![Page 1: ©2009-2014 Kingston Systems 2014 – API Cybersecurity Conference Managing Software on Mobile Offshore Drilling Units (MODUs) Learning to Walk Before you](https://reader036.vdocuments.site/reader036/viewer/2022062322/56649dc95503460f94abf973/html5/thumbnails/1.jpg)
©2009-2014 Kingston Systems
2014 – API Cybersecurity Conference
Managing Software on Mobile Offshore Drilling Units (MODUs)
Learning to Walk Before you Run
![Page 2: ©2009-2014 Kingston Systems 2014 – API Cybersecurity Conference Managing Software on Mobile Offshore Drilling Units (MODUs) Learning to Walk Before you](https://reader036.vdocuments.site/reader036/viewer/2022062322/56649dc95503460f94abf973/html5/thumbnails/2.jpg)
©2009-2014 Kingston Systems
Discussion Scope
• Objective– Gain a perspective on where Drilling Contractors are in their ability to
apply software maintenance best practices to MODU Programmable Logic Controller (PLC) Control Systems
• Questions– Where are they now?
Review real world examples
– Practical next steps?
• Perspective– Kingston Systems performs control systems design review, acceptance
testing and security threat analysis audits on rigs and platforms
![Page 3: ©2009-2014 Kingston Systems 2014 – API Cybersecurity Conference Managing Software on Mobile Offshore Drilling Units (MODUs) Learning to Walk Before you](https://reader036.vdocuments.site/reader036/viewer/2022062322/56649dc95503460f94abf973/html5/thumbnails/3.jpg)
©2009-2014 Kingston Systems
![Page 4: ©2009-2014 Kingston Systems 2014 – API Cybersecurity Conference Managing Software on Mobile Offshore Drilling Units (MODUs) Learning to Walk Before you](https://reader036.vdocuments.site/reader036/viewer/2022062322/56649dc95503460f94abf973/html5/thumbnails/4.jpg)
©2009-2014 Kingston Systems
Where are Drilling Contractors
• Remember “Walk before you Run”?
![Page 5: ©2009-2014 Kingston Systems 2014 – API Cybersecurity Conference Managing Software on Mobile Offshore Drilling Units (MODUs) Learning to Walk Before you](https://reader036.vdocuments.site/reader036/viewer/2022062322/56649dc95503460f94abf973/html5/thumbnails/5.jpg)
©2009-2014 Kingston Systems
Case Studies
Regression:
After commissioning the Top Drive(TD) we found the Vendor editing the Step7 code. When asked if he was pre-testing, post testing, archiving and checking with Base regarding the changes. “Yes Yes Yes” he responded.
Next day, the TD started auto-rotating and speeding up to alarming rates. With no backup, it took 1 week to return to normal; the full commissioning test was never repeated.
![Page 6: ©2009-2014 Kingston Systems 2014 – API Cybersecurity Conference Managing Software on Mobile Offshore Drilling Units (MODUs) Learning to Walk Before you](https://reader036.vdocuments.site/reader036/viewer/2022062322/56649dc95503460f94abf973/html5/thumbnails/6.jpg)
©2009-2014 Kingston Systems
Case Studies
Work Authorization:
On a rig with a notorious history of downtime. We were invited to investigate system stability (IE: why are we having so many problems?).
We and observed the Chief Electrical Superintendent and the ET editing Step7 code on the Draw works.
![Page 7: ©2009-2014 Kingston Systems 2014 – API Cybersecurity Conference Managing Software on Mobile Offshore Drilling Units (MODUs) Learning to Walk Before you](https://reader036.vdocuments.site/reader036/viewer/2022062322/56649dc95503460f94abf973/html5/thumbnails/7.jpg)
©2009-2014 Kingston Systems
Case Studies
Virus on New Build
A brand new build drillship on its way from the yard. The Acoustic System*had a virus that resulted in a cascade of window pop-ups as it tried to find an internet connection. This cascade made the system inoperable.
It shut the Dynamic Positioning capability down for 18 days
*Windows PC HMI was impacted not the PLC or motor controls
![Page 8: ©2009-2014 Kingston Systems 2014 – API Cybersecurity Conference Managing Software on Mobile Offshore Drilling Units (MODUs) Learning to Walk Before you](https://reader036.vdocuments.site/reader036/viewer/2022062322/56649dc95503460f94abf973/html5/thumbnails/8.jpg)
©2009-2014 Kingston Systems
Where are Drilling Contractors
• Other Complications– Rental nature of rigs & Mobile nature of business
– Corporate to Rig disconnect
– Multiple Vendors & Systems
– No single list of software assets on a rig
![Page 9: ©2009-2014 Kingston Systems 2014 – API Cybersecurity Conference Managing Software on Mobile Offshore Drilling Units (MODUs) Learning to Walk Before you](https://reader036.vdocuments.site/reader036/viewer/2022062322/56649dc95503460f94abf973/html5/thumbnails/9.jpg)
©2009-2014 Kingston Systems
Where are Drilling Contractors
Where are Drilling Contractors in their ability to apply software maintenance best practices to MODU PLC Control Systems?
– Virtually non-existent or arguably in infancy
– So what are practical next steps?
![Page 10: ©2009-2014 Kingston Systems 2014 – API Cybersecurity Conference Managing Software on Mobile Offshore Drilling Units (MODUs) Learning to Walk Before you](https://reader036.vdocuments.site/reader036/viewer/2022062322/56649dc95503460f94abf973/html5/thumbnails/10.jpg)
©2009-2014 Kingston Systems
Tools Available
1988 Piper Alpha
A positive outcome = improved implementation of Permit to Work (PTW)
But Software is not in scope – Why not?
![Page 11: ©2009-2014 Kingston Systems 2014 – API Cybersecurity Conference Managing Software on Mobile Offshore Drilling Units (MODUs) Learning to Walk Before you](https://reader036.vdocuments.site/reader036/viewer/2022062322/56649dc95503460f94abf973/html5/thumbnails/11.jpg)
©2009-2014 Kingston Systems
What to do about It
Implement Basic Software Management of Change 1. Corporate Support & Industry Direction2. Change Authorization Process
– Software Change Request– Include Permit to Work (PTW)
3. Software Registry to track assets4. Post Change Testing
Enhance understanding of Software scope and impact !
![Page 12: ©2009-2014 Kingston Systems 2014 – API Cybersecurity Conference Managing Software on Mobile Offshore Drilling Units (MODUs) Learning to Walk Before you](https://reader036.vdocuments.site/reader036/viewer/2022062322/56649dc95503460f94abf973/html5/thumbnails/12.jpg)
©2009-2014 Kingston Systems
What to do about It
Implement Basic Software Management of Change 1. Corporate Support & Industry Direction2. Change Authorization Process
– Software Change Request– Include Permit to Work (PTW)
3. Software Registry to track assets4. Post Change Testing
Enhance understanding of Software scope and impact !
Easier Said than Done
We have yet to see a MODU that is compliant with their own process and tools
![Page 13: ©2009-2014 Kingston Systems 2014 – API Cybersecurity Conference Managing Software on Mobile Offshore Drilling Units (MODUs) Learning to Walk Before you](https://reader036.vdocuments.site/reader036/viewer/2022062322/56649dc95503460f94abf973/html5/thumbnails/13.jpg)
©2009-2014 Kingston Systems
Wrap Up
Wrap Up• MODUs are not managing their control software very
well
• Implications for security are apparent
• Basic Software Management of Change practices are needed
![Page 14: ©2009-2014 Kingston Systems 2014 – API Cybersecurity Conference Managing Software on Mobile Offshore Drilling Units (MODUs) Learning to Walk Before you](https://reader036.vdocuments.site/reader036/viewer/2022062322/56649dc95503460f94abf973/html5/thumbnails/14.jpg)
©2009-2014 Kingston Systems
Thank You
Walk First….…..Then Run
Thank You
Presentation and supporting papers available @ www.kingston-systems.com