DNV GL has delivered a study to the Lysne Committee (Lysneutvalget) that reveals the top ten most pressing cyber security vulnerabilities for companies operating offshore Norway.
An international DNV GL survey of 1,100 business professionals found that, although companies are actively managing their information security, just over half (58%) have adopted an ad hoc management strategy, with only 27% setting concrete goals.
“Headline cyber security incidents are rare, but a lot of lesser attacks go undetected or unreported as many organizations do not know that someone has broken into their systems. The first line of attack is often the office environment of an oil and gas company, working through to the production network and process control and safety systems,” says Petter Myrvang, head of the Security and Information Risk Section, DNV GL – Oil & Gas.
While the study focused on operations on the Norwegian Continental Shelf, the issues are equally applicable to oil and gas operations anywhere in the world.
The top ten cyber security vulnerabilities:
- Lack of cyber security awareness and training among employees
- Remote work during operations and maintenance
- Using standard IT products with known vulnerabilities in the production environment
- A limited cyber security culture among vendors, suppliers and contractors
- Insufficient separation of data networks
- The use of mobile devices and storage units including smartphones
- Data networks between on- and offshore facilities
- Insufficient physical security of data rooms, cabinets, etc.
- Vulnerable software
- Outdated and ageing control systems in facilities.
DNV GL believes cyber security vulnerabilities can be addressed through a risk-based approach, using the bow-tie model familiar in safety barrier management. This allows companies to identify the threats to and vulnerabilities of assets and operations and plan barriers to prevent incidents and mitigate the consequences of cyber risks. This includes procedures to maintain the barrier quality documented in performance standards.
“As all oil and gas process plants are now connected to the Internet in some way, protecting vital digital infrastructure against cyber-attacks also ensures safe operations and optimal production regularity,” says Trond Winther, head of the Operations Department, DNV GL – Oil & Gas.
The company applies its independent, risk-based approach to designing, implementing, testing, monitoring and maintaining cyber security countermeasures for customers worldwide. The company’s software tool, Synergi™ Life – Risk Management Module, is used to establish a live asset and risk registry. This tool allows vulnerabilities and threats to be assessed and mitigations to be followed up.
Source: DNV GL
Cyber Security is a hot potato indeed. There is no system which is perfect or foolproof and it takes less than two weeks for a bunch of youngsters below the age of 20 to penetrate and access any system if they wish to do so.
To have some sort of control one needs to be smarter than the hacker every day. The best practice way is to build systems which keep the vital and crucial data triggers in the most “visible” places. Humans and the cognitive protocol are built to miss the most visible parts by default and therefore the only place where we cannot find what we are looking for. The longer we try to complicate and hide things, the quicker we give access by baseline function triggers.
Try to hide candy from your wife and kids. Put the candy in the place where they subconsciously and consciously look most times during the day. They will not find them or it will take a very long time. Try to hide it in the best and smartest place and they will find it quickly each time.
Try the same with cyber security and you will get similar results. We just need to create new continuity fields around whatever we do in order to prolong the perception that we “see” real time data when in fact we create the same out from delayed average. Simple things 🙂
Kind regards,
JJ