Friday, May 7, 2010

The Oil Spill: Accident or Cyber Attack?

Before the massive oil drilling disaster in the Gulf of Mexico, experts and politicians confidently said that it couldn’t happen. Or, if something did go wrong, the impacts would be swiftly contained with minimal leaking. Now that those assurances have been proven wrong, they claim that it was an accident that couldn’t have been predicted, and meanwhile avoid the elephant in the room – how and why.

It will be some time before we get an official explanation. In the meantime, however, there is plenty of information – and more than one possible explanation – to consider. It could have been a technical failure, for example, or the result of human error. But labeling it an “accident,” as news outlets do every day, is at the very least premature, especially since one possibility not being examined is a premeditated attack.

It’s natural to assume that is impossible, just some far-fetched conspiracy theory, and much easier to believe that another corporation has acted irresponsibly. Perhaps it did. But also consider this: Last August Foreign Policy posted an article citing credible research and directly warning oil companies worldwide that their offshore oil rigs are highly vulnerable to hacking. As Richard Clarke explains in his new book Cyber War, “Computer commands can derail a train or cause a gas pipeline to burst.”

In early 2009, a 28-year-old contractor in California was charged in federal court with almost disabling an offshore rig. Prosecutors say the contractor, who was allegedly angry about not being hired full time, hacked into the computerized network of an oil rig off the coast, specifically the controls that detect leaks. He caused some damage, but fortunately not a leak.

This January, the Christian Science Monitor reported that at least three US oil companies have been the target of a series of cyber attacks. In these cases, the culprit is most likely someone or some group in China. The incidents, kept secret since 2008, involved Marathon Oil, ExxonMobil, and ConocoPhillips. The companies didn’t realize how serious their problem was until the FBI alerted them. Federal officials said that proprietary information – email passwords, messages, and information linked to executives – had been flowing out to computers overseas.

Chinese government involvement hasn’t been confirmed, but some data did end up on a computer in China and one oil company security staffer privately called the breaches the “China virus.”

The companies wouldn’t comment, or even admit that the attacks happened. But the Monitor persisted, interviewing insiders, officials and cyber attack experts, and ultimately confirmed the story. Their overall conclusion was that cyber-burglars, using new spyware that is almost undetectable, pose a serious and potentially dangerous threat to private industry.

As Clarke notes in his book, many nations conduct Internet espionage and sometimes even cyber attacks. Several of the most aggressive are China, Russia, and North Korea. Spying on defense agencies and diplomats is a major focus, but strategically important businesses and even other countries have also been targeted. Google claims that it has found evidence of at least 20 companies that have been infiltrated from China. According to a report in the Wall Street Journal, logic bombs have been planted in the US electric power grid. If so, they could operate like time bombs.

On oil rigs, the advent of robot-controlled platforms has made a cyber attack possible with a PC anywhere in the world. Control of a rig could be accomplished by hacking into the "integrated operations" that link onshore computer networks to offshore ones. No one will admit that this has happened yet. But there is confirmation that computer viruses have caused personnel injuries and production losses on North Sea platforms.

The problem is that even though newer oil rigs have cutting-edge robotics technology, the software that controls their basic functions is old school. Most rely on supervisory control and data acquisition (SCADA) software, which was created in an era when "open source" was more important than security.

"It's underappreciated how vulnerable some of these systems are," said Jeff Vail, a former counterterrorism and intelligence analyst with the US Interior Department who talked with Greg Grant, author of the Foreign Policy article. "It is possible, if you really understood them, to cause catastrophic damage by causing safety systems to fail."

The name of the piece, by the way, was “The New Threat to Oil Supplies – Hackers.” It sounds a lot like “Bin Laden Determined to Strike Inside the US.”

Failure to Prevent

How does this vulnerability relate to the Gulf disaster? To understand that, let’s review what we already know. Although the headlines place the responsibility on BP and the oil company doesn’t deny it, CEO Tony Hayward has also argued that “it wasn’t our accident.” His explanation? "The drilling rig was a Transocean drilling rig,” he said. “It was their rig and their equipment that failed, run by their people, their processors."

The dozens of lawsuits already filed recognize that. But they go even farther, naming not only BP and Transocean Ltd, which owned the drilling rig, but also Halliburton Energy Services, whose employees were working on the platform, and Cameron International Corp., which manufactured the blowout preventer (BOP) that was supposed to shut off the oil flow.

Of these, the company most directly implicated is Cameron, a Fortune 500 company formerly known as Cooper Cameron and a worldwide leader in providing BOPs to offshore rigs. In early May, Cameron said that AIG has insured the company for $500 million against legal claims in the event of a problem. Based in Houston, this maker of fail-safe devices created the first blowout preventer of its kind in 1922. A BOP is a large valve that is supposed to seal off a wellhead if something goes wrong – for example, if pressure from an underground formation causes oil to threaten the rig. The valve is usually closed remotely.

According to BP, when workers attempted to activate the BOP from the top of the Deepwater Horizon rig before they were evacuated, nothing happened. The website ScienceInsider says that the shut off should have been automatic. Even after the rig sank, when BP and the Coast Guard tried to use robot submarines to trigger the BOP, it didn’t work.

There were multiple “Panic Buttons” to hit, even a so-called “Deadman” fail-safe that should have been engaged automatically. None of these security procedures worked. According to BP’s Hayward, “It is the ultimate safety system on any rig and there is no precedent for them failing.” In fact, Minerals Management Service records show that this BOP passed a test on April 10, less than two weeks before it failed. Thus far, no one has been able to explain it and Cameron has been conspicuously silent.

“We are all very curious,” said an insider who works for one of BP’s competitors. “What happened to all that equipment, all the computer power, all the automated systems and manpower in place, could not be invoked to stop this?”

A press release by Cameron last November does point to one clue. The company had just acquired NATCO, another wellhead and refinery equipment manufacturer. The merger gave Cameron, among other things, a subsidiary known as TEST Automation & Controls, which upgraded its automated control, safety and SCADA systems.

In short, Cameron uses SCADA systems, which collect data from various sensors and send it to a central computer on oil rigs. Instructions are not encrypted and are sometimes sent over the Internet. Among other things, SCADA monitors information from the blowout preventer, whose failure on the Deepwater Horizon apparently led to the disaster.

In 1999, when a pipeline burst in Bellingham, Washington, a SCADA failure was implicated. A software glitch in a SCADA system also slowed controls on the power grid during a successful computer attack in 2003. Incidentally, SCADA network and control systems also run dams, power plants, and gas and oil refineries.

A recent study funded by security vendor McAfee Inc and released in January by the Center for Strategic and International Studies at the World Economic Forum in Davos, Switzerland concluded that SCADA systems are being attacked by a variety of methods, individuals and gangs. Two-thirds of those surveyed said their SCADA systems were connected to an IP network or the Internet. About half of those said the connection created SCADA security issues that aren't being addressed.

"I would describe the preparedness as quite spotty and in some cases quite lacking," admitted Stewart Baker, a former senior official at the Department of Homeland Security and the National Security Agency who led the survey team. "Basic key security measures are still not widely adopted." And the problem is getting worse. About 40 percent of those surveyed expected a major incident – an attack resulting in major consequences – within a year.

Unusual Suspects

Who would do such a thing? The Right, of course, says that environmentalists or “eco-warriors” might try, either to punish big oil or build pressure for stricter regulations. But there are other, more likely candidates, including extortionists who hope to blackmail deep-pocketed companies like BP, which reported $6 billion in profits during the last quarter alone, or else a foreign government. Between 20 and 30 countries have cyber attack capabilities. The motives for a government-sponsored attack include a strategic move to change the balance of global oil reserves, or a preemptive strike by a country that feels threatened – or has a bone to pick.

One piece of circumstantial evidence already points toward North Korea. The Deepwater Horizon oil platform was built and financed by South Korea’s Hyundai Heavy Industries Co. Ltd. Its destruction will hurt both the company and the country’s economy.

President Obama’s April 29 decision to dispatch SWAT teams to the Gulf to investigate oil rigs has also fueled suspicions. A related, much more radical theory – mainly circulating on the Right – is that North Korea used a military mini-sub to attack the oil rig. It sounds crazy, especially since a cyber attack could accomplish the same result. Then again, Kim Jong-il does feel that his country is at war with the US, and has invested in several cyber warfare units with around 1000 hackers.

Last July, North Korea was also the main suspect when a series of attacks paralyzed websites of the US and South Korean governments. Known as a Distributed Denial-of-Service (DDoS) attack, this one hit on July 4th, targeting computers at the White House, the Pentagon, and the New York Stock Exchange. The websites of the Department of Transportation, the Treasury Department and the Federal Trade Commission were shut down for days.

South Korean targets included the presidential Blue House, the Defense Ministry, the National Assembly, Shinhan Bank, Korea Exchange Bank and the country’s top Internet portal. The attacks coincided with North Korea’s anticipated testing of a long-range missile with the potential to hit Hawaii. The missile was never launched, but several Scud missiles were fired.

There are already several examples of cyber warfare allegedly orchestrated by a state against a rival government. Russia, for example, has been implicated in attacks aimed at Georgia and Estonia. The 2007 cyber attack on Estonia crippled its parliament, banks, ministries, phone systems, newspapers and broadcasters. The reason was allegedly a dispute over the relocation of war graves and a Soviet-era grave marker. Russia denied responsibility but an ethnic Russian Estonian was tried and convicted for being involved.

Assuming Responsibility

The US government’s failure to address private-sector vulnerability to cyber attacks goes back decades. Even the Obama administration hesitates to challenge the status quo. Given the vulnerability of crucial infrastructure and much of the private sector, surprisingly little is being done to prepare for what sounds inevitable.

There is a US Cyber Command, which attempts to protect federal infrastructure, while various branches of the military have developed their own offensive capabilities. But not even the Department of Homeland Security has taken responsibility for protecting the private sector. According to DHS Secretary Janet Napolitano, legal and privacy issues get in the way of having the government monitor the Internet or business operations for evidence of potential cyber attacks. Businesses are, as always, wary of any regulation that might accompany government help.

Though cyber attacks have certainly happened, many leave no obvious trace. As Clarke explains, corporations tend to believe that the “millions of dollars they have spent on computer security systems means they have successfully protected their company’s secrets.” Unfortunately, they are wrong. Intrusion detection and prevention systems sometimes fail.

Nevertheless, no federal agency is currently responsible for defending the banking system, power grids or oil rigs from attacks. The prevailing logic is that businesses should handle their own security. Yet their experts readily admit that they wouldn’t know what to do if an attack came from another nation, and assume that defense in such a case is the government’s job.

A US Senate bill in the pipeline could change that – if it survives the usual Congressional cage match. Sponsored by Democrat Jay Rockefeller and Republican Olympia Snowe, it would require the president to work with the private sector on a comprehensive national cybersecurity strategy, create a joint public-private advisory board and Senate-confirmed national security adviser position, and promote what Rockefeller calls “unprecedented information sharing between government and the private sector.”

In the meantime, however, the US continues to suffer from “a conspiracy of secrecy about the scale of cyber risk,” as James Fallows put it in a March article for the Atlantic. Companies simply can’t admit how easily they can be infiltrated. As a result, the changes in law, regulation, or habits that could increase safety aren’t often discussed. But sooner or later, Fallows warns, “the cyber equivalent of 9/11 will occur—and, if the real 9/11 is a model, we will understandably, but destructively, overreact.”

Of course, it is also certainly possible that the Gulf disaster wasn’t caused by intentional sabotage. The BOP may simply have failed. In the late 1990s, there were more than 100 such failures on the outer continental shelf. According to a 2008 lawsuit filed in Louisiana, Cameron and Hydril, a General Electric unit that makes drilling equipment, provided defective blowout preventer equipment resulting in a 2007 leak from an offshore Louisiana well. But nothing comes close to the current disaster, and so far no one can explain why this supposedly foolproof system didn’t work.

“There would have been a dozen barriers that had to fail in order for this accident to happen,” notes Tim Robertson, an oil-spill consultant with Nuka Research and Planning Group in Alaska.

There’s that word again – accident. And maybe it was. But before accepting this assumption as fact, it would be prudent to consider all the possibilities and find out more about what really happened.

2 comments:

Unknown said...

hey greg - found this article partially in reference to the stuxnet fiasco; i remain skeptical concerning the popular opinion concerning its origins and target (its c&c servers were in malaysia) and this story is all the more relevant concerning the data released by computer security folks over the past few weeks. also caught parts of story you did in censored 2008; all looks good and i look forward to reading more of your stuff. cheers.

sindhuja cynixit said...


This post is much helpful for us. This is really very massive value to all the readers and it will be the only reason for the post to get popular with great authority.