DNVGL.com

Breadcrumbs

Guideline shows how to make oil and gas industry cyber secure

Contact us:

Pål Børre Kristoffersen Pål Børre Kristoffersen
Principal Consultant

Subscribe to PERSPECTIVES - a digital publication from DNV GL - Oil & Gas

Sign up here
SHARE:
PRINT:
Cyber security test lab
Accredited DNV GL laboratories worldwide help to protect critical information, IT and systems in oil and gas assets and operations

  • Digitalization benefits the oil and gas industry but increases cyber risk

  • Most oil and gas companies were hit by a cyber incident in 2016

  • DNV GL’s new Recommended Practice details how to build cyber security with the emphasis on operational technology

Digitalization is bringing profound benefits to the oil and gas industry,1 with more to come as barriers to optimizing use of data are dismantled.2 However, greater connectivity and the rise of the Industrial Internet of Things is also exposing the sector to cyber risks. Cyber security breaches can take businesses offline and lead to: lost production; raised health, safety and environmental risk; costly damages claims; and, negative reputational impacts.

A study by Ponemon Institute found almost 68% of oil and gas companies in the US were hit by at least one cyber incident in 2016.3 Another report revealed that 75% were affected and drew attention to cyber attacks on industrial control systems, not just on corporate information technology networks.4 The global Petya ransomware attack in June 2017 affected oil and gas companies.

The frequency of attacks is probably underestimated. Companies are reluctant to publicize them for fear that exposing a vulnerability may invite further attacks.

“Dealing with cyber security challenges has become a key focus area for the oil and gas sector and there is greater awareness of the requirements that need to be in place,” observed Pål Børre Kristoffersen, principal consultant, information risk management, DNV GL – Oil & Gas. “Critical network segments in production sites, which used to be kept isolated, are now connected to networks, making the operational technology more vulnerable.”

Managing cyber risks to oil and gas operational technology is vital

Senior oil and gas industry leaders agree about the need for a focus on this aspect of cyber security.

“The operational technology convergence between information technology and engineering is critical to ensuring successful operational technology security management,” said Julie Fallon, senior vice president engineering, Woodside Energy.

When the Ponemon Institute surveyed oil and gas professionals responsible for securing or overseeing cyber risk in the operational technology environment, it found 59% believed there is greater cyber risk there than in enterprise information technology.

Managing threats towards operational technology requires knowledge beyond general information security. Such knowledge includes oil and gas operational domain competence related to automated, unmanned, integrated and remote operations which are accessible online (figure 1) .

Globalized projects and rapid digitalization increase cyber threats

In addition, the complexity and global nature of oil and gas field development projects, and rapidly increasing digitalization across the supply chain, increase cyber risk.

Facilities and topsides may be designed in London, and subsea equipment designed in Paris, for example. The shipyard building the hull may be in South Korea, and the fabrication yard there or in China or Singapore. A typical project involves multiple contractors and hundreds of information interfaces, requiring a high level of diligence to understand where risks might arise.

The industry encourages the sharing of information on digitalization processes, software and control systems, and 3D virtual models, for example. These and other trends create risks that may not yet be fully understood or appreciated. Determining who is responsible and accountable for such risks is not yet clear in all cases. Is it the operator, the engineering, procurement and construction contractor, or the software vendor, for example?

DNV GL guideline shows how to manage cyber threats

DNV GL has launched the globally-applicable Recommended Practice (RP) DNVGL-RP-G108Cyber security in the oil and gas industry based on IEC 62443 to address how oil and gas operators, working with system integrators and vendors, can manage the emerging cyber threat. It outlines a tailored approach for the industry on how to build security, with the emphasis on operational technology.

As the title suggests, the new RP is based on the International Electrotechnical Commission’s IEC 62443 standard covering security for industrial automation and control systems. The DNV GL guideline also embraces international practice and experience. It takes into account health, safety and environmental requirements as well as the IEC 61511 standard for specification, design, installation, operation and maintenance of a safety instrumented system.

Industry collaboration pays off

DNVGL-RP-G108 is the result of a joint industry project (JIP) over two years with partners ABB, Emerson, Honeywell, Kongsberg Maritime, Lundin, Shell Norway, Siemens, Statoil, and Woodside Energy. The Norwegian Petroleum Safety Authority has observed the work and exchanged experiences with the JIP group from a regulatory perspective.

Figure 1: Managing cyber risk in operational technology is vital
Figure 1: Managing cyber risk in operational technology is vital

“Industry players need confidence that countermeasures can deal with more frequent and sophisticated cyber attacks, which are becoming increasingly costly and harder for companies to recover from,” said Kristoffersen, who project managed the JIP.

He added: “Until now, there has been a lack of guidance for the oil and gas industry on how to implement these requirements. The new RP, developed in collaboration with key players, puts operational technology in the spotlight alongside IT, so the industry can protect its operations. It is not only for new installations. Existing and older installations may not be prepared for the new connected reality – and need to be updated with respect to the new risk picture.”

The scope of Recommended Practice DNVGL-RP-G108

The RP provides guidance on how to use the IEC 62443 standard for front-end engineering and design projects and operations, including good practice and a reusable approach (figure 2) . The standard defines what to do, while the RP describes how it should be implemented. Among other benefits, this will result in:
  • Reduced risk of cyber security incidents
  • Cost savings for operators by reducing the resources needed to define requirements and follow up
  • Cost savings for contractors and vendors based on identical requirements from operators
  • Simplified audits for authorities and auditors due to common requirements and common conformance claims.

Collaborating on cyber security delivers benefits to oil and gas companies

Industry participants in the JIP that led to DNVGL-RP-G108 say they have benefitted from the collaborative approach.

“The […] process leading to this Recommended Practice has enabled our team to leverage industry best practices, share learnings, and grow capability,” said Woodside Energy’s Fallon. “Aligning our operational technology cyber security approach to IEC 62443 enables us to learn from and contribute to industry knowledge and capability. The RP provides practical guidance on applying the standard to oil and gas.”

In a joint statement, vendors involved in the JIP commented: “Our customers in the oil and gas industry are to a large extent facing the same types of cyber threats found in information technology systems. Being able to standardize what we deliver to our customers is important in reducing cyber risks and reducing cost. Above all, it will increase the safety, availability and reliability of the operational technology systems.”

The statement continued: “The organizations operating the systems can also manage cyber risks by following and implementing the identification, protection, detection, response and recovery steps defined in the standards to withstand cyber attacks. In the process of defining this RP, we have collaborated with both our competitors and our customers on guidance to the IEC 62443 series of standards.”

Download a complimentary copy of DNVGL-RP-G108

References

1Digitalization in the oil and gas industry’, DNV GL
2Dismantling barriers to digitalization’, DNV GL PERSPECTIVES, DNV GL, April 2016
3 ’The state of cybersecurity in the oil & gas industry: United States’, Ponemon Institute LLC, February 2017
4 ’Protecting the connected barrels: cybersecurity for upstream oil and gas’, A Mittal et al, Deloitte Center for Energy Solutions, Publ. Deloitte University Press, June 2017

Figure 2: Recommended Practice DNVGL-RP-G108 explains security in all lifecycle phases
Figure 2: Recommended Practice DNVGL-RP-G108 explains security in all lifecycle phases

Disclaimer:
DNV GL prides itself on providing accurate information but makes no claims or guarantees about the accuracy, completeness or adequacy of contents in this publication, and disclaims liability for any errors or omissions. The authors’ views here do not necessarily reflect DNV GL’s views.