The New Threat to Oil Supplies: Hackers

Earlier this year, a sullen, 28-year-old contractor in California was charged in federal court with sabotaging the computerized controls on oil-rig sitting off the coast, allegedly out of spite for not being hired full time. Prosecutors say the contractor hacked into a shore-to-rig communications network that, among other functions, detected oil leaks. He caused thousands of dollars worth of damage, they charge, though, fortunately, no leaks.

A research team from the SINTEF Group, an independent Norwegian think tank, recently warned oil companies worldwide that offshore oil rigs are making themselves particularly vulnerable to hacking as they shift to unmanned robot platforms where vital operations — everything from data transmission to drilling to sophisticated navigation systems that maintain the platform’s position over the wellhead — are controlled via wireless links to onshore facilities.

The usual threat of a takeover of the massive oil platforms is in the form of seaborne raiders; Britain’s Royal Marines commandos still regularly train for hostage rescue on rigs that dot the North Sea. But now, according to SINTEF scientist Martin Gilje Jaatun, with the advent of robot-controlled platforms, a cyberattacker with a PC anywhere in the world can attempt to seize control of a rig, or a cluster of rigs, by hacking into the "integrated operations" that link onshore computer networks to offshore ones. "The worst-case scenario, of course, is that a hacker will break in and take over control of the whole platform," Jaatun said. That hasn’t happened yet, but computer viruses have caused personnel injuries and production losses on North Sea platforms, he noted.

Today, most new oil-field discovery, such as off the coasts of Brazil and Nigeria, occurs in deep ocean waters. Work on the massive metal platforms towering hundreds of feet above the ocean is notoriously dangerous for the "roughnecks," and specialized labor costs, not to mention feeding, providing care, and keeping fleets of helicopters and boats on standby to evacuate rig crews in the event of fire or hurricanes, is hugely expensive for oil companies; hence, the move to robot-operated platforms.

Although the newest oil rigs, which cost upward of $1 billion apiece, might be loaded with cutting-edge robotics technology, the software that controls a rig’s basic functions is anything but. Most rely on the decades-old supervisory control and data acquisition (SCADA) software, written in an era when the "open source" tag was more important than security, said Jeff Vail, a former counterterrorism and intelligence analyst with the U.S. Interior Department. "It’s underappreciated how vulnerable some of these systems are," he said. "It is possible, if you really understood them, to cause catastrophic damage by causing safety systems to fail."

The list of potential cyberattackers includes ecowarriors aiming to jack up an oil firms’ production costs, extortionists drawn to oil firms’ deep pockets, and foreign governments engaging in a strategic contest for ever more scarce global oil reserves, Vail said. Insurgents, such as Nigeria’s Movement for the Emancipation of the Niger Delta, which is waging a war against oil firms operating in that country’s waters, could hire mercenary cyberwarriors to mount full-scale assaults on rigs in the delta. Despite obvious network vulnerabilities, oil firms have not made security a priority, said SINTEF’s Jaatun, "leaving many of us feeling like ‘chicken little’ chirping on that the sky is about to fall."