DNV GL study reveals cyber threats to oil and gas industry

DNV GL on Monday delivered the study to Lysne Committee revealing cyber security vulnerabilities for companies operating offshore Norway. 

“With the exploitation of new cost-effective operational concepts, use of digital technologies and increased dependence on cyber structures, the oil and gas industry is exposed to new sets of vulnerabilities and threats,” DNV GL said in a statement.

According to the classification society, cyber-attacks have grown in stature and sophistication, making them more difficult to detect and defend against, and costing companies increasing sums of money to recover from.

Through an international survey, DNV GL found that, although companies are actively managing their information security, just over a half (58 percent) have adopted an ad hoc management strategy, with only 27 percent setting concrete goals.

“Headline cyber security incidents are rare, but a lot of lesser attacks go undetected or unreported as many organizations do not know that someone has broken into their systems. The first line of attack is often the office environment of an oil and gas company, working through to the production network and process control and safety systems,” says Petter Myrvang, head of the Security and Information Risk Section, DNV GL – Oil & Gas.

While the study focused on operations on the Norwegian Continental Shelf, the issues are equally applicable to oil and gas operations anywhere in the world, with DNV GL’s study revealing a list of ten major cyber security vulnerabilities:

• Lack of cyber security awareness and training among employees;
• Remote work during operations and maintenance;
• Using standard IT products with known vulnerabilities in the production environment;
• A limited cyber security culture among vendors, suppliers and contractors;
• Insufficient separation of data networks;
• The use of mobile devices and storage units including smartphones;
• Data networks between on- and offshore facilities;
• Insufficient physical security of data rooms, cabinets, etc.;
• Vulnerable software;
• Outdated and ageing control systems in facilities.

DNV GL believes cyber security vulnerabilities can be addressed through a risk-based approach, using the bow-tie model familiar in safety barrier management. This allows companies to identify the threats to and vulnerabilities of assets and operations and plan barriers to prevent incidents and mitigate the consequences of cyber risks. This includes procedures to maintain the barrier quality documented in performance standards.

Trond Winther, head of the Operations Department, DNV GL – Oil & Gas added that due to all oil and gas process plants being connected to the internet in some way, protection of digital infrastructure ensures safe operations and production regularity.

LNG World News Staff; Image: DNV GL