It shouldn’t come as a huge surprise – after all, anything that uses networked computing is at risk without the proper precautions – but independent researchers have declared oil rigs to be extremely vulnerable to hacking attempts.
While oil companies have made huge improvements in offshore safety and environmental protection, their efforts to secure important data have been poor, the SINTEF team says.
The group says that the current “integrated operations” model, which uses onshore workers to control processes carried out on the platform via networked PCs, leaves communications open to attack.
According to Science Daily, the team interviewed “key personnel in the petroleum sector” to get a sense of the data protection measures currently in place. The interviewees confirmed “that the number of safety incidents on production systems (platforms) has risen during past few years.”
Researchers said that hackers have already made their presence felt on oil platforms.
“The worst-case scenario, of course, is that a hacker will break in and take over control of the whole platform,” says SINTEF scientist, Martin Gilje Jaatun. “Luckily, this has not happened yet, but we have heard of a number of incidents that could have turned into something quite dramatic. For example, virus attacks have led to process electronic equipment becoming unstable.“
Frankly I’m surprised there haven’t been any major incidents so far, but it’s safe to assume that the inevitable resurgence of oil prices (not to mention the increasingly politicised nature of the fossil fuel industry) will make unmanned rigs into highly appealing target for hackers interested in protest or profit. [image by ccgd]
In fact, the profit motive is probably the stronger of the two… profit, or the prospect of free fuel. Any terrorist group or pirate nation looking for a ready source of the black gold would find it easy enough to hire some disaffected code-kiddie, then pay (or threaten) them enough to get them to bypass the security on an unmanned rig and then fiddle the telemetry for long enough to allow a physical invasion of the platform. Hey presto – a big base in offshore waters with all the oil you could ask for, and a target that even a major government is going to think twice about simply bombing to smithereens…
I can see the protest angle working, but I strongly suspect the profit angle is a no-go.
There is a world of difference between hacking the security of the data stream from an unmanned rig and actually taking over that unmanned rig by sending out the right commands.
The former is relatively easy: hack the safety and disturb the data, or turn it into gibberish. The latter is extremely difficult: they equipment on board of such rigs is highly specialised, tailor-made and company specific. So a hacker would have to know which software from which company is used on such a rig, and then also be both highly proficient not only in that software, but in the hardware – which is also very industry specific – as well.
Roughly speaking, it’s like invading Iraq: conquering the country might be relatively easy, keeping it occupied and running it smoothly is a whole different matter.
As to the invasion angle: unmanned rigs are anchored in place, thus they are easily surrounded by naval forces. Those naval forces would not need to blow the platform to smithereens: they would only need to starve the occupiers (there is only a small cache of emergency food on unmanned oil rigs).
Furthermore, such invaders would need a tanker, manned with trained personnel, to get that oil out. Your average navy frigate is two to three times faster than an oil tanker, and much more maneuverable.
So I think the disruptive angle is very well possible, but the profit angle is extremely unlikely to succeed.