Top 10 cyber security risks

Norwegian certification and classification body DNV GL has produced a "top 10" cyber security vulnerabilities for oil and gas firms operating offshore Norway.

The list, produced as the organization delivered a study on cyber security to the Lysne Commmittee, comes as more firms are moving to new cost-effective operational concepts, using digital technologies with increased dependence on cyber structures.

It follows a survey of 1100 business professionals which found that, although companies are actively managing their information security, just over half (58%) have adopted an ad hoc management strategy, with only 27% setting concrete goals. 

DNV GL says cyber-attacks have grown in stature and sophistication, making them more difficult to detect and defend against, and costing companies increasing sums of money to recover from.

“Headline cyber security incidents are rare, but a lot of lesser attacks go undetected or unreported as many organizations do not know that someone has broken into their systems," says Petter Myrvang, head of Security and Information Risk, DNV GL. "The first line of attack is often the office environment of an oil and gas company, working through to the production network and process control and safety systems.” 

While the study focused on operations on the Norwegian Continental Shelf, the issues are equally applicable to oil and gas operations anywhere in the world, says DNV GL.

The top 10 cyber security vulnerabilities:

1. Lack of cyber security awareness and training among employees
2. Remote work during operations and maintenance
3. Using standard IT products with known vulnerabilities in the production environment
4. A limited cyber security culture among vendors, suppliers and contractors
5. Insufficient separation of data networks
6. The use of mobile devices and storage units including smartphones
7. Data networks between on- and offshore facilities
8. Insufficient physical security of data rooms, cabinets, etc.
9. Vulnerable software
10. Outdated and ageing control systems in facilities

DNV GL believes cyber security vulnerabilities can be addressed through a risk-based approach, using the bow-tie model familiar in safety barrier management. This allows companies to identify the threats to and vulnerabilities of assets and operations and plan barriers to prevent incidents and mitigate the consequences of cyber risks. This includes procedures to maintain the barrier quality documented in performance standards.

“As all oil and gas process plants are now connected to the internet in some way, protecting vital digital infrastructure against cyber-attacks also ensures safe operations and optimal production regularity,” says Trond Winther, head of the Operations Department, DNV GL – Oil & Gas.

The company applies its independent, risk-based approach to designing, implementing, testing, monitoring and maintaining cyber security countermeasures for customers worldwide. The company’s software tool, Synergi Life – Risk Management Module, is used to establish a live asset and risk registry. This tool allows vulnerabilities and threats to be assessed and mitigations to be followed up.