EU/UK's network security regulations - and oil and gas

Friday, September 7, 2018

The EU Network and Information Systems Directive has an impact on how offshore oil and gas operators apply cybersecurity. Andrew Wadsworth of PA Consulting explains how it has been implemented in the UK.
By Andrew Wadsworth, PA Consulting

On 10 May 2018 the Security of Network and Information Systems Regulations (2018) (NISR) came into effect in the UK. It is the UK implementation of the EU Network and Information Systems Directive which was adopted by the European Parliament on 6 July 2016.

Oil and gas companies that operate production facilities, pipelines, storage or processing facilities which meet the criteria in Schedule 2 of the regulations are covered by NISR.

Companies must meet mandatory requirements regarding network and information security and inform the Department of Business, Energy and Industrial Strategy of reportable incidents.

At its core, it is about improving the resilience of the essential services on which we all depend and expect to 'just work'.

NISR will require all essential services organisations to take a fresh look at their cyber security to address the increasing threat from cyber attack, and increase their resilience to such attacks.

Depending on the companies' current security status and processes, implementing the required organisational and technical security capabilities may require significant investment, both financial and managerial. These requirements are to be enforced with a notification and inspection regime that can lead to penalties of up to £17m.

NISR seeks to provide legal measures to protect societal essential services such as fuel and energy supply by improving the ability of company networks and information systems that support production, transportation and processing to resist interference that may impact the supply, quality or sufficiency of oil, gas and fuel.

Such interference may be cyber or physical in nature, internal or external to the organisation and may be targeted at company IT or OT systems (collectively referred to as 'electronic systems').

The Regulations mandate 'security duties', meaning companies take appropriate and proportionate technical and organisational measures to manage security risks and to prevent and minimise the impact of security incidents to ensure the continuity of the essential services.

Oil and gas companies are very used to reporting safety and environment incidents but NISR introduces a completely new requirement to report certain security incidents within 72 hours of becoming aware of the incident.

Operators of Essential Services (OES) are also encouraged to voluntarily submit information reports to the National Cyber Security Centre (NCSC) regarding incidents that do not qualify as a NISR Incident but would otherwise help inform the NCSC of threat activity in the oil and gas sector.

For example, the company identifies interference (external, internal or otherwise) within IT or OT or physical security, but there was no impact on the essential service.

Five steps

Companies can demonstrate they are able to meet the new regulations by following five steps.

First, companies must identify whether they are an operator of essential services (OES).

They are an OES if they operate any asset which, annually, produces more than 3 million tonnes of oil equivalent, any pipeline transporting more than 3 million tonnes of oil equivalent or 500,000 tonnes of crude oil based fuel, or a refining, treatment, storage or transmission facility handling more than 500,000 tonnes of crude based fuel.

Having decided they are an OES, companies should then identify what network and information systems the services rely on.

Second, companies should assess whether the current security measures and management meet the NISR requirements.

Third, having identified any gaps, design and execute a programme of improvements in whatever areas are lacking.

This may need to address any of the four NISR areas of systematic management of cyber security risks, proportionate security measures, monitoring of networks and systems, and incident response capability.

The two areas where companies are likely to be weakest are in the monitoring of operational technology systems to detect cyber incidents, and the ability to evaluate and, where necessary, report security events within the 72 hour limit.

Fourth, establish capability and processes to respond to a security event to minimise potential or actual impact on the essential services and to report events to the relevant competent authority (BEIS in the UK).

For example, loss of an OT system due to a security incident and which results in a loss of more than 8,219 tonnes oil equivalent production over a 24 hour period would need to be reported.

A simple desktop run-through may not be sufficient, and realistic exercises, similar to the emergency response exercises commonly done in the industry, may be more appropriate. In a really serious incident, it's possible that both the security and emergency response plans may be needed.

Fifth and finally, companies should periodically carry out an assurance exercise to give management confidence that the company can meet the demands of NISR, and that the essential services and, therefore, the company's key business activities, are resilient to cyber security events.

NISR will give a push to many companies to up their game on cyber security, placing demands on their organisations, budgets and people.

With all the safety and operational pressures inherent to the oil and gas industry, finding the time and expertise to do this could be challenging. Breaking it down into smaller steps makes it easier and ensures each step is built on solid foundations from the previous work.

Most importantly, working towards compliance with NISR and improving security practices will make companies' operations more resilient to the ever increasing threat cyber attacks present to the business.
