Cyber Risk in the offshore energy space

Transcription

1 Cyber Risk in the offshore energy space Class Society Approach 1 Lillehammer Energy Claims Conference SAFER, SMARTER, GREENER

2 Agenda DNV GL s approach to cyber risks Cyber Security Recommended Practices from DNV GL Cyber Security Type Approval for components The Cyber Security Class Rules 2

3 Maritime & Offshore trends Growing complexity creates new challenges Software & Automation Crew size Interconnectivity 3

4 Cyber risk issues are present and migrating to the operational technology world Information technology (IT) Operational technology (OT) 2,600 2,400 2,200 2,000 1,800 1,600 1,400 1,200 1, % Attacks on industrial control systems Source: AV-TEST Institute, Germany & IBM Managed Security Services ~2010 Stuxnet ~2017 Triton 4

5 NotPETYA: Maersk NotPetya was not targeted specifically for Maersk Arrived via an update to an accounting system in Ukraine (ME Doc) Spread like a worm from an infected machine Shows a ransom note demanding USD 300 Maersk's global network is infected and all of the company systems are down Maersk is forced to halt operations at 76 port terminals The complete infrastructure servers and PCs needed to be reinstalled (10 days) 5

6 DNV GL Activities in Cyber Risk DNV GL assessment for Norwegian Authorities* / Lysneutvalget, April 2015 *Ministry of Justice and Public Security Top 10: 1. Lack of awareness and training amongst employees 2. Remote work - operations / maintenance 3. Standard products with known vulnerabilities in production environment 4. Limited security culture amongst vendors, suppliers and contractors 5. In-sufficient separation of data networks 6. Mobile devices and storage units (inclusive smart phones) 7. Data networks between onshore and offshore facilities 8. In-sufficient physical security of data rooms, cabinets etc. 9. Vulnerable software 10. Outdated and ageing control systems in facilities 6 Maritime Cyber Security Seminar

7 DNVGL-RP-0496 Cyber Security resilience management for ships and mobile offshore units in operation 7

8 DNVGL-RP-G108 Cyber security in the oil and gas industry based on IEC Developed as a Joint Industry project (JIP) Participants: ABB, DNV GL, Emerson, Honeywell, Kongsberg Maritime, Lundin, PTIL, Shell, Siemens, Statoil and Woodside Started April 2016 Released the RP at Offshore Europe September

9 DNVGL-RP-G108 Cyber security in the oil and gas industry based on IEC Out of scope In scope Identification of SuC High-level risk assessment Detailed engineering Maintenance IEC (2-1 and 2-2) Scope of work and requirements Strategy and methodology Roles and responsibilities IEC Partitioning of zones and conduits Detailed risk assessment Cyber security requirement specification IEC (2-4 and 3-3) FAT Commisioning Handover to operation IEC (2-4 and 3-3) Monitoring Managing Change Incident response and recovery CONCEPT FEED PROJECT OPERATION 9

10 Type approval of control system components 10

11 Rules for classification Cyber Security Cyber secure(basic) Minimum security level Primarily intended for sailing vessels where security will be implemented in procedures and existing systems Cyber secure(advanced) Higher security level Primarily intended for new builds, where security will be integrated into the design of the vessel Cyber secure(+) Security level based on risk assessment Target system(s) can be freely selected to address different needs. Can combined with Basic and Advanced 11

12 Typical scope for a crude oil tanker Satellite communication Bridge / WH Cargo Control Vessel IT / office Engine Control 12

13 Example of security implementation by use of zones and conduits IPSec Tunnel Crew member By applying the rules; - Systems are securely segregated - Communication between the systems are managed and secured - Remote access to the vessel are managed and secured 13

14 Promoting Cyber Security awareness is easy through e-learning Module 1: How you can help protect yourself and your organisation (10min) Module 2: Common threats & traps (15min) Module 3: Best practices (15min) Module 4 : Advanced defence in depth course (20min) Available through our on board solution distributor 14

15 Penetration testing of OT systems OT penetration testing: - Deep system and domain knowledge necessary Vulnerability spot-checking of most critical IT/OT systems using white/grey box testing 15 - Tailored configurations and bespoke protocols - Often fragile and safety critical systems

16 A global quality assurance and risk management company 16