There has been significant interest within the offshore oil and gas industry to utilise Industrial Internet of Things (IIoT) and Industrial Cyber-Physical Systems (ICPS). There has also been a corresponding increase in cyberattacks targeted at oil and gas companies. Offshore oil production requires remote access to and control of large and complex hardware resources. This is achieved by integrating ICPS, Supervisory, Control and Data Acquisition (SCADA) systems and IIoT technologies. A successful cyberattack against an oil and gas (O&G) offshore asset could have a major impact on the environment, marine ecosystem and safety of personnel. Any disruption to the world’s supply of O&G can also have an effect on oil prices and the global economy. We describe the cyberattack surface within the oil and gas industry, discussing emerging trends in the offshore sub-sector and provide a historical perspective of known cyberattacks. We also present a case study of a subsea control system architecture typically used in offshore O&G operations and highlight potential vulnerabilities affecting the components of the system. This study is the first to provide a detailed analysis of attack vectors in a subsea control system. The analysis provides can be used to understanding key vulnerabilities in such systems and may be used to implement efficient mitigation methods.