Major EPC contractors are sharpening focus on vendor cyber risk in energy infrastructure projects

  • Engineering, procurement and construction (EPC) contractors are using DNV Cyber verification services to check cybersecurity of third-party suppliers’ operational and information technology components in energy infrastructure.
  • DNV’s cyber risk assessment and testing has helped major EPC contractors to meet customer requirements for infrastructure to be cyber resilient on handover and start-up.
  • Applying security best practices that respond to regulatory change mean compliance should be less of a headache.

Energy projects face rising cyber risk as equipment becomes more network-connected. The traditional ‘air gap’ between IT and operational technology (OT) such as industrial control systems (ICS) is being closed. OT/IT is not only connecting within organizations but externally through the internet.

These trends create challenges for EPC contractors when their customers require assurance that infrastructure is cybersecure at the time of handover to the eventual operator. 

EPC contractors themselves encourage small system suppliers to provide cybersecure systems and components. Some contractors test cyber vulnerabilities of unvalidated new products or technologies.

If different or new original equipment manufacturers cannot validate a new product or technology, contractors may well perform proof of concept and choose to add in cybersecurity penetration testing. Simulating cyber attacks assesses for vulnerabilities in OT/IT that could be exploited to gain potentially malicious access to control system networks.

EPC contractors typically ask DNV Cyber to conduct cyber risk assessment and penetration testing to:

  • Identify and fix cyber vulnerabilities
  • Prove that the infrastructure’s ICS and IT cybersecurity comply with international regulations and standards
  • Assist EPC contractors to hand over cyber-resilient critical energy infrastructure to operators.

DNV Cyber finds and fixes cyber vulnerabilities for many EPCs on energy projects.

DNV Cyber helps EPC contractors prove compliance with cyber regulations and standards.

DNV Cyber assists EPC contractors to hand over cyber-resilient critical infrastructure to operators.

Applying international standards for successful cyber vulnerability testing DNV Cyber has conducted OT/IT penetration testing for many EPC contractors by simulating cyber attacks to assess for vulnerabilities. Working for multiple EPC contractors has allowed DNV Cyber to optimize its assessment and testing processes and working relationships with contractors’ engineers and other key personnel.

While each work scope has individual nuances, DNV Cyber’s approach is based on recognized standards and recommendations such as ISO 27000 series, IEC 62443, and the NIST 800 framework, among others.

For example, DNV Cyber assists oil and gas field development projects by combining deep-seated energy infrastructure knowledge with security best practices that respond to regulatory change, so that compliance should be less of a headache.

We do not normally seek technical advisors in our projects, but trust a lot in our own engineering people. External advisors come with the customer, mostly for complex projects. In our case, DNV has so far supported us very well.

  • Project manager, EPC contractor

The benefits of combining cybersecurity expertise with energy sector experience

The sheer number of people – in-house and suppliers – involved in large energy infrastructure projects raises the risk that cybersecurity could be compromized through their connecting laptops, pen drives, and other devices and peripherals, and installing software. Another significant threat comes through not always using the latest version of cybersecurity software.

DNV Cyber combines knowledge of such threats with deep and extensive experience of how energy infrastructure is developed and operated, and hence of the domain-specific threats that may arise.

This  combination of cybersecurity expertise and more than 90 years of in-depth knowledge of energy industries’ regulation and control systems makes DNV Cyber uniquely qualified to discover customer vulnerabilities before hackers do.

EPC contractors in offshore oil and gas projects say it is helpful to have on board DNV Cyber security experts that can talk to the crew as well as understand an installation or vessel's systems and find their way around.

The combination of cyber and industry skills helps EPC contractors to decide on and deploy cybersecurity solutions for the real world in which they operate. It involves having the right people, processes, and technologies in place to build effective cyber resilience against threats from cyber criminals, and to demonstrate as much to project stakeholders.

In addition, DNV’s maritime surveyors in fabrication and shipbuilding yards help to smooth the way for DNV Cyber experts to spring into action as soon as they can access the systems to be assessed and tested, often to a tight deadline.

We map your supply chain for risks, improve your governance and risk management, and develop a supply chain cybersecurity implementation plan. We support with incident response to help control and limit damage.

Strengthen the resilience of infrastructure, enable digital transformation, and secure your energy transition

Establish strategies, processes, and policies to effectively govern your organization’s cybersecurity and ensure compliance