©2009-2014 Kingston Systems 2014 – API Cybersecurity Conference Managing Software on Mobile Offshore Drilling Units (MODUs) Learning to Walk Before you.

©2009-2014 Kingston Systems

2014 – API Cybersecurity Conference

Managing Software on Mobile Offshore Drilling Units (MODUs)

Learning to Walk Before you Run

©2009-2014 Kingston Systems

Discussion Scope

• Objective– Gain a perspective on where Drilling Contractors are in their ability to

apply software maintenance best practices to MODU Programmable Logic Controller (PLC) Control Systems

• Questions– Where are they now?

Review real world examples

– Practical next steps?

• Perspective– Kingston Systems performs control systems design review, acceptance

testing and security threat analysis audits on rigs and platforms

©2009-2014 Kingston Systems

©2009-2014 Kingston Systems

Where are Drilling Contractors

• Remember “Walk before you Run”?

©2009-2014 Kingston Systems

Case Studies

Regression:

After commissioning the Top Drive(TD) we found the Vendor editing the Step7 code. When asked if he was pre-testing, post testing, archiving and checking with Base regarding the changes. “Yes Yes Yes” he responded.

Next day, the TD started auto-rotating and speeding up to alarming rates. With no backup, it took 1 week to return to normal; the full commissioning test was never repeated.

©2009-2014 Kingston Systems

Case Studies

Work Authorization:

On a rig with a notorious history of downtime. We were invited to investigate system stability (IE: why are we having so many problems?).

We and observed the Chief Electrical Superintendent and the ET editing Step7 code on the Draw works.

©2009-2014 Kingston Systems

Case Studies

Virus on New Build

A brand new build drillship on its way from the yard. The Acoustic System*had a virus that resulted in a cascade of window pop-ups as it tried to find an internet connection. This cascade made the system inoperable.

It shut the Dynamic Positioning capability down for 18 days

*Windows PC HMI was impacted not the PLC or motor controls

©2009-2014 Kingston Systems

Where are Drilling Contractors

• Other Complications– Rental nature of rigs & Mobile nature of business

– Corporate to Rig disconnect

– Multiple Vendors & Systems

– No single list of software assets on a rig

©2009-2014 Kingston Systems

Where are Drilling Contractors

Where are Drilling Contractors in their ability to apply software maintenance best practices to MODU PLC Control Systems?

– Virtually non-existent or arguably in infancy

– So what are practical next steps?

©2009-2014 Kingston Systems

Tools Available

1988 Piper Alpha

A positive outcome = improved implementation of Permit to Work (PTW)

But Software is not in scope – Why not?

©2009-2014 Kingston Systems

What to do about It

Implement Basic Software Management of Change 1. Corporate Support & Industry Direction2. Change Authorization Process

– Software Change Request– Include Permit to Work (PTW)

3. Software Registry to track assets4. Post Change Testing

Enhance understanding of Software scope and impact !

©2009-2014 Kingston Systems

What to do about It

Implement Basic Software Management of Change 1. Corporate Support & Industry Direction2. Change Authorization Process

– Software Change Request– Include Permit to Work (PTW)

3. Software Registry to track assets4. Post Change Testing

Enhance understanding of Software scope and impact !

Easier Said than Done

We have yet to see a MODU that is compliant with their own process and tools

©2009-2014 Kingston Systems

Wrap Up

Wrap Up• MODUs are not managing their control software very

well

• Implications for security are apparent

• Basic Software Management of Change practices are needed

©2009-2014 Kingston Systems

Thank You

Walk First….…..Then Run

Thank You

Presentation and supporting papers available @ www.kingston-systems.com

[email protected]