Information and communication technology (ICT), with computers, software, systems and networks, is necessary for secure and efficient operation of offshore platforms and land plants. Industrial ICT systems control processes, monitor possible gas leaks or outbreaks of fire, and ensure safe shutdown of facilities and plants.
Safety-critical equipment and solutions must be provided with good, robust protection – including against ICT security incidents.
The PSA has been following up the industry’s work on ICT security for many years. Attention has been directed at industrial ICT systems and the efforts made by companies to protect these. The Lysne commission (Norwegian Official Reports (NOU) 2015:13 on digital vulnerability – secure society) and the Traavik commission (NOU 2016:19 on interaction for safety) identified a need to strengthen follow-up of and commitment to ICT security for management and control systems in the petroleum sector. The PSA therefore received additional funding in 2018-21 from the Ministry of Labour and Social Inclusion for following up ICT security. Incidents in the industry have illustrated how important such an effort is.
Information and guidance
A significant part of this commitment involved acquiring knowledge in order to obtain an overall picture of ICT challenges and risk conditions in the industry. The PSA has commissioned a number of studies and research activities directed at aspects of robustness in industrial ICT systems. It has received contributions from and shared knowledge with other government agencies, academia, and specialist and scientific teams nationally and internationally. Thirteen reports have been produced in collaboration with the International Research Institute of Stavanger (Iris), DNV, Sintef, Sopra Steria and Proactima.
Read more: ICT security in industrial systems.
These development projects have largely been directed at various aspects of robustness in industrial ICT systems. Technical measures, operational solutions, training and drills on handling incidents have been assessed, and evaluations of the regulations and supervisory methods conducted.
Many of the reports describe what the security of industrial systems involves. These reports are useful in gaining an overall grasp of the issues and differences between IT security in general and the challenges for industrial systems. Many of them look at where ICT security might be a key element in a system. Those with system responsibility could utilise these reports as a checkpoint.
Some of the reports devote more attention to how ICT security can be increased in industrial systems. They address specific disciplines, such as communication, using model-based systems, and challenges related to the requirement for independent security systems.
Although pandemic restrictions affected physical participation in interactive arenas in 2021, the PSA continued to contribute to discipline, industry and official fora by sharing experience from audits and learning activities.
The PSA conducted six audits in 2021 with ICT security as the subject, involving operators of selected facilities and plants as well as those with a high profile for digitalisation activities. Audits have been carried out over a four-year period with most operators and vessel owners, and are planned for the remainder of them in 2022.
These audits have investigated whether principles and procedures are followed up in practice and whether systems incorporate the protection solutions mentioned in governing documentation. They found that the companies generally have governing documentation and procedures for handling ICT security in their industrial systems. The challenge is that these are only observed to a certain extent in day-to-day work. Deficiencies were also identified in expertise, training and drills, and interaction with suppliers on ICT security.
Through this commitment, the PSA has worked to make regulatory requirements clear through reports on supervision and audits. The regulations have been reviewed to clarify the application of more general sections, and this has been communicated to the sector to help increase understanding of the PSA’s ICT-related supervision. In its dialogue with the industry, the PSA has observed that this clarification of the regulations is understood and accepted.
Emergency preparedness and incident management
Coordination and communication are key elements in emergency preparedness and incident management, including for ICT security. PSA audits have sought information on training and drilling of first-line personnel, support functions and suppliers. A number of players are dependent on the central expertise departments in companies with head offices abroad.
The Lysne commission recommended in NOU 2015:13 “that enterprises in the sector either enter into a collaboration with KraftCert or find other solutions for an operational collaboration”. A number of operators have chosen to enter into a collaboration with KraftCert to strengthen their incident management capability.
In its framework for handling ICT security incidents, the Norwegian National Security Authority has emphasised the importance of the sector response milieu (SRM).
The PSA has maintained a close dialogue with KraftCert in order to make provision for an SRM in the petroleum industry.
Having followed up ICT security along several lines and with the aid of various instruments, the PSA observes that its overall efforts have had an effect in the form of increased awareness of and knowledge-sharing on ICT security in industrial systems. Industry feedback is that the PSA’s reports are a useful supplement to companies’ own expertise, particularly for smaller discipline teams. At a general level, the PSA sees that its commitment to ICT security has contributed to more robust organisations and systems for handling this type of risk.
Security against cyber attacks
The security and intelligence services have stated that Norway faces a complex risk picture, where foreign states seek with the aid of a broad range of instruments to exploit vulnerabilities in functions, enterprises and systems. Enterprises in the energy and petroleum sectors are considered particularly exposed.
These enterprises are responsible for safeguarding their own business, including personnel, information and infrastructure, against threats and cyber attacks. That requires them to have good systems and robust preparedness in order to adapt their security measures, and to adopt measures appropriate to the relevant threat picture.
The PSA again conducted audits on this issue in 2021. These activities have covered physical, personal and information security, and include an audit series on security along the whole logistics chain which ended in 2022. A meeting series was conducted in 2020-21 with operator companies to investigate their approaches to and handling of security risk.
Its conclusions support findings from other supervisory activities that the trend in this area since a similar meeting series in 2014 has been positive.
Entrenchment with management and development of methods and tools, combined with greater understanding, knowledge and expertise, have yielded results. The level of maturity in security has increased. Nevertheless, the PSA’s overall supervisory activities show that challenges persist for identifying, managing and handling security risks. This will be addressed in future audits. Experience gained will also be shared at a security seminar in 2022.
This article is taken from the PSA’s annual report for 2021 to the Ministry of Labour and Social Inclusion. Access the whole report here (in Norwegian only, English summary).