October 3, 2016
To protect oil and natural gas installations against cybersecurity threats, DNV GL is partnering with Royal Dutch Shell plc, Statoil ASA and others to develop an industry best practice.
The joint industry project (JIP) is designed to produce a recommended practice for industrial automation and control systems in 12 months, according to DNV. Initial participants also include Lundin Petroleum, Siemens, Honeywell, ABB, Emerson and Kongsberg Maritime. Other oil and gas firms have been invited.
“Dealing with cybersecurity challenges has become a key focus area for the oil and gas sector,” said DNV’s Pal Borre Kristoffersen, principal consultant for oil and gas. “Attacks are becoming increasingly costly and harder for companies to recover from. This JIP will lower the risk of cybersecurity incidents and trim costs for operators, contractors and vendors by reducing the resources needed to define requirements and by driving a standardized approach.”
Cyber crimes cost energy and utilities companies around $12.8 million every year in lost business and damaged equipment, according to DNV. cybersecurity, as in other industries, has become a growing concern for the oil and gas sector because critical network segments in production sites, which once were isolated, now are connected to networks.
A survey conducted a year ago of oil and gas information technology professionals found that 82% had seen an increase in successful cyberattacks in the preceding 12 months, while 69% were not confident that their organizations were detecting all attacks (see Daily GPI, Jan. 15).
More operators have moved to remote operations, remote maintenance and tighter interoperability with centralized process data and plant information. Old and outdated installations are at particular risk and require risk mitigation actions.
cybersecurity standards now exist within the International Organization for Standardization and the International Electrotechnical Commission’s (IEC) 62443. DNV and its partners want to tailor the rules for the oil and gas industry.
IEC 62443 defines what a business can do, while the JIP guideline would describe how. If the JIP results in a standard as hoped, DNV said it could reduce the risk of cybersecurity incidents and lead to cost savings for operators, contractors and vendors, as well as simplified audits for authorities and auditors.
“We see that cybersecurity incidents are increasing with attempted attacks on a daily basis,” said Shell’s Rune Waerstad, control and automation engineer. “By collaborating with others in the industry, we can ensure that we end up with one globally applicable regulation that is suitable for the oil and gas sector.”
DNV now is assisting Total E&P Norge with cybersecurity risk management for the Martin Linge field development and associated operations offshore Norway. DNV work includes the day-to-day management and coordination of cybersecurity during the project phase and through preparations for operation, with a specific focus on integrated control and safety systems. The project also aims to raise awareness of cybersecurity risks and to train personnel to take simple preventative measures.