In the era of digital transformation, CyberSecurity has become an increasingly popular topic of discussion in the oil and gas industry. Rising cyber threats have forced industry leaders to quickly identify and mitigate cyber risks with appropriate action. Insecure computer systems and networks can lead to catastrophic interruptions, including breaches of sensitive data, damage to critical assets and fraud, when vulnerabilities in the cyber systems are exploited by a user with illegal access.
Offshore drilling is a well-engineered process which involves sophisticated equipment to make the process safe, efficient and productive. The machinery on a modern drilling rig is mainly controlled by PLCs (Programmable Logic Controllers), HMIs (Human Machine Interfaces) and SCADA (Supervisory Control and Data Acquisition) systems, and is classified as an Industrial Control System (ICS) or, as termed by ISA/IEC 62443, an Industrial Automation and Control System (IACS).
On a modern drillship with a DP class 3 specification, there are two independent networks that integrate thruster controls, dynamic positioning, power distribution and other operational systems.
Drilling control systems integrate the Cyberbase with PLCs controlling various drilling equipment, mud control systems, sensors, actuators and drilling data logging. The drilling control system is also integrated with SCADA for drilling data analysis.
Depending on the asset sophistication, there may be OEM remote access to the drilling network for diagnostics and remediation.
Modern blowout preventers (BOPs) and condition-based monitoring for various equipment may also have their own network-based control systems, separated from the global rig network but equally vulnerable. Recent technological advancements, including remote drilling, increase the complexity of the industrial automation and control systems.
Big data requirements, which are supported by cloud-based data storage and Artificial Intelligence based analytics, also require access to the Industrial Control Systems.
Such integrated control system designs achieve an efficient drilling process, but they also pose risks: they could expose vulnerabilities that lead to cyber-attacks if proper security policies, procedures and risk mitigation are not implemented. Drilling companies are adopting CyberSecurity policies based on the CyberSecurity standards set by OEMs, clients and standards institutes.
Cyber-attacks can come from malware, phishing, spear-phishing, ransomware, Trojans, DNS (Domain Name System) hijacking, Distributed Denial of Service (DDoS) attacks, data breaches and the more recently known advanced persistent threats (APTs).
Such malware has been responsible for severe financial and reputational damage. It is important to maintain good cyber hygiene, especially for Industrial Control Systems (ICS), which do not normally have anti-malware or other forms of protection.
Just one example of this is a recent ransomware attack on the US East Coast Gas Pipeline, which led to an 8,900-kilometre pipeline being shut down for six days. The company was forced to pay a ransom to recover access to its IT systems; recovering its IT infrastructure would otherwise have cost the company millions of dollars and taken months.
Cyber-attacks can have a significant impact on essential rig equipment such as dynamic positioning, power management systems and blowout preventer controls. During recent audits, ADC specialists have identified vulnerabilities in the base operating system and in network / firewall devices. One of the most common threats is the lack of CyberSecurity awareness among the rig workforce. Personnel with no CyberSecurity understanding can easily fall prey to attacks such as phishing and malware. Personnel on board using unauthorised USB devices on critical systems, unused open USB ports on the terminals, outdated software and obsolete / outdated hardware were among the commonly observed vulnerabilities.
Deficient CyberSecurity policies and procedures result in an increase in vulnerabilities in the system. Senior management is responsible for identifying the critical risks and implementing pertinent mitigation throughout the company, ensuring effective control measures are in place.
Common vulnerabilities outlined by the International Maritime Organisation guidelines 2021 include:
Offshore drilling companies and major oil companies are aware that their valuable assets are the target of an increasing number of cyber-attacks, and OEMs are now focusing on designing ‘cyber-secure’ systems which reduce this risk.
Major offshore drilling companies have developed systematic risk mitigation strategies based on frameworks including the NIST CyberSecurity Framework, ASTM, IMO guidelines, recommended practices by API, ABS and DNV, and other international standards and guidelines.
It is important that offshore drilling companies formulate efficient strategies and implement them effectively to make the workplace safer while protecting their valuable assets from attackers. With advancing technology and increasing vulnerabilities and threats, being well prepared is key to mitigating and minimising the impact of cyber-attacks.