Industry recognizing need for better cyber defenses as hackers become more sophisticated and drilling equipment becomes more interconnected
By Linda Hsieh, Managing Editor
When IADC releases its first set of cybersecurity guidelines later this year, it will hopefully push a long simmering issue from the back burner to the forefront: The drilling industry is woefully unprepared for cyber-attacks, and time for action is now.
We already lag behind other critical infrastructure industries like electric power and nuclear. Within oil and gas, the midstream and downstream sectors are also moving to improve cyber preparedness at a faster pace than upstream. But as our industry continues to automate and digitalize the drilling process, cybersecurity has become an inevitable and critically important consideration.
“Drilling systems are designed around the theory of an isolated network – that the hundreds of miles of ocean and the physical barriers to get to the rig constituted sufficient security to make sure they couldn’t be compromised,” said Kent Hulick, formerly Control System Security Manager for National Oilwell Varco (NOV). “That seemed perfectly valid in the 1990s and early 2000s, really up until about 2010, when Stuxnet hit the world.”
He’s referring to a highly sophisticated computer worm, discovered in 2010, that reportedly took out nearly one-fifth of the centrifuges at an Iranian nuclear facility. The malware wasn’t built to steal passwords or credit card information. It was designed to attack industrial programmable logic controllers (PLCs), and unlike others that came before it, this one reached from inside the virtual world into the real world to execute physical destruction. “Stuxnet proved that the isolation strategy was insufficient. It attacked a facility that was an industrial control system that was offline, and the security of that control system was purely isolation as a strategy,” Mr Hulick said.
Experts point out that drilling rigs are not even as isolated as the industry believes them to be. Automation technologies and the digital oilfield have made drilling rigs and all the equipment onboard much more interconnected than before. Look around any rig with PLC-based systems and you’ll likely find unsecured USB ports into which infected flash drives can be plugged. Maintenance laptops, which employees routinely use to surf the Internet or download movies when off-duty, are often hooked up to various rig systems without much consideration of potential cyber risks. Rigs also commonly provide remote access to multiple shore-based facilities, whether for real-time operations support or equipment troubleshooting.
“We have taken the goodness of technology and all that it gives us – the efficiencies and safety – but we haven’t acknowledged the bad,” said Mark Weatherford, Principal for the Chertoff Group, a risk management and security consulting company. “It’s like building a facility and not putting a fence and guards and cameras and guns around it, and just assume it would be OK. Nobody in their right mind would do that, but that’s what we’ve done with technology in many respects.”
He points out that oilfield organizations have traditionally operated under an air-gap process where all operational technology (OT) systems, like SCADA, are separate and distinct from internet-facing IT systems. “That has changed 100%,” Mr Weatherford said. “I call it the air-gap myth. Anyone who thinks they have an air gap between these two systems is naïve and misinformed because it simply doesn’t exist any longer.”
The good news is, it is still relatively difficult for someone without access to remotely hack into a drilling rig, unless someone with access has already opened a back door for the hacker by intentionally or unintentionally introducing malware into the rig. The bad news is, it’s not that difficult to get that back door opened, and hackers are getting more sophisticated everyday. “A few years ago, the black hat hacking community was really not paying a lot of attention to the oil and gas environment. They were mostly focused on the IT world,” Mr Weatherford said. “That has changed dramatically in the past couple of years. There have been a number of events where we have seen some of the hacking groups in other countries really come up to speed on the technologies we’re seeing in the digital oilfields.”
Look at the August 2008 oil pipeline explosion in Refahiye, Turkey. At the time, the incident was attributed to a mechanical failure. Only last year did it surface that the explosion was the result of a cyber-attack. An investigation by the US indicated that hackers had infiltrated the pipeline’s surveillance systems and valve stations, shut down alarms and super-pressurized the crude oil in the pipeline, causing the explosion. US intelligence has pointed the finger at Russia, indicating that the explosion was used as a cyber weapon.
But attacks don’t have to be nearly this sophisticated to wreak havoc. Case in point is Shamoon, a virus that in 2012 infected a reported 30,000 computers on the Saudi Aramco network, wiping their hard drives and disrupting business for approximately two weeks. A similar attack the same year at Qatar’s RasGas was also attributed to this virus, although that was never confirmed.
In Aramco’s case, the virus was eventually traced to a single disgruntled employee who had access to the internal company system and introduced the virus via a USB stick. Whether an employee is disgruntled or not, however, it’s really not that difficult to get them to unknowingly place a malware into a rig system, said Dr Siv Hilde Houmb, Chief Technology Officer for Secure-NOK, an oil and gas cybersecurity specialist company.
Dr Houmb, who previously worked for 15 years as a white hat hacker and currently serves as an Associate Professor at the Norwegian Information Security Laboratory at Gjøvik University College, describes this potential action plan from a hacker’s point of view: “If I want a malware placed on a rig, I’ll figure out who works on the rig. If I want to target Oil Company X, I need to decide on the region and target rig for the attack, e.g. Rig Y in Gulf of Mexico. Based on this, I know which drilling contractor owns or operates the target rig. I can also figure out whom they employ by means of simple profiling based on information from social media and similar websites, such as LinkedIn. I can also figure out which service companies are on contract on Rig Y, as well as their subcontractors. Then, depending on the desired goal of the attack, I’ll find a person who has appropriate access and start engaging with the person.
“A simple search online will reveal enough information about the characteristics and interest of a person – what they look like, what their interests are. Do they play golf? Are they a cyclist? Then I’ll find them at a conference or a social gathering as I know what their interests and profession are, where they are receptive to taking things from people they feel like they can trust. Then basically I’ll just say, ‘Oh, there’s a new game you should really try. I’ll give it to you for free.’ ”
This type of plan sounds admittedly elaborate and far-fetched, but it’s definitely possible and, according to Dr Houmb, not that difficult for an experienced hacker to carry out. She explained that she doesn’t believe the industry should live in fear of such attacks, yet the mere possibility means that companies should be taking action to improve their cyber preparedness. “You might look at a targeted attack as an event that won’t happen in another 50 years, so it’s not really a problem. Unfortunately, you don’t know in which part of the 50 years it will happen.”
One widely reported cyber incident that involved a drilling rig happened in 2010 on a newbuild offshore rig after it left its construction site in South Korea. The incident was not a targeted attack, but nevertheless the rig was overwhelmed by malware while en route to its drilling location. Multiple computers on the rig were infected, including the one controlling the BOP system. The rig was shut down for 19 days.
Another incident was just cited this summer by the US Coast Guard (USCG), where malware was mistakenly downloaded onto a MODU. “There was a cyber-related problem that impacted the dynamic positioning system and resulted in the need for an emergency breakaway to avoid an accident,” Captain Drew Tucci, Chief for the USCG Office of Ports and Facilities, said. “That incident does not appear to have been from a targeted foreign company or terrorist organization that was trying to cause an accident. It appears that it may have been caused simply by poor cyber practices onboard the vessel.”
In June, the USCG issued a new cyber strategy to guide the agency’s efforts in the cyber domain over the next decade. It is also drafting a set of guidelines to help industry identify cyber risks and ways to deal with those risks, Captain Tucci said. The goal, he added, is to have a performance-based system in place. “What we expect the industry to do is identify the risk, do their homework and realize you’ve got systems that could lead to problems if they’re not addressed… Certainly the Coast Guard is not going to come out with any sort of prescriptive (regulations),” he explained. The USCG expects to issue a draft version of the guidelines by this fall and a final version by early 2016.
Captain Tucci also stressed that no company – no matter how small – should think cybersecurity is irrelevant to them because they’re “too small to be noticed by the bad guys.” Any sophisticated terrorist attack on the US in the future will likely have a cyber component, he explained. Even if a company detects what seems to be a minor system breach, it could be “part of something broader that’s going on within the port community.” Reporting it could allow the USCG to communicate with other federal agencies to prevent bigger attacks.
“There are two different types of organizations – those that have been breached and those that don’t know it,” Captain Tucci said. “Unfortunately, cyber-attacks and cyber accidents are going to continue to be a problem.”
Awareness is growing in the industry, however, and so are cybersecurity budgets. An analysis released in July by consulting firm Frost & Sullivan found that, in the US oil and gas industry, the proportion of the annual budget spent on cybersecurity ranged from 5-10% in 2014. This is expected to double in the next two to three years, said Sonia Francisco, Industrial Automation and Process Control Senior Research Analyst for Frost & Sullivan.
In her research, Ms Francisco found that most systems on today’s rigs were not designed with security in mind – they were built to provide operational efficiencies. Further, the traditional IT approach – running anti-virus software and “disinfecting” the system by removing any malware that’s found – will not work in the industrial control system setting. “You can’t just have an anti-virus that you would use on a normal IT network to protect the operational technology network because those are far more complex,” she said.
From a vendor point of view, NOV is devoting significant efforts to ensure that its new NOVOS integrated drilling control system has cybersecurity features built in from the ground up. The company is also developing retrofits to enhance the security of its Amphion and Cyberbase systems. Mr Hulick, who oversees security for all three systems, agreed that traditional IT approaches won’t work in an industrial control system setting.
“The main reason is that the primary purpose, or the security objective for the control system, is to keep it up and running,” he said. Virus scans, for example, are significant drains on system resources. With a personal computer, the scan can simply be scheduled for a time when the computer is not being used. “But there is no idle time on an industrial control system. There’s no time when it’s convenient to have your SCADA system not work correctly,” Mr Hulick said.
The traditional IT response to a virus – removal of the infected file – is also not appropriate for industrial control systems. The infected file may be critical to the operation of the SCADA system, and deleting it could cause the entire drilling system to hang or crash.
Under NOV’s approach to control system security, Mr Hulick said, the first step is to achieve true isolation for the drilling control system. “That’s quite challenging for our systems because we know we have to update software. We know we have to do maintenance on equipment… So how do we get software updates and configuration updates into the rig control system without also providing a path for undesirable software? The answer to that is to have a secure channel.”
He explained that NOV is implementing the secure channel using a public key infrastructure – the same kind of encryption and authentication used for things like e-commerce and online banking. This allows all the applications and software being brought onto a rig to be authenticated.
“It also means that the rig has to have what we call a diagnostic workstation. If there’s special software or special cables, if there’s equipment that is needed in order to maintain the control system on the rig, it has to be pre-deployed and stay on the rig,” he said. “You don’t have rig service hands bringing laptops and connecting them into the control system because, as soon as they do that, you’ve lost your isolation.” This isolation typically refers to separating the rig from the outside world, he said, but segregation inside the rig should also be implemented where possible. “We want to isolate the drilling control system from the vessel management system, for example, so that a compromise in one system doesn’t spread into another.”
Isolation is just one layer to a cybersecurity strategy, and multiple layers are needed in what security experts call the defense in depth approach. Not only do companies have to keep malware from coming into their system, but they also need a method for monitoring what’s happening inside the system for unauthorized activity. In computer lingo, Mr Hulick said, this is called putting in a honey pot.
“We know we can’t load virus scanning on the actual SCADA computer because that’s critical for mission operations. What we can do is duplicate the SCADA software on a virtual machine that’s connected to the network but outside of the loop from the control system. We can run virus scans on that system because it’s not important to the continued operation of the rig. If we do find a virus or malware on that honey pot, we can be pretty certain that virus or malware is also on the SCADA components in the system.”
Another monitoring method is intrusion detection, which relies on the predictability of communications within an industrial control system. “All of the communication that happens in an industrial control system happens over and over and over again; it’s always the same. We can use that predictability to identify unusual communications that’s not following the rules of the industrial protocols we’re using,” Mr Hulick said, noting that NOV is working to develop proprietary methods of intrusion detection.
Further, the company is developing ways to monitor the performance of the control system. If malware has infected the system, yet it’s not affecting the drilling operation, “the right thing to do is to leave the drilling operation running while we formulate a strategy to get rid of the malware in a way that doesn’t disrupt the activities of the rig,” he said. “We need to provide the operators with the kind of information that they need to make a reasonable decision about how they should proceed in the event of a malicious software incident.”
On an industrywide level, work has been ongoing through the IADC Cybersecurity Task Group, established in mid-2014. The group operates under the Drilling Control Systems (DCS) Subcommittee of the IADC Advanced Rig Technology (ART) Committee. DCS Subcommittee Chairman Trenton Martin said the industry’s interest in cybersecurity was formalized back in 2013 during an automated poll taken at the IADC ART conference in Stavanger, Norway. Based on that poll, the subcommittee decided to form a work group to develop digital security guidelines.
The first set of guidelines, due out later this year, will focus on establishing a risk assessment methodology. “Our main focus was to base the guidelines on existing standards because there are already a number of them out there specific to cybersecurity,” Mr Martin said. “We didn’t want to reinvent the wheel – we wanted to aid drilling contractors and the industry in how to apply those standards.” The IADC guidelines will incorporate standards from the International Society of Automation (ISA), the International Electrotechnical Commission (IEC) and the National Institute of Standards and Technologies (NIST).
At Diamond Offshore, which has been an active participant in the IADC task group, work has been ongoing for the past year to develop three cybersecurity training modules specifically focused on industrial automation. The first is a generalized training for all crew members, and the second is a higher-level training for employees with full access to the networks, such as electrical technicians, captains and maintenance supervisors. “The third module is to train the trainer so that we can carry this forward,” said Gregory Villano, Industrial Automation & Control Systems Superintendent for Diamond Offshore. “We want to make sure that any new crew members are trained and made aware of our policies and procedures as they arrive on the rigs.” Mr Villano said the training modules were due to be rolled out by late August.
Other ways in which Diamond Offshore is improving its cybersecurity include sending its employees to cyber emergency response classes held by the US Department of Homeland Security, as well as conducting its own ethical hacking classes for IT and electrical personnel. “We’re working to raise awareness of the importance of cybersecurity and ways to mitigate the risks of potential cyber-attacks. This is important for every person on the rig, internal and external to Diamond,” Mr Villano said.
Indeed, humans are likely going to be the weak link in the industry’s defenses against cyber threats. Network and system security can and will be improved going forward, but it’s no use having a heavily guarded front door if you just leave the back door open. Manoj Kumar, co-founder and CEO of Graphus, a company that provides cloud-based products and services to detect targeted cyber-attacks, called social engineering a gaping hole in the industry’s vulnerability.
“We, as people working in organizations, are ourselves a threat surface, and this threat surface is getting exploited by the adversaries,” Mr Kumar said. If an email looks like it comes from a credible source, people don’t think very much of clicking on links or opening attachments. “Or if the email looks like it’s coming from our boss, and they want to know something from the IT department, we don’t think a whole lot before we respond or take action on those emails.”
He predicts that 95% of cyber attacks will originate with social engineering attacks coming through emails, i.e., spear phishing attacks. “This is one area that is extremely difficult to protect against because, at the end of the day, the whole trick is to socially engineer the recipient into taking an action that the sender wants them to take… Malware is nothing but software, and if a person with the right privilege executes it in the environment, then the malware will get installed. This is the biggest threat that the oil and gas or any other industry is facing today because it is extremely successful in penetrating networks.”
Awareness training will certainly help, but it’s also important to have incident response systems in place, Mr Kumar said. Graphus, for example, is developing systems that will analyze suspicious emails to figure out whether they’re malicious and, if so, what is the potential impact on the organization.
Another company offering cybersecurity services to the oil and gas industry is AE Solutions. The company has worked with drilling contractors to build cybersecurity into their corporate risk matrices. This can be a challenge because risk matrices at most drilling companies were developed with safety in mind, and safety has a history, said Kenneth Frische, Industrial Cybersecurity Principal Specialist at AE Solutions. “When we try to use that traditional risk matrix for cyber, we do not have that history. You end up with a grossly optimistic view of your risk levels.” Creating a separate risk matrix associated directly with cyber threats is one possible solution.
Mr Frische also suggests that contractors think about cybersecurity from the very beginning of a rig’s life – before it’s even delivered from the yard. He believes that many rigs are actually already infected with malware during the construction process. “So many different contractors have to work on it to get it up to speed. You think you’re accepting a system that has nothing in it, but it hasn’t been cyber-tested,” he said. He suggests that the new normal going forward should be to ensure newbuild rigs undergo cyber versions of functional acceptance tests (FATs) and site acceptance tests (SATs). “After a FAT is done, you do a cyber FAT. Once SAT is done, you do a cyber SAT,” he said.
He also hopes to see more companies within the drilling industry acknowledge the value of taking a proactive approach to cybersecurity – he’s seen too many instances of malware-infected rigs where the infection went undetected for months or even years, he said. In most cases, that virus or malware will cause nothing more than downtime. Yet, it’s only a matter of time until hackers set their sights on something worse, said Mr Frische, who is certified as a hacker himself. “If I went after a driller, what am I after? It’s a blowout. That’s the prize of going after IADC-type environments.”
It’s important to emphasize again that experts agree the potential for a cyber-attack resulting in a blowout is very low at this point, but they also remind the industry that motivations do exist for attacks targeting drilling rigs. Hacktivism, as well as terrorism/cyber espionage by nation-states, are genuine threats. “If something happens at your company, you want to be in a position to show that you’ve done your due diligence,” Mr Frische said. “ ‘We did a risk assessment. This incident falls here in the risk matrix of our company. We decided to accept that risk because it’s too expensive to deal with.’ You would be OK. But if you have no answer and you have no plan, that’s not a good position to be in.”
Looking to the future, it’s clear that cybersecurity has become an additional risk that the industry will have to account for and manage, and there is no easy one-size-fits-all solution. “A lot of times people think there is an ‘end of the line’ for cyber, that you can invest enough money and decrease your cyber risk to zero,” Mr Weatherford of the Chertoff Group said. “It doesn’t matter if you’re flying airplanes or drilling holes for oil, you are never going to eliminate the risk completely. The only way companies can make progress is by acknowledging that. Companies need to start building this into their budgets and their operational planning. It’s another component that they will have to address every year from here to eternity.” DC
DC Editorial Coordinator Alex Endress contributed to this report.
Click here for an online-exclusive interview with Northwest Technical Solutions, which recommends an engineering approach to cybersecurity.