Cybercrimes cost energy and utilities companies an average of USD 12.8 million each year in lost business and damaged equipment.* Platform operators need confidence that countermeasures can deal with bigger and more sophisticated cyber-attacks. DNV GL is now collaborating with A/S Norske Shell, Statoil, Lundin, Siemens, Honeywell, ABB, Emerson and Kongsberg Maritime to develop best practice in addressing this threat. Other companies are still welcome to join.
Cyber security is a growing issue in the oil and gas sector since critical network segments in production sites, which used to be kept isolated, are now connected to networks. The trend is towards remote operations, remote maintenance and tighter inter-operability with centralised process data and plant information. Old and outdated installations are at particular risk and require risk mitigation actions.
“We see that cyber-security incidents are increasing with attempted attacks on a daily basis. By collaborating with others in the industry, we can ensure that we end up with one globally applicable regulation that is suitable for the oil and gas sector,” says Rune Wærstad, Control & Automation Engineer, A/S Norske Shell.
To address these challenges, DNV GL has established a Joint Industry Project (JIP) together with A/S Norske Shell, Statoil, Lundin, Siemens, Honeywell, ABB, Emerson and Kongsberg Maritime. In addition, the Norwegian Petroleum Safety Authority will take part as an observer. The JIP will produce a guideline for protecting oil and gas installations against cyber-security threats. The IEC 62443 standard will be used, but will be tailored to the oil and gas industry. The standard defines what to do, while the guideline will describe how. The JIP will result in:
- Reduced risk of cyber-security incidents.
- Cost-savings for operators by reducing the resources needed to define requirements and follow up.
- Cost-savings for contractors and vendors based on identical requirements from operators.
- Simplified audits for authorities and auditors due to common requirements and common conformance claims.
“Dealing with cyber-security challenges has become a key focus area for the oil and gas sector. Attacks are becoming increasingly costly and harder for companies to recover from. This JIP will lower the risk of cyber-security incidents and trim costs for operators, contractors and vendors by reducing the resources needed to define requirements and by driving a standardised approach,” says Pål Børre Kristoffersen, Principal Consultant, DNV GL – Oil & Gas.
The scope of the JIP is to produce cyber-security guidelines to simplify and clarify the use of IEC 62443 for the FEED, projects and operations. Good practice and reusable patterns are to be produced. The JIP will result in a Recommended Practice (RP) for Industrial Automation and Control Systems in 12 months’ time.
DNV GL is currently assisting Total E&P Norge with cyber-security risk management for the Martin Linge field development and associated operations offshore Norway. DNV GL’s scope of work includes the day-to-day management and coordination of cyber security during the project phase and through preparations for operation, with a specific focus on integrated control and safety systems. The project also aims to raise awareness of cyber-security risks and to train personnel to take simple preventative measures.
*“2015 Global report on the cost of cyber crime”, Ponemon Institute research for HP Enterprise Security, October 2015.