ARC featured a considerable cybersecurity track at this year’s Industry Forum in Orlando, and convergence of safety and cybersecurity was a major topic. The TRITON/TRISIS malware attack on a process safety system was the catalyst that sparked a major conversation, not just about process safety systems as they relate to cybersecurity, but also the wider topic of safety as it relates to cybersecurity.
One key end-user client that broached this topic was Alfredo Montemar, senior control software system engineer for National Oilwell Varco (NOV), which is one of the largest drilling and production equipment manufacturers in the world. NOV Rig Systems develops the core infrastructure for drilling and production, from top-drives and draw works to risers, power and control systems, and things like blowout preventers.
Rules for blowout preventers have changed since Deepwater Horizon
Blowout preventers were the primary topic of Alfredo’s presentation and are a crucial element of safety in oil and gas production, with powerful valves that slam shut with significant force to prevent the uncontrolled release of oil from a well in the event of a surge of unexpected back pressure. In the past, BOPs were relatively “dumb” assets, designed only to function if the conditions warranted, but that’s changing rapidly with the introduction of new regulations governing safety and the march of new technologies like IoT and the cloud.
New regulations and data requirements drive adoption of connected assets
The blowout preventer was the key component that failed in the Deepwater Horizon disaster. In the wake of that incident, new regulations were put into place by the Bureau of Safety and Environmental Enforcement (BSEE) to govern information gathered from blowout preventers and their associated control systems. BSEE was created in 2011, also in the wake of Deepwater Horizon, as the primary agency in charge of improving safety and ensuring environmental protection relating to the offshore energy industry, mainly natural gas and oil, on the United States Outer Continental Shelf (OCS), which includes the Gulf of Mexico (GOM).
Now BSEE has implemented new drilling monitoring regulations that are set to take effect by the end of this year, some as soon as this month. BSEE 30 CFR Part 250 governs oil and gas and sulfur operations in the outer continental shelf and includes blowout preventer systems and well control. In addition, NOV’s clients require more real-time information from their BOPs to verify operational status, evaluate and analyze performance, and take action in case of an event. Maintenance personnel also require condition monitoring information from BOPs, and this monitoring is increasingly being done from remote operations centers that look at asset information from many rigs dispersed across a large geographic area.
Ensuring BOP safety means securing remote access
BOPs and other rig controls have traditionally been “Set and Forget” systems, and they have also traditionally been air gapped from shore and even the rig network, so turning BOPs into “connected” assets requires some intelligent application of cybersecurity principles.
The challenge for NOV was to create a secure connection to shore without drastically modifying the existing system. Security is paramount for these systems because of the disastrous consequences of a BOP failure. All BOP control systems, for example, are locally controlled by at least two (2) physical separate panels to ensure continued safe operation if a catastrophic event damages one location. This philosophy is applied to every critical component in the system. The main objective or NOV was to keep the BOP system protected from an external attack while connecting the system to shore. Obtaining an acceptable level of security, however, presented some challenges. The infrastructure of an offshore rig is complex and can be owned by multiple end-user companies. Equipment on the rig can be changed without notification. Some of the older rig systems still run on older versions of operating systems that are no longer supported.
NOV chooses data diodes from Owl Cyber Defense
With many different devices, assets, and protocols on the rig network, it is critical that Rig Controls are completely segmented. With limited access for patching/updates, security devices must be virtually maintenance free. NOV researched various different devices to accomplish their objective, and eventually decided on unidirectional data transfer devices for remote monitoring, also known as “Data Diodes,” which physically ensure that only one-way communication occurs. In ARC’s view, data diodes are well accepted by the end user community and can be a very effective part of an end user cybersecurity strategy, particularly in the age of IoT and connected devices.
After almost a year of testing, NOV reached a mature architecture that connects the rig controls to data diodes from Owl Cyber Defense, which then connects to an NOV provided firewall, to a local rig client network, and then a VPN to NOV’s onshore systems. The solution was also evaluated by a third party certifying body, who rated the solution using the Owl data diode as SL4 from external threats. NOV proposes this solution to their clients needing a secure way to connect to shore without:
- Compromising the integrity of the system
- Affecting the operation of legacy (old) equipment
- Allowing influence from any other rig network asset
- Need for regular upgrades to the security architecture itself
This system is applicable to new BOPs and Legacy Retrofits for both offshore and land rigs. To date, NOV has implemented 2 full offshore remote monitoring systems at the moment with more on the way as the company is moving to more compact systems for land rig operations.
石油圈
