Malware offshore: Danger lurks where the chips fail

In the same year that a massive explosion and oil spill rocked the Gulf of Mexico, a digital disaster played out halfway around the world.

A drilling rig was at sea after leaving its construction site in South Korea when malicious computer software overwhelmed it.

The malware spread so thoroughly through the rig’s systems that it infected even the computers controlling its blowout preventer, a critical piece of safety equipment. That infection could have caused the preventer and other systems to be unresponsive if the rig were drilling, possibly leading to a well blowout, explosion, oil spill and loss of life.

The rig shut down for 19 days as workers tried to clear the problem, which has plagued other offshore oil vessels, knocking out their networks and forcing shut downs because of potential conflicts with safety systems.

So far no offshore catastrophes have been blamed on computer infections, and that may be why the serious dangers they pose have not drawn the same scrutiny from regulators and industry as mechanical systems did after the 2010 Deepwater Horizon disaster in the Gulf.

Yet online threats increasingly are affecting energy companies and offshore rigs, both through targeted attacks and randomly acquired malware that would be harmless to an up-to-date iPhone but could jam systems on a complex rig with old software and poor security measures.

Homeland security: Online attack targets 11 energy companies with emails

The rig en route from Korea to South America in 2010 was one of several that had to shut down for days after being overrun by malware following their construction, said Michael Van Gemert, manager of systems and controls for Lloyd’s Register Drilling Integrity Services, which inspects offshore systems and was contacted about the issues.

He declined to identify the companies involved in the incidents.

With contract rates for some offshore rigs as high as $700,000 a day, outages are substantial from a cost perspective, if not purely for their safety and environmental implications.

Federal regulators say their standards require companies to ensure that safety systems are not compromised by malware, but interviews with industry workers suggest that many rig operators haven’t checked for problem digital files.

That puts them out of compliance with regulations while operating in the Gulf of Mexico and subject to fines or other penalties, though the government to date hasn’t taken such action against a company based on a computer systems deficiency.

“They’re big on mechanical,” Van Gemert said. “But their biggest risk, frankly, in the Gulf of Mexico right now, are information technology systems.”

Van Gemert said he spoke with FuelFix to draw attention to a growing safety risk that is being overlooked by the government and the oil industry.

Malware has infiltrated even computer systems on offshore rigs that are not connected to the Internet and were never meant to interact with the Web. The problems are often caused by users who interact with the machines while unintentionally carrying troubled files. Those files can get onto a computer through links in malicious emails or from websites loaded with malware, then can latch onto USB drives or spread through a network.

While random infections can slow processes down or even cause systems to crash, the greater threat is tailored malware designed to attack a specific offshore facility, possibly causing a major malfunction and disaster, said Chris Goetz, partner of Kingston Systems, an oil industry computer systems company based in The Woodlands.

If rig systems have been infiltrated by basic malware, they are extremely vulnerable to a targeted attack, Goetz said.

“The risks are increasing and I believe there will be some form of intentional attack somewhere in the world,” he said, echoing the concerns of security experts across the industry.

A unit of the U.S. Department of Homeland Security reported this year that 40 percent of all online attacks in 2012 targeted energy companies.

CDC: Death by helicopter leading killer for oil and gas workers

Research by Houston-based security firm Alert Logic showed that energy companies not only are attacked far more often than others, but hackers have successfully stolen information, including financial data, geologic surveys, email addresses and passwords.

An attack last year on Saudi Aramco, the world’s largest oil company, ripped through more than 30,000 computers and was aimed at disrupting its oil operations. Another, on Telvent, a subsidiary of France’s Schneider Electric, raised concerns about hackers gaining remote access to some pipeline control systems.

Exxon Mobil Corp. CEO Rex Tillerson acknowledged the concern in an interview with FuelFix this month, saying that his company and others must emphasize safe computer behavior to reduce growing online threats that pose physical risks.

The software controlling critical operations on many offshore rigs often is old and vulnerable, FuelFix has reported, and updating it can be complicated and costly.

But even without updating software, companies can reduce their risk by educating oil workers about computer use behavior that can help avoid malware infections.

“Security is a layered approach and it does take quite a bit of work to lock things down to reduce the risk,” said Paul Henry, a security and forensic analyst for Lumension Security. “But sticking your head in the sand is not the right solution, and, unfortunately, in many industries, that is exactly what is being done today.”

The U.S. Bureau of Safety and Environmental Enforcement, which requires oil companies to get independent inspections of their rigs’ safety systems before they can be used in the Gulf of Mexico, does not have explicit guidance about computer systems. The bureau believes, however, that its regulations require oil companies to ensure that their safety systems are not compromised by malware, spokeswoman Eileen Angelico said.

But Van Gemert, the Lloyd’s inspector, said most companies that perform the independent safety checks don’t require rig owners to clear malicious software or mandate behaviors that will improve security.

The result is that companies often obtain certification for safety systems that haven’t been checked for malware and security protocols.

Aging systems: Outdated software could cause offshore troubles

Lloyd’s, which does include computer safety checks in its inspections, has rejected about two dozen verifications because of malware or other computer-related problems, Van Gemert said.

ABS, another independent inspector of rig safety systems, does not check for viruses or insist on computer security measures as part of its reviews. The organization will consider adjusting its approach if companies and the government call for a change, spokeswoman Judy Murray said.

“The rules and guides ABS develops for the oil and gas industry are created and updated based on input from industry and other stakeholders,” Murray said.

Paris-based Bureau Veritas, which also conducts inspections, did not respond to requests for comment.

Lloyd’s does initial scans for malware before rigs go to sea, and examines systems for vulnerability to infection, Van Gemert said. It also requires companies to have clean, back-up copies of their software so they can restore systems quickly if they are infected.

ABS offers a similar computer review service, but it is not a mandatory part of its verification process.

“I get people fighting me all the time on it,” Van Gemert said of his inspections of rig computers. “They tell me it’s a closed system” that is not connected to the Internet. That attitude tends to make Van Gemert more diligent, he said, because the lack of caution means the systems probably is compromised.

He recalled getting that kind of resistance from an operator in the Gulf of Mexico. Its system turned out to contain so much malware that the system had to go offline for more than a week.

“It was about 10 days before we got the system cleaned,” Van Gemert said.


Read ongoing FuelFix coverage of the cyberattack threat to the energy industry: