MAR Consulting performed a cyber-security assessment of a recent upgraded safety and automation system (SAS) on a platform in the North Sea. The main focus was on the emergency shutdown system (ESD) and supporting data network infrastructure. Cyber-security assessments are now required by functional safety standard IEC 61511:2016 Ed. 2.
The main objective of the study was to identify cyber-security threats, breaches, and vulnerabilities in the system, with the potential to cause damage and downtime to the platform. Confidentiality consequences were not considered in this study. Each identified scenario was described in terms of consequences, existing barriers and risk ranked in order to prioritize follow-up recommended work. The assessment was performed in a collaborative workshop environment with IT/OT specialists and automation responsible engineers. The shared experience was key to the success of the assessment.
The main findings were related to system management, training, missing procedures, obsolete documentation and potential backdoor via the original process control system.