Published: 9 March 2022
- Contractor called in DNV to check cyber security of a production facility in commissioning phase
- Cyber risk assessment and testing had to avoid delaying the final commissioning phase
- DNV identified and rapidly communicated priorities for immediate action
- Case study has lessons for managing supply-chain cyber security of infrastructure projects in many industries, says DNV’s Shaun Reardon
Rising awareness of the need to build cyber security into oil and gas infrastructure projects inevitably raises questions about what cyber risk assessment and testing is needed, when, and who pays.
Increasing connectivity between corporate operational and information technology (OT and IT), and with external IT systems through the internet, is a key driver of such risk in a wide range of industries. Then there is the question of how and when assessment and testing can be fitted into timetables specified in contracts that expose engineering, procurement and construction contractors to financial penalties if they miss key deadlines.
These challenges are neatly illustrated through a real-life project in which a contractor undertook to design, build and operate (DBO) an offshore hydrocarbon production facility. The contractor was to operate the vessel for a year before handover to the customer, the eventual operator, and accepted that there would be financial penalties if the final commissioning deadline was missed.
The whole project was to last five years, so it might have been thought that there was ample time to identify and resolve any cyber security risks across the interconnected OT and IT involved. However, cyber security was not specified in the contract as it did not have such a high profile at that time. Since the original contract was signed, the rising frequency of reported cyber-attacks on energy infrastructure [1, 2] led the contractor, acting in line with the policy of continuous improvement, to re-evaluate previous decisions. In light of the increased cyber risk, the contractor commissioned assessment and testing of the facility’s OT and opted to cover the cost of ensuring that the facility could operate securely during the one-year operate phase of the DBO contract. It selected DNV to support it in achieving this within only three weeks of the final commissioning deadline.
“The timing of the decision to tackle cyber security, and the need for the facility to be cyber secure throughout its first year of operation and on eventual handover, required efficient and effective cyber risk assessment, testing and solutions,” said Shaun Reardon, Principal Cyber Security Consultant, DNV. “This story holds valuable learning points on cyber security for a wide range of oil and gas industry projects. One big takeaway alone from this project is the need for cyber security to be built into vendor contracts and for a minimum standard specified either by the client or perhaps to a published international standard that can be audited.”
This requirement is being driven not least by growing pressure from insurers for lending consortia to know a project’s cyber risks and have clarity on who is responsible for the relevant cyber assurance, he added.
Assessing cyber risk to a tight schedule
DNV conducted a document-based design assessment, then formulated use cases and a test plan (Figure 1). Meetings with the client and several vendors identified which components could be tested. Some components described in documentation were yet to be purchased and installed, making it challenging to assess the OT/IT as a holistic system.
“It is imperative to gain an overall cyber security view of the many constituent parts of a complex system to make sure that a strength in one system does not exacerbate a weakness in another,” Reardon explained.
Because DNV’s work took place during the commissioning phase, it was equally important that the discussions also identified which components should not be touched, given the high risk of crashing them when vendors’ engineers would not be on site to repair or restart them. Some vendors had already completed their contracted work scopes and returned to distant bases.
Many OT components used in the industry were not originally designed with cyber security in mind, and could shut down when probed to assess potential cyber weaknesses. When OT components were 'air gapped' (unconnected) from IT, the cyber risk was greatly reduced; hence, designing cyber security into OT was once thought unnecessary. OT components are today being designed for greater cyber security amid increasing connectivity with IT and the internet. It is a game of catch-up, however; IT components normally have a life cycle of three to five years, compared with 15 to 30 years for OT.
“The risk of components crashing during cyber security testing was a key concern because missing the fixed final commissioning deadline in the DBO contract would expose the contractor to having to pay considerable financial penalties,” said Reardon. “It was therefore important for the discussions we had to acknowledge that compromises would be needed, but that these should be based on risk. Obviously, if testing can be conducted earlier in a project life cycle, when all equipment vendors are on site, these constraints need not be so critical.”
Testing flagged cyber risks
The tests identified critical vulnerabilities which, if left unresolved, may have created hazardous and potentially life-threatening situations.
Given the need for speed, DNV reported each such risk, as soon as it was discovered, to the relevant supervising engineers on board the facility, and directly to the contractor’s head office in video conferences. Risks that could be relatively easily remedied included weak passwords, some OT/IT components being accessible from anywhere, and no passwords on printers. Clear recommendations listed risks that needed mitigating immediately.
“Our thinking in daily short reports was to hit the point, hit it quickly and, if the client required, provide extra detail in advance of the full report,” Reardon said. “The whole thrust was to find out what was absolutely critical to address before the facility was towed away, then follow up on the rest.”
The oil and gas project holds key learning points (Figure 2) for a wide range of infrastructure development projects across many industries.
“These lessons have widespread application in industries as it is really all about supply-chain cyber security. I cannot think of any project that I have either worked on or heard of where you have only one vendor,” Reardon commented.
The SolarWinds hacking incident in 2020 [3], which hit multiple vendors using identically sourced software across supply chains, was graphic evidence of this, he added. “Ultimately, it is about understanding the totality of cyber risk. This is underlined in the recent World Economic Forum report finding that 85% of larger companies fear that small and medium businesses in their supply chains do not have robust cyber security.” [4]
Given this level of concern, such suppliers might well consider whether getting up to speed on cyber security might be a key market differentiator in today’s fast evolving cyber risk landscape, he concluded.
References
1 ‘Oil shipments in European oil hub delayed after cyber attacks’, J Payne, reuters.com, 4 February 2022
2 ‘US pipeline operators face compliance with new cyber security directive after Colonial Pipeline attack’, DNV Cyber Insights, 11 June 2021
3 ‘The massive SolarWinds hack and the future of cyber espionage’, B Howard, CNBC.com, 26 January 2021
4 ‘Global Cybersecurity Outlook 2022’, World Economic Forum, Insight Report, January 2022.