GAO Report: Interior Department Bureau Falls Short on Offshore Oil Rig Cybersecurity
The Government Accountability Office said a bureau within the Department of the Interior has done little to address cybersecurity risks across offshore oil and gas facilities.
According to a GAO report concerning the DOI’s Bureau of Safety and Environmental Enforcement, which oversees more than 1,600 offshore oil and gas facilities, a cyberattack on the offshore sites could cause catastrophic harm to people and equipment and affect oil production and distribution. GAO also noted that while BSEE sought to initiate cybersecurity efforts in 2015 and 2020, no action was ultimately taken.
BSEE hired a specialist to address cybersecurity gaps, but GAO had to put the individual on hold until the specialist is well-informed about the issues and the entities involved, CyberScoop reported Thursday.
GAO recommended that BSEE immediately develop and implement a strategy to address offshore infrastructure risks that should include risk mitigation and the identification of objectives, roles, responsibilities, resources and performance measures. The Interior Department concurred with the oversight body’s recommendations.
Oil and gas infrastructure security has been one of the focus areas for the Biden administration following the Colonial Pipeline ransomware attack. A White House press release issued in October stated that the Transportation Security Agency issued performance-based directives to increase cyber resilience for the pipeline and rail sectors.
Chris Grove, director of cybersecurity strategy at Nozomi Networks, said a cyberattack on offshore rigs comes with major consequences, including the difficulty of providing assistance. He noted that the isolated nature of offshore oil and gas rigs makes it difficult for cyber experts to apply network patches.
Grove suggested that there should be another agency to oversee offshore rig cybersecurity, noting that the sector is not BSEE’s core competency.