Printer friendly version
Oil platforms vulnerable to hackers
08 June 2009
Oil company data security is inadequate, and production systems are at risk of attack by hackers, viruses and worms.
Once upon a time, offshore platforms were secure communities in which production was controlled by closed processes that were isolated from the external world. Today, the picture is somewhat different: in what are known as “inte3grated operations”, offshore-onshore contact is transparent and may of the processes out on the platform are controlled by onshore personnel via networked PCs.
Although this has several advantages, one disadvantage is a fall in information security. When onshore and offshore networks are linked together, the chances of attacks by viruses and hackers increase.
SINTEF scientists who work on system development and security believe that the oil companies and supply industry have done a good job in the field of offshore health, safety and environment (HSE), but that they have not been just as good as far as information security is concerned.
The researchers have carried out in-depth interviews of key personnel in the petroleum sector in order to find out what conditions out on the field are like. The interviews confirm that the number of “safety incidents” on production systems (platforms) has risen during past few years.
“The worst-case scenario, of course, is that a hacker will break in and take over control of the whole platform,” says SINTEF scientist Martin Gilje Jaatun. “Luckily, this has not happened yet, but we have heard of a number of incidents that could have turned into something quite dramatic. For example, virus attacks have led to process electronic equipment becoming unstable.”
Platform managers are still able to deal with any incidents that occur on a platform, but the current trend is in the direction of unmanned robot-controlled platforms, which leave electronic equipment more exposed to attack.
“Our interviews have revealed that we lack a short concise plan that would say something about how people should deal with such specific events in their organisations. And while scenario training is often used by offshore companies to reduce risks, such training is seldom employed in the field of information security,” says Jaatun.
“Some of our informants also told us that they were not certain that negative occurrences would lead to learning and changes in future behaviour. They were afraid that any such learning would soon be forgotten.”
The way ahead
The study of offshore information security has shown that there is still a necessity for measures of the effects of efforts to improve security. We need to develop new measurement mechanisms that can demonstrate how different ways of dealing with security contingencies affect conditions such as earning capacity and uptime.