Security offshore: Reigning in complexity

Gregory Hale

September 1, 2014

Vigilance remains key when it comes to offshore cyber security. Gregory Hale explains.

Interconnected systems can be risky. Photo: OE Staff.

Computer networks on offshore oil rigs and platforms have ended up incapacitated in the past by malicious software directly downloaded over satellite networks or via workers’ infected laptops and USB drives.

Today’s offshore platforms consist of interconnected systems, running, monitoring, and recording thousands of calibrations each minute. These systems can be sitting ducks for an attack.

“Offshore oil and gas platforms today have an increasing complex set of interconnected networks,” says Graham Speake, vice president and chief product architect at Atlanta, Georgia-based NexDefense, Inc. “These range from the critical and essential control and safety networks owned and operated by the end user, third party networks for monitoring these networks and rotating equipment, and also open access networks to ensure that rig personnel can effectively communicate with friends and family onshore. Coupled with these networks, more and more subsea devices are being deployed that connect into the control networks. A lot of this technology has been added on to these platforms to extend the life and improve the yield. The networks are therefore extremely complex and often deployed with reduced security as the location of the platforms has always been seen as great perimeter defense.”

Technology sophistication continues to increase so users can get the most out of wells, but there are other issues, says Eric Byres, CTO and vice president of Engineering at Tofino Security Products, a Belden company, based in British Columbia, Canada.

“Not only are the systems getting more connected, but there are more and more applications for the communications links to drilling and production units – for example, voice-over IP, corporate business networking, Internet access, real-time monitoring, maintenance support services, regulatory reporting and ‘crew infotainment services,’ to name a few,” Byres says. “All of these need to be secure both on their own and from each other, yet typically they all run over the same satellite or fiber backbone from the beach.

“Plus there are more parties (consultants, service providers, regulators, etc.) with legitimate needs for accessing data from the platform. Each of these parties add a level of complexity and a potential new vulnerable path that needs to be considered. For the bad guys, it is all about finding the weakest link. For the platform owner/operator, it is all about making sure there is no weakest link in all the partners and suppliers connectivity systems. And when trouble does happen, having a way to quickly quarantine off the infected components or systems without impacting the whole platform,” Byres says.

“Platforms are having greater and greater bandwidth allocation, often through dedicated fiber cables,” Speake said. “The cyber security issues that need to be addressed when deploying these networks has been lagging behind, often due to a lack of skilled engineers in the industrial cyber security field and partly due to a conscious decision to reduce security and complexity to ensure greater uptime.

“Typically, oil and gas platforms have limited cyber security professionals on their staff, and the pressures to keep the platform up and the workers happy (through Internet connections) often mean that security will take a lesser priority. Security updates such as anti-virus signatures files and updates to the operating systems (typically Microsoft-based) and vendor software are usually a low priority and often may only be upgraded once a year (or even less). Running old, out of date software coupled with more interconnected networks, often indirectly connected to the Internet, is exposing these systems to more and more risks which is likely to result in off shore platforms experiencing security issues and potential unexpected outages.”

Dollars can add up

One highly likely effect of a malware infection offshore is unplanned downtime. As it is in any industry, downtime means money, and offshore the millions add up fairly quickly.

“Even something that could be considered ‘minor’ in business IT could have significant cost impact offshore. A dropped packet could skew visibility and impact automated systems to where production slips from its optimal state,” says Eric Knapp, director of cyber security solutions and technology at Honeywell Process Solutions. “Worst case, of course, there is a loss of visibility or a broader impact that halts production altogether. Regardless, to address any issue is more expensive when it’s miles offshore on a controlled facility.”

As communications systems advance, companies reap the benefits of real-time analysis and quicker decision making among others, but they can also suffer from the weaknesses. The real challenge is how to prevent unwanted malicious software from affecting the critical systems offshore.

“When computing systems are new they are ideally secure and we can supplement that security with anti-virus, whitelisting, among others,” Knapp says. “But over time vulnerabilities are discovered, and patched. It’s hard enough deploying patches in a production ICS. When your system is offshore it is compounded. You need to have regular visits or a reliable and secure network connection to the platform. And then you need to apply the patches.

“That’s one reason why application whitelisting is well suited for these environments: It only needs to be updated when a system update or new application is installed, which keeps the system better protected for longer periods of time than traditional AV,” Knapp says.

Taking control

That all means offshore platform operators need to start working to identify weaknesses and take a proactive stand against possible infections.

“One challenge is not making your process control system so convoluted or littering it with such complicated tools, taps, appliances and so on that the cure becomes almost as bad as the disease. Many engineers are now staring glaze-eyed at new technology that just a couple of years ago was totally outside the scope of their knowledge and responsibility,” says Dan Schaffer, business development manager, networking and security at Phoenix Contact, in Pennsylvania.

As always with security, vigilance remains a key thought. “The biggest thing is visibility; staying on top of what’s happening and quickly assessing the risk of any cyber incident or indication thereof, so that corrective action can be taken quickly,” Knapp said.

Separating entertainment from ICS

Crews working offshore do not work all the time, so they need some form of entertainment during their off hours. The Internet is a savior in that entertainment is only a few clicks away. The problem is the Internet introduces a new element of potential compromise.

Crew welfare connectivity is crucial in attracting workers from younger generations to work offshore. Very few people younger than 30 can go a whole day without streaming video as flash players now dominate.

“I have personally talked with employees of a major multinational petroleum company and found that workers were allowed to bring their own (personal) computers on the rigs and connect to a ‘public’ network for use during free time,” said Joel Langill, ICS cyber security consultant.

“This came as quite a surprise, considering that this company is also one of the leaders regarding cyber security within their production and manufacturing assets. It was evident that in this case, a risk assessment and associated failure modes and effects analysis (FMEA) was not thoroughly performed taking into account the risks of the ‘insider’ as the threat source,” Langill said. “They believe that the traditional security controls used to segment and isolate the ‘public’ and ‘production’ networks were sufficient. Sufficient by whose standards?

“Today’s threats are becoming more advanced and are designed to circumvent many standard security controls – such as firewalls and host-based mechanisms like anti-virus software,” Langill said. “Once any malware has bridged on to the production side, the consequences can be great. Many ICS installations in this environment have little technology deployed to monitor the characteristics of the network. The malware could then target the embedded devices that exist to perform critical production tasks and any associated loss-of-view or loss-of-control would result in downtime.

“The problem has the potential to rapidly escalate with the deployment of technologies like WiMAX that effectively creates a mesh network interconnecting multiple rigs from various operating companies. This will not only provide a vector for those on a particular platform to breach the segmentation, but could also provide multiple, external vectors that could facilitate a remote attack from another rig that may have a different set of security policies and associated latent vulnerabilities.”

Breaking the network into zones can help alleviate the issue. “Separating such a high-risk (but needed) system from the mission critical systems running the platform is a good example of how important a zone style design is,” said Eric Byres, CTO and vice president of Engineering at Tofino Security Products. “And once you have such an architecture in place, then it is critical that operators manage all the traffic flows and monitor these flows continuously. Good security wherever it is deployed isn’t just about blocking the bad guys, but also watching what is going on in the communications systems. In a mission critical operation like a platform, this is doubly important.”

Gregory Hale
is the Editor and Founder of Industrial Safety and Security Source ( and is the contributing Automation Editor at Offshore Engineer.