US Offshore Oil Vulnerable to Hackers and Foreign Cyberattacks

The GAO claims the Department for the Interior has so far taken "few steps" to address cybersecurity risks.
Aaron Drapkin

The US Government Accountability Office says that US Offshore Oil “faces significant and increasing cybersecurity risks” from both threat actors and vulnerabilities.

Although oil and gas companies will face specific, large-scale threats to their critical infrastructure many small businesses won’t, many of the attack vectors – such as business email compromise – are the same.

But taking advantage of technology like password managers, to use one example, is only worthwhile if done as part of a wider cybersecurity strategy, something the report recommends.

US Offshore Oil and Gas: a Sitting Duck?

In the US, a network of more than 1,600 offshore oil and gas facilities produces a large proportion of the gas and oil that the country uses domestically.

In recent years, the GAO’s report says, they’ve all relied on technology to monitor and control technology remotely. But that wasn’t always the case.

Systems “once largely isolated from internet and business IT systems”, are now “frequently connected with those systems both within a company” and accessible via the internet.

The report notes that hackers could cause damage by exploiting internet-accessible devices with malware, “manipulating products or delivery mechanisms” and spearphishing.

A large-scale attack on any of the 1,600 facilities would likely have catastrophic effects.

“A cyberattack on these facilities could cause physical, environmental, and economic harm,” the GAO says, while also noting that “disruptions to oil and gas production and transmission could affect supplies and markets”.

Who’s Posing the Threat?

The GAO identifies four different types of groups posing a threat. The first is nations, such as China, Russia, and North Korea, which already have a long, documented history of attacking critical US infrastructure.

There's now an entire ecosystem of transnational criminal groups that “seek to use cyberattacks for monetary gain” on a regular basis.

The report notes the Colonial Pipeline cyberattack that took place in May 2021, which caused the company to disconnect certain systems that monitor and control physical pipeline functions “to ensure the safety of the pipeline”, which led to all pipeline operations being halted and shortages in the South-east of the US.

The report also talks of hackers and hacktivists, namedropping Anonymous specifically. Insiders – any individual with authorized access to systems – are also identified as a major threat.

Protecting Yourself with a Cybersecurity Strategy

When working out how to protect your business or organization, there are a number of things you have to take into consideration.

There’s software to consider, for instance, and choosing the right business VPN or password manager isn’t always plain sailing. But rolling out comprehensive training programs for employees is equally as crucial.

The point is, and what the report strongly recommends, is that you need an all-encompassing cybersecurity strategy that involves risk assessments, objectives and performance measures, and properly planned and costed resources.

Cyber attacks, unfortunately for all of us, will keep on coming – but what you can do is ensure you’re well-placed to defend against them.

This article was last updated on:
Did you find this article helpful? Click on one of the following buttons
We're so happy you liked! Get more delivered to your inbox just like it.

We're sorry this article didn't help you today – we welcome feedback, so if there's any way you feel we could improve our content, please email us at contact@tech.co

Aaron Drapkin is a Senior Writer at Tech.co. He has been researching and writing about technology, politics, and society in print and online publications since graduating with a Philosophy degree from the University of Bristol three years ago. As a writer, Aaron takes a special interest in VPNs and project management software. He has been quoted in the Daily Mirror, Daily Express, The Daily Mail, Computer Weekly, and the Silicon Republic speaking on various privacy and cybersecurity issues, and has articles published in Wired, Vice, Metro, The Week, and Politics.co.uk covering a wide range of topics.

Explore More See all news
close Thinking about your online privacy? NordVPN is Tech.co's top-rated VPN service See Deals