
Cyberattacks to drill rigs - understanding the threats

Thursday, January 23, 2014

Control system security expert Christopher Goetz of Kingston Systems explains where the biggest security gaps are on drilling rig control systems - and what you can do about them

We are slowly recognizing our exposure to cyberattacks on our Mobile Offshore Drilling Units (MODUs).
The fear, uncertainty and doubt generated by stories about Flame and Stuxnet have contributed significantly to that awareness.

However, there are significant misconceptions about what is at risk and what can be done to address the risks today. This confusion may help explain why MODU owners have done fairly little to address security concerns.

Here we will break down the MODU control system, understand how and where it is vulnerable, point out its current security gaps and strengths and then provide direction on initial actionable steps.

Baseline Model

Breaking a simplified MODU's control system and IT data network into component blocks, you see a vessel control system, a process control system, and an IT data network linking to external connections and third-party well data providers.

Historically there has been an 'air gap' between the control network and all other networks.
On a rig, the IT data network is not the central core of activity; the control system is.

On conventional data networks (for example in your office), information security and data protection take a significant priority over system up time and availability.

The exact opposite is true of a control system. System uptime is paramount. Any downtime is effectively Non Productive Time (NPT), and prohibitively expensive. This polar variation in business drivers is important to recognize as it drives funding and security solution fit.

Consider that data on the offshore IT network is arguably less critical than that of an onshore reservoir engineering or finance department. Thus it is not unfair to say that the goals, and therefore the security solutions, of a control network and a data network are fundamentally different.

Perhaps confusion over these different drivers has slowed the adoption of security solutions to protect the control system.

The Air Gap

In older MODUs there is a very distinct Air Gap disconnecting the control network from the external world.

This physical Air Gap meant that the system could almost entirely rely on physical security and user education approaches to remain isolated and malware free. So no matter how poorly maintained the MODU IT data side is, the control system remains protected.

Interestingly though, few facility owners have clearly and thoroughly enforced the physical and user education approach to protecting the control system. Almost every rig manager has a story of a vendor boarding the vessel, whipping out their laptop, plugging in to apply a patch and leaving, only to have introduced a system regression or a virus. How did this vendor gain access with a corrupted laptop and leave without post-change testing? Simple user education, process and physical barriers could eliminate these events.

But our hunger for data consumption, remote access and integrated networks means that the 'Air Gap' is dissipating.

Increasingly we see the introduction of external access points, integration between the networks, and integration between disparate control systems: for example remote dial-in support, data synchronization across systems, and live data feeds to shore networks.

New threats include network design flaws and back-door openings; OLE (object linking and embedding) protocol attacks; SQL database corruption; operating system flaws (Windows); poorly designed original code; and the transfer of poor IT security practices onto the control network.

These are all attack avenues that are already familiar to IT data network managers and are therefore easier to address.

The first logical step to improving security is to understand the control system network layout and interconnections with other networks.

With a system mapped out, it is much easier to identify security threat points, and assess the probability and impact of an attack on that system.
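The mapping step above can be made concrete by modelling the rig as zones (the blocks from the baseline model) and conduits (the links between them), then enumerating every route by which an external party can reach a control zone. The following is an added example, not code from the article; the zone names, links and the probability/impact weights are a constructed illustration of the block diagram described in the text, not a real rig's topology.

```python
"""Model a MODU network as zones and conduits, then find every path by which an
external party can reach a control zone and score the result.

Added example for illustration; zone names, conduits and weights are assumed.
"""

# Zones: name -> (is_control_system, impact_if_compromised on a 1..5 scale)
ZONES = {
    "internet":         (False, 1),
    "shore_office":     (False, 2),
    "well_data_vendor": (False, 2),
    "rig_it_network":   (False, 2),
    "process_control":  (True, 5),   # drilling process control
    "vessel_control":   (True, 5),   # ballast, thrusters, positioning
}

# Conduits are directional: (source, destination, description) means traffic
# can be initiated from source into destination.
CONDUITS = [
    ("internet", "shore_office", "corporate WAN"),
    ("shore_office", "rig_it_network", "satellite link"),
    ("well_data_vendor", "rig_it_network", "third-party well data feed"),
    ("rig_it_network", "process_control", "historian data synchronisation"),
    ("internet", "process_control", "vendor remote dial-in"),
    ("process_control", "vessel_control", "integration between control systems"),
]

EXTERNAL = ("internet", "well_data_vendor")


def build_graph(conduits):
    """Adjacency list: source -> [(destination, description), ...]."""
    g = {}
    for src, dst, desc in conduits:
        g.setdefault(src, []).append((dst, desc))
    return g


def external_paths_to_control(zones, conduits, external=EXTERNAL):
    """Depth-first search returning every simple path that starts in an
    external zone and ends in a control zone, with the conduits it uses."""
    g = build_graph(conduits)
    found = []
    for start in external:
        stack = [(start, [start], [])]
        while stack:
            node, path, descs = stack.pop()
            for nxt, desc in g.get(node, []):
                if nxt in path:          # avoid cycles
                    continue
                new_path, new_descs = path + [nxt], descs + [desc]
                if zones[nxt][0]:
                    found.append((new_path, new_descs))
                stack.append((nxt, new_path, new_descs))
    return found


def air_gap_violations(zones, conduits):
    """Conduits that cross from a non-control zone into a control zone: each is
    a point where the historical air gap has been bridged."""
    return [(s, d, desc) for s, d, desc in conduits
            if not zones[s][0] and zones[d][0]]


def risk_table(zones, conduits):
    """Crude probability x impact score per control zone. Probability is taken
    as the number of distinct external paths reaching the zone, capped at 5."""
    paths = external_paths_to_control(zones, conduits)
    table = {}
    for name, (is_ctrl, impact) in zones.items():
        if not is_ctrl:
            continue
        n = sum(1 for p, _ in paths if p[-1] == name)
        prob = min(n, 5)
        table[name] = {"paths": n, "probability": prob,
                       "impact": impact, "risk": prob * impact}
    return table


if __name__ == "__main__":
    for s, d, desc in air_gap_violations(ZONES, CONDUITS):
        print("air gap bridged: %s -> %s via %s" % (s, d, desc))
    for path, descs in external_paths_to_control(ZONES, CONDUITS):
        print(" -> ".join(path), "|", "; ".join(descs))
    for name, row in risk_table(ZONES, CONDUITS).items():
        print(name, row)
    # What-if: remove the vendor dial-in conduit and re-score.
    without_dialin = [c for c in CONDUITS if c[2] != "vendor remote dial-in"]
    print("paths without dial-in:",
          len(external_paths_to_control(ZONES, without_dialin)))
```

The what-if at the end is the point of having the map: removing one conduit (the vendor dial-in) cuts the number of external routes into the control zones from six to four, which is the kind of comparison that justifies a funding decision.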

Control system patches

Process control systems may require security patches to close known deficiencies, in the same way that your Windows OS machines require patches. For example, Siemens issued a fix for the weaknesses in its software that Stuxnet exploited.

The uptime requirement, infrastructure access restrictions and even support aspects of these systems mean these patches are difficult to deploy and often do not happen for long periods if at all. Often the only safe time to implement a 'patch' is during a 5 year Special Periodic Survey.

Thus in the interim, these systems may lie exposed for long periods without the protection of a simple patch. Until the patch can be applied, the 'Air Gap' should be leveraged with enhanced physical security and user education. Bear in mind that an air gap stops network-borne attacks only: Stuxnet reached its isolated targets on removable media, and the vendor laptop described above walks the same path.

Don't rely on anti-virus

Why not deploy software based virus protection across the entire platform as a protection mechanism?

This is a great solution on the highly maintained data network, but there are issues with this approach on a control system.

First, a software solution may not be designed for, or even available on, the PLC or SCADA equipment.

Secondly, a software protection system is only as good as its latest definition file. These may be updated daily, and as mentioned, access to control systems is limited. Additionally, that new, unknown, crippling virus is exactly that: unknown. No anti-virus application can protect against it, which is why control hosts are more often protected by an allow list of permitted executables, blocking everything that is not explicitly approved.

And finally, a security application running in situ may in fact be detrimental to the stable execution of the control system which may be designed to have only select process control applications running to optimally handle network messaging, alarms and control functions.

PLC level attacks are a slightly different animal than a typical data network attack, and the resulting security approach is also slightly different. PLCs are not typically affected by commodity viruses, much as Apple's OS has been relatively virus free. PLCs can, however, be the subject of targeted, focused and damaging attack.

In the case of Stuxnet, a government-sponsored attack, the malicious code on the PLC lay dormant until certain conditions were met; it then rapidly changed the speed of the centrifuges, destroying both the centrifuges and the refined material. It was written with a single goal in mind, and outside of that environment it is relatively harmless. PLCs can be protected in a variety of ways, including whitelisting software and protocol-aware ('packet confirmation') firewalls that inspect each control message before forwarding it.
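A protocol-aware firewall of the kind mentioned above confirms each packet against the control protocol's own structure and a per-host policy, rather than looking for virus signatures. The following is an added example, not code from the article or from any vendor; it assumes Modbus/TCP as the control protocol purely for illustration (the article does not name one), and the host addresses, roles and frames are constructed for the example.

```python
"""Protocol-aware ("packet confirmation") filter for PLC traffic.

Added example. Modbus/TCP is assumed for illustration; the policy, addresses
and sample frames are constructed, not taken from any real rig.
"""
import struct

# Modbus function codes from the public protocol specification.
READ_CODES = {1, 2, 3, 4}        # read coils / discrete inputs / registers
WRITE_CODES = {5, 6, 15, 16}     # write single/multiple coils and registers
MBAP_LEN = 7                     # transaction id, protocol id, length, unit id


def parse_modbus_tcp(frame):
    """Parse the MBAP header and return (unit_id, function_code, payload).
    Raises ValueError for anything that is not a well-formed Modbus/TCP ADU."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame too short")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    # The length field counts unit id + PDU, i.e. everything after byte 6.
    if length != len(frame) - 6:
        raise ValueError("length field %d does not match frame" % length)
    fc = frame[MBAP_LEN]
    return unit, fc, frame[MBAP_LEN + 1:]


def decide(src_ip, frame, policy):
    """Return ("allow" | "drop", reason). Anything that cannot be parsed is
    dropped: the firewall forwards only traffic it can positively confirm."""
    try:
        unit, fc, _ = parse_modbus_tcp(frame)
    except ValueError as e:
        return "drop", "malformed: %s" % e
    role = policy["hosts"].get(src_ip)
    if role is None:
        return "drop", "unknown source %s" % src_ip
    allowed = policy["roles"][role]
    if fc in READ_CODES and "read" in allowed:
        return "allow", "%s read fc=%d unit=%d" % (role, fc, unit)
    if fc in WRITE_CODES and "write" in allowed:
        return "allow", "%s write fc=%d unit=%d" % (role, fc, unit)
    return "drop", "%s not permitted fc=%d" % (role, fc)


# Constructed policy: only the operator HMI may write to the PLC, the
# historian may read, and every other host (vendor laptop, IT network) is
# dropped because it is not on the list at all.
POLICY = {
    "hosts": {"10.1.1.10": "hmi", "10.1.1.20": "historian"},
    "roles": {"hmi": {"read", "write"}, "historian": {"read"}},
}


def build_frame(fc, data, unit=1, tid=1):
    """Assemble a Modbus/TCP ADU: MBAP header followed by the PDU."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample frames.
READ_HOLDING = build_frame(3, struct.pack(">HH", 0, 10))        # read 10 registers
WRITE_SINGLE = build_frame(6, struct.pack(">HH", 100, 0xFFFF))  # write register 100
TRUNCATED = READ_HOLDING[:5]                                    # cut-off header
NOT_MODBUS = struct.pack(">HHHB", 1, 5, 6, 1) + READ_HOLDING[7:]  # wrong protocol id

if __name__ == "__main__":
    samples = [("10.1.1.20", READ_HOLDING), ("10.1.1.20", WRITE_SINGLE),
               ("10.1.1.10", WRITE_SINGLE), ("10.1.1.99", READ_HOLDING),
               ("10.1.1.10", TRUNCATED), ("10.1.1.10", NOT_MODBUS)]
    for ip, frame in samples:
        verdict, reason = decide(ip, frame, POLICY)
        print("%-10s %-5s %s" % (ip, verdict, reason))
```

Note the default-deny shape: an unknown host, an unknown function code, or a frame whose length field disagrees with its size is dropped without needing any knowledge of what malware might have sent it, which is the property the anti-virus approach above cannot offer.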

The probability of a virus attack on a MODU is effectively certain: they happen on the data network every day.

The probability of a Windows OS attack on the control side is also quite likely, but with variable and uncertain impact. These types of attacks have happened, resulting in anything from negligible to significant downtime.

In one rumored case a rig was forced to delay operations while the vendor re-imaged the system from scratch.

Historically, PLCs have not been targets of hackers. But even the US Department of Homeland Security is raising warning levels and asking companies to be prepared. A Stuxnet-like PLC attack on a MODU facility does not have a zero probability.

Digital Energy Journal