Hackers could cause the next Deepwater Horizon-scale disaster

The Deepwater Horizon rig burns on April 21, 2010.

Photo: Gerald Herbert (AP)

The network of offshore oil and gas facilities in the United States is at serious and growing risk of a potentially devastating cyberattack, says a government watchdog. The Government Accountability Office (GAO) released a new report last week finding that if a cyberattack successfully affects the nation’s offshore infrastructure, it could cause a catastrophe with impacts similar to those of the Deepwater Horizon disaster.

According to the GAO, there are currently more than 1,600 structures on the outer continental shelves involved in oil and gas production, dotting the Atlantic, the Pacific, and the coasts of Alaska, as well as the Gulf of Mexico. Such facilities are overwhelmingly dependent on remotely controlled operational technology. These systems, the GAO found, are particularly vulnerable to being hacked or otherwise compromised by bad-faith actors, especially older systems that have fewer security measures in place. Additionally, previous government efforts to strengthen the industry’s cybersecurity have resulted in little action.

“Absent the immediate development and implementation of an appropriate strategy, offshore oil and gas infrastructure will continue to remain at significant risk,” the GAO said in the report.

Last year, the security of oil and gas infrastructure was thrust into the national spotlight after hackers from the DarkSide group breached the systems of the Colonial Pipeline, the largest natural gas pipeline in the United States. The attack resulted in the pipeline being shut down for nearly a week, spurring a minor gas panic on the East Coast, and was the largest critical infrastructure breach in US history. The hack was especially embarrassing given that the breach was the result of a single compromised password, and a technical audit conducted three years before the breach found that Colonial’s system could have been hacked by “an eighth grader,” one of the reviewers later told the AP. The attack resulted in a wider reckoning on the safety of oil and gas systems, as well as the federal government’s lax attitude towards those systems.

The national network of offshore oil and gas facilities and infrastructure is regulated by the Bureau of Safety and Environmental Enforcement (BSEE). In an extensive review of BSEE policies, which included reviews of reports of what occurred during previous operational technology failures on oil and gas facilities, as well as interviews with federal employees and industry stakeholders, the GAO found that the oil and gas industry is increasingly moving to remote work and “unmanned oil and gas production is becoming more common.” At the same time, many operational technology systems are outdated or connect to larger business and IT systems within a company that can be accessed remotely.

Bad actors, such as other nations, transnational criminal groups or hackers, can increasingly gain access to systems like these through business systems, the report said, and can more easily migrate those attacks to rigs and the drilling infrastructure itself. While the BSEE made two efforts, in 2015 and 2020, to address cybersecurity in drilling infrastructure, the report notes that “neither resulted in substantive action.”

As far as we know, there hasn’t yet been a deliberate attack on a US oil and gas drilling technology network by a bad actor, officials told the GAO. But we have seen what the failure of an operational technology system can look like and how devastating it can be. The failure of an automatic safety system was part of the cascade of problems that led to the 2010 Deepwater Horizon explosion, which killed 11 people and caused the largest oil spill in US history.

“Threat actors are becoming increasingly capable of carrying out attacks on critical infrastructure, including offshore oil and gas infrastructure,” the report notes. “At the same time, infrastructure is becoming more vulnerable to attack. More precisely, the [operational technology] in the oil and gas sector is increasingly vulnerable to exploitation in cyber attacks that could cause serious damage to human safety, the environment and the economy.”

