An increase in remote monitoring and autonomous control, the internet of things and digitalisation has made offshore drilling rigs much more susceptible to cyber attacks, cyber defence expert Naval Dome has said.
Findings from the two-year joint project between Naval Dome and the offshore division of an unnamed supermajor indicate that the minimum industry guidelines, regulations, and security techniques are out of step with current platform technology, connectivity requirements, and cyber attack methodology.
“Activities over two years have demonstrated shortfalls and real challenges that need to be addressed if we are to create a more cyber-secure deepwater drilling rig environment,” authors of a joint research paper, Cyberdefence of Offshore Deepwater Drilling Rigs, said.
Adam Rizika, head of strategy at Naval Dome, explained how the test rigs’ operation technology networks were penetrated using a software installation file for dynamic positioning and workstation charts. Naval Dome simulated an OEM service technician unwittingly using a USB stick with malicious software containing three zero-day exploits.
It is abundantly clear that more advanced purpose-built solutions are needed
“The modified file was packaged in a way that looked and acted like the original one and passed anti-virus scanning without being identified as a cyberattack or picked up by the installed cyber network traffic monitoring system,” he said.
Although the attack was carried out internally, Rizika noted remote execution was feasible using the rig’s externally facing network connections.
“Penetration testing confirmed how a targeted cyber attack on a deepwater drilling rig could result in a serious process safety incident, with associated financial and reputational impact,” he said.
The paper found that cyber security solutions, such as anti-virus, network monitoring, and firewalls, are not enough to protect critical safety and processing equipment from attack, leaving rigs vulnerable. It also highlighted a shortage of cyber domain skilled staff, regulations and controls that are slow to evolve and be implemented.
“It is abundantly clear that more advanced purpose-built solutions are needed to better protect an offshore platform from exposure to external and internal cyber attacks, whether targeted or otherwise,” reported Rizika.