Having worked for a number of years in the offshore Oil & Gas industry, I have seen firsthand the critical importance of safety-critical systems. Offshore platforms are high-stakes cyber-physical pressure cookers. Out here, a security failure isn’t just a data breach—it’s a potential blowout, a spill or even an emergency evacuation.
Yet many security strategies are lifted from enterprise IT, completely ignoring the realities of operational technology.
The Purdue Model is the standard and remains the foundation, but offshore security demands a different mindset. This isn’t just about protecting networks. It’s about protecting the physical processes where safety and uptime are non-negotiable.
The risks offshore are unique and often inherited. They are shaped by constraints that don’t exist onshore.
- Latency and bandwidth limits: Satellite links are expensive, narrow and laggy, making cloud-based security tools a liability.
- Vendor exposure: We rely on dozens of third-party contractors who need remote access to systems that were never designed to be online.
- Legacy systems: Long asset lifecycles mean patching is often operationally unsafe.
In this environment, attackers aren’t targeting data. They are targeting control.
Levels 0–1: The Physical Layer
This is where the sensors, actuators and Safety Instrumented Systems (SIS) directly control the process. This is the hardware that actually moves the oil.
The Risk: Sensor spoofing, which can lead to unsafe conditions under false “normal” readings. If an attacker can trick a controller into thinking a pressure level is lower than it actually is, they can induce a physical failure while the Human Machine Interface (HMI) shows “All Green.”
The Defence:
- Physical security controls such as locked cabinets and tamper seals.
- Validation of digital signals against real-world process conditions.
- Strict functional independence of the SIS from the control system.
If control is compromised, safety must still function.
Level 2: The Brains (Control Systems)
PLCs and HMIs execute operational logic.
Risk: Unauthorized logic manipulation via compromised engineering access.
Defence:
- Hardened engineering workstations with application whitelisting.
- Strict change management with full auditability.
If an attacker controls the logic, they control the process.
Level 3: The Gateway (Operations & SCADA)
This is the bridge between the rig’s internal systems and the outside world. It’s also the most likely entry point.
Risk: Initial compromise and lateral movement. Most attacks start here via a compromised vendor laptop or a stolen credential, then pivot down into the controllers.
Defence:
- Controlled access via hardened jump servers. No direct RDP or SSH from the “beach” (onshore) to the PLCs.
- Treat the OT network as a hostile environment. Use “Conduits” to strictly control what data flows between Level 3 and Level 2.
Assume breach at this level. Design to contain it.
Consider a realistic scenario: A vendor’s credentials are stolen.
- Access is gained through the Level 3 SCADA via the VPN.
- The attacker attempts lateral movement towards control systems.
- In a flat network, compromise is inevitable.
In a converged defence model:
- Segmentation blocks any movement.
- Monitoring detects anomalies.
- Critical changes require physical or multi-factor authorization.
The attack is stopped before impacting the process.
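The Level 3 conduit rule and the vendor scenario above can be expressed as a default-deny check over flow records. This is an added example, not code from the original article; the zone subnets, ports (RDP 3389, Modbus/TCP 502) and flow records are constructed assumptions.

```python
import ipaddress

# Assumed zone subnets (constructed for this example).
ZONES = {
    "onshore": ipaddress.ip_network("10.10.0.0/16"),
    "jump": ipaddress.ip_network("10.30.99.0/28"),   # hardened jump servers
    "level3": ipaddress.ip_network("10.30.0.0/24"),  # operations / SCADA
    "level2": ipaddress.ip_network("10.20.0.0/24"),  # PLCs and HMIs
}

# Conduits: the only permitted inter-zone flows (src zone, dst zone, dst port).
CONDUITS = {
    ("onshore", "jump", 3389),   # remote users land on the jump server only
    ("jump", "level3", 3389),    # onward admin session into the SCADA zone
    ("level3", "level2", 502),   # SCADA polling controllers (Modbus/TCP assumed)
}

# Constructed flow records: (src_ip, dst_ip, dst_port).
FLOWS = [
    ("10.10.5.20", "10.30.99.4", 3389),  # vendor session lands on jump server
    ("10.30.99.4", "10.30.0.15", 3389),  # jump server to SCADA server
    ("10.30.0.15", "10.20.0.11", 502),   # SCADA polling a PLC
    ("10.30.0.15", "10.20.0.11", 3389),  # Level 3 host opening RDP into Level 2
    ("10.10.5.20", "10.20.0.11", 22),    # onshore SSH straight to a PLC
]

def zone_of(ip):
    """Map an address to its zone name, or 'unknown' if it is in none."""
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "unknown")

def evaluate(flow):
    """Default-deny: an inter-zone flow passes only if a conduit matches."""
    src, dst, port = zone_of(flow[0]), zone_of(flow[1]), flow[2]
    if src == dst and src != "unknown":
        return "allow", f"intra-zone ({src})"
    if (src, dst, port) in CONDUITS:
        return "allow", f"conduit {src}->{dst}:{port}"
    return "deny", f"no conduit {src}->{dst}:{port}"

def alerts(flows):
    """Denied flows, with attempts to reach Level 2 sorted first."""
    denied = [(f, evaluate(f)[1]) for f in flows if evaluate(f)[0] == "deny"]
    return sorted(denied, key=lambda d: zone_of(d[0][1]) != "level2")

if __name__ == "__main__":
    for flow, reason in alerts(FLOWS):
        print("ALERT", flow, reason)
```

The same allowlist can drive both the firewall rules on the conduit and the monitoring that flags anything outside it, so segmentation and detection stay in agreement.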
Offshore cybersecurity is not an IT function. It is an engineering requirement.
Security must be embedded into the system design and not added afterwards. By focusing on Levels 0–3 and treating cyber risk as a direct safety concern, operators can protect both production and personnel.

