Embed Size (px)
Citation preview
©2009-2014 Kingston Systems
2014 – API Cybersecurity Conference
Managing Software on Mobile Offshore Drilling Units (MODUs)
Learning to Walk Before you Run
©2009-2014 Kingston Systems
Discussion Scope
• Objective– Gain a perspective on where Drilling Contractors are in their ability to
apply software maintenance best practices to MODU Programmable Logic Controller (PLC) Control Systems
• Questions– Where are they now?
Review real world examples
– Practical next steps?
• Perspective– Kingston Systems performs control systems design review, acceptance
testing and security threat analysis audits on rigs and platforms
©2009-2014 Kingston Systems
©2009-2014 Kingston Systems
Where are Drilling Contractors
• Remember “Walk before you Run”?
©2009-2014 Kingston Systems
Case Studies
Regression:
After commissioning the Top Drive(TD) we found the Vendor editing the Step7 code. When asked if he was pre-testing, post testing, archiving and checking with Base regarding the changes. “Yes Yes Yes” he responded.
Next day, the TD started auto-rotating and speeding up to alarming rates. With no backup, it took 1 week to return to normal; the full commissioning test was never repeated.
©2009-2014 Kingston Systems
Case Studies
Work Authorization:
On a rig with a notorious history of downtime. We were invited to investigate system stability (IE: why are we having so many problems?).
We and observed the Chief Electrical Superintendent and the ET editing Step7 code on the Draw works.
©2009-2014 Kingston Systems
Case Studies
Virus on New Build
A brand new build drillship on its way from the yard. The Acoustic System*had a virus that resulted in a cascade of window pop-ups as it tried to find an internet connection. This cascade made the system inoperable.
It shut the Dynamic Positioning capability down for 18 days
*Windows PC HMI was impacted not the PLC or motor controls
©2009-2014 Kingston Systems
Where are Drilling Contractors
• Other Complications– Rental nature of rigs & Mobile nature of business
– Corporate to Rig disconnect
– Multiple Vendors & Systems
– No single list of software assets on a rig
©2009-2014 Kingston Systems
Where are Drilling Contractors
Where are Drilling Contractors in their ability to apply software maintenance best practices to MODU PLC Control Systems?
– Virtually non-existent or arguably in infancy
– So what are practical next steps?
©2009-2014 Kingston Systems
Tools Available
1988 Piper Alpha
A positive outcome = improved implementation of Permit to Work (PTW)
But Software is not in scope – Why not?
©2009-2014 Kingston Systems
What to do about It
Implement Basic Software Management of Change 1. Corporate Support & Industry Direction2. Change Authorization Process
– Software Change Request– Include Permit to Work (PTW)
3. Software Registry to track assets4. Post Change Testing
Enhance understanding of Software scope and impact !
©2009-2014 Kingston Systems
What to do about It
Implement Basic Software Management of Change 1. Corporate Support & Industry Direction2. Change Authorization Process
– Software Change Request– Include Permit to Work (PTW)
3. Software Registry to track assets4. Post Change Testing
Enhance understanding of Software scope and impact !
Easier Said than Done
We have yet to see a MODU that is compliant with their own process and tools
©2009-2014 Kingston Systems
Wrap Up
Wrap Up• MODUs are not managing their control software very
well
• Implications for security are apparent
• Basic Software Management of Change practices are needed
©2009-2014 Kingston Systems
Thank You
Walk First….…..Then Run
Thank You
Presentation and supporting papers available @ www.kingston-systems.com
