Protecting against cyber risk in the offshore energy sector.
This May’s ransomware attack on Colonial Pipeline, which led to the largest fuel pipeline in the US going offline before hackers were paid $4.4m to desist, has served to focus attention on the cyber security threat facing the oil and gas industry as a whole, including offshore platforms.
Recent advances in satellite technology mean that drilling rigs are now far better connected to shore-based systems than before, which in turn increases their cyber vulnerability.
“The Colonial Pipeline attack is a natural progression of what we’ve been seeing in recent years, where the number of cyber-attacks is increasing, the number of successful attacks is increasing, and they’re getting more sophisticated and damaging year on year,” says Adrian Shaw, Senior Incident Response Consultant at Nettitude, the cyber security services provider of Lloyd’s Register (LR).
As with all industries, “the level of detection and response” to cyber risk in the oil and gas industry is “sub-optimal”, he continues, “so more awareness is needed”.
Shaw himself is a former police detective who worked for one of the UK’s first Cyber Crime Units set up under Prime Minister Tony Blair, before leaving to become a government advisor and then join privately owned cyber security specialists Nettitude Group, acquired by LR in early 2018.
Nettitude helps clients mitigate their security risk by conducting ‘penetration testing’, also referred to as pen testing, which consists of a simulated real-world attack on a network, application or system in order to identify vulnerabilities and weaknesses. Nettitude experts are CREST-certified and the company runs its own Security Operations Centre (SOC) in the UK.
In assessing the current vulnerability of offshore oil and gas platforms to cyber threats, Shaw begins by explaining how “four or five years ago, connectivity to anything offshore was extremely limited, in terms of bandwidth and capability. But through the evolution of satellite communications, especially VSAT (Very Small Aperture Terminal) technology, connection to the internet, the attack surface that the attacker can get to, has increased dramatically. So the threats a traditional onshore organisation faces are now being faced by a ship or offshore platform.”
As of this year, ships are required by the International Maritime Organization to address cyber risk and cyber security as part of their safety management systems within the International Safety Management (ISM) Code, and LR has developed its own ShipRight procedures for the Assessment of Cyber Security for New Ships and Ship Systems. But no such global regulation applies to offshore platforms, says Shaw, as cyber security within the energy industry is generally covered by national requirements, with standards and requirements varying from one country to another and little appetite to agree global standards.
However, international standards, notably the International Electrotechnical Commission’s IEC 62443 series, are starting to incorporate cyber security requirements suitable for critical infrastructure.
The risk is similar on a ship or platform, however, continues Shaw. “A crewmember can go on their laptop, access their email and unintentionally click on a malicious link and find themselves compromised. And on a platform, where the machinery is all controlled by networks that are digitised, the hacker can potentially access the Industrial Control Systems (ICS) or Supervisory Control And Data Acquisition (SCADA) system and they could sabotage the operations of the oil rig as they’ve effectively got remote control of the oil rig’s drilling system.”
And even in the case of Colonial Pipeline, when “it wasn’t the SCADA systems that were attacked but the Enterprise System, leaving end user workstations and servers compromised, the company took the decision to take the SCADA system - which is really a cluster of ICS devices - offline”, he points out.
So what should the offshore platform operator do to reduce cyber risk?
Here Shaw refers to the set of Guidelines on Cyber Security Onboard Ships that the shipping association BIMCO has produced, which he says also “seem well suited to offshore platforms” as they “mirror what you would do if you were a land-based company” and thereby constitute a Cyber Risk Management approach.
Shaw runs through a six-step list of recommendations as follows:
Step 1: Risk Assessment – to identify what threat you face, who’s going to be coming after you and what tools and technologies they will use.
Step 2: Identify Vulnerabilities – what digital systems have you got? What can they talk to within the network? Are they ‘patched’ to the latest level in terms of security software updates? Assess the control environment and which users can access which systems with what level of privileges to undertake various actions.
Step 3: Assess Risk Exposure – if there are vulnerabilities identify the level of risk that they are going to be actually exploited by an attacker, ideally using a pen test.
Step 4: Develop Protection and Detection Measures – all around improving and strengthening the control environment to reduce the impact of any vulnerability being exploited.
Step 5: Establish Response Plans – in the event you do suffer a compromise you need a documented process to manage it. Once you’ve developed a plan, test using a tabletop exercise to make sure it works.
Step 6: Incident Response – if you do have an incident or compromise you need to respond to and recover from that using the plan you have developed.
Does an incident – whether it be an actual compromise or the cyber equivalent of a ‘near miss’ – require reporting? Again, this depends on jurisdiction, says Shaw. In the UK, for example, where the energy sector is considered Critical National Infrastructure by the Centre for the Protection of National Infrastructure (CPNI), there are stringent reporting requirements, but this might not be the same in other countries.
National Infrastructure comprises those facilities, systems, sites, information, people, networks and processes necessary for a country to function and upon which daily life depends.
What you should do after a near-compromise incident, he says, is “go back to Step 1 and go through the whole process again. Cyber risk management is an iterative process.” In fact, “operators should test their plan at least once a year,” he advises, and likewise undertake annual pen tests, which will include recommendations on “how to improve the platform’s cyber security posture”.
As a general recommendation, Shaw says operators would be well advised to segregate traffic by separating their Operational Technology (OT) network from that of crew usage by installing two separate VSAT systems.
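The segregation Shaw recommends only holds if someone checks that traffic actually respects it, which is also what Step 4 (protection and detection measures) calls for. The script below is an added example, not code from the article, LR or Nettitude: it reads constructed firewall/flow records in a simple key=value form and flags any flow from the crew network (or any other non-OT host that is not an approved engineering jump host) into the OT network, and any OT host reaching an address outside the platform’s own networks. The address plan (10.10.0.0/16 for crew, 10.20.0.0/16 for OT, 10.30.0.0/24 for vendor access, 10.30.0.5 as the approved jump host) and the log format are assumptions chosen for the example.

```python
"""Flag flows that cross the crew/OT boundary (added example, not from the article)."""
import ipaddress
from typing import Dict, List, Optional

# Hypothetical address plan for one platform (an assumption for this example,
# not taken from the article or any real installation).
CREW_NET = ipaddress.ip_network("10.10.0.0/16")     # crew / business network
OT_NET = ipaddress.ip_network("10.20.0.0/16")       # ICS / SCADA network
VENDOR_NET = ipaddress.ip_network("10.30.0.0/24")   # vendor remote-access segment
SITE_NETS = (CREW_NET, OT_NET, VENDOR_NET)

# Hosts outside OT that are allowed to reach it (e.g. an engineering jump host).
# Also an assumption for the example.
APPROVED_OT_SOURCES = {ipaddress.ip_address("10.30.0.5")}

# Constructed sample flow records, as a firewall or flow collector might
# export them. External addresses use documentation ranges.
SAMPLE_LOG = """\
ts=2021-06-01T08:01:10Z src=10.10.4.21 dst=203.0.113.9 dport=443 proto=tcp
ts=2021-06-01T08:01:12Z src=10.30.0.5 dst=10.20.1.10 dport=502 proto=tcp
ts=2021-06-01T08:02:03Z src=10.10.4.21 dst=10.20.1.10 dport=502 proto=tcp
ts=2021-06-01T08:02:30Z src=10.20.1.12 dst=198.51.100.7 dport=443 proto=tcp
ts=2021-06-01T08:03:00Z src=10.20.1.10 dst=10.20.1.11 dport=44818 proto=tcp
"""


def parse_flow(line: str) -> Dict[str, str]:
    """Turn one 'key=value key=value ...' record into a dict."""
    return dict(part.split("=", 1) for part in line.split())


def is_site_address(addr: ipaddress.IPv4Address) -> bool:
    """True if the address belongs to one of the platform's own networks."""
    return any(addr in net for net in SITE_NETS)


def classify_flow(flow: Dict[str, str]) -> Optional[str]:
    """Return a reason string if the flow violates segregation, else None."""
    src = ipaddress.ip_address(flow["src"])
    dst = ipaddress.ip_address(flow["dst"])
    # Rule 1: nothing outside the OT segment may talk into it,
    # except explicitly approved hosts.
    if dst in OT_NET and src not in OT_NET and src not in APPROVED_OT_SOURCES:
        return "non-OT host reached OT network"
    # Rule 2: OT hosts should never reach addresses outside the platform.
    if src in OT_NET and not is_site_address(dst):
        return "OT host reached external address"
    return None


def find_segregation_violations(log_text: str) -> List[Dict[str, object]]:
    """Parse every record in log_text and collect the flows that break the rules."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        reason = classify_flow(flow)
        if reason:
            findings.append({
                "ts": flow["ts"],
                "src": flow["src"],
                "dst": flow["dst"],
                "dport": int(flow["dport"]),
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for f in find_segregation_violations(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} -> {f['dst']}:{f['dport']}  {f['reason']}")
```

On the sample records, the approved jump host talking Modbus (port 502) to a controller passes, while a crew laptop doing the same is flagged, as is an OT host opening an outbound connection to an external address. The two rules are deliberately simple; in practice the allow-list would come from the control environment documented in Step 2, and the same check can be fed from a SIEM rather than a text file.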
His other top tip is to “thoroughly assess third-party access”. For example, if a SCADA manufacturer has access to the system, then “if they are compromised you are in trouble”.
To conclude, Shaw warns against a sense of complacency aboard offshore platforms because they are remote. “A big trend in recent years has been supply chain attacks or ‘island hopping’,” he says, and the energy sector is “particularly at risk from different tiers of attackers, be it for profit, political or environmental motives or out of sheer devilry”.