The energy and maritime industries represent a target rich environment for cyber-attacks by criminals, terrorists, and hacktivists. While their respective goals may differ, the risks and potential consequences of a successfully executed cyber-attack may be severe—even if the attacker did not intend to cause such major consequences.
Many energy workers have experienced how quickly and easily malware and viruses can be accidentally transferred to OT systems. For example, through e-mail or unsecure websites, via infected devices brought in from the outside. Along with increasing levels of digitalization and automation, the potential for damaging consequences increase equally. Even more disturbing is the fact that many cyber-attackers today are extremely well financed and organized, capable of launching highly sophisticated attacks. Hacker tools are available for sale on the black market, providing perpetrators with a comprehensive toolbox to build from.
Back in 2013, researchers at University of Texas, Austin demonstrated how they by building a GPS spoofer could manipulate ship navigation. 4 years later, around the same time Maersk was fighting the effect of NotPetya, an incident affecting GPS signals caused about 20 ships in the Black Sea to head towards a specific airport, far out of their positions. It has not been determined if this was a targeted spoofing attack or an unintentional incident. It did however demonstrate the effect of geolocation interference that today can be achieved using commercial hardware and software – compared to years of significant effort the researchers had to spend only a few years ago.
Like ships, assets in the Oil & Gas industry used in exploration, drilling, transportation and production, depends on a myriad of inter-connected industrial automation and control systems. Today, this industry is undergoing a massive digitalization process offering new insight, efficiency, optimization and the ability to keep people away from harmful tasks. Taking advantage of digitalization and increased connectivity however also means opening up OT systems to cyber threats.
Better security practices and solutions are required
International and national standardization and regulatory activities to protect OT systems in the Oil, Gas and Maritime industry are starting to take form. Examples are voluntary guidelines issued by or referred to by regulators. The goal of these guidelines is to ensure a common adequate level of security in all parts of the supply chain affecting Oil, Gas or Maritime assets. Often they refer to, or reference industry generic internationally recognized standards.
In addition to NIST CFS, IMO refer to other relevant best practices: BIMCOs Guidelines on Cybersecurity Onboard Ships and ISO/IEC 27001.
International Association of Drilling Contractors
Secure-NOK has chaired the IADC Cybersecurity Committee since its beginning as a Work Group in 2014. We and others have contributed our expertise in developing policies, processes and technology to ensure security. In close cooperation with the industry, it is made sure everything we propose is practical and can be realistically utilized in a driller’s environment and mode of operation. The result of this effort is a series of user-friendly guidelines designed to help drillers becoming more secure:
Key to a Cybersecurity Program
Once the required organizational support and scope of the Cybersecurity Program is in place, the strategy and requirements for the program must be established. This usually include selecting a relevant and recognized standard to be used as inspiration and guidance.