HOUSTON — The oil and gas industry needs to stitch up safety vulnerabilities created by its increasing use of automated equipment at offshore wells and production facilities, top maritime and drilling regulators said Thursday.
“Machines are talking to machines and making decisions and doing things that aren’t humanly possible, and that’s why we’re able to get higher pressures,” said U.S. Coast Guard Rear Adm. Paul Thomas. “All of these are amazing technologies, but they bring with them vulnerabilities that I don’t think we’ve figured out how to manage.”
There already have been some threats and cyber attacks on offshore installations.
But increasing computerization and automation offshore open up the possibility of less malevolent — but no less dangerous — disruptions, driven by errant software updates and plugged-in flash drives.
In the Gulf of Mexico, software may have triggered at least one offshore accident, when a top drive motor — usually suspended from the derrick — fell to the rig floor. No one was injured and workers thought they had fixed the problem.
Then, it happened again.
According to a preliminary investigation by the Bureau of Safety and Environmental Enforcement, the failures may have been caused by “a software issue and a system compatibility issue,” said Brian Salerno, director of the agency.
Though “there’s nothing to indicate malicious intent,” it illustrates the potential risks, Salerno told attendees at the Offshore Technology Conference. “When we think about how dependent we are on these systems and how they have to be interoperable and connected and compatible, I think it is a legitimate safety concern.”
The good news, Thomas said, is that the offshore oil and gas industry knows how to manage risk. And this is just another risk.
But the industry needs to address it fast.
“This is a real, real challenge,” he said, and “it’s coming at us quickly.”
“We’ve already seen control systems being adversely impacted because somebody plugged an iPhone into the wrong place or someone pushed a patch to a (software program) and it impacted the control system,” he said. “If your safety management system doesn’t address when critical control system software can be patched or updated — who can do it, what’s the status of the system while it’s being done and what’s the test to do afterward — then you have a safety management issue, not a cybersecurity issue.”
But, he added, fixing one could fix the other.