How to Use Standards and Guidelines to Secure Energy Assets from Cyberthreat
Assets in the Oil & Gas industry used in exploration, drilling, transportation and production depend on a myriad of interconnected industrial automation and control systems. Today, this industry is undergoing a massive digitalization process offering new insight, efficiency, optimization and the ability to keep people away from harmful tasks. Taking advantage of digitalization and increased connectivity, however, also means opening up OT systems to cyber threats.
Better security practices and solutions are required
Just as personnel in most professions today are increasingly affected by digitalization, they are equally exposed to the risk of cyber-attacks. Protecting both the IT and OT systems controlling industrial assets requires a new way of thinking among all categories of personnel, not only those responsible for IT security.
International and national standardization and regulatory activities to protect OT systems in the Oil and Gas industry have taken shape. Examples are voluntary guidelines issued by or referred to by regulators. The goal of these guidelines is to ensure a common, adequate level of security in all parts of the supply chain affecting Oil and Gas assets. Often, they reference generic, internationally recognized industry standards.
A few examples relevant for Oil and Gas assets:
- NOG 104 – Norwegian Oil and Gas recommended guidelines on information security baseline requirements for process control, safety and support ICT systems (Norway).
- ISA/IEC 62443 standard series – a cybersecurity standard aimed at securing OT systems against cyber threats. This standard is becoming increasingly adopted and recognized across industries.
- The NIST Cybersecurity Framework (NIST CSF) – originally a U.S. standard aimed at operators of critical infrastructure. Now internationally recognized and widely used in various industries.
International Association of Drilling Contractors
Several industry groups are working to help asset owners and operators manage the threat of cyber-attacks and meet current and future regulatory demands. As an example, the International Association of Drilling Contractors (IADC) is developing guidelines for drilling assets based on the five core functions of NIST CSF. This work is performed in close cooperation with other industry groups, such as the Oil and Natural Gas Information Sharing and Analysis Center (ONG-ISAC), the American Petroleum Institute (API) and the International Association of Oil & Gas Producers (IOGP), as well as regulators such as the U.S. Coast Guard.
The IADC guidelines provide asset owners and operators with building blocks to develop their own cybersecurity programs, taking relevant industry and international guidelines into account.
We and others have contributed our expertise in developing policies, processes and technology to ensure security. In close cooperation with the industry, we make sure that everything we propose is practical and can realistically be applied in a driller's environment and mode of operation. The result of this effort is a series of user-friendly guidelines designed to help drillers become more secure:
- Guidelines for Assessing and Managing Cybersecurity Risks to Drilling Assets.
- Guidelines for Minimum Cybersecurity Requirements for Drilling Assets.
- Ongoing work: Guidelines for Network Segmentation.
- Ongoing work: Guidelines for Cybersecurity Training.
- Ongoing work: Guidelines for Hardening of Control Systems Focusing on Existing Drilling Assets.
- Ongoing work: Guidelines for Security Monitoring and Audit.