Playbooks Supplements

Data-Driven Oil Fields 2017

Issue link: http://yearbook.epmag.com/i/763545

Contents of this Issue

Navigation

Page 30 of 39

29 EPMAG.COM | DATA-DRIVEN OIL FIELDS | JANUARY 2017 playing a more important role in safety systems. The IT and OT personnel have different experiences and understanding of this coupling. 4. Change management. Not upgrading software (un- patched software) represents a significant cybersecurity vulnerability for a system. Software updates on IT systems are usually upgraded continuously and according to policies and procedures. The OT personnel want a low number of changes in the OT domain, as an unsuccessful upgrade can represent a significant risk to safety or a pos- sibility of production outage. The OT personnel solve this by patching when strictly necessary, after numerous tests involving the vendor of the industrial control application. Digital vulnerabilities According to a recent study undertaken by DNV GL, "Digital Vulnerabilities Oil and Gas," which was an analysis of Nor- way's oil and gas sectors, lack of cybersecurity awareness and training among employees is the No. 1 reason for heightened digital vulnerability. The study revealed the 10 most pressing cybersecurity vulnerabilities for companies operating offshore Norway. While it focuses on operations on the Norwegian Continental Shelf, the issues are equally applicable to operations anywhere in the world. It is important to prepare for cybersecurity throughout the whole value chain and in all phases from design to operation. This means that an early involvement and understanding of cybersecurity is essential for operation readiness. The operators should establish a complete operating cybersecurity regime, for example as described in IEC-62443 Security for Industrial Automation & Control Systems. Joint efforts Many participants in the oil and gas sector have indicated that it is difficult to prevent and mitigate cyber vulner- abilities in accordance with the digital acceleration, and they now want col- laborative effort to take action. The industry expresses that a major reason lies in not having a common industry guideline on how to act to prevent and mitigate cybercrime. Some players in the sector tend not to have any formal procedures, and they want a common guideline to be developed that can be used as the basis for defining company requirements. Others have developed their own re- quirements and practices on how to deal with cyber risks. Further development and mainte - nance of these documents has, according to several operating companies, shown to be very resource-demanding, and a com- mon industry best practice would both save costs and probably improve the effectiveness of how the risks are met. For suppliers, a common industry standard would be largely beneficial, as to date they deliver tools and services meeting vari- ous requirements and procedures. For regulatory authorities and third-party auditors it will be easier to approach a common practice. To meet this industry need DNV GL initiated a joint industry project to develop procedures on how to handle cyber vulnerabil- ities. Statoil ASA, Lundin Norway AS, A/S Norske Shell, Siemens AS, Honeywell AS, ABB AS, Emerson Process Management AS and Kongsberg Maritime AS are participating to develop best practices in addressing this threat. In addition, the Norwegian Petroleum Safety Authority is participating as an observer in the project. Operation readiness Digitalization, if done right, can certainly achieve objectives such as cost-cutting, reliability, increased efficiency and reg- ularity, sustainability and safety. However, as outlined above, these objectives cannot be fully achieved if availability, integrity and confidentiality of critical IT and OT assets are not pro- tected. DNV recommends exploring digital advancements with joined forces from the IT and OT domains in cybersecurity. n References available. Petter Myrvang is head of Enterprise & Information Risk Management at DNV GL–Oil & Gas. When it comes to managing cybersecurity, IT and OT personnel often tend to work toward different objectives. A lack of cybersecurity awareness and training among employees is also the No. 1 reason for heightened digital vulnerability. (Photo courtesy of DNV Oil & Gas)

Articles in this issue

Links on this page

Archives of this issue

view archives of Playbooks Supplements - Data-Driven Oil Fields 2017