“Previously, oil platforms were isolated far out at sea. You had to use a helicopter to get out there. Now much is available from shore and over the internet,” says Anne Aune, consultant in Information Risk Management in the consulting and classification company DNV GL.
From control rooms onshore, an operator can control and monitor critical operations. Maintenance tasks can be performed from the suppliers’ offices, and in some cases from home offices.
“More and more information is put online. This enables operators to make faster and better decisions, but it does not come without increased risk,” said Aune.
“We know that attempts to attack are ongoing”
While shorebased control rooms and remote maintenance can represent saved costs and better efficiency for the oil companies, it also increases the risk of digital vulnerability.
First line of attack will often be shorebased office networks. From there, hackers move on through technical networks to process control systems, and can ultimately affect security features. To prevent this, devices and routines are required to detect intrusion, as well as segregation of the networks with strict barrier control.
“For example, bringing a mobile phone into a control room can lead to increased risk. If it is connected to the local network while shared Internet is turned on, unauthorized access can be obtained.
“If an attacker can change information via the network, or plant malicious software on critical systems, this may cause a dangerous situation,” explains Aune.
As cyber attacks increase in scale, they get more sophisticated, more difficult to detect and harder to defend against, according to Aune.
“We know that attempts to attack are ongoing. Therefore, strict requirements are imposed on technical solutions, procedures and the competence of personnel needing access to remote control of production systems.”
Who is behind the attacks?
Aune says that both organized hackers and individuals are behind the attacks. In order to pose a risk, the attackers must have ‘qualities, opportunities and motivation’.
“Motivation can, for example, be linked to financial gain, opportunities are linked to system vulnerability, and qualities are related to the resources available to the attacker,” says Aune.
“Must have sufficient knowledge”
Safeguarding critical systems cannot be obtained only by technical solutions. It is important to provide routines such as security updates and anti-virus updates. When hacking has occurred, routines must be in place for taking action and re-establishing operation.
“Personnel who maintain and use the systems must have sufficient knowledge and awareness. In order to achieve effective security measures, one must look at the connection between technology, work processes and the people in the organization,” says Aune.
High on the agenda
According to DNV GL’s annual report on the outlook for the oil and gas industry, ‘Short-term agility – long-term resilience’, it appears that digitalization is higher on the agenda of the oil and gas industry in Norway than in the rest of the world.
More than half of the Norwegian respondents in the survey expect digitalization to increase in their own organization – compared to 39 percent globally.
The risk of digitalization has given cyber security a major focus in the oil and gas industry. According to the same survey, cyber security is ranked as No. 1 among technologies for significant investments or implementation in 2017.
Aune recommends that the industry itself works hard to fight data crime.
“The Norwegian Oil and Gas Industry Organization made guidelines early on, and the Petroleum Safety Authority Norway has put digital security high on the agenda. In addition, DNV GL, together with major industry players, has a joint industrial project to develop a cyber-security practice,” concludes Aune.
DNV GL prepares recommended practice
“We take an active role by gathering players in the oil industry to create a common industry practice. This will guide and support suppliers, operators and authorities,” says Anne Aune, Information Risk Management Consultant in DNV GL.
Do you want more information? Send an email to firstname.lastname@example.org