On 11 and 12 September 2018, the International Association of Drilling Contractors (IADC) held the IADC Advanced Rig Technology Conference & Exhibition in Austin, Texas. We were on the afternoon panel: Cybersecurity for Drilling Assets: Risk Assessment & Mitigation.
The panel – drilling industry veterans, class society experts and cybersecurity practitioners – was introduced by the following statements:
“Few doubt the potential risk of cyber-attacks and the potential consequences for drilling assets. This is a huge industrial challenge, not just for drilling, but for all commerce and government. Several well-publicized incidents have brought home the need for a clear focus on cybersecurity. However, opinions differ as to the best approach to safeguard drilling assets. This panel will provide differing insights but leave attendees with a clear path forward for their companies.”
Our panel presentation was titled: “It’s NOT Rocket Science. It’s Blocking and Tackling.” Although a football reference, it was meant to hit home with the simple fact that cybersecurity’s foundation in any organization depends on how well the basics are executed. Blocking refers to instituting the mitigation processes listed in #3 below. Tackling means getting out in front of the threats by implementing a Security Architecture – see our Blog Postings.
Here are the 3 initial steps you need to take:
#1 Identify the Threat and its Source
Here are the seven top cybersecurity threats, worldwide, for 2018:
- Getting your clients’ and corporate info compromised in massive data leaks.
- Smartphones shipping with malware and malicious apps.
- Ransomware attacks on your cloud services.
- Cryptojacking your hardware for “Bitcoin” mining.
- Financial losses and data compromise due to your corporate cryptocurrency trading.
- Scams with advanced social engineering tactics.
- IoT devices like smart locks or smart assistants being hacked.
When you dig into where the industry pundits think technology is going, you can generate a frequency word cloud of the most expressed terms:

Mapping the cybersecurity threats to the technologies in the word cloud, only number 7 sticks out: IoT devices like smart locks or smart assistants being hacked. Remember, we are trying to identify our cybersecurity threats, and only the last one on the list is even being considered by our industry technologists. But even then, the Industrial Internet of Things is a red herring when looking at our Industrial Control Systems’ (ICS) vulnerability.
Searching Shodan, the search engine we use as our ICS browser, shows 3,551,412 internet connections to ICS components. 10% of the visible ICS systems are Energy & Utilities. Once we remove the Smart Utilities monitoring systems on our homes and businesses, we are left with 2% exposure, or fewer than 4,100 devices in Oil & Gas E&P.
The takeaway here is that you need to look to the basics, not new technologies, for your exposures.
#2 Identify and Quantify your ICS Exposure
The first step you need to take is mapping your “as is” network topology and then maintaining that topology through your management of change (MOC) process. This means that you need to physically view all connections and cabling on your asset that are part of your network. Do you know if your vendors have left behind a silent router hooked to your network? We’ve found an average of 3 unknown network access points on the assets we’ve surveyed.
Install secure, remote network analysis tools. These can be simple freeware that you install to map your network and find all the connections you normally cannot “see”.
Identify all people, companies and applications with access to your network. Do you really know which service people have network access? Is there a list? How about applications running that send data to headquarters servers? What about passwords? Going back to Shodan, almost 65% of visible routers and gateways have their password set to the factory default. Oh, yeah, remember that for many routers the password is “admin” and the username field is left blank.
Identify all software applications running on each piece of your network hardware – PLCs, routers, servers, laptops, virtualized machines, everything. This is a critical final step in identification. It’s not just the hardware and the people, it’s also the applications running on the PLCs, servers and unknown black boxes that a vendor has said “Don’t touch it!” You really don’t know who is “phoning home” within an application or what logging is taking place that is used by service technicians when they access your asset. Catalog everything and put everything under version and change management control.
#3 Institute Mitigation Processes
Here are the four actions to take that will begin your cybersecurity mitigation:
- Map and Maintain your network topologies on a regular basis
- Analyze the results from secure, remote network analysis tools on no less than a weekly basis
- Institute strong passwords with regular changing for all people, companies and applications with access to your network
- Institute comprehensive MOC procedures for all software applications running on each piece of your network hardware – PLCs, routers, servers, laptops, virtualized machines, everything
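As an added illustration of steps #2 and #3 (example code written for this post, not the panel’s or any vendor’s tool): a baseline-diff script that compares the “as is” inventory you keep under MOC against the latest output of a remote network analysis tool, and turns every difference into a review item. The inventory rows and the scan lines are constructed sample data; the scan parser assumes nmap-style “grepable” output.

```python
import csv
import io
import re

# Constructed "as is" inventory kept under management-of-change (MOC) control:
# one row per authorized device and the ports its approved applications listen on.
BASELINE_CSV = """ip,mac,role,owner,allowed_ports
10.10.1.5,00:1d:9c:aa:bb:01,PLC,drilling-controls,502
10.10.1.6,00:1d:9c:aa:bb:02,PLC,drilling-controls,502
10.10.1.20,00:50:56:cc:dd:03,historian,IT,443;1433
10.10.1.254,00:0c:29:ee:ff:04,router,IT,22;443
"""

# Constructed weekly scan output in nmap -oG ("grepable") style: one "Host:" line per device.
SCAN_GREPABLE = """Host: 10.10.1.5 ()\tPorts: 502/open/tcp//mbap///
Host: 10.10.1.6 ()\tPorts: 502/open/tcp//mbap///, 80/open/tcp//http///
Host: 10.10.1.254 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///
Host: 10.10.1.77 ()\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///
"""

def parse_baseline(text):
    """Return {ip: (role, owner, allowed_port_set)} from the inventory CSV."""
    return {r["ip"]: (r["role"], r["owner"],
                      {int(p) for p in r["allowed_ports"].split(";") if p})
            for r in csv.DictReader(io.StringIO(text))}

def parse_scan(text):
    """Return {ip: open_port_set} from grepable scan output."""
    seen = {}
    for line in text.splitlines():
        m = re.match(r"Host: (\S+) .*Ports: (.*)$", line)
        if m:
            seen[m.group(1)] = {int(p.split("/")[0]) for p in m.group(2).split(",")
                                if "/open/" in p}
    return seen

def diff_inventory(baseline, scan):
    """Each finding is an item for the weekly review and the MOC process."""
    findings = []
    for ip, ports in scan.items():
        if ip not in baseline:  # nobody signed off on this device (vendor leftover?)
            findings.append(("unknown_host", ip, sorted(ports)))
        elif ports - baseline[ip][2]:  # listening on ports no approved application uses
            findings.append(("new_port", ip, sorted(ports - baseline[ip][2])))
    for ip in baseline:
        if ip not in scan:  # in the baseline but not visible: topology drift or outage
            findings.append(("missing_host", ip, []))
    return sorted(findings)
```

Run it as `diff_inventory(parse_baseline(BASELINE_CSV), parse_scan(SCAN_GREPABLE))`; on the sample data it flags the unknown 10.10.1.77 device, the new port 80 on PLC 10.10.1.6, and the historian that the scan no longer sees.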
If you decide not to do any of these suggested mitigations and just maintain your middle-of-the-road approach to cybersecurity, remember what they say in Texas: “The only things in the middle of the road are yellow stripes and dead armadillos.”
