In a new report, the US Government Accountability Office (GAO) warns that offshore oil and gas infrastructure face cybersecurity risks that the Department of Interior should immediately address.
Risks to this oil and gas offshore infrastructure are “significant and increasing” according to the GAO. These risks could stem from threat actors, vulnerabilities, unpatched systems and more.
The Department of the Interior’s Bureau of Safety and Environmental Enforcement (BSEE), which oversees the offshore oil and gas operations, has provided some tips for mitigating these risks, but Global Director of Cyber-Ecosystem at Hexagon Asset Lifecycle Intelligence, Edward Liebig, warns that these steps are oversimplified:
"In the report, the GAO states: According to BSEE officials, the severity of these impacts could be mitigated by on-site manual controls that can override automated systems. Specifically, these officials stated that operators have the ability to manually shut down operations, in the event of an emergency, to prevent the worst outcomes.
While this may be a “feel-good” statement, and comforting for laymen to know the capability exists, as any seasoned operators realize, a “shutdown” may not be immediate nor simple to execute. There are residual actions such as purging pipelines, pressures and systems that need to take place to truly “stop” a process. There remains a real and present physical, ecological and supply chain danger whenever a “shutdown” command is performed. By the time a cyber attack manifests into a “detectable event,” it is too late in the attack cycle to “start to react.” The system failures that are an indication of attack come well after malware or C&C has taken root. Short of a full plant shutdown, stopping processes is like playing “Whack-a-Mole” to keep in front of potentially serious consequences." ###