Tracy W. Krohn distinctly remembers April 20, 2020, as a “multiple Martini night” — and not just because WTI plunged to a bizarre -$40.32/bbl. That same day, W&T Offshore was hit with a ransomware attack.

“They threatened to put a bunch of our data out over the internet, and some of it they did,” Krohn, the company’s founder, chairman, CEO and president, recalled during a presentation at Enercom in Denver.

W&T was able to corral its data and protect itself without any meaningful impacts, Krohn said.

“We certainly didn't pay any ransom,” he said. “I'm not daring anybody, but truth is, we handled it pretty well.”

If high seas and hurricanes weren’t enough to contend with, cybersecurity has become an urgent matter for offshore oil and gas producers.

A Government Accountability Office (GAO) report released this year warned that cybercriminals or state actors could trigger the equivalent of another 2010 Deepwater Horizon disaster.

The GAO report found that despite explicitly identifying the need to address cybersecurity risks to offshore infrastructure seven years ago, the Bureau of Safety and Environmental Enforcement (BSEE) remains in the early stages of establishing a program to do so.

“Offshore oil and gas infrastructure faces significant and increasing cybersecurity risks in the form of threat actors, vulnerabilities and potential impacts,” the October report said. “Threat actors are becoming increasingly capable of carrying out attacks on critical infrastructure, including offshore oil and gas infrastructure.”

At the same time, offshore infrastructure is becoming more exposed because the operational technology (OT) used by offshore oil and gas producers is increasingly vulnerable to cyberattacks that could cause serious harm “to human safety, the environment and the economy,” the report found.

Uncharted cyber risks

No one is sure about the extent of past cyberattacks on offshore infrastructure. None of the federal officials or industry representatives GAO contacted were aware of any cyberattacks or specific requirements to report them if they occur. W&T, which is publicly traded, has disclosed in Securities and Exchange Commission reports that it has experienced cybersecurity incidents to its systems but that it did not suffer any material impacts to its business as a result.

GAO identified two cybersecurity incidents involving offshore oil and gas infrastructure during its review.

In 2009, a grand jury indicted an offshore oil and gas company's former employee on allegations of temporarily disabling a computer system for detecting pipeline leaks for three oil derricks off the southern California coast.

And in 2015, a U.S. Coast Guard official made statements regarding a cybersecurity incident where malware was unintentionally introduced onto a mobile offshore drilling unit. According to the USCG, the malware affected the dynamic positioning system, which resulted in the need to maneuver to avoid an accident.

Other publicly reported cyberattacks have demonstrated the risk from successful cyberattacks, including shutting down industrial furnaces, overriding an oil refinery’s safety devices and cutting off power to hundreds of thousands of people.

Exploits: How cybersecurity vulnerabilities caused real-world harm

| Impact | Description | Example |
| --- | --- | --- |
| Property damage | Damage or destroy infrastructure, equipment, and the surrounding environment when attacking control systems. This may result in device and operational equipment breakdown or represent tangential damage from other techniques used in an attack. | In December 2014, a cyberattack resulted in the mis-operation of an OT system, including the improper shutdown of a furnace and physical damage to a German steel mill’s facilities. |
| Productivity, revenue loss | Attackers may cause a loss of productivity and revenue by damaging or disrupting the availability or integrity of industrial control systems operations, devices, and related processes. | In December 2019, a form of ransomware named EKANS infected various OT devices, reportedly in the U.S., Europe, and Japan, by encrypting files and displaying a ransom note, which impaired operations. |
| Safety | Attackers may compromise safety system functions designed to maintain safe operation of a process when unacceptable or dangerous conditions occur. | In 2017, Russian cyber actors manipulated a foreign oil refinery’s safety devices, which resulted in the refinery shutting down for several days. |
| Loss/denial of control | Malicious actors may seek to prevent operators and engineers from interacting with process controls. | In 2015, Russian attackers uploaded malicious software to certain devices in Ukraine, with the intent of ensuring that utility operators could not issue remote commands to bring electricity substations back online. |
| Manipulation of control | Command messages are used in OT networks to give direct instructions to devices. Attackers may send unauthorized command messages to instruct industrial control systems devices to perform actions outside their desired functionality for process control. | In the 2015 Ukrainian attacks, Russian attackers issued unauthorized commands to open the breakers at substations that three regional electricity utilities managed, causing a loss of power to about 225,000 customers. |

Source: GAO

Growing cyber threats

U.S. intelligence officials have assessed that China, Iran, North Korea and Russia pose the greatest cyber threats of disrupting critical infrastructure, according to the 2022 Threat Assessment of the U.S. Intelligence

But cybercriminals are also increasingly a hazard, increasing the number, scale, and sophistication of ransomware attacks. The GAO also said that hackers and hacktivists, as well as company insiders, pose significant cyber threats to offshore oil and gas infrastructure.

Image: Deepwater Horizon cybersecurity (Source: U.S. Coast Guard)

In 2013, the hacker activist group Anonymous threatened to target the oil and gas sector in a June 20th operation. The group said that it would target several countries, including the U.S., China and Russia. Press reports indicated that the threats did not result in significant disruptions.

The Coast Guard and the Bureau of Safety and Environmental Enforcement told the GAO that the effects of a successful cyberattack would likely resemble those of other incidents related to OT systems that have occurred in the outer continental shelf (OCS).

According to BSEE incident investigation documentation, these can include “deaths and injuries, damaged or destroyed equipment and pollution to the marine environment.”

But the worst-case scenario would be multiple attacks that simultaneously cripple an operator’s OT.

“For example, the failure of the mobile offshore drilling unit Deepwater Horizon’s blowout preventer—an OT system—contributed to its explosion and sinking, as well as 11 deaths, serious injuries and the largest marine oil spill in the history of the U.S.,” the report said.

Pipeline and Hazardous Materials Safety Administration (PHMSA) officials have also indicated that cyberattacks against pipeline OT—such as valves controlling oil and gas flow—could disrupt production and transmission.

In a now infamous attack, in 2021 criminals extorted Colonial Pipeline, which was forced to shut down a major pipeline system because of a ransomware attack. Disruptions to the pipeline resulted in a temporary halt to operations, which led to gasoline shortages throughout the southeast U.S.

BSEE slow to act

BSEE has taken few actions to address cybersecurity risks to the more than 1,600 oil and gas facilities and structures on the OCS, GAO found.

“This creates significant liability, given that a successful cyberattack on such infrastructure could have potentially catastrophic effects,” the report said.

BSEE officials say the severity of cyberattacks could be mitigated by on-site manual controls that can override automated systems, although they could not point to any specific analysis supporting that conclusion.

“Specifically, these officials stated that operators have the ability to manually shut down operations, in the event of an emergency, to prevent the worst outcomes,” GAO reported, noting that the statements were generally based on the professional experience of the BSEE officials who “were not aware of any assessments confirming that manual controls could mitigate the impacts of cyberattacks.”

Since BSEE recognized the need to act in 2015, the scale and scope of cybersecurity risks have continued to increase, creating even greater urgency for the bureau to respond.

BSEE has struggled to address cybersecurity risks to offshore oil and gas infrastructure and only recently has taken steps to start a new initiative, the GAO said.

“This effort remains in the earliest stages of development,” the report said.

According to the report, BSEE should be guided by an overarching strategy that identifies:

  • Cybersecurity risks and relevant practices to address them;
  • BSEE’s role in addressing them;
  • Relationships to formalize with other federal agencies and industry organizations;
  • Resource needs, such as appropriate staffing levels; and
  • Performance measures to assess results.

Without a strategy to guide the development and implementation of its new cybersecurity program that incorporates these key features, the effectiveness of any cybersecurity program that BSEE ultimately establishes could be constrained, GAO warned.

“This, in turn, would jeopardize the bureau’s ability to address the significant and increasing cybersecurity risks facing offshore oil and gas infrastructure on the OCS.”