This report help to concentrate and increase understanding of ICT security in the industry, and can in that way contribute to increasing defences against undesirable incidents in industrial ICT systems for petroleum-related operations.

Sopra Steria has employed literature reviews and interviews with industry participants and representatives from other sectors and the authorities.

Short report summary

The purpose of the assignment was to be able to provide an answer to the question of the extent to which data and information are protected, both while at rest and in transit.

The greatest amount of knowledge about technological solutions for storing and transferring information is often possessed by one or more providers. This creates dependencies between providers at several stages. Cloud, data lake, SaaS and more recent mechanisms for data transport, both wired and wireless, present opportunities for more provider-driven deliveries and operating contracts in the digital value chain.

This interconnection between multiple systems and solutions involving multiple actors contributes to even more complex supply chains. The degree of complexity and dependencies in these types of supply chains make it more difficult to obtain a good overview and knowledge of information assets and owners, vulnerabilities, threats, the probability of incidents and attacks, as well as potential consequences. Such dependencies may result in chain reactions occurring that have consequences for the entire value chain.

In order to provide an answer to how data and information are protected, this assignment has focussed in particular on the interaction between the operators and other actors in the petroleum sector.

This assignment considers whether risk ownership is adequately safeguarded, whether management and control are with the operators, or whether these tasks are left to providers and how this impacts risk and opportunities for control.