Oil company data security is inadequate, and production systems are at risk of attack by hackers, viruses and worms.
Once upon a time, offshore platforms were secure communities in which production was controlled by closed processes that were isolated from the external world. Today, the picture is somewhat different: in what are known as “integrated operations”, offshore-onshore contact is transparent and many of the processes out on the platform are controlled by onshore personnel via networked PCs.
Although this has several advantages, one disadvantage is a decrease in information security. When onshore and offshore networks are linked, the chances of attacks by viruses and hackers increase.
SINTEF scientists who work on system development and security believe that the oil companies and the supply industry have done a good job in offshore health, safety and environment (HSE), but have not been as good as far as information security is concerned.
The researchers have carried out in-depth interviews of key personnel in the petroleum sector to find out what conditions out on the field are like. The interviews confirm that the number of “safety incidents” on production systems (platforms) has risen during past few years.
“The worst-case scenario, of course, is that a hacker will break in and take over control of the whole platform”, says SINTEF scientist Martin Gilje Jaatun. “Luckily, this has not happened yet, but we have heard of a number of incidents that could have turned into something quite dramatic. For example, virus attacks have led to process electronic equipment becoming unstable.”
Platform managers are still able to deal with any incidents that occur on a platform, but the current trend is in the direction of unmanned robot-controlled platforms, which leave electronic equipment more exposed to attack.
“Our interviews have revealed that we lack a concise plan that would outline how people should deal with such specific events in their organizations. And while scenario training is often used by offshore companies to reduce risks, such training is seldom employed in the field of information security”, says Jaatun.
“Some of our informants also told us that they were not certain that negative occurrences would lead to learning and changes in future behaviour. They were afraid that any such learning would soon be forgotten.”
The way ahead
The study of offshore information security has shown that there is still a need to measure the effects of efforts to improve security. We need to develop new measurement mechanisms that can demonstrate how different ways of dealing with security contingencies affect conditions such as earning capacity and uptime.