In response to significant cyber incidents and attacks aimed at the oil and gas industry, DNV GL has launched a globally applicable recommended practice (RP), DNVGL-RP-G108, to address how oil and gas operators, together with system integrators and vendors, can manage the emerging cyber threat and set up protections.
Titled “Cyber security in the oil and gas industry based on IEC 62443,” the study is a two-year-long joint industry project (JIP) with partners Shell Norge AS, Statoil, Woodside, Lundin Norway, Siemens, Honeywell, ABB, Emerson and Kongsberg Maritime, with input from a regulatory perspective by the Norwegian Petroleum Safety Authority.
The RP is based on the IEC 62443 standard, international practice and professional experience, and takes into account HSE requirements and the IEC 61511 functional safety standard.
With almost 68% of oil and gas companies affected by at least one significant cyber incident in 2016, and many attacks assumed to be undetected or unpublished, operational technology (OT) and critical network segments in production sites are more vulnerable. Indeed, the same source suggests that 59% of oil and gas companies surveyed believe there is greater risk in the OT than the IT environment. As such, the RP outlines a tailored approach for the oil and gas industry on how to build security with the emphasis on OT. Managing threats towards OT requires knowledge beyond general information security, such as oil and gas operational domain competence, in particular related to automated, unmanned, integrated and remote operations which are accessible online.
The RP offers guidance on how to use the IEC 62443 series of standards for projects and operational phases, including good practice and a reusable approach that is tailored for oil and gas onshore and offshore operations. These standards define what to do, while the RP describes how. Implementation is aimed at: reduced risk of cyber-security incidents; cost savings for operators, due to the reduction of the resources needed to define requirements and follow up; cost savings for contractors and vendors, thanks to standardised design requirements from operators; and simplified audits for authorities and auditors, as a result of common requirements and common conformance claims.