Securing BSEE real-time monitoring for offshore oil & gas operations
In the wake of the Deepwater Horizon disaster in 2010, the U.S. Department of the Interior launched a series of aggressive reforms to improve safety in offshore well operations. Among them, the Bureau of Safety and Environmental Enforcement (BSEE) final Well Control Rule, which goes live on April 29, 2019, introduced Real-Time Monitoring (RTM) requirements for well operations, including subsea BOPs, surface BOPs on floating platforms, and high-pressure and high-temperature (>15,000 psi, 350oF) environments.
BSEE’s goal is for the industry to use RTM as a tool to improve safety and oversight, and ensure that safety risks are managed in a comprehensive manner. The importance of being able to monitor the health and operational data of high-pressure systems from shore is critical to spotting potential safety concerns and being able to respond to incidents in a more organized and informed manner.
Beyond the safety implications in the original intent of the BSEE requirements, the ability to remotely monitor the vast amounts of data available can have a dramatic impact on cost effectiveness, operational up-time, and overall productivity of well operations. Most operators understand the inherent value of RTM, as it has been proven time and time again by BSEE, field service companies, and consultants in the oil and gas field. Where operators tend to fall short is understanding how to protect the RTM connections and data collection activities, and why protecting them is important.
Rig systems are a major target for adversaries, because they know they are quite physically isolated, and that contractors on the rig may not know how to identify and stop digital attacks. Beyond safeguarding the Leaser’s data, adversaries are clever enough to tunnel back in to “snoop around” in the rig’s operational network until they can find the right way to remotely trigger safety systems, manipulate performance data to cause equipment failure, or simply delete critical data and programs.
BSEE itself acknowledges the vital role of cybersecurity plays in real-time monitoring:
The Department of Homeland Security classifies the energy sector as part of the United States critical infrastructure. “The Energy Sector provides one of the key lifeline-functions upon which all other critical infrastructure sectors rely” and the necessity for cyber security in offshore oilfield operations has never been greater. BSEE encourages operators to evaluate cybersecurity from a risk-based perspective to ensure their monitoring and control systems of networked infrastructure address cyber security, critical access points and resilience. Several guidelines and models exist that industry may use and customize to define the acceptable risk exposure.
However, BSEE also falls short of directing operators to specific technologies or strategies, falling back to a risk-based perspective that suggests the level of cybersecurity should be determined by the operators themselves. While this leaves a lot of flexibility to find a solution that can secure operations without disrupting them, it also does not provide a lot in the way of guidance. So, let’s pick up where they left off.
When working to meet the BSEE RTM regulation, it is especially important to implement defenses that are “fit for purpose” of defending remote, safety-critical systems. Due to the remote nature of the offshore operations, specialized/skilled security resources and personnel can be scarce and extremely expensive. This means your solution needs to require very little maintenance, little or no on-site configuration/training, and be easily replaced in the case of an issue or failure.
Firewall software-enforced security is popular across many industries for its familiarity and low up-front cost. However, the need for frequent updates and heavy ongoing management make them a problematic choice for offshore facilities where specialized personnel are at a premium and equipment may be shared across multiple vendors and managed by still more.
Data diode hardware-enforced network security technologies provide a simple, reliable, and highly-secure means to transfer data one-way for onshore monitoring without the need for heavy ongoing management or frequent software updates. Their ability to function essentially untouched for extremely long periods (10+ years MTBF) and unhackable nature make them a very attractive choice for future-proofing RTM security for offshore facilities. They’re also specifically mentioned in the DHS white paper Seven Strategies to Secure Industrial Control Systems as one of the technologies that can help prevent up to 98% of cyberattacks.
A number of operators have already implemented Owl data diodes to secure their RTM connections, essentially eliminating the attack vector while maintaining a seamless connection to onshore monitoring. Meeting the BSEE RTM requirements while maintaining adequate security doesn’t need to be hard. You know your operations better than anyone, so focus on that and let the data diode manage your security. Contact Owl today to learn more.