MAR Consulting facilitated a cyber-security risk assessment for an operator of offshore assets on the Norwegian Continental Shelf (NCS). The assets must comply with strict Norwegian regulatory requirements. The Petroleum Safety Authority (PSA) in Norway runs periodic audits to ascertain the level of IT security (among other things) in the assets operating on the NCS. This work is part of an extended partnership with the operator to identify potential cyber-security vulnerabilities in their portfolio. Other assessments that are part of this work are: Cyber-security assessment of FPSO IT/OT systems; Cyber-security risk assessment of FPSO; Cybersecurity hazard identification of Norwegian offshore production platform complex; Cybersecurity hazard identification.
The main objective was to draw on collective experience and lessons learned to identify potential cyber-security hazards. Other objectives were to analyze and evaluate the identified cyber-security risks and to propose ways to prevent or mitigate hazardous scenarios. The assessment is a starting point for improving overall cyber-security in the asset, in addition to documenting the findings and deviations identified.
MAR Consulting developed the methodology jointly with the operator. It was based on MAR Consulting's extensive experience providing such assessments and was tailored to the operator's objectives.
The scope of work also included systems, facilities, and contributions from third-party vendors. The assessment focused on safety automated systems, network and remote access systems, information and operational technology (IT/OT) systems, and telecom systems, among others. The assessment covered normal operations as well as start-up/shutdown and emergency modes of operation. Furthermore, it covered installation, commissioning, and decommissioning of equipment, although specific risk assessments are recommended during such modifications.
The assessment was not intended to perform a design review or to assess compliance with the Norwegian Oil and Gas Information Security Baseline Requirements (ISBR) or similar standards. However, we took into consideration relevant guidelines and standards such as NoG 104, ISO 27001, ISO 27031, and IEC 62443.