Oil and gas steps up fight against cyber attacks targeting operational technology

Image: DNV GL

The benefits of digitalization in the oil and gas industry are profound, but they are also causing cyber risks to emerge, according to DNV GL.

In response, the Norway-based energy consultancy is launching a globally applicable recommended practice (RP), based on a joint industry project, addressing how oil and gas operators, together with system integrators and vendors, can manage the emerging cyber threat.

Almost 68 per cent of oil and gas companies were affected by at least one significant cyber incident in 2016, the Ponemon Institute LLC reported in February, and many attacks are assumed to be undetected or unpublished. And according to the Ponemon Institute, 59 per cent of oil and gas companies surveyed believe there is greater risk in the operational technology (OT) than the information technology (IT) environment.

Critical network segments in production sites, which used to be kept isolated, are now connected to networks, making the OT more vulnerable. Managing threats toward OT requires knowledge beyond general information security, in particular related to automated, unmanned, integrated and remote operations which are accessible online, said DNV GL.

Its new recommended practice, “Cyber security in the oil and gas industry based on IEC 62443” is the result of a nearly two-year-long joint industry project (JIP) together with partners Shell Norge AS, Statoil, Woodside, Lundin Norway, Siemens, Honeywell, ABB, Emerson and Kongsberg Maritime.

The Norwegian Petroleum Safety Authority has observed the work and exchanged experiences with the JIP group from a regulatory perspective. The recommended practice is based on the IEC 62443 standard, international practice, professional experience, and takes into account HSE requirements and the IEC 61511 functional safety standard. It outlines a tailored approach for the oil and gas industry on how to build security, with the emphasis on OT.

“Industry players need confidence that security countermeasures can deal with more frequent and sophisticated cyber-attacks, which are becoming increasingly costly and harder for companies to recover from. Dealing with cyber-security challenges has become a key focus area for the oil and gas sector, and there is greater awareness of the requirements that need to be in place,” Pål Børre Kristoffersen, JIP project manager, DNV GL – Oil & Gas, said in a statement.

“There has, until now, been a lack of guidance for the oil and gas industry on how to implement these requirements. The new RP, developed in collaboration with key players, puts OT, together with IT, in the limelight, so the oil and gas industry can protect their operations,” Kristoffersen said.

The scope of the RP is guidance on how to use the IEC 62443 series of standards for projects and operational phases, including good practice and a reusable approach. The IEC standards define what to do, while the RP describes how. Implementation will result in:

• A reduced risk of cyber-security incidents • Cost-savings for operators by reducing the resources needed to define requirements and follow up • Cost-savings for contractors and vendors based on standardized design requirements from operators • Simplified audits for authorities and auditors due to common requirements and common conformance claims

The RP can be downloaded here.