Trying to track down the origins of an Internet meme can be an almost fruitless endeavor. Other than giving credit to its originator and perhaps giving them a few minutes of Internet fame, there really isn’t a lot at stake in determining who was the kid in the success.gif or what meme Laina Morris is responsible for. Finding the origin of a story involving the breach of critical infrastructure, however, can be rather important.

Like funny Internet memes, stories about compromises of water plants, steel factories, power companies or other systems controlled by SCADA or ICS can be repeated over and over until they are accepted as facts, with no one questioning their authenticity. Previous events such as power outages in Brazil, a water pump failure in Illinois, the improper shutdown of a blast furnace at a German steel mill, and a pipeline explosion in Turkey were all originally attributed to cyber attacks. In fact, cyber attacks were blamed in almost all cases not because there was any actual evidence but rather because of the lack of any other explanation. Since nothing else could have caused the problem, it must have been those meddling hackers.

I recently heard of a new incident that seems to fall into this same scenario. The story claims that hackers broke into the control system of a floating oil rig off the coast of Africa, somehow messed with the ballast control and caused the rig to tilt. The rig had to be taken offline while the systems were cleaned up. As with most of these types of stories no supporting information is given. No actual dates, no name of the oil rig or its owner, even the location in this story is vague, ‘off the coast of Africa’, an entire continent.

A little googling of some of the key words in this story shows that this ‘meme’ has been repeated dozens and dozens of times. No one has bothered to verify any of the facts and everyone just accepts the story at face value. The earliest reference I can find is from April 23, 2014 in a quote given to Reuters from Mark Gazit, the CEO of ThetaRay, an Internet security company based in Israel. I have emailed ThetaRay and Mr. Gazit and asked for their source for this story but so far I have not received a reply.

Oil rigs and cyber attacks have a little bit of a history. There was research presented at Black Hat in 2013 on weaknesses in SCADA systems often found on oil rigs, and the case of the ex-employee who tampered with the leak detection controls of an offshore rig. While it was not an oil rig, Saudi Aramco had to clean targeted malware off 30,000 systems after they were breached in 2012. And of course let’s not forget that one of the key plot points in the 26 year old movie ‘Hackers’ was the capsizing of an entire oil tanker fleet by the fictional ‘Da Vinci virus’.

With a little more googling I find that tilting is a somewhat common problem on floating oil rigs. The rigs are controlled by ballast in the legs that allows them to raise or lower depending on current sea conditions. Unbalanced ballast in the oil rig’s legs can lead to tilting. Of course ballast is completely computer controlled these days.

One of the most egregious cases of an oil rig tilting happened to a rig named the Noble Regina Allen while it was being constructed. The rig eventually tilted 17 degrees, causing injuries to 89 workers involved in building the rig. The accident with the Noble Regina Allen happened in the Jurong shipyard in Singapore in 2012 and not off the coast of Africa. Digging a little deeper into the causes of the Noble Regina Allen accident, we find that early reports eliminate structural and component defects and that investigators had moved on to examine the software that controlled the jacking system and the brake holding capacity.

I can easily see how someone could make a jump from ‘no structural defects’ and ‘problems with software’ all the way to ‘hackers did it’. Someone then half remembers the story and starts repeating it a few times and it spreads from there.

Another potential source of this particular infosec meme is the case of an oil rig en route from South Korea to South America in 2010. The rig was so overwhelmed with malware that it had to be completely shut down for 19 days as workers attempted to clear the infection. Unfortunately, we have fewer actual details regarding this event than the original story. However, I can see how someone could easily make the jump from ‘random malware’ to ‘hackers did it’.

So we have two potential events that could be the origin of this infosec meme and no way to credit or discredit either of them. Despite story after story claiming ‘hackers did it’ we can still only point to two confirmed proven events where a cyber attack damaged critical infrastructure. For all the Fear, Uncertainty and Doubt being spread by mass media and even InfoSec professionals, Stuxnet, and the power outage in the Ukraine are the only two examples we have of anyone, not just a nation state, causing damage in the physical world with a cyber attack.