Why Offshore Facilities Are at Particular Risk of Cyberattack
Offshore facilities’ place in the energy production chain makes them vulnerable in a way their grounded counterparts usually aren’t. They may be up to 200 miles beyond the coastline of the United States and up to two miles underwater. Their remote location limits them in practical terms — less availability of physical security, longer response times to emergencies and threats — even as their increased connectivity means that they face the same threats as other parts of the sector.
One of the biggest risk factors for offshore facilities is their outsize impact. Economically and logistically, they share the same risks as the sector at large: An attack on the energy sector could amount to a national catastrophe, causing public safety concerns, severe supply disruptions and financial loss.
Physically and environmentally, however, offshore facilities carry their own unique impact, as the case of the 2010 Deepwater Horizon disaster shows. When a blowout triggered an explosion on the oil rig off the coast of Louisiana, 11 workers were killed, and the rig leaked approximately 134 million gallons of oil into the Gulf of Mexico, causing enormous environmental damage.
How Is the U.S. Government Protecting Offshore Facilities?
As part of the energy sector, offshore facilities are considered critical infrastructure, making them one of 16 sectors designated by the government as “so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof,” according to the U.S. Cybersecurity and Infrastructure Security Agency.
The industry and the government are working toward solutions. In March, the U.S. Department of the Interior indicated that the Bureau of Safety and Environmental Enforcement had started work on a cybersecurity strategy that follows the recommendations of a November 2022 report from the GAO. This strategy includes assessment of risk; objectives, activities, and performance measures; roles, responsibilities, and coordination; and identification of needed resources and investments. The BSEE’s goal is to have the strategy ready for implementation by early 2024.
What Are the Resiliency Solutions for Offshore Facilities?
Modernizing legacy infrastructure carries inherent risks of its own because it broadens the cyberattack surface, but it’s a measured risk that will boost offshore facilities’ cybersecurity exponentially. Overhauling infrastructure may be the biggest security step that facilities can take to protect themselves, the sector as a whole and the public.
This can be a part of an overall technological transformation, as in the case of a national Asian oil company that developed a three-year roadmap including an upgrade of its IT and operational technology (OT) architecture and an overhaul of its cybersecurity policies, McKinsey reports.
Bringing in hallmarks of digital transformation (Internet of Things devices, digitization, mobile apps) may be key to improving cybersecurity, but the bedrock of protection for offshore facilities remains threat detection, anticipation, monitoring and response.
Zero-trust security architecture approaches, firewalls, access and identity control measures, patch management, recovery plans, and continuous monitoring: All of these combine to make offshore facilities more resilient to vulnerabilities.
Network segmentation, following a full assessment of a facility’s connectivity framework, is another valuable step. When Shell overhauled its cybersecurity a few years ago, it worked with an “inside-out” approach, in which each piece of OT was protected individually instead of establishing firewalls around the infrastructure. The result, according to Drilling Contractor: a system that passed penetration tests without issue.
Third-party solutions such as managed detection and response services can play a role in this ongoing protection. But whatever solution offshore facilities opt for, its outsize impact means that the sector as a whole will be watching.