Risk Assessment of Offshore Oil And Gas Installations Under Cyber Threats


Research paper appeared in the EastWest 2012, International Congress and Exhibition, 1-4 Sept., 2012


Constantinos Hadjistassou, Antonis M. Hadjiantonis
University of Cyprus, KIOS Research Center for Intelligent Systems and Networks;    School of Engineering, PO Box 20537, 1678 Nicosia

ABSTRACT
Offshore oil and gas drilling and production systems are among the most high-tech energy assets in the industry. The complex mixture of systems and networks comprise a major critical infrastructure of the national and pan-European energy sector. It is, therefore, imperative to assess and address the risks for these infrastructures, especially under the light of emerging new cyber threats. In the context of two hypothetical cyber attacks one targeting the platform master control station and the other aiming to inflict damage to the reservoir formation we highlight the potentially catastrophic nature of malicious attacks and the need for multidisciplinary research and development efforts.

Offshore platform

INTRODUCTION
Herein we provide a high-level overview of operational control of offshore oil and gas installation, and overview the well-know Stuxnet malware incident and its importance and implications for the Energy Sector. In particular, we investigate the possibility of malevolent attacks against industrial control systems and software onboard an offshore production platform residing in Cyprus’s Exclusive Economic Zone (EEZ). In this context we investigate a scenario targeting the platform master control station and a second scenario aiming to inflict damage to the reservoir formation. Motives for such an assault may range from hackers seeking financial benefits, e.g. ransom, to bilateral State conflict. The Stuxnet incident has demonstrated that a determined and well-financed adversary can inflict severe damage even to seemingly isolated networked infrastructures. We therefore aim to raise awareness for the need to prepare and intensify R&D efforts for critical infrastructure protection.

OPERATIONAL CONTROL OF OFFSHORE OIL AND GAS INSTALLATIONS
Field developments strive to maximize value by recovering hydrocarbons in a reliable, safe, uninterrupted, economical, and environmentally-friendly manner. Operational control of the different systems is customary subdivided in the top-side and subsea control elements. In essence, the primary purpose of the control system is to regulate the opening and closing of valves and chokes on subsea trees, manifold/templates, and pipelines. Currently, most offshore hydrocarbons developments utilize the multiplex electrohydraulic control system. Taken together the Master Control Station (MSC), which acts as the interface between the operator and the subsea equipment, and the Subsea Control Module (SCM) constitute the “brain” and “nervous system” of the production system, respectively. However, like any other computerized system, offshore oil & gas floater systems are not immune to malicious cyber attacks.

The recent discovery of malware (malicious software, virus) like Flame (2012) and Stuxnet (2010) targeting for the first time industrial control systems have highlighted the susceptibility of critical infrastructures to cyber threats, even if they are operating in private networks and in isolation from the Internet.

INDUSTRIAL CONTROL SYSTEMS: VULNERABILITIES AND THREATS
The majority of Critical Infrastructure Systems are instrumented by special computerized systems, collectively known as Industrial Control Systems (ICS). ICS are command and control networks and systems designed to support industrial processes. These systems are responsible for monitoring and controlling a variety of processes and operations such as gas and electricity distribution, water treatment, oil refining or railway transportation.  The  largest  subgroup  of  ICS  is  SCADA  (Supervisory Control  and  Data  Acquisition)  systems.  According to ENISA[1] in  the  last  few  years,  ICS  have  passed  through  a significant  transformation  from  proprietary,  isolated  systems  to  open  architectures  and standard technologies highly interconnected with other corporate networks and the Internet.

Today ICS are often networked in local or wide area networks (LAN/WAN). In turn, these networks are either interconnected using private leased communication lines, or use secure tunnels (Virtual Private Networks) over the public Internet, creating a complex network of networks. In special cases, infrastructure networks remain locally isolated and disconnected from the outside world. The latter method, often referred to as “security via obscurity”, was considered a sufficient protection strategy for these networks. However, the latest generation of malware, with Stuxnet as its poster child has uncovered the severe vulnerabilities of industrial control systems, even in the case of network isolation.

According to the aforementioned ENISA report, the biggest challenges in ICS security are identified and it is worth noting two of them in the context of this paper. The 1st Challenge is the lack of specific initiatives on ICS security: “At the EU level, there are policy areas addressing Critical Infrastructure Protection and Critical Information Infrastructure Protection (CIIP). However, none of them are addressing ICS specifically. A European Commission Communication [COM(2011) 163] recognizes that new threats have  emerged, mentioning Stuxnet explicitly. However, new activities proposed by this Communication on CIIP do not include any specific to ICS. In this context, ENISA has already stated that after Stuxnet, currently prevailing on CIIP will have to be reconsidered.” Another challenge identified in ENISA’s report is the difference in the ruling security paradigms between classic ICT and ICS environments. “The ruling security paradigm in Classic ICT systems’ security is based on the CIA model (Confidentiality, Integrity, Availability), but in the ICS environment the SRA model (Safety, Reliability, Availability) is predominant, often referred to as AIC (the inverse of CIA) to emphasize the priority given to Availability.

Although the incident of Stuxnet malware in 2009 raised the profile of cyber security and ICS vulnerabilities, the incident should be examined with caution as its continued examination has revealed that only a state actor could have financed and executed this kind of an attack. An article in Der Spiegel [2] refers to European intelligence agency statement that “it would have taken a programmer at least three years to develop Stuxnet, at a cost in the double-digit millions”. Nonetheless, it highlights the potential impact a determined attacker can inflict, which in the case of Stuxnet is amounted to the delay of Iran’s nuclear program due to extensive damage inflicted on six cascades containing 164 Iranian IR-1 centrifuges used in producing uranium-235 from uranium hexafluoride gas.

ATTACK SCENARIOS AGAINST OFFSHORE OIL AND GAS INSTALLATIONS
In this context, we investigate two scenarios affecting the safe and uninterrupted production of hydrocarbons after a malicious attack on the MCS unit which, in turn, affects the operation of the SCM. Both scenarios examine the potential implications on personnel safety, equipment and environmental hazards and economic risks. The first scenario focuses on false water and hydraulic pressure, temperature, flow and other readings displayed on the computer interface of the MSC. The second scenario explores in detail the potential damage to the reservoir formation which constitutes the most valuable asset of the subsea development. Potential environmental matters such as the release of liquid and gaseous hydrocarbons in the sea and potential adverse effects on marine life are investigated.
Before proceeding to present and analyze the two scenarios which arise from the action of the cyber attackers, we set the stage by epigrammatically presenting the principles of operation of the multiplexed electrohydraulic control system.

THE MULTIPLEXED ELECTROHYDRAULIC CONTROL SYSTEM
The multiplexed electrohydraulic control system (MECS) is typically divided into the: (a) the topside (above the waterline fixed or floating installation) and (b) the subsea (at the seabed) control structures [3]. The topside control units consist of the electrical power unit, the topside umbilical termination unit, the hydraulic power unit, the topside junction box, the master control station, and other components. Below the free-surface, the subsea control components include: umbilicals, electrical and hydraulic flying leads, the subsea umbilical termination unit, the subsea control module, etc. Besides the control of the subsea development valves, the control system provides important chock control and vital diagnostics. Subsequently, we outline the two scenarios.

1. FALSE READINGS AT THE MASTER CONTROL STATION
The Master Control Station (MCS) is an indispensable component of the multiplexed electrohydraulic control system. Located at the host (platform) facility the MCS serves as an interface between the operator and the subsea components. Communications between the topside unit and the subsea equipment is facilitated via electronic messages. The MCS interfaces with the host facility using a supervisory control (SCADA) network. Executions comprise various functions such as subsea well and manifold control, contingency shutdown, and data acquisition. A human/machine interface (HMI) relays commands from the operator to the subsea equipment. A monitor offers the visual means for observing subsea operations and controlling equipment while a keyboard interfaces with the user.

Similar to a computer, the MCS presents vulnerabilities in terms of being inflected with malicious software. Even when the HMI is not connected to the outside world via the Internet acute risks could originate from the people working onboard the platform. Since the 1980s independent oil companies (IOCs) outsource to third party companies a large proportion of the non-core oil & gas operations such as measurements while drilling (MWD), the provision of drilling mud, or catering services. Therefore, different subcontractors which employ a large number of technical and scientific personnel, may gain access to the platform and its different control and operational systems. Mainly due its role of acting as the “nervous system” of the platform, the MCS may be perceived as an attractive system for inflicting damage to the platform, its personnel or the natural resource. Consequently, one should expect the MCS to be a popular target for potential hackers, terrorists, or state sponsored agents.

Given the high stakes of accidents, hydrocarbon platforms offer a high degree of redundancy against equipment failures. This is attributed to the fact that hardware malfunctions may prove catastrophic both to the asset and/or the onboard personnel. Consider for instance the loss of the Piper Alpha natural gas production platform in the North Sea, in 1988, which resulted in the loss of 167 men and the rig itself. Notably platforms are armed with sophisticated subsurface safety valves capable of automatically closing down when sensors detect a drop in the pressure at the surface [4]. Manual shut-off switches also offer the possibility of ceasing hydrocarbon production from subsea wells and pipelines.

In an attempt to overcome the automatic contingency mechanisms of the platform, a sophisticated malicious code can be programmed to provide false on-screen readings regarding the operation of the subsea wells. Hence, this is one of the ways to deceive the operator that the subsea wells operate according to safe practices. In the meantime though, compromising the MCS implies that cyber criminals can influence functions such as the: a) choke control, b) hydrate formation, c) tree valve control, (d) subsea sensor monitoring, etc. This type of “man-in-the-middle” attack was employed by Stuxnet, which recorded normal measurements during safe operation, and played those back during the time it was interfering with the safe operation of Iranian centrifuges. In other words, false readings were presented to the operator, while centrifuges were spinning out of control. The intelligent and intermittent use of this attack made its discovery extremely hard. In fact it was only discovered once heavy damage to centrifuges was inflicted.

Manipulating the HMI readings while instructing the subsea control module to operate outside its safety envelope can prove hazardous for the equipment but more importantly for the offshore natural resource asset, the marine environment and the personnel. Of significant importance is the fact that most often than not the recovery of hydrocarbons cannot be interrupted. Clearly by any means the operator will be prepared to consent to any demands however bizarre in order to avoid a catastrophic failure of the offshore asset which is usually a multi-billion dollar investment. If the cyber criminal wishes to impose to a disastrous damage to the platform this is a very elaborate task requiring specialized coding intended to fool the automatic shut-down mechanisms. In the sequel, we investigate the scenario where cyber criminals damage the reservoir formation.

2. RESERVOIR DAMAGE FORMATION
When the operator of an offshore hydrocarbons production installation detects a malicious attack, following a preliminary assessment of the situation and in accordance with the company guidelines, the natural reaction will be to halt production. This is not the optimum way for an active hydrocarbons system but given the degree of uncertainty it is a prudent decision especially if the accommodation block is located at the same platform. Yet this decision is not without its perils. Even in hurricane prone areas, such as the Gulf of Mexico, operators choose not to completely cease hydrocarbons extraction mainly due to various technical subtleties. Halting oil or gas production in deep or ultra-deep water could pose some grave risks to the reservoir which constitutes the most important asset of the subsea development.

Depending on the water column temperature, the well pressure and temperature, and hydrocarbons composition, such as the presence of liquids, there is considerable risk of jeopardizing flow assurance. The formation of hydrates, for example, can clog flow lines, flexible and rigid marine risers. Understandably the costs of bringing the hydrocarbons system online again could be substantially high. Irrespective of the economic risks, safety considerations and environmental perils can outweigh damage to the subsea hardware and host platform notwithstanding the reservoir itself.

Potentially the attacker might also damage the hydrocarbons reservoir. Formation damage is a term used to describe the impairment of the permeability of a petroleum or natural gas-bearing reservoir by various adverse processes. Usually formation damage may be caused by factors such as physic-chemical, chemical, biological, hydrodynamic, and thermal interactions of porous formations, particles, and fluids and the mechanical deformation of the reservoir under stress and fluid shear [5]. Exploration & production (E&P) experts acknowledge that for the efficient exploitation of hydrocarbon reservoirs, formation assessment, control, and remediation need to be successfully addressed [6, 7].

Subsea wells are routinely injected with chemicals whose primary purpose are flow assurance and corrosion inhibition. Some chemicals are typically administered on a small volume continuous basis. Therefore, if an attacker assumes partial control of the MSC this raises the specter that chemicals might be used to inflict physical damage to the hydrocarbons reservoir. For example injecting an inappropriate dose of solvents such as soaps and acids or diesel could endanger the health of the formation. Formation damage could result in a drop in productivity of oil and gas reservoirs raising also the possibility of non-economically viable operations [5]. It should be emphasized that formation damage is not necessarily reversible. Therefore, it is highly desirable to avoid formation damage in the first place that implementing remedial measures in at attempt to restore rock permeability.

SUMMARY AND CONCLUSIONS
As demonstrated by the Macondo incident, in the Gulf of Mexico, and the Stuxnet episode, which targeted Iranian nuclear infrastructure, the stakes are high and potential economic/environmental costs could be massive. In spite the hype around the cyber threats and the rhetoric of cyber war, one should not underestimate the risks from coordinated cyber attacks to personnel safety, as well as to the valuable physical resources. Therefore, both States and companies ought to prepare against such emerging cyber threats and enhance their capabilities through continued R&D. To anticipate the emerging cyber threats to critical infrastructures and industrial control systems (ICS), an integrated approach is needed combining methodologies from Information Systems Security and ICS engineering. These technical tools may provide invaluable input to a holistic Risk Assessment framework employed by infrastructure operators.

REFERENCES
[1]    ENISA, “Protecting Industrial Control Systems – Recommendations for Europe and Member States ” 2011.
[2]    H. Stark. (2011, 08 Aug.) Stuxnet Virus Opens New Era of Cyber War. Der Spiegel Online.
[3]    Y. Bai and Q. Bai, Subsea Engineering Handbook. Burlington, MA: Gulf Professional Publishing, 2010.
[4]    A. P. Institute, “Security Guidelines For the Petroleum Industry,” ed, 2003.
[5]    F. Civan, Reservoir Formation Damage. Burlington: Elsevier, 2007.
[6]    K. E. Porter, “An Overview of Formation Damage,” J.P.T., vol. 41, pp. 780-786, 1989.
[7]    N. Mungan, “Discussion of An Overview of Formation Damage,” JPT, vol. 41, p. 1124, 1989.


Relevant posts:

Top ↑


[recaptcha_form]

Print Friendly
Share and Enjoy:
  • Print
  • Digg
  • StumbleUpon
  • del.icio.us
  • Facebook
  • Yahoo! Buzz
  • Twitter
  • Google Bookmarks
This entry was posted in Uncategorized and tagged , , , , , . Bookmark the permalink.