To protect oil and natural gas installations against cybersecurity threats, DNV GL is partnering with Royal Dutch Shell plc, Statoil ASA and others to develop an industry best practice.
The joint industry project (JIP) is designed to produce a recommended practice for industrial automation and control systems in 12 months, according to DNV GL. Initial participants also include Lundin Petroleum, Siemens, Honeywell, ABB, Emerson and Kongsberg Maritime. Other oil and gas firms have been invited.
"Dealing with cybersecurity challenges has become a key focus area for the oil and gas sector," said DNV GL's Pal Borre Kristoffersen, principal consultant for oil and gas. "Attacks are becoming increasingly costly and harder for companies to recover from. This JIP will lower the risk of cybersecurity incidents and trim costs for operators, contractors and vendors by reducing the resources needed to define requirements and by driving a standardized approach."
Cyber crimes cost energy and utilities companies around $12.8 million every year in lost business and damaged equipment, according to DNV GL. Cybersecurity, as in other industries, has become a growing concern for the oil and gas sector because critical network segments in production sites, which once were isolated, now are connected to networks.
A survey conducted a year ago of oil and gas information technology professionals found that 82% had seen an increase in successful cyberattacks in the preceding 12 months, while 69% were not confident that their organizations were detecting all attacks (see Daily GPI, Jan. 15).
More operators have moved to remote operations, remote maintenance and tighter interoperability with centralized process data and plant information. Old and outdated installations are at particular risk and require risk mitigation actions.
Cybersecurity standards now exist within the International Organization for Standardization and the International Electrotechnical Commission's (IEC) 62443. DNV GL and its partners want to tailor the rules for the oil and gas industry.
IEC 62443 defines what a business can do, while the JIP guideline would describe how. If the JIP results in a standard as hoped, DNV GL said it could reduce the risk of cybersecurity incidents and lead to cost savings for operators, contractors and vendors, as well as simplified audits for authorities and auditors.
"We see that cybersecurity incidents are increasing with attempted attacks on a daily basis," said Shell's Rune Waerstad, control and automation engineer. "By collaborating with others in the industry, we can ensure that we end up with one globally applicable regulation that is suitable for the oil and gas sector."
DNV GL now is assisting Total E&P Norge with cybersecurity risk management for the Martin Linge field development and associated operations offshore Norway. DNV GL work includes the day-to-day management and coordination of cybersecurity during the project phase and through preparations for operation, with a specific focus on integrated control and safety systems. The project also aims to raise awareness of cybersecurity risks and to train personnel to take simple preventative measures.
In related news, the World Energy Council (WEC) has issued a report about managing cyber risks, taking into account the changing nature of the energy industry and its infrastructure.
The report, the third in a series by WEC, was prepared with Swiss Re Corporate Solutions and Marsh & McLennan Cos., with insights from the European Bank for Reconstruction and Development.
"Greater resilience to cyber risks of energy systems is crucial for energy security," WEC researchers said. "Increased digitization lead to more efficiency and opportunities for grid and pipeline management and exploration and production activities.
"Yet, at the same time energy assets become more vulnerable to cyber-attacks," particularly because of automating industrial control systems. Attacks on ICS "could lead to loss of control of key equipment, with potential machinery breakdown, fire, explosion or injuries."