
DNV GL launches cyber security recommended practice

Friday, May 25, 2018

DNV GL has published a 'recommended practice on cyber security' for the oil and gas industry, looking at 'operational technology' - such as control and automation systems.

The recommended practice addresses how oil and gas companies, together with system integrators and vendors, can manage the cyber threat.

The recommended practice is the result of a two-year joint industry project, involving Shell Norge AS, Statoil, Woodside, Lundin Norway, Siemens, Honeywell, ABB, Emerson and Kongsberg Maritime, with contributions from the Norwegian Petroleum Safety Authority from a regulatory perspective.

It is based on IEC (International Electrotechnical Commission) 62443 cybersecurity standards for industrial automation and control systems. It also takes into account HSE requirements and the IEC 61511 functional safety standard.

The benefits of implementing the standard should be a reduced risk of cyber security incidents; cost savings for operators, by reducing the resources needed to define requirements and follow up; cost savings for vendors and contractors, because they can have standardised design requirements from operators; and simpler audits for authorities and internal auditors, due to common requirements, DNV GL says.

Also, by following the recommended practice, companies should not need to spend so much time developing their own internal standards.

"Aligning our Operational Technology cyber security approach to IEC 62443 enables us to learn from and contribute to industry knowledge and capability," says Julie Fallon, Senior Vice President Engineering, Woodside, in a press release quote. "The recommended practice provides practical guidance on applying the standard to oil and gas."

Examples of hacking into industrial control systems include the Stuxnet computer worm, thought to be developed by the American and Israeli governments, which forced Iranian centrifuges to speed up and damaged Iran's nuclear program, and stories of pipeline systems being hacked via a CCTV system.

There have been reports of hacking into vessel dynamic positioning systems (including hacking the GPS signal). Control systems can also sometimes be updated from shore, so that is another pathway.

The document is 58 pages long, and online at

Operational technology

The document focuses on operational technology (OT), such as control and automation systems, which are used in oil and gas production sites.

The cybersecurity focus has traditionally been on information technology, such as office IT infrastructure. But there is an increasing trend for networks on production sites to be connected to wider corporate networks, so they can be monitored and controlled remotely. But this increases vulnerability, DNV GL says.

Managing operational technology threats requires both oil and gas operational domain competence, as well as general information security competence, DNV GL says.

Of course, the level of the threat depends on how much communication is going on. Cybersecurity can be simplest when companies are just taking data from production systems into corporate systems, because the data is just moving in one direction.

If companies are using remote or centralised control rooms, then cybersecurity is harder, because these control rooms must be able to alter critical offshore systems. It gets harder still if you have vendors being able to access and perhaps control their equipment on the plant, going via the corporate systems.

It includes advice about how to authenticate users. It covers system architecture, risk assessment and worst-case scenarios.

It includes what you should do during different stages of development, such as FEED (front end engineering and design), production and operation, and what people in different roles should do.

It shows how the network should be set up, and who should do what at different stages of a greenfield project. It also has safety advice such as not to use USB sticks.

It can be used throughout the lifecycle of a project, providing advice on the different threats.

The standard also advises how cybersecurity should be handled when you have many different companies involved in designing or operating a piece of equipment, or many different company departments involved, with hand-offs between different project teams.

The document explains in detail how to set up a so-called 'demilitarised zone' (DMZ) or 'perimeter network'. This is a midway zone between the internal networks and something else (usually the internet), set up as a small isolated network. From the outside, you can only connect with what you can see in the DMZ, and from the inside, you can control what you do and don't put into the DMZ. This is particularly important when you might want to allow companies from outside the corporate network to access control systems, for example to monitor equipment they have manufactured or update control system software.

Putting into practice

The right approach could be described as 'defence in depth', where you have a number of different barriers and checks to stop problems, but are still able to continue with your business, says Graham Bennett, VP and business development manager for oil and gas in the UK.

You can have a 'risk based approach', where you assess the risk of a certain business relationship, and adjust levels of control accordingly.

So perhaps the most important step companies can take is to make sure the relevant people are aware of the changing risk environment.

The document is more of a 'recommended practice' than a standard, showing how to run oil and gas automation systems so they can't be hacked into easily.

It is intended to be a live document, not a one-off, perhaps updated every 6 months.

It is important to test that safety systems have not been corrupted. Some hackers have realised that if they corrupt a safety system, which is used very infrequently, it might take a while before anybody knows. For example, if you put a flaw in an anti-lock braking system (ABS), it will only be apparent when there is an attempt to activate it.

A possible solution is to build a 'digital twin' of the equipment, running the exact same software as the real plant, but on a computer simulation. This way, the computer can see what would actually happen when the safety system is activated, by running the code on its simulator.

Perhaps the most important issue is that people are aware of the different risks and ways that they can be hacked, and design and operate systems taking this into account.

More transparency needed

Our industry is still poor at sharing information about cyber events, Mr Bennett says, often more likely to want to hide cyber-attacks than share awareness about them.

The oil and gas industry is grown up enough to share data about sharing incidents; it ought to be able to share cybersecurity reports in a similar way.
