Oil and gas companies have strengthened management of information security, but many haven’t formalized related strategies, says DNV GL of Norway.
In a survey of 1,100 business professionals by the risk-management firm, 58% of respondents said they have adopted ad hoc management strategies for cyber security, and 27% have set concrete goals.
“Headline cyber security incidents are rare, but a lot of lesser attacks go undetected or unreported as many organizations do not know that someone has broken into their systems,” said Petter Myrvang, head of the security and information risk, DNV GL-Oil & Gas. “The first line of attack is often the office environment of an oil and gas company, working through to the production network and process control and safety systems.”
In a report to a committee appointed by the Norwegian Ministry of Justice and Public Security to assess the country’s digital vulnerabilities, DNV GL identified these top vulnerabilities of companies working offshore Norway
• Lack of cyber security awareness and training among employees.
• Remote work during operations and maintenance.
• Using standard information technology products with known vulnerabilities in the production environment.
• A limited cyber security culture among vendors, suppliers, and contractors.
• Insufficient separation of data networks.
• The use of mobile devices and storage units including smartphones.
• Data networks between on and offshore facilities.
• Insufficient physical security of data rooms, cabinets, etc.
• Vulnerable software.
• Outdated and aging control systems in facilities.
“While the study focused on operations on the Norwegian Continental Shelf, the issues are equally applicable to oil and gas operations anywhere in the world,” DNV GL said.