MAR Consulting facilitated a cyber-security risk assessment of the systems required to operate a floating production, storage and offloading (FPSO) vessel. The FPSO is currently operating on the Norwegian Continental Shelf (NCS) and is required to adhere to the country's strict regulatory requirements. The Petroleum Safety Authority (PSA) in Norway runs periodic audits to ascertain the level of IT security (among other things) of the assets operating on the NCS.
The main objective was to draw on collective experience and lessons learned to identify potential cyber-security hazards. Other objectives were to analyze and evaluate the identified cyber-security risks and to propose ways to prevent or mitigate the hazardous scenarios. Beyond documenting findings, the study is used as a starting point to improve overall cyber-security in the asset being analyzed.
The methodology used was developed jointly with the operator. It was based on MAR Consulting’s extensive experience providing such assessments and was tailored to the operator’s objectives.
The scope of work also included systems, facilities, and contributions from third-party vendors. The focus was on the safety automated systems, network and remote access systems, information and operational technology (IT/OT) systems, and telecom systems, among others. The assessment covered normal operations as well as start-up/shutdown and emergency modes of operation. Installation, commissioning and decommissioning of equipment within the systems being analyzed were also covered, although specific risk assessments should be performed when such projects are being implemented.
Please note that the assessment was not intended to perform any sort of design review or to assess compliance with the Norwegian Oil and Gas Information Security Baseline Requirements (ISBR) or similar standards. However, relevant guidelines and standards such as NoG 104, ISO 27001, ISO 27031 and IEC 62443 were used and referenced where necessary and applicable.