DNV GL has launched a new recommended practise (RP) focusing on cyber security as the increasing digitalization of the industry poses the threat of it becoming more vulnerable, at SPE Offshore Europe.
DNV GL says almost 68% of oil and gas companies were affected by at least one significant cyber incident in 2016, and many attacks are assumed to be undetected.
Critical network segments in production sites, which used to be kept isolated, are now connected to networks, making operational technology (OT) more vulnerable. According to recent research, 59% believe there is greater risk in the OT than the IT environment.
Managing threats towards OT also requires knowledge beyond general information security, such as oil and gas operational domain competence, in particular related to automated, unmanned, integrated and remote operations which are accessible online.
Following a two-year joint industry project, involving partners Shell Norge, Statoil, Woodside, Lundin, Siemens, Honeywell, ABB, Emerson and Kongsberg Maritime, DNV GL has launched a globally applicable RP, DNVGL-RP-G108, addressing how oil and gas operators, together with system integrators and vendors, can manage this emerging threat.
The Norwegian Petroleum Safety Authority gave input from a regulatory perspective to RP Guideline for the use of IEC 62443 in the oil and gas industry. The RP is based on the IEC 62443 standard, international practice and experience, and takes into account HSE requirements and the IEC 61511 functional safety standard.
Pål Børre Kristoffersen, JIP Project Manager, DNV GL – Oil & Gas, says: “Dealing with cyber-security challenges has become a key focus area for the oil and gas sector, and there is greater awareness of the requirements that need to be in place. But there has, until now, been a lack of guidance for the oil and gas industry on how to implement these requirements.”
The scope of the RP is guidance on how to use the IEC 62443 standard for FEED, projects and operations. It aims to reduce the risk of cyber-security incidents, achieve cost-savings for operators by reducing the resources needed to define requirements and follow up, as well as cost-savings for contractors and vendors (based on using identical requirements from operators), simplifying audits for authorities and auditors.