"Threat actors also include insiders who just want to fix one line of code. The problem is, they download a change to the PLC and everything stops." Diamond Offshore’s Greg Villano discussed the many threats to operational integrity onboard its drilling vessels.
Offshore drilling rigs are highly reliant on automation to keep them running, and as with other highly automated industrial assets, they can be vulnerable to cyberattack.
"There is no end date for security, the battle never ends," said Greg Villano, industrial automation & control systems (IACS) superintendent at Diamond Offshore, who discussed the company’s multi-year journey to secure its offshore drilling rigs at this week’s Rockwell Automation TechED event in San Diego.
As part of Diamond Offshore's IACS Security Office/Cybersecurity Incident Response Team, Villano is working to identify the many threat actors and protect the many automation systems on the company’s offshore drilling vessels. A big key to the ongoing project’s success is the use of Rockwell Automation FactoryTalk AssetCentre and Cisco Threat Detection Services. With its use, the company now has systems in place to help detect and respond to security threats and expedite the recovery process for critical systems.
Real threats, big names
There are many ICS threat actors, and his can include nation states, terrorists and hacktivists. "And it's more than just certain entities that are not happy about drilling in some areas and want to set the rig on fire," said Villano. "Threat actors also include insiders who just want to fix one line of code. The problem is, they download a change to the PLC and everything stops."
Even though Diamond Offshore is a small company, it works for and is contracted by major corporations that are demanding cybersecure operations. "Big names in the industry hire our rigs and our crews to drill wells for them," said Villano. "Initially, the project was driven by our customers. They came to us and said, show us your policies for industrial control systems and remote access procedures. They then asked us to prove we were following them."
Access to a floating city
One of the company’s typical ships is 757 ft long and 118 ft wide, with a 73x42-ft hole in the center. It can drill in up to 12,000 ft of water and can drill to a depth of 40,000 ft below that. It can house 210 people—a full hotel with air conditioning and galley running 24/7/365. The ship generates its own energy and provides thruster control and dynamic positioning to keep it within a 30 foot circle while drilling. When disconnected, it's a vessel that can travel at up to 12 knots.
The vessels are small floating cities. "I'm out there to fix and protect everything from the power generation, drilling, propulsion, satellite system and engine controls to the Braun coffee maker in the galley," said Villano.
Due to a vessel's isolated location perhaps hundreds of miles off shore, its operations rely heavily on remote access from vendors, said Villano. "This creates multiple routes into our networks for vendor support that we are paying for,” he said. “We were basically paying vendors to have access to our systems, and they could do just about anything without us knowing. A laptop could be plugged in and have free reign of every device within the network."
Security solution
"The first steps for security was identifying what we had," said Villano. “Knowing what we had was important because it made it easier to see the new devices that were added—that nobody was aware of. We didn't have visibility in the past. Seeing unknown, wireless routers was a first step to protection. Identification was a huge piece. Once we could see them, we could protect the networks by adding policies and procedures."
Diamond Offshore started using Claroty tools to look at controllers in four sister vessels and found differences in the firmware of each processor. "They were not sisters any more," said Villano. "The Claroty tools work with FactoryTalk AssetCentre to monitor vessel automation systems, provide centralized tools to minimize downtime due to unauthorized actions or failing devices, and manage the lifecycle of Rockwell Automation hardware devices in the system. FactoryTalk AssetCentre is being used to compare valid master copies of operating software to what is running on the 20 or so PLCs controlling the drilling rig.
From many to one
"When we started this security journey, we gathered all the vendors in a room, and each wanted to build a solution," said Villano. "We didn't want all different solutions. We wanted a single security solution that would work with any vendor. That's when we found the Rockwell Automation/Claroty solution—a vendor agnostic system."
“It gave us visibility into every network without being tied to a specific vendor,” continued Villano. “We even worked with Claroty to reverse engineer a proprietary Kongsberg thruster control protocol to give us plain text visibility of configuration uploads and downloads," he said. "With FactoryTalk AssetCentre and Claroty, we could monitor it all and get alerts when things were changed."
The solution also provided secure remote access, which was an important feature to control PLC configuration and manage patches and changes. "We can watch remote access sessions and disconnect the session if we see something we don't like," said Villano. "We needed to control this third-party access and detect changes and anomalies.”
Today, five vessels are online with a comprehensive cybersecurity program with two more vessels to follow shortly. "We now have real-time monitoring of security incidents, process integrity issues, operational mistakes and important/risky system changes," said Villano.
