The US Government Accountability Office says that US Offshore Oil “faces significant and increasing cybersecurity risks” from both threat actors and vulnerabilities.
Although oil and gas companies will face specific, large-scale threats to their critical infrastructure many small businesses won’t, many of the attack vectors – such as business email compromise – are the same.
But taking advantage of technology like password managers, to use one example, is only worthwhile if done as part of a wider cybersecurity strategy, something the report recommends.
US Offshore Oil and Gas: a Sitting Duck?
In the US, a network of more than 1,600 offshore oil and gas facilities produces a large proportion of the gas and oil that the country uses domestically.
In recent years, the GAO’s report says, they’ve all relied on technology to monitor and control technology remotely. But that wasn’t always the case.
Systems “once largely isolated from internet and business IT systems”, are now “frequently connected with those systems both within a company” and accessible via the internet.
The report notes that hackers could cause damage by exploiting internet-accessible devices with malware, “manipulating products or delivery mechanisms” and spearphishing.
A large-scale attack on any of the 1,600 facilities would likely have catastrophic effects.
“A cyberattack on these facilities could cause physical, environmental, and economic harm,” the GAO says, while also noting that “disruptions to oil and gas production and transmission could affect supplies and markets”.
Who’s Posing the Threat?
The GAO identifies four different types of groups posing a threat. The first is nations, such as China, Russia, and North Korea, which already have a long, documented history of attacking critical US infrastructure.
There's now an entire ecosystem of transnational criminal groups that “seek to use cyberattacks for monetary gain” on a regular basis.
The report notes the Colonial Pipeline cyberattack that took place in May 2021, which caused the company to disconnect certain systems that monitor and control physical pipeline functions “to ensure the safety of the pipeline”, which led to all pipeline operations being halted and shortages in the South-east of the US.
The report also talks of hackers and hacktivists, namedropping Anonymous specifically. Insiders – any individual with authorized access to systems – are also identified as a major threat.
Protecting Yourself with a Cybersecurity Strategy
When working out how to protect your business or organization, there are a number of things you have to take into consideration.
There’s software to consider, for instance, and choosing the right business VPN or password manager isn’t always plain sailing. But rolling out comprehensive training programs for employees is equally as crucial.
The point is, and what the report strongly recommends, is that you need an all-encompassing cybersecurity strategy that involves risk assessments, objectives and performance measures, and properly planned and costed resources.
Cyber attacks, unfortunately for all of us, will keep on coming – but what you can do is ensure you’re well-placed to defend against them.