Controlling cyber risk in energy infrastructure development

A major design, build and operate story shows the value of contracts stipulating responsibility for cyber resilience

  • An engineering, procurement and construction (EPC) contractor undertook to design, build and operate (DBO) an offshore hydrocarbon production facility before handover to the eventual operator.
  • DNV Cyber checked cybersecurity of the operational technology (OT) to a tight deadline to help ensure the contractor could securely operate the infrastructure for a year before handover.
  • The story holds multi-sector lessons on the challenges of building cybersecurity into energy infrastructure projects.
  • One key learning is that as cyber risk rises, it makes sense for EPC contracts to establish who pays for assuring cyber resilience of the OT/IT up to a specified project stage.

Under the initial contract with the eventual operator, the EPC contractor would face financial penalties if the final commissioning deadline for the facility was missed. However, cybersecurity of the interconnected operational technology and IT was not covered in the original contract, which was signed at a time when the oil and gas industry had less focus on cyber risk and resilience. With cyber risk and reported cyber-attacks on energy infrastructure rising as the development project progressed, the EPC contractor decided to pay to ensure cybersecurity during the one-year operate phase of the DBO contract.

Challenges facing DNV Cyber’s experts included:

  • Cyber risk assessment and testing had to fit into only three weeks ahead of the facility’s final commissioning deadline.
  • Some components described in documentation were not yet purchased and installed, making it challenging to assess the OT/IT holistically.
  • It was important to identify components that should not be touched due to the high risk of crashing them when vendors’ engineers had already left and would not be onsite to repair or restart them.

DNV Cyber finds and fixes cyber vulnerabilities for many EPCs on energy projects.

DNV Cyber helps EPC contractors prove compliance with cyber regulations and standards.

DNV Cyber assists EPC contractors to hand over cyber-resilient critical infrastructure to operators.

Daily to-the-point communication was a key factor in success

DNV Cyber reported each cyber risk, as soon as it was discovered, to the contractor’s supervising engineers on the facility, and directly to the contractor’s headquarters by video link.

The reporting protocol involved DNV Cyber:

  • Sending daily short reports that hit the points quickly.
  • If required, providing extra detail to the EPC contractor in advance of the full report.
  • Establishing what was absolutely critical to address before the facility was towed away.
  • Making clear recommendations to eliminate risks that needed mitigating immediately.

“We appreciated DNV Cyber’s focused daily reports and, when required, the extra detail provided. The way the cyber-security testing was handled identified in time what was critical to address before tow away.”

Quote from the EPC contractor

Creating a framework for up-to-date security

DNV Cyber conducted a document-based design assessment, then formulated use cases and a test plan. Meetings with the EPC contractor and several vendors identified which components could be tested.

It was imperative to gain an overall cybersecurity view of the many constituent parts of the complex system to make sure that a strength in one system would not exacerbate a weakness in another. Achieving this assurance included:

  • inspecting data entry points
  • identifying rogue entry points left over from commissioning
  • identifying what networks and hosts could be accessed from entry points
  • identifying technologies and protocols used in networks
  • and listing the open ports and services of each device.

Though time was very tight, these tasks variously involved from 20% to 100% manual testing by real people.

In the course of its work scope, DNV Cyber identified critical vulnerabilities which, if unresolved, could have created hazardous, potentially life-threatening situations. Risks that could be relatively easily remedied included weak passwords, some OT/IT components being accessible from anywhere, and no passwords on printers.

Eliminating the critical vulnerabilities resulted in the OT/IT being cyber resilient to the degree that the EPC contractor wanted before starting to operate the facility.

DNV Cyber believes one key learning is that, because cyber risk keeps rising for energy infrastructure development projects, all parties should ensure that EPC contracts state who should pay for holistic assessment of the whole OT/IT system’s cyber resilience before going operational. The lesson is important given how long some projects take compared with the rapid evolution and rising frequency of cyber threats to both OT and IT, which are increasingly interconnected with each other and externally through the internet.