2019Drilling Rigs & AutomationSeptember/October

Reducing cyber risk: how Valaris went from limited OT visibility to comprehensive device visibility

OT network monitoring system allows for the detection of not just cyber risks but also operational risks, enhancing the preventive maintenance process

By Dario Lobozzo, Forescout Technologies

With quantifying and mitigating cyber and operational risks becoming a Board-level priority, oil and gas asset owners are beginning to craft long-term risk reduction strategies. Valaris recognized that the first step toward reducing risk was to review potential vulnerabilities on its extensive rig networks. To mitigate operational and safety risk to control, it was critical to fully understand the type of threats and their origins.

Early focus was centered on finding and training qualified personnel to map the network and to establish a strategy to protect it. This operational technology (OT) cybersecurity team was tasked with identifying all the existing assets in the network and assessing their risk levels.

The team’s leader – Juan Negrete, Valaris OT Cybersecurity Manager and Co-Chair of the IADC Cybersecurity Committee – quickly recognized the challenges of such a manual process. It risked taking a considerable amount of time, and threats could go unnoticed in such a vast operation of connecting multiple rigs and offices around the world. An alternative approach was required.

“We needed visibility into what we had and what the risks were,” Mr Negrete said. “We were doing manual exercises to identify assets and assess risk, which we knew was both inefficient and incomplete. It was a black hole of risk, and there was no room for error if we were going to mitigate risk to an acceptable level.”

If the team was not going to manually map the control system networks, then how were they going to do it? A different solution was required to accelerate the process to deliver a more robust solution.

Ultimately, it was decided that the solution should be an OT network monitoring tool. Although this type of technology is widely deployed in the utility industry, it is still relatively uncommon in the offshore drilling industry. However, centralized oversight was required for an expansive and complicated network.

The company then began evaluating OT network monitoring solutions to identify the right fit. The right solution would be able to keep track of all the devices connected to the network, identify any deviations in the normal baseline of network traffic, and archive the data for future reference.

When going through the proof of concept (PoC) and vetting of vendors, the results gave improved visibility into the rig’s critical systems. This provided an initial understanding of how deploying an OT network monitoring tool could help reach the goal of deeper visibility and how this information would prove valuable in reducing the company’s cyber and operational risks.

The PoC also proved vital in providing an accurate budget for the project.

“The results of the PoC were eye-opening but also exposed the challenge of deploying newer technology on legacy systems. Because these complexities were exposed during the PoC, we were able to properly budget for this project,” Mr Negrete said. “Without the PoC, we may have underfunded it.”

This figure shows typical placements of network monitoring sensors for a rig network. Although many systems on a drilling rig should be monitored, it is not practical to have a sensor on every system. In this project, it was determined that hardware should be strategically placed on choke points in the vessel’s network.

Because of the deployment of newer technology on a brownfield site, Valaris strategized on how the operational impact from these changes could be mitigated. A shared concern across the oil and gas industry is how implementing any new technology might impact operations and safety and if it will require any design changes. It was important for Valaris to find a solution that did not require significant investment in infrastructure, was intuitive and could be delivered as a turnkey project.

During this project, Valaris was not just architecting for one control system; multiple control systems across its global fleet required monitoring. Everything from the BOP to the dynamic positioning systems (DPS) that prevent the rig from moving off the wellhead had to be monitored. It was not practical to have a sensor on every system, so the hardware was strategically placed on choke points in the vessel’s network.

Figure 1 provides an illustration of typical network monitoring sensor placements for a rig network.

Once the chosen network monitoring tool was up and running, unprecedented visibility into process data became available. Not only could cyber risks, such as the presence of vulnerabilities on a specific device, be identified, but operational risks, like out-of-range process values, also could be determined.

The data on potential operational risks greatly enhanced Valaris’ preventive maintenance process, while the data on potential cyber risks gave important insight into where the system’s vulnerabilities were. This laid the foundation for an in-depth gap assessment into what vulnerabilities were actually on the network.

A critical requirement for a project like this is a strategic partnership between vendor and client. The cyber landscape is constantly evolving, and it is important to partner with a cybersecurity company that will provide long-term support for software, outstanding customer service and a high level of expertise.

The visibility provided through the Forescout Technologies OT network monitoring tool has assisted Valaris in implementing an enterprise-wide risk mitigation strategy.

This case study in cybersecurity risk management is an excellent model for how the collective oil and gas industry can reduce its cyber and operational risks. DC

This article is based on a presentation at the 2019 IADC Cybersecurity for Drilling Assets Conference, 8-9 October, Houston.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button