In the aftermath of devastating incidents such as Piper Alpha and Deepwater Horizon, the oil and gas industry has taken significant strides in enhancing safety measures. Advancements in safety regulations combined with a deeper understanding of associated risks have significantly bolstered the integrity of offshore oil and gas (O&G) platforms, making them more resilient to potential disasters. Additionally, emphasis on the cybersecurity of these offshore platforms increased in tandem with the growing interconnectivity of our digital age. In recent years, the industry has placed a significant focus on ensuring security, particularly as diverse communication methodologies challenge traditional air gap isolation techniques.
In this article, we’ll conduct a retrospective analysis of cybersecurity incidents targeting offshore oil platforms. We will then explore the current prevailing threats that pose a risk to connected O&G platforms. To round off our discussion, we will offer strategic mitigation measures tailored to address each of the identified cybersecurity challenges.
Why Should You Secure Offshore O&G Platforms?
In October 2022, the United States Government Accountability Office (GAO) conducted a comprehensive review in response to requests from over 1,600 offshore Oil & Gas (O&G) facilities. This review highlighted the pressing cybersecurity challenges facing offshore O&G infrastructure, categorizing various issues. One key finding from this review was the identification of remote exploitation of services and Operational Technology (OT) systems as the cyber threat we should predominantly focus on.
Much like traditional OT environments, offshore oil and gas platform systems were once largely isolated from both the internet and business IT infrastructures. However, in contemporary settings, these platforms are now often interconnected with intra-company systems and are accessible to the internet globally. GAO explains that this underscores the growing urgency to address cybersecurity needs in the offshore O&G sector.
Core Components of an Offshore O&G Platform
Before we can analyze the common vulnerabilities, we first introduce general components inside an offshore O&G platform.
- Hardware: This encompasses a range of equipment including sensors, actuators, Remote Terminal Units (RTUs), Programmable Logic Controllers (PLCs), server apparatuses such as racks and CPUs, routers, and access control mechanisms like smart cards, RFID tags, and valves.
- Firmware: Firmware acts as the intermediary between hardware and software. It contains the operating system and carries the essential data and instructions that orchestrate the hardware’s functionality.
- Software: This layer comprises the Human-Machine Interface (HMI) for both onshore and offshore operations, specialized proprietary software packages, and other essential software utilities.
- Network: This involves communication pathways, which could be both wired and wireless. They span from wireless protocols to 4G/5G cellular networks, satellite communication methods like VSAT and KA-SAT, and optical fiber connections.
- Process: This pertains to the meticulously delineated business logic of the Industrial Control System (ICS) and the configuration of the control system.
Cyber Threats to Offshore O&G Infrastructure
As discussed previously, communication methods like satellite communications (SATCOM) and cellular networks enhance connectivity. This streamlines O&G site operations and monitoring but also expands the threat landscape.
While these enhanced communication capabilities offer convenience, they also expose the infrastructure to numerous vulnerabilities. In addition to challenges posed by legacy protocols and devices, telecommunications are emerging as primary attack vectors. In this section, we will explore these vectors and outline potential threat scenarios.
Offshore platforms employ three primary communication channels to connect with the world at large. Ironically, as connectivity intensifies, so does the potential attack surface. Below, we will narrow our focus and elucidate in detail several threat scenarios.
Satellite Communication (SATCOM)
Despite the substantial costs associated with SATCOM, it remains a predominant choice for offshore communication. Its market relevance is steadily ascending. SATCOM facilitates remote management, enabling offshore O&G platforms to exchange critical operational data with onshore experts, such as valve control, flow measurements, and leak detection. Additionally, SATCOM serves entertainment needs for onboard crew members.
However, SATCOM is not impervious to vulnerabilities. A comprehensive white paper by IOActive found that many SATCOM devices exhibit the following weaknesses:
- Backdoors: Research exposed vulnerabilities in the Hughes BGAN terminal, which could be remotely accessed via an SMS message. Leveraging the default SMS remote control password, adversaries could potentially compromise the system.
- Hardcoded Credentials: Firmware reverse engineering unveiled hardcoded credentials, providing an avenue for remote logins or unauthorized firmware updates. (CVE-2013-6034)
- Insecure Protocols: The ThraneLINK protocol neglects to verify cryptographic signatures before executing firmware updates. Malicious actors could craft SNMP requests, compelling the device to download tampered firmware from a designated TFTP server. (CVE-2013-0328)
- Undocumented Protocols: The Zing protocol, comprising byte length, memory address, and data in its payload, transmits data sans protective measures. (CVE-2013-6035)
- Weak Password Resets: Some reset functions can be easily deciphered. For instance, certain COBHAM devices (CVE-2013-7810) use an MD5 hash of the device serial number combined with a hardcoded string.
Subpar security practices and outdated protocols within SATCOM devices pave the way for malevolent actors to implant rogue firmware and manipulate, or entirely stifle, communication. A recent example occurred on February 24, 2022, when multiple SurfBeam2 and SurfBeam 2+ modems were hit by a series of Denial of Service (DoS) attacks that rendered them non-functional.
5G/LTE Cellular Networks and Offshore Operations
Beyond satellite communication, the advent of cellular networks, particularly 5G and LTE, has significantly boosted connectivity for offshore endeavors. This is particularly vital for offshore drilling rigs, which must ensure uninterrupted communication with onshore experts to maintain operational efficiency and, most importantly, stringent safety standards. However, this advancement in communication infrastructure is not without its vulnerabilities. What’s concerning is that many of these security weaknesses persist across different network generations due to the networks’ backward compatibility features.
Elaborating further, several vulnerabilities inherent to 5G cellular networks have been catalogued:
- Authentication and Key Agreement (AKA) Attack: This vulnerability permits an attacker to infiltrate a service network under the guise of a legitimate user, essentially masquerading as someone else.
- Message Interception: While message authentication can validate the source and content of a message, it lacks robust protective measures against message duplication or alterations. This shortfall potentially allows malevolent entities to eavesdrop, spoof, or even downgrade communications to legacy systems like 3G or 2G.
- Distributed Denial of Service (DDoS): Malefactors can rapidly deplete spectrum resources by monopolizing multiple frequencies. Additionally, the device-to-device (D2D) communication feature, intrinsic to 5G, presents another vulnerable node for such attacks.
Taking a deeper dive, the investigative work of Altaf Shaik et al. has unearthed an array of further attack paradigms targeting cellular networks. These include:
- Identification Attacks: These allow attackers to discern and catalogue devices, be it hardware or software configurations, while operating within the cellular network’s sphere.
- Bidding Down Attack: Through this mechanism, adversaries can seize control of inter-device communications, deliberately throttling data rates and disabling Voice over LTE functionality. This forceful intervention compels users to revert to the more assailable 3G/2G networks.
- Battery Draining Attacks: This strategy specifically targets NB-IoT and LTE-M devices, deactivating their power conservation features and consequently accelerating battery depletion.
The repercussions of compromised cellular networks are grave. Adversaries equipped with such access can eavesdrop on communications, forcibly downgrade network capacities, or even sever communication links entirely. In the context of O&G platforms, this could culminate in a complete loss of operational control.
Cyberattack Dynamics on Oil and Gas Platforms
As cyber adversaries find gateways into systems, whether via SATCOM or advanced telecommunication channels such as 5G/LTE, they frequently go on to engage in malicious activities such as device sabotage or data exfiltration. We delve into some conceivable attack scenarios herein:
OT Protocol Vulnerabilities to MiTM Attack
- OPC MiTM Attack: Alessandro Erba et al. have brought attention to the inadequate security implementations of the OPC UA protocol by various vendors. Many vendors either do not activate a SecurityMode at all or, if they do, rely on weak cryptographic algorithms. This lack of security creates opportunities for adversaries to intercept OPC UA traffic by deploying rogue server or client instances. One particularly dangerous form of this attack is the man-in-the-middle attack, in which a rogue server interacts with an unsuspecting client, exploiting these weaknesses.
- Modbus MiTM Attack: The Modbus TCP protocol is particularly vulnerable due to its unencrypted payload. Research illustrates this vulnerability with a testbed demonstration where Modbus TCP was effortlessly intercepted using tools like Ettercap. Consequently, adversaries can passively monitor the network or actively manipulate payloads exchanged between Modbus masters and slaves.
Following a successful MiTM assault, attackers can execute:
- Data Sniffing: Attackers would gain access to the HMI and sensitive information such as pressure and temperature values, production flow rates, and maximum allowable working pressure (MAWP). This could lead to significant data breaches, including exposure of production parameters and sensitive sensor data.
- Data Tampering: Adversaries might falsify sensor outputs to deceive control systems. They can also manipulate, delete, or introduce commands during data transmission. For instance, an attacker could hoodwink a Programmable Logic Controller (PLC) by falsely indicating low oil tank levels. Misled by this data, the PLC might continually fill the tank, culminating in a catastrophic oil spill.
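As an added illustration (not code from the original article), the following Python monitor decodes Modbus/TCP request frames and checks the two things a passive sensor can still verify on this unauthenticated protocol: write commands from a host other than the HMI, and register values outside their engineering range, as in the tank-level tampering scenario above. The HMI address, register map and limits are assumed values, and the sample frames are constructed.

```python
import struct
from collections import namedtuple

# Modbus function codes that change PLC state (reads are FC 1-4).
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

# Assumed (hypothetical) plant context: the HMI allowed to write, and the
# plausible range of two holding registers used in the PLC scenario.
AUTHORIZED_WRITERS = {"10.10.1.5"}
REGISTER_LIMITS = {40: (0, 1000),   # tank level, 0.1 % units
                   41: (0, 100)}    # pump speed setpoint, %

Frame = namedtuple("Frame", "tid unit fc addr values")

def parse_modbus_tcp(adu: bytes) -> Frame:
    """Decode the 7-byte MBAP header plus the read/write PDUs handled below."""
    tid, proto, length, unit = struct.unpack(">HHHB", adu[:7])
    if proto != 0 or length != len(adu) - 6:
        raise ValueError("malformed MBAP header")
    fc = adu[7]
    if fc in (3, 4, 6):                       # addr + quantity/value, 2 bytes each
        addr, val = struct.unpack(">HH", adu[8:12])
        return Frame(tid, unit, fc, addr, [val] if fc == 6 else [])
    if fc == 16:                              # addr, quantity, byte count, values
        addr, qty, nbytes = struct.unpack(">HHB", adu[8:13])
        if nbytes != 2 * qty or len(adu) != 13 + nbytes:
            raise ValueError("inconsistent byte count")
        return Frame(tid, unit, fc, addr, list(struct.unpack(f">{qty}H", adu[13:])))
    return Frame(tid, unit, fc, None, [])     # other PDUs: only the code is kept

def inspect_frame(src_ip: str, adu: bytes) -> list:
    """Alert strings for one request frame; a heuristic for a passive monitor, not a substitute for authenticated protocols."""
    alerts = []
    f = parse_modbus_tcp(adu)
    if f.fc in WRITE_FUNCTIONS:
        if src_ip not in AUTHORIZED_WRITERS:
            alerts.append(f"{WRITE_FUNCTIONS[f.fc]} from unauthorized host {src_ip}")
        for i, v in enumerate(f.values):
            lo, hi = REGISTER_LIMITS.get(f.addr + i, (0, 0xFFFF))
            if not lo <= v <= hi:
                alerts.append(f"register {f.addr + i} value {v} outside [{lo}, {hi}]")
    return alerts

# Constructed sample traffic (hex ADUs): an HMI read of register 40, an HMI write
# setting it to 650, and a rogue host writing registers 40-41 with 0 and 65535.
SAMPLES = [("10.10.1.5", "000100000006010300280001"),
           ("10.10.1.5", "00020000000601060028028a"),
           ("10.10.1.77", "00030000000b011000280002040000ffff")]
```

Running `inspect_frame(src, bytes.fromhex(adu))` over `SAMPLES` yields no alerts for the HMI frames and two for the rogue write (unauthorized source, and register 41 out of range).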
Denial of Service (DoS) Attack
If a DoS assault is successful, it has the potential to incapacitate critical control mechanisms. Among these, the Emergency Shutdown System (ESD) stands as a linchpin for ensuring the safety of operations. Imagine a scenario where an attacker floods a Programmable Logic Controller (PLC) with a barrage of Modbus request packets. The resulting failure of the PLC would render the ESD inoperative. In such a dire situation, human operators find themselves in jeopardy. They are suddenly left without the means to initiate an emergency shutdown, potentially facing grave physical harm due to their inability to mitigate a hazardous situation.
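Added example, not from the original article: a sliding-window detector for the Modbus request flood just described, run over a constructed capture in which an HMI polls a PLC normally while a rogue host floods it from t=5 s. Addresses and thresholds are assumptions; the per-destination count goes slightly beyond the text by also catching a flood spread across several sources.

```python
from collections import defaultdict, deque

# Assumed (hypothetical) baseline: an HMI polls a PLC a few times per second,
# so more than 50 requests from one source to one PLC within 1 s is a flood,
# and more than 200 requests to one PLC from all sources combined is as well.
MAX_PER_SOURCE = 50
MAX_PER_PLC = 200
WINDOW_SECONDS = 1.0

def detect_floods(events, limit=MAX_PER_SOURCE, dst_limit=MAX_PER_PLC, window=WINDOW_SECONDS):
    """events: time-ordered (timestamp_s, src_ip, dst_ip) tuples, one per
    Modbus/TCP request. Returns {(src, dst): timestamp when the flood was
    first detected}; the key ("*", dst) marks an aggregate flood on a PLC."""
    per_pair = defaultdict(deque)      # (src, dst) -> timestamps inside the window
    per_dst = defaultdict(deque)       # dst -> timestamps inside the window
    flagged = {}
    for ts, src, dst in events:
        for key, q, cap in (((src, dst), per_pair[(src, dst)], limit),
                            (("*", dst), per_dst[dst], dst_limit)):
            q.append(ts)
            while ts - q[0] > window:  # slide the window forward
                q.popleft()
            if len(q) > cap and key not in flagged:
                flagged[key] = ts
    return flagged

def synthetic_capture():
    """Constructed traffic: the HMI polls the PLC at 4 Hz for 10 s; from t=5 s
    a rogue host fires 200 requests/s at the same PLC, the scenario in the text."""
    hmi = [(i * 0.25, "10.10.1.5", "10.10.2.20") for i in range(40)]
    flood = [(5.0 + i * 0.005, "10.10.1.99", "10.10.2.20") for i in range(1000)]
    return sorted(hmi + flood)

if __name__ == "__main__":
    for (src, dst), ts in detect_floods(synthetic_capture()).items():
        print(f"flood from {src} to {dst} detected at t={ts:.3f}s")
```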
In more grave circumstances, adversaries could seize control over entire workstations. Under their malicious command, attackers can use these workstations to override commands, changing the behavior of pumps and actuators as they please. More alarmingly, PLCs — typically programmed to adhere to safe operational thresholds such as maximum permissible pressures and flow rates — could be jeopardized. With a compromised workstation and PLC interaction, the entire platform’s safety hangs in the balance, and the possibility of a catastrophic explosion becomes all too real.
Having delineated possible attack scenarios rooted in vulnerabilities of communications and protocols, we propose the following countermeasures to effectively mitigate these threats:
- Authentication: Facilities must conduct periodic reviews and rigorously implement authentication and authorization measures across all entities. This includes the use of Access Control Lists (ACL), endorsing the principle of least privilege, and eschewing the use of hardcoded credentials.
- Patching & Updating: Regularly updating operating systems, workstations, and firmware is paramount to preempt potential vulnerabilities. This applies to telecommunication devices, workstations, and controllers alike.
- Encryption: Communication within facilities should be safeguarded using encryption. For instance, the OPC UA security mode should be configured to either ‘Sign’ or ‘SignAndEncrypt’, embracing robust cryptographic algorithms and, by default, deactivating weaker ones.
- Network Segmentation: It’s imperative for facilities to implement meticulous network segmentation to shield vital systems; this entails isolating critical infrastructure, corporate networks, and DMZs.
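As an added example (not the article's own code), the following Python audit applies the Encryption and Authentication countermeasures above to the endpoints an OPC UA server advertises: endpoints with SecurityMode None or a deprecated policy are marked for disabling, and otherwise secure endpoints that still accept anonymous user tokens are flagged for hardening. The endpoint dicts mirror the fields of an OPC UA EndpointDescription; the gateway URL and endpoint list are constructed.

```python
# OPC UA SecurityPolicy URIs and MessageSecurityMode values follow the OPC UA
# specification (mode None=1, Sign=2, SignAndEncrypt=3; UserTokenType.Anonymous=0).
POLICY_PREFIX = "http://opcfoundation.org/UA/SecurityPolicy#"
MODE_NAMES = {1: "None", 2: "Sign", 3: "SignAndEncrypt"}
DEPRECATED = {"Basic128Rsa15", "Basic256"}          # SHA-1 based, deprecated since UA 1.04
STRONG = {"Basic256Sha256", "Aes128_Sha256_RsaOaep", "Aes256_Sha256_RsaPss"}
ANONYMOUS_TOKEN = 0

def audit_endpoint(ep):
    """ep mirrors one EndpointDescription from a GetEndpoints response:
    {"endpointUrl", "securityPolicyUri", "securityMode", "userTokenTypes"}.
    Returns (verdict, findings) with verdict in {"disable", "harden", "ok"}."""
    policy = ep["securityPolicyUri"].rsplit("#", 1)[-1]
    mode = ep["securityMode"]
    findings = []
    if mode == 1 or policy == "None":
        findings.append("SecurityMode None: traffic is neither signed nor encrypted")
    if policy in DEPRECATED:
        findings.append(f"{policy} relies on SHA-1 and is deprecated")
    elif policy not in STRONG and policy != "None":
        findings.append(f"unrecognised policy {policy}")
    if findings:
        return "disable", findings
    if ANONYMOUS_TOKEN in ep.get("userTokenTypes", []):
        findings.append("anonymous logins allowed: no per-user authorization")
    if mode == 2:
        findings.append("Sign only: tampering is detectable but process data is readable")
    return ("harden" if findings else "ok"), findings

def audit_server(endpoints):
    """Return ({(policy, mode): verdict}, has_ok) for a server's endpoint list."""
    report = {}
    for ep in endpoints:
        policy = ep["securityPolicyUri"].rsplit("#", 1)[-1]
        report[(policy, MODE_NAMES[ep["securityMode"]])] = audit_endpoint(ep)[0]
    return report, "ok" in report.values()

# Constructed endpoint list, shaped like a GetEndpoints reply from a PLC gateway
# commissioned with every policy enabled (the weak default the text warns about).
def _ep(policy, mode, tokens):
    return {"endpointUrl": "opc.tcp://plc-gw.rig.example:4840",
            "securityPolicyUri": POLICY_PREFIX + policy,
            "securityMode": mode, "userTokenTypes": tokens}

SAMPLE_ENDPOINTS = [_ep("None", 1, [0, 1]), _ep("Basic128Rsa15", 2, [1]),
                    _ep("Basic256Sha256", 3, [0, 1, 2]), _ep("Aes256_Sha256_RsaPss", 3, [2])]
```

`audit_server(SAMPLE_ENDPOINTS)` marks the first two endpoints for disabling, the third for hardening (anonymous token), and accepts the fourth.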
Furthermore, the deployment of firewalls and Intrusion Detection Systems (IDS) is non-negotiable. Notably, several researchers have championed machine-learning (ML) driven IDS. Given training conditions that faithfully simulate the plant, these systems can become very useful in assisting operators with anomaly detection.
The evolution of offshore communication technologies has accelerated considerably alongside the expansion of connectivity. Consequently, the potential for malicious incursions into offshore O&G platforms has also risen. The need for robust fortifications against these cyber threats cannot be overstated.
Design flaws in telecommunication and inadvertent misconfigurations or misuse of various ICS protocols can amplify vulnerabilities, making defense increasingly challenging. To successfully fend off these looming cyber threats, O&G platforms must confront these risks head-on, armed with comprehensive regulations and cutting-edge cybersecurity tools.