Study: offshore rigs need cybersecurity improvements

Deep-water drilling rigs face shortfalls and real challenges against cyber attacks and hacking, according to a two-year cybersecurity study, the Houston Chronicle reported on Aug. 27.

Naval Dome, an Israeli and Cambridge, Massachusetts-based cybersecurity firm, partnered with the offshore division of Royal Dutch Shell to identify and reduce cybersecurity risks to offshore deep-water drilling rigs. Their report, published last week at the Offshore Technology Conference in Houston, found that minimum guidelines, regulations and security techniques are out of step with the oil industry as it relies more on automation and remote technology to efficiently and safely drill for crude.

"Where systems installed on offshore platforms had traditionally been isolated and unconnected, limiting cyber hack success, the increase in remote monitoring and autonomous control, (Internet of Things) and digitalization has made rigs much more susceptible to attack," Adam Rizika, Naval Dome's head of strategy, said in a statement.

The oil and gas industry is contending with the growing threat of cyber attacks in the wake of the Colonial Pipeline hack, which disrupted gasoline supplies across the northeastern United States this summer. The Georgia-based pipeline company paid hackers, which used a compromised password, a $4.4 million ransom to regain access to the pipeline. The cyber attack underscored how vulnerable the oil and gas industry is to hackers.

Naval Dome worked with Shell over the past two years to install and test its Endpoint cyber defense system on drilling rigs in the Gulf of Mexico. During a simulated cybersecurity attack to test the system, a service technician unwittingly used a USB stick with malicious software to infiltrate internal systems and networks.

"The modified file was packaged in a way that looked and acted like the original one and passed anti-virus scanning without being identified as a cyber attack or picked up by the installed cyber network traffic monitoring system," Rizika said. "Penetration testing confirmed how a targeted cyber attack on a deep-water drilling rig could result in a serious process safety incident, with associated financial and reputational impact."

Many offshore drilling rigs and production platforms use legacy software that is not connected to the Internet or outside networks. Naval Dome found, however, that traditional antivirus software, network monitoring and firewalls were not enough to protect offshore drilling rigs from attack. The firm raised concerns about the shortage of cybersecurity staff, regulations and controls in the offshore industry.

The cost to upgrade offshore drilling systems is high, and even if upgrades are made, rigs remain vulnerable to cyber attack. The risk rises as more offshore companies use remote technology and automated operations, Rizika said.

"It is abundantly clear that more advanced purpose-built solutions are needed to better protect an offshore platform from exposure to external and internal cyber attacks, whether targeted or otherwise," Rizika said.