Cybersecurity hazard identification

Cyber-attacks have the potential to become a major threat to oil and gas operators. Global ransomware damage costs are predicted to exceed $5 billion in 2017. That’s up from $325 million in 2015, a 15X increase in two years, and the situation is expected to worsen.

Prevention and mitigation of accidents are normally achieved through good practices, hazard and risk assessments, and application of appropriate risk reduction measures. However, traditional process and hazard studies such as hazard and operability studies (HAZOP) and hazard identification (HAZID) are not appropriate for addressing cybersecurity threats, since they typically consider only single initiating events.

MAR Consulting AS is constantly working with partners and clients to adapt and develop existing risk assessment techniques, with the objective of preventing and mitigating cyber-attacks on critical systems such as industrial automation and control systems. The methodology behind the risk assessments is guided by the following objectives:

– Identify and analyze the levels of protection, detection, and response mechanisms addressing the threat/risk/response security feedback loop;

– Investigate and propose multi-protection measures in series;

– Ensure that technical, procedural and managerial protection measures operate in conjunction to offer robust levels of protection.

Typically, procedures and management systems are the weak links in cyber-secure and resilient IT and industrial automation and control systems. Examples are the lack of specific training to increase awareness of employees and contractors; response and recovery procedures; and password management. However, there are also often “quick wins”, such as (physical) access control, USB and network port blocking, disabling unused network switch ports…

It is important to emphasize that cybersecurity is a continuing process and an attitude. It is not a reachable goal, given the ever-evolving threats and dynamic environments.