Today the Bureau of Safety and Environmental Enforcement (BSEE) published a proposed rule in the Federal Register (78 FR 52239-52284) that would revise the regulation of production safety systems for Oil and Gas and Sulphur Operations on the Outer Continental Shelf. This is a very complex rule with most of it being outside my professional comfort zone, but I am concerned that I can find no mention of any requirements for cybersecurity to protect these critical safety systems.
There are numerous references to various control systems and monitoring systems that are integral parts of the safety systems controlled by these regulations. Because much of the monitoring and control involved in these systems is done remotely these systems are potentially vulnerable to remote cyber-attacks. A successful cyber-attack on these safety systems, either in conjunction with other attacks on the platforms or as stand-alone attacks on the safety systems could have catastrophic consequences.
The failure to specifically address the electronic and physical security of these safety systems makes no sense, particularly when there have been well documented efforts made to compromise control systems in the oil and gas industry.