Based on a joint industry project, DNV GL is now launching a globally applicable recommended practice (RP), DNVGL-RP-G108, addressing how oil and gas operators, together with system integrators and vendors, can manage the emerging cyber threat.
As noted, digitalization has not brought only benefits, but also cyber risks in the oil and gas industry. Almost 68% of oil and gas companies were affected by at least one significant cyber incident in 2016, and many attacks are assumed to be undetected or unpublished.
Critical network segments in production sites, which used to be kept isolated, are now connected to networks, making the operational technology (OT) more vulnerable. According to recent research, 59% of oil and gas companies surveyed believe there is greater risk in the OT than the IT environment.
The new DNV GL recommended practice “Cyber security in the oil and gas industry based on IEC 62443” is the result of a nearly two-year-long joint industry project (JIP) together with partners Shell Norge AS, Statoil, Woodside, Lundin Norway, Siemens, Honeywell, ABB, Emerson and Kongsberg Maritime. The Norwegian Petroleum Safety Authority has observed the work and exchanged experiences with the JIP group from a regulatory perspective.
The RP is based on the IEC 62443 standard, international practice and professional experience, and takes into account HSE requirements and the IEC 61511 functional safety standard. It outlines a tailored approach for the oil and gas industry on how to build security, with the emphasis on OT.
The scope of the RP is guidance on how to use the IEC 62443 series of standards for projects and operational phases, including good practice and a reusable approach, tailored for oil and gas onshore and offshore operations. The IEC standards define what to do, while the RP describes how, and implementation is expected to result in:
- A reduced risk of cyber-security incidents
- Cost-savings for operators by reducing the resources needed to define requirements and follow up
- Cost-savings for contractors and vendors based on standardized design requirements from operators
- Simplified audits for authorities and auditors due to common requirements and common conformance claims
In a joint statement, the vendors involved in the RP said: “Being able to standardize what we deliver to our customers is important in reducing cyber-risks and reducing cost. Above all, it will increase the safety, availability and reliability of the operational technology systems. The organizations operating the systems can also manage cyber-risks by following and implementing the identification, protection, detection, response and recovery steps defined in the standards to withstand cyber-attacks.”