Grady Hurley,Jones Walker LLP
The UnitedStates is becoming an exporter of energy products, enabled by the successful exploration and production of onshore shale deposits and offshore deepwater prospects for oil and gas.
At the same time, advances in technology have also exposed the energy industry to cyber risks that should be accounted for in master service agreements (MSA), which dictate relationships between service “contractors” and “companies.”
As technology has advanced, wells have been drilled deeper and farther from shore. As technology has developed, the reliance upon automated systems has replaced manual labor.
Offshore energy service contractors support the exploration, production and transportation of natural resources in both state waters and on the federally controlled Outer Continental Shelf (OCS). It takes a variety of specialty service contractors to drill a well on the OCS. The OCS includes the submerged lands, subsoil and seabed lying between the seaward extent of a State’s jurisdiction, usually beyond 3 miles and extending 200 miles. It is governed by federal regulatory schemes under the Outer Continental Shelf Lands Act (OCSLA) enacted in 1953. Work on the OCS involves vessels, aircraft and various types of platforms used for drilling and production.
The predominant form used to employ service contractors for OCS exploration, production and transportation services is an MSA which sets forth the general terms and conditions between “companies” and “contractors.” Attachments to the general terms and conditions of an MSA address specific obligations like drug policies, labor policies, Safety and Environmental Management Systems (SEMS) and insurance. SEMS were dictated by the Bureau of Safety and Environmental Enforcement (BSEE) in response to the Macondo blowout. Other governmental agencies and departments with regulatory interests include the Occupational Safety and Health Administration, the Department of Homeland Security and the United States Coast Guard.
Today’s exploration for oil and gas is dependent on computers running automated systems which are monitored by skilled workers and contractors providing drilling, production and transportation services. Wells are drilled and minerals are produced using a variety of structures, including platforms, drilling ships and a variety of mobile drilling units which are floated onto deepwater locations and held onto location by advanced dynamic positioning systems. Offshore exploration has entered the age of high risks and high rewards.
Since many industries, including the oil patch, are dependent upon computers and autonomous systems to operate safely, companies and contractors have begun incorporating best practices to avoid well control problems and other incidents. The risks of automation, including cyber security, are acknowledged and accounted for in an MSA or a safety bridging agreement.
Understanding the MSA form and federal cyber security directives applicable to offshore operations is necessary for companies and contractors in contracting for energy exploration and production services on the OCS. A cyber breach could lead to dire consequences, including injury to people, property and the environment. It should be considered as part of any HSE program, and should be proactive in recognizing risks in offshore operations where computers control and monitor the vessels, platforms and machinery.
In 2018, offshore operations and communications are facilitated by and dependent upon the use of technology. The exploration for natural resources and its transportation via ships and pipelines are dependent upon computers, electronics and robotics systems. Vessels and platforms employed for offshore drilling and production are subject to computer programs, smart phones, and satellites which are used to operate, communicate, and position. Offshore service vessels are equipped with auto-pilots, rely upon electronic charts and, in some instances, dynamic positioning, to stay on location while drilling for or producing natural resources. A failure to secure these systems from cyber threats could lead to catastrophic failures and severe environmental impacts.
The public safety and security of offshore operations are both a private and public concern. Oversight is shared by various government agencies, primarily under the Department of the Interior and the Department of Transportation. Cyber risks and breaches were recognized in the President’s Executive Order 13800. The Executive Order was issued on May 11, 2017, under the title “Strengthening the Cyber Security of Federal Networks and Critical Infrastructure.” In addition, the Department of Energy has created an Office of Cyber Security.
Under current regulation 33 C.F.R. parts 105 and 106, facilities on the OCS are required to identify and assess security threats and to develop a US Coast Guard-approved facility security plan. These directives, when codified and enacted, will create legal obligations that must be shared by offshore Companies and Contractors. Cyber threats are real and affect the safety and security of offshore operators. It should be accounted for between companies and contractors in any MSA. Recognition of the importance of cyber security should be part of the discussion in drafting and negotiating an MSA.