These studies help to concentrate and increase understanding of this issue in the industry, and can in that way contribute to increasing defences against undesirable incidents in industrial ICT systems for petroleum-related operations.

DNV GL has utilised literature studies along with interviewing with players in the industry as well as representatives from other sectors and government authorities.

The reports in brief

Regulatory and supervisory methodology

This sub-project has aimed to assess whether the PSA’s regulations, in their present form, are appropriate in relation to the subject of cyber security and the threat picture in this area.

Similarly, it has addressed whether the methodologies utilised by the authority in supervising ICT security are appropriate, given the number of objects to be supervised and the threat picture.

Cyber security for SIS and intrinsically safe components, communication protocols

This sub-project has addressed ICT security in safety instrumented systems (SIS), how this is built into the design of such solutions and how it is handled during commissioning and operation.

An important part of this delivery has been to assess how the security principles described in IEC 61508/511 and IEC 62443 are implemented.

It also describes trends and developments for industrial ICT systems related to network-based components.

Resilience against cyber incidents and possible help from blockchains

The report explains how resilience, with associated methods, can be utilised to make industrial ICT systems more secure and thereby more robust. It also discusses how principles for ICT security can be applied in relation to blockchain technology and how security can be protected and possibly strengthened by implementing blockchains.

On the basis of current information and available research, the report also discusses whether blockchains can contribute positively to building resilience and making new methods available to promote cyber security for industrial ICT systems and for the interface with administrative systems.

Training and drills

This report provides recommendations on requirements and best practice relating to training and drills, including emergency preparedness for security incidents involving industrial ICT systems.

The distinction between industrial ICT and IT is being challenged, and a hacker attack on administrative IT systems in the office network could be a springboard for penetrating industrial systems.

Digitalisation means that information from the latter is increasingly available in office systems. The report therefore also contains recommendations directed at IT facilities which could indirectly affect industrial ICT systems in an enterprise.

Telecommunication and protocols

This report describes challenges and risks in today’s telecommunication systems, as well as trends in this area which could affect petroleum-sector security in coming years. Possible measures for increasing robustness in telecommunication solutions are discussed.

Attention is concentrated on telecommunication systems relevant for technical installations, both on land and offshore, as well as conditions related to people, the environment and security. The most detailed discussion is devoted to those systems which, in DNV GL’s view, present particular safety challenges.