I live in Houston, Texas, the undisputed Energy Capital of the World. Houston has an entire area of town nicknamed the Energy Corridor where numerous oil and gas companies have their headquarters, or at the very least, a major presence. Within those gleaming towers, geologists, chemists, engineers and a host of other highly educated professionals lead the efforts to produce more energy, both domestically and internationally.
Maybe those companies need to hire a few more IT security professionals.
There was a troubling story on the front page of the Houston Chronicle newspaper this week. (See Zain Shauk’s blog post Malware offshore: Danger lurks where the chips fail.) The article states that malware is a common occurrence on the computer systems responsible for operating offshore drilling systems, and that it would be entirely possible for a hacker – or a terrorist – to take over a live rig via malicious software.
For many of us – and especially those in the energy industry and anyone who lives along the Gulf of Mexico coastline – the tragedy of the Deepwater Horizon explosion and oil spill three years ago is still fresh in our minds. You may recall that the well blowout killed 11 people and the subsequent leak spewed something like 4.9 million barrels of oil into the Gulf of Mexico over a period of nearly 3 months. Now imagine malware penetrating the systems that run the thousands of rigs interspersed throughout the Gulf and around the world and intentionally causing blowouts by one means or another.
You would think that these rigs would be considered critical infrastructure and therefore the computer systems that operate them would be hardened against attacks. In fact, quite the opposite is true, according to the original article.
The software controlling critical operations on many offshore rigs often is old and vulnerable, FuelFix has reported, and updating it can be complicated and costly.
Yes, software updates can be complicated and costly, but those costs have to be weighed against the risks of what can happen when systems like blowout preventers can be remotely turned off and irreversible processes put the rig, its crew and the well in danger. Unfortunately, government oversight is lax, possibly because to date, no serious problems can be traced directly back to compromised computer systems. But that could change in an instant.
Federal regulators say their standards require companies to ensure that safety systems are not compromised by malware, but interviews with industry workers suggest that many rig operators haven’t checked for problem digital files.
That puts them out of compliance with regulations while operating in the Gulf of Mexico and subject to fines or other penalties, though the government to date hasn’t taken such action against a company based on a computer systems deficiency.
“They’re big on mechanical,” Van Gemert said. “But their biggest risk, frankly, in the Gulf of Mexico right now, are information technology systems.” [Michael Van Gemert is manager of systems and controls for Lloyd’s Register Drilling Integrity Services, which inspects offshore systems.]
This isn’t strictly theoretical talk; malware has already been used to attack an offshore rig. Shauk’s article gives a real and recent scenario.
A drilling rig was at sea after leaving its construction site in South Korea when malicious computer software overwhelmed it.
The malware spread so thoroughly through the rig’s systems that it infected even the computers controlling its blowout preventer, a critical piece of safety equipment. That infection could have caused the preventer and other systems to be unresponsive if the rig were drilling, possibly leading to a well blowout, explosion, oil spill and loss of life.
The rig shut down for 19 days as workers tried to clear the problem, which has plagued other offshore oil vessels, knocking out their networks and forcing shut downs because of potential conflicts with safety systems
And the problem isn’t just on drilling rigs. Malware has already taken a toll on business operations and control systems.
An attack last year on Saudi Aramco, the world’s largest oil company, ripped through more than 30,000 computers and was aimed at disrupting its oil operations. Another, on Telvent, a subsidiary of France’s Schneider Electric, raised concerns about hackers gaining remote access to some pipeline control systems.
If the energy industry knows there is a significant vulnerability that puts lives, equipment and the environment at risk, it has an obligation to address the problem. Let’s hope that at least a few of the people in the shining towers of Houston’s Energy Corridor are taking aim at plugging IT security vulnerabilities before the engineers have to work on plugging another disastrous blown out well.