Slashdot Mirror

← Back to Stories (view on slashdot.org)

Offshore Drilling Rigs Vulnerable To Hackers

Posted by Soulskill on from the what-do-you-mean-software-needs-to-be-updated dept.

Hugh Pickens writes "Foreign Policy magazine reports that a research team from the SINTEF Group, an independent Norwegian think tank, has warned oil companies worldwide that offshore oil rigs are highly vulnerable to hacking as they shift to unmanned robot platforms where vital operations — everything from data transmission to drilling to sophisticated navigation systems that maintain the platform's position over the wellhead — are controlled via wireless links to onshore facilities. 'The worst-case scenario, of course, is that a hacker will break in and take over control of the whole platform,' says Martin Gilje Jaatun, adding that it hasn't happened yet, but computer viruses have caused personnel injuries and production losses on North Sea platforms. The list of potential cyberattackers includes ecowarriors aiming to jack up an oil firms' production costs, extortionists drawn to oil firms' deep pockets, and foreign governments engaging in a strategic contest for ever-more-scarce global oil reserves, says Jeff Vail, a former counterterrorism and intelligence analyst with the US Interior Department. 'It's underappreciated how vulnerable some of these systems are,' says Vail. 'It is possible, if you really understood them, to cause catastrophic damage by causing safety systems to fail.'"

7 of 116 comments (clear)

  1. A proper shell account by Krneki · · Score: 5, Funny

    Now, "I got a shell account" gets a whole new meaning.

    --
    Love many, trust a few, do harm to none.
  2. Hack The Planet by ticklemeozmo · · Score: 4, Funny

    I hope nobody finds the old Davinci Virus which was written about 25 years ago...

    --
    When modding "Informative", please make sure it both has a source and IS actually informative.
  3. SINTEF is no "think tank" by orzetto · · Score: 4, Informative

    SINTEF is not a think tank, it is a major applied-research institution. It is similar (with due proportions) to the Fraunhofer Institute in Germany.

    --
    Victims of 9/11: <3000. Traffic in the US: >30,000/y
  4. The original reports by hhg · · Score: 4, Informative

    The SINTEF-report can be found here:

    http://www.springerlink.com/content/8v34n016j3648872/

    and the base report for a successful attack is here:

    http://sislab.no/redteam.pdf

  5. SINTEF should not Cry Wolf by Terje+Mathisen · · Score: 4, Informative

    Disclaimer: My first job after graduation was with SINTEF, next I worked 24 years for Hydro/StatoilHydro (Norway's largest offshore oil operator), where I (among many other things) specified how the production and admin networks should be separated on each platform.

    First of all: Most North Sea platforms use fiber links these days, microwave is only there as a backup in case something cuts the fiber, which means that if you want to use the radio link as your attack point, you must first locate and disable the fiber(s).

    Second, the production networks, which is the only part which can directly affect platform infrastructure has significantly better security than the office/admin net.

    I.e. you would first have to hack into the regular StatoilHydro network, then find a way to pass through the admin/process firewall before you could even start to try to take over one or more control computers. (And afaik none of these run any form of open source SCADA sw.)

    Finally, the 'integrated operations' mentioned in the article consists of special on-shore operations rooms which have strict physical security checks: The computers inside these rooms are indeed part of the production network, they have no direct links at all to the office/admin net and/or the Internet.

    Terje

    --
    "almost all programming can be viewed as an exercise in caching"
  6. Re:Astounding by lysergic.acid · · Score: 4, Insightful

    How is going from C + ASM on DOS to VB + Powerbuilder on Win 3.1 more maintainable? Are you seriously suggesting that all embedded systems should be running a desktop OS for maintainability reasons (or that no embedded software is maintainable)?

    I remember using VB4 back in the day (Win98, I think) and even then the VB IDE had a hard time opening VB3 projects. Good luck trying to get Visual Studio 2008 to open a VB2 project. With C and ASM, at least you can code the project in a variety of IDEs--even plaint-text editors. What are you going to use to open an .frx file other than VB?

    Furthermore, you can write maintainable C/ASM code for an embedded RISC/ARM processor just as you can write unmaintainable spaghetti code for an x86 Windows platform. If you're writing software for a desktop platform, you're going to have to update it every few years to keep up with changes in the mainstream desktop platform (new OS, new processors, etc.). If you're writing software for embedded systems then you'll only need to update your software when you decide that you want to change processors, chipsets, or add new features. Re-compiling your code for the next version of the ARM processor is likely to be easier than re-writing your entire application to use a different set of system libraries.

  7. Re:Astounding by MrNaz · · Score: 5, Insightful

    This whole thread is on the wrong track.

    Safety on an oil rig should not be in software. It should be mechanical. A big fat mechanical-reflex operated titanium counterweight that closes a wellhead when pressure is lost can't be hacked in software. Yea, they can shut the rig down, but catastrophic permanent environmental damage is avoided.

    The same goes for all last-line safety systems. They should be 100% mechanical, uninfluenced by these unreliable, capricious devices we call computers.

    --
    I hate printers.