The audit was conducted from 31 August to 3 September 2020.

Objective

The objective of the audit was to verify:

  • how the company follows up the management of risks linked to data security of the industrial ICT systems.
  • processes and systems in the company used to ensure follow-up of these systems and how this is implemented in each individual unit.
  • whether there is a correlation between overall procedures and the follow-up of the systems at the installation.

Result

We looked at the design of the industrial ICT systems and how they are segmented and structured. Verifications were made between the different systems and their links to the office systems.

An examination was made of how the industrial ICT systems were maintained and followed up, both internally and through contracts with suppliers of the different systems. We verified procedures and functions for remote connection to the industrial ICT systems, routines for monitoring data flows and event logging for the industrial ICT systems.

We verified the company’s competency requirements for technicians working on the industrial ICT systems, as well as training and drills in how incidents in the industrial ICT systems are handled.

The observations in this audit report are exempt from public disclosure, with reference to the Freedom of Information Act section 24, paragraph 3.

What happens next?

We have sent the audit report to Rowan (Valaris), requesting feedback on our observations by 25 November 2020.