By Stephen Whitfield, Associate Editor
Over the past few years, documented cyberattacks have escalated in frequency and severity, evolving from IT data breaches and theft to ransomware attacks with payloads of destructive malware and sophisticated tools. These attacks can cause a loss of visibility or control of an industrial asset, like a drilling rig, leading to manipulation of safety critical systems.
A presentation at the 2021 Offshore Technology Conference on 17 August discussed a three-year project Shell undertook to identify and validate an optimal cybersecurity approach for deepwater rigs. The operator partnered with Naval Dome, a cybersecurity consultancy, on the project. The approach deviated from the conventional “outside-in” approach, where companies set up firewalls around their infrastructure, and went instead with an “inside-out” approach, where each piece of critical OT equipment is protected individually, said Adam Rizika, VP of OEM Sales at Naval Dome.
The project began in 2018, when Naval Dome ran a simulated cyberattack – also known as a penetration test – to identify vulnerabilities onboard one of Shell’s deepwater rigs. The test specifically targeted a dynamic positioning (DP) system using a software installation file for the DP workstation charts. The attack was conducted by simulating an OEM service technician unknowingly using a USB stick with three zero-day exploits – vulnerabilities that hackers can use to attack systems – hidden amongst original files. The original and attack files were mixed together, making the malicious file look like the original file.
The vulnerabilities had passed unnoticed despite the use of anti-virus scanning and a cyber network traffic monitoring system, and the penetration test allowed Naval Dome to take full control – not only of the DP system but also other safety critical systems on the same network, both locally and remotely. This revealed the vulnerabilities of an “outside-in” system: Once the attacker went over what Mr Rizika called the “protection perimeter fence” (the anti-virus and network trafficking systems), a large number of connected systems became exposed.
The goal of the penetration test was to simply illustrate how traditional cyberdefense solutions are inadequate in protecting safety-critical OT systems, Mr Rizika said, and it convinced Shell of the need to move to a more advanced system.
Traditional cyberdefense is often designed to protect IT networks, not OT networks. Most IT systems are connected, monitored and constantly updated against new threats. This connectivity works as a fence – the “outside-in” approach refers to the assumption that network connectivity to the outside world is the primary cyber threat.
While network connectivity can be effective as a barrier against outside attacks, network monitoring systems are subject to human error, alarm fatigue or misdiagnosis – like an attack file in a USB port being misdiagnosed as a regular file. Citing a 2019 study from CISCO, Mr Rizika said that 24% of users with installed detection systems were having to triage more than 100,000 alerts per day. At that rate, it is easy to envisage that some attacks will be missed, allowing them to enter the OT environment.
The penetration test also served to convince Shell of the need for an “inside-out” approach to cybersecurity. For instance, instead of having one firewall for the entire rig’s network, Naval Dome installed its anti-virus protection software and built firewalls for the human-machine interfaces of each OT system: the dynamic positioning, navigation, BOPs and so forth. This approach limits the scope of potential attacks, as hackers would need to launch discrete attacks against multiple OT systems in a short time frame in order to make any noticeable impact. Even in that case, each attack would remain a local break that would be easier to contain.
The project also utilized a Zero Trust software architecture, where critical data, assets, applications and services on a rig’s network are identified and organized within “protect surfaces.” This architecture differs from a traditional security model, which operates under the assumption that everything inside an organization’s network is critical and must be trusted. The traditional approach can be problematic on a rig because it has unique characteristics that make it hard to protect. OT equipment has a long lifecycle, with most systems using legacy operating systems that are no longer supported by OEMs, such as Windows XP or Windows 7. These legacy systems are particularly vulnerable to attack.
“All rigs include a diverse set of OEMs providing a complex set of OT equipment, all with limited to no security. There is no aggregated view of cyberdefense across the rig, which makes it very hard to track,” Mr Rizika said.
While a Zero Trust architecture is complex, it can be built upon existing architecture. In Shell’s case, the operator also didn’t have to replace existing technology or install new operating systems.
Last year, Shell brought together Naval Dome and various OEMs to pilot test and validate the cyberdefense system on a small segment of the safety-critical OT systems on two of Shell’s deepwater rigs in the US Gulf of Mexico. Penetration tests were run on automated drill floor equipment, handling equipment, pressure control equipment and onboard ROVs, and the companies determined that everything remained protected.
Further testing is being planned to reduce the overall deployment time of the system. While the pilot test had a planned five-week installation window, it took nearly eight weeks to fully commission and establish cyber protection onboard the selected OT systems.
Attacks are costly and increasing in number
Companies in the drilling industry are paying increasing attention to cybersecurity in recent years. Around the world across industries, the cost of cyberattacks amounts to $600 billion annually, or around 0.8% of the global GDP, according to Mr Rizika. Large multinational companies incur an average cost of $239 million per cyberattack and can lose upwards of 12,000 devices.
In the oil and gas industry specifically, direct and indirect attacks have caused noticeable financial and process disruptions, with the May 2021 ransomware attack on the Colonial Pipeline on US East Coast being the most recent noteworthy incident.
In this environment, the need to develop systems that keep rigs secure from cyberattacks is greater than ever, Mr Rizika said. “Protecting mission critical OT equipment is a worldwide priority, and as we all know, rigs are absolutely critical infrastructure. The impact of an attack on a deepwater rig is much more than financial damage. We’re talking loss of life, environmental impact, and the loss of reputation can be catastrophic. Providing consistency and reliability in an environment where cyberattacks are growing is both complex and challenging.”