Oil and gas industry joins forces in fight against cybercrime
Published: 28 September, 2016
DNV GL is collaborating with Shell, Statoil, Lundin, Siemens, Honeywell, ABB, Emerson and Kongsberg Maritime to develop best practice in addressing Cybercrimes, which cost energy and utilities companies an average of USD 12.8 million each year in lost business and damaged equipment. Platform operators need confidence that countermeasures can deal with bigger and more sophisticated cyber-attacks.
Cyber security is a growing issue in the oil and gas sector since critical network segments in production sites, which used to be kept isolated, are now connected to networks. The trend is towards remote operations, remote maintenance and tighter inter-operability with centralized process data and plant information. Old and outdated installations are at particular risk and require risk mitigation actions.
Rune Wærstad, a control & automation engineer for Shell, commented: “We see that cyber-security incidents are increasing with attempted attacks on a daily basis. By collaborating with others in the industry, we can ensure that we end up with one globally applicable regulation that is suitable for the oil and gas sector.”
To address these challenges, DNV GL has established a Joint Industry Project (JIP) together with Shell, Statoil, Lundin, Siemens, Honeywell, ABB, Emerson and Kongsberg Maritime. In addition, the Norwegian Petroleum Safety Authority will take part as an observer. The JIP will produce a guideline for protecting oil and gas installations against cyber-security threats. The IEC 62443 standard will be used, but will be tailored to the oil and gas industry. The standard defines what to do, while the guideline will describe how.
Pål Børre Kristoffersen, principal consultant, DNV GL – Oil & Gas, added: “Dealing with cyber-security challenges has become a key focus area for the oil and gas sector. Attacks are becoming increasingly costly and harder for companies to recover from. This JIP will lower the risk of cyber-security incidents and trim costs for operators, contractors and vendors by reducing the resources needed to define requirements and by driving a standardized approach.”
The scope of the JIP is to produce cyber-security guidelines to simplify and clarify the use of IEC 62443 for the FEED, projects and operations. Good practice and reusable patterns are to be produced. The JIP will result in a Recommended Practice (RP) for Industrial Automation and Control Systems in 12 months' time.
DNV GL is currently assisting Total E&P Norge with cyber-security risk management for the Martin Linge field development and associated operations offshore Norway. DNV GL’s scope of work includes the day-to-day management and coordination of cyber security during the project phase and through preparations for operation, with a specific focus on integrated control and safety systems. The project also aims to raise awareness of cyber-security risks and to train personnel to take simple preventative measures.