ABERDEEN, UK – Increased use of visualization and big data is escalating the risk of cyber crime in the oil and gas industry, claims DNV GL.
A report by the Ponemon Institute found that just over two-thirds of oil and gas companies were hit by at least one significant cyber attack last year, while many other incidents may be going unreported or undetected.
DNV GL has introduced a new globally applicable recommended practice (RP), DNVGL-RP-G108, to help oil and gas operators, system integrators, and vendors manage the growing threat.
It is based on the IEC 62443 standard, and is designed to help the oil and gas industry improve security of operational technology. This has become more vulnerable as formerly isolated, critical parts of production sites are connected to IT networks.
The recommendations take into account findings from a recent joint industry project (JIP) with operators Lundin Norway, Norske Shell, Statoil, Woodside and ABB, Emerson, Honeywell, Kongsberg Maritime and Siemens, with contributions from Norway’s Petroleum Safety Authority.
According to a DNV GL spokesman at Offshore Europe this week, cyber attacks in the oil and gas industry are becoming more sophisticated and costly to deal with: these attacks are not related solely to the spread of malware, but also to unauthorized personnel gaining access to infrastructure.
Pål Borre Kristoffersen, the JIP project manager, said: “There is a need for efficient counter-measures, to implement these correctly and to ensure that they are sufficient.” Some companies in the industry have already been doing this, he added, “but the JIP members found it was simpler and less costly to follow the new guidelines.
“The industry is having to bring a lot of data from the offshore installation to the office domain, and we are looking at how to secure this. Also, there is a trend to have centralized control rooms onshore which have access to safety systems, and it is important to keep this secure.”
The JIP has been looking at how to integrate remote control rooms more securely, and to verify the individual users to lessen the likelihood of malware slipping through.
DNV GL believes that implementation of the new RP, with the IEC standards, should lessen the risk of cyber-security incidents. It should also save offshore operators money by reducing the resources needed to define security requirements and follow-up action.
The standardized design guidelines from the operators should in turn cut costs for contractors and vendors.