT technology further justifies this marketing strategy.