Increased automation offshore means oil & gas companies have far more systems that are vulnerable to computer viruses. Gregory Hale and Richard Sale investigate how onshore attacks have led companies to reassess security concerns.
Major oil companies, already under extreme pressure from computer viruses such as Stuxnet and Shamoon also now have to come to grips with the possibility of a targeted attack in the offshore environment.
With increasing connections between onshore and offshore networks, the chances of cyber attack increase dramatically.
Experts say oil companies have improved offshore safety in the wake of Macondo, but they have been slow to implement more stringent information security. The glaring lack of security comes on the heels of major oil companies such as ConocoPhillips, Marathon, Chevron and Baker Hughes continuing their struggle against increasingly sophisticated cyber attacks. These companies also were infected by the Stuxnet virus that has attacked computers in countries from Germany, Indonesia to Kazakhstan.
In the offshore environment, several experts say virus attacks have led to electronic equipment becoming unstable, and while personnel undergo scenario training to reduce risks, such training is seldom employed in the field of information security.
This becomes especially dangerous with the current trend of increased automation, which leaves equipment more exposed to attack. Ludolf Luehmann, manager of IT at Shell, Europe’s largest oil company, says: ‘We see an increasing number of attacks on our IT systems and information, and there are various motivations behind it: criminal and commercial,’ perhaps focusing on research and development to gain a competitive advantage.
Cyber war experts like James Lewis, of the Center for International & Strategic Studies (CSIS), are aware that most industries operate on computers vulnerable to attack. Hackers are increasing in number, becoming more knowledgeable and skilled, and making more daring attacks on systems.
‘The Chinese have been very successful,’ Lewis says.
Oil companies are warning that the worst-case scenario would be one in which valves were accessed, which could set offshore rigs on fire, kill personnel and halt production. The cost of downtime on a typical offshore rig is $6.3 million/day, say experts. The financial loss could be huge.
Stuxnet, which crippled the nuclear centrifuges in Iran’s Natanz facility, shows the potential devastation of a worm created to cause damage. Experts say this kind of attack could occur on oil producing offshore rigs.
Riemer Brower, head of IT security at Abu Dhabi Company for Onshore Oil Operations, says the oil industry has avoided any damaging incidents so far, but he warns ‘the oil companies in charge are no longer really in control’.
California-based oil giant Chevron has confirmed its computer systems were infected with Stuxnet. Chevron spokesman Morgan Crinklaw says the company was protected from major damage to its network, adding the company makes ‘every effort to protect our data systems from those types of threats’.
According to US officials, any industrial component is liable to be targeted by such sophisticated attacks. Lewis says ‘thousands of places around the world were infected but only one was damaged’, the Iranian facility at Natanz.
‘Stuxnet is an interesting weapons design. You need to introduce the virus and then you need to trigger it. It only works against a specific configuration,’ explains Lewis. The first stage of the virus used a ‘beacon’ that performed surveillance of the target, mapping an electrical blueprint of Iran’s centrifuges. The second stage, a trigger, took advantage of a series of ‘zero-day exploits’ that ended up causing physical damage. The virus was only configured for Iranian nuclear facilities. Apparently, it wasn’t designed to spread.
But it did. Researchers at Symantec and Kaspersky Labs stated Stuxnet had two versions. The first, launched in 2010, had a 21-day period after which the virus would be null and void. Shortly thereafter, a second version was launched. The second version had a different trigger.
Chevron was one of the first oil companies to fall victim to the Stuxnet virus.
Blair Nicholas, of the law firm Bernstein Litowitz Berger & Grossman, based in San Diego, says: ‘To the extent that there aren’t adequate procedures in place to protect the companies’ crown jewels and somebody gets the key to the jewelry box, there is certainly potential for shareholder derivative liability.’
Besides Chevron, no other corporate victims have disclosed attacks in filings with regulators.
Some companies have already been victims of Chinese-backed industrial espionage assaults like Night Dragon that have cost them billions of dollars in plans and intellectual property, sources say, and some of the attacks remained undetected for years.
In the Night Dragon attack, Exxon Mobil, Royal Dutch Shell, BP, Marathon Oil, ConocoPhillips and Baker Hughes fell victim to an advanced persistent threat that targeted ‘project-financing information with regard to oil and gas field bids and operations,’ according to a report from cyber security software provider McAfee Inc. In attacks on Baker Hughes and Shell Oil, the Chinese targeted bid data as well as project plans and financial information.
Conoco and Exxon experienced similar breaches, but they went unreported because of client confidentiality. Studies have already been done of malware aimed at seizing data in the computers of a drilling rig working on a ConocoPhillips project, sources say.
The latest attack was last August’s onslaught of Shamoon, which wiped out the hard drives of more than 30,000 computers at Saudi Aramco. While Saudi Aramco says the attacks did not affect production, the idea of a virus hitting and destroying that many systems so quickly has its business partners worried the virus could propagate into their systems.
The attack did not get into the company’s production environment because security professionals installed security programs. But the issue is that attacks, whether they are on- or offshore, will continue as long as systems remain relatively unguarded and easy to hack into.
As Saudi Aramco president and CEO Khalid Al-Falih said after his company suffered the Shamoon attack: ‘Saudi Aramco is not the only company that became a target for such attempts, and this was not the first nor will it be the last illegal attempt to intrude into our systems, and we will ensure that we will further reinforce our systems with all available means to protect against a recurrence of this type of cyber attack.’ OE
Gregory Hale is founder/editor of Industrial Safety & Security Source
Richard Sale was United Press International’s intelligence correspondent for 10 years and at the Middle East Times, a publication of UPI. He is the author of Clinton’s Secret Wars and Traitors.
OE Digital E-News is the subsea industry's largest circulation and most authoritative ENews Service, delivered to your Email three times per week