Commercial Vessel Compliance

5/21/2015: 2015 Offshore Technology Conference – Complexity of operations and cyber

Maritime Commons attended the 2015 Offshore Technology Conference to provide you with a wrap-up of what was covered by the U.S. Coast Guard and the Bureau of Safety and Environmental Enforcement, or BSEE.

The assistant commandant for U.S. Coast Guard prevention policy, Rear Adm. Paul Thomas, and BSEE director, Brian Salerno, shared the stage on a speaking panel to provide their regulatory stance and joint agency initiatives for offshore safety. The panel was moderated by Charlie Williams, executive director for the Center for Offshore Safety, an industry-sponsored organization focused exclusively on offshore safety on the U.S. Outer Continental Shelf.

For those of you who were unable to attend, Maritime Commons is providing a condensed version of Thomas and Salerno’s remarks in a six-part series. These remarks are not ‘as delivered’ but provide a condensed version of the panel highlights in the ‘panel-conversational’ style.

Complexity of operations – Cyber

Rear Adm. Paul Thomas:

I don’t want to say that we need regulation but one of the concerns I have with safety management systems, or SMS, is that we always point to them as ways to mitigate and justify operator risk. Offshore supply vessels are complicated and complex. I’ve seen some examples where their SMS plans are very well designed and very well implemented but I’ve also seen those that are very well designed and NOT very well implemented.

It’s not just the complexity of operations; the systems are complex as well. There are amazing technologies that are presenting new vulnerabilities and we have to learn how to manage associated risks. Most people think of cyber in terms of cybersecurity but it’s as much a safety issue as it is a security issue. We need to start thinking about software operation and the maintenance of these automation systems the same way you do with a propulsion system – how you design the reduction gear to work with the shaft to work with the propeller. I don’t know that we’re doing that with automation systems.

We see systems that are integrated with other systems that may be on the same server, which may not be a good idea; this is just another risk. We know how to manage risk but I would say that a SMS doesn’t address what critical control system software can be patched or updated, who can do it, the status of the system while it’s being done and what’s the test you can do afterwards to see if there’s an issue.

It’s a SMS issue, it’s a cyber issue and it’s a risk issue that is not being adequately managed. I don’t know that we have that incorporated into SMS. I think that’s coming up on us quickly. Control systems have already inadvertently impacted operations.

We’ve seen systems impacted by an inadvertent thumb drive insert into the wrong place, a patch to a human resource software system that impacted the critical control system in an unexpected way. This is a real challenge and we need to manage this risk.

I think a good question we should be asking ourselves is, ‘what’s the best path to regulation?’

The best path is always adoption of a standard. The worst path is to wait for something bad to happen and responsively pass a law, which would potentially be the most expensive approach. I’ve been encouraging industry to start tackling this issue because I believe if you wait until we have a real cyber incident, it’s going to be fast, painful and expensive.

Brian Salerno:

We are investigating a case right now that’s a perfect example of this. There was a rig that suffered a casualty involving a top drive unit which fell to the drill floor. Just by sheer luck no one was injured, but it could have easily been otherwise. This case appears to have been caused by software problems as well as system compatibility issues. There is nothing to suggest malicious intent. So it underscores how increasingly we need to consider how these systems are managed and maintained as part of our overall safety approach. In fact, we plan to discuss this in greater detail at our upcoming SEMS workshop, which is being organized through the Ocean Energy Safety Institute.

It is certainly appropriate to factor cyber safety into your overall SEMS planning. It’s a way of thinking about how to protect yourself and avoid inadvertent damage. I’ve talked to a number of companies and, increasingly, they are paying greater attention to this.

Salerno and Thomas want to continue the discussion. You can send your questions to them on Twitter using #BSEEUSCG or write them here on Maritime Commons.

In addition to this post, be sure to read the other posts from the 2015 Offshore Technology Conference.

Part 1: Progress since Deepwater Horizon
Part 2: Subsea containment issues
Part 3: Future challenges and opportunities
Part 4: Complexity of operations and cyber
Part 5: Risk-based operations
Part 6: Continuing the offshore safety discussion

This blog is not a replacement or substitute for the formal posting of regulations and updates or existing processes for receiving formal feedback of the same. Links provided on this blog will direct the reader to official source documents, such as the Federal Register, Homeport and the Code of Federal Regulations. These documents remain the official source for regulatory information published by the Coast Guard.
