- An energy transportation operator wanted to embed and assure OT security in a significant capital investment project.
- DNV Cyber designed a project assurance framework to achieve the operator’s aims over the project lifecycle.
- The framework resulted in a breakthrough improvement in OT resilience across the customer’s organization.
This project was delivered by Applied Risk, a DNV company. DNV, Applied Risk, and Nixu joined forces to form DNV Cyber in 2024, creating one of Europe’s fastest growing cyber-security services businesses.
Cyber security is often forgotten or treated as an afterthought in operational technology (OT) projects. This will result in OT solutions being deployed with a weakened security posture – introducing tangible risk to an organization as well as additional remedial costs.
An energy transportation operator had identified that this situation was occurring across its organization and took action to ensure OT security was embedded and assured within a significant capital investment project.
The operator regards cyber security as a key factor in ensuring the safety, availability, and integrity of its energy transportation operations. This focus on cyber security also complements a broader business strategy of managing cyber risk as part of continuous improvement and to meet regulatory requirements.
To ensure the OT security in this case, the operator looked for a service provider with extensive experience of identifying, defining, assuring and managing the implementation of OT security controls throughout the project lifecycle. DNV Cyber was chosen.
The customer’s target was to introduce a project framework that would be used to deliver appropriate OT security requirements into project scope effectively and efficiently.
DNV Cyber proposed fulfilling this by using a risk-based approach in which, throughout the project lifecycle, there would be clearly defined OT security-related:
- Requirements
- Deliverables
- Assurance activities.
Fulfilling the brief with practical real-world solutions
To achieve the customer’s goal, DNV Cyber designed a project assurance framework (PAF). The goal of the PAF was to enable the identification, selection, deployment and assurance of OT security controls throughout the entire project lifecycle.
With its wide experience and knowledge of not only cyber security but how the industries that it advises work, DNV Cyber knows that OT security controls selected should always be appropriate and proportionate to assessed project risk. Cyber security should work for customers, not against them.
Furthermore, any assessment should take into account the business’s risk appetite and the current threat landscape. With this in mind, DNV Cyber used a pragmatic risk-based approach as part of the PAF to guarantee that there would be the right balance of controls and assurance.
Working closely with the customer’s experts, DNV Cyber first trialled the PAF on a smaller project, with very successful results. Following the trial, the customer decided to:
- Scale up the scope of the project assurance framework
- Adapt the PAF for use by other engineering disciplines across its organization.
“The framework provides us with more control and assurance that multimillion-dollar projects are being procured, designed and delivered in a safe, consistent cyber-secure manner.”
Empowering energy production through OT cyber resilience
The DNV Cyber project assurance framework exceeded the customer’s expectations, resulting in a breakthrough improvement across the organization.
OT security requirements are now included within the customer’s tenders provided to project bidders. This ensures project bids include the provision for OT security within design from the start (‘secure by design’) thus limiting change orders and potential for cost escalation.
Project suppliers are now required to demonstrate OT security maturity as specified by the customer. OT security controls specified are pragmatic, relevant, consistent and aligned with company and industry standards, whilst meeting regulatory requirements.
OT security project organization, governance, and technical authority roles are now clearly defined. Proactive management of cyber risk within the customer’s capital projects helps ensure that assets are delivered to operations secure by design, in accordance with company standards, and meeting regulatory requirements.
DNV Cyber’s comprehensive experience and proven methodologies have supported numerous customers to ensure that a secure-by-design approach is embedded across a project’s lifecycle.