Security policy position

Russia’s invasion of Ukraine has concentrated greater attention on the threat picture for the petroleum sector, energy security in Europe and the importance of secure operation on the Norwegian continental shelf (NCS).

Norway makes an important contribution in the current situation by maintaining high oil and gas production through continued high regularity in the delivery chain.

The government has initiated measures to enhance preparedness related to infrastructure, land plants and facilities on the NCS.

It has identified control over petroleum production on the NCS and gas transport by pipeline to Europe as basic national functions.

Societal safety

The PSA is responsible for societal safety within its sector. That relates particularly to contributing to an understanding of the position and the risk picture.

Societal safety is concerned with society’s ability to defend itself against and deal with incidents which threaten basic values and functions, and threaten life and health. Such incidents could be unleashed by natural events, result from technical or human errors, or be a consequence of deliberate attacks – including cyber assaults.

Security

The PSA has the authority to conduct system-oriented and risk-based supervision of security. Audits of offshore facilities and onshore plants have been the key activity in this respect. Offshore audits include the logistical chains for personnel and materials through heliports and supply bases.

Section 9-3 of the Petroleum Act requires licensees to initiate and maintain security measures to help avoid deliberate attacks on facilities and to have contingency plans at all times for dealing with such assaults.

The main issues addressed by the PSA’s security audits involve technical, organisational and operational barriers (various types of security measures), security risk analyses and plans, governing documentation, expertise, and verification of the measures described.

Security work by the authority involves close contact with other relevant government agencies, companies and employers/employees in the industry.

Expertise development

Security is covered in a number of technical memoranda.

Strengthened ICT security

Protecting ICT systems is as significant in the petroleum industry as it is in other sectors. That applies both to the systems managing hydrocarbon production and to information on enterprises and activities in the industry.

Over time, the Norwegian government has addressed the intelligence threat to the petroleum sector and the need to strengthen security there.

The PSA has emphasised the need to be alert and for the companies to be in control of their own ability to respond. It has also been a driver for and contributed to increased knowledge about risk related to ICT security.

The authority maintains broad contacts with the industry, communicating challenges and measures for enhancing the robustness of ICT security through various activities and collaboration arenas.

Total defence

The PSA also contributes to Norway’s total defence, a collective term for overall military and civilian preparedness in Norway. It incorporates mutual support and collaboration between the armed forces and civil society over prevention, preparedness planning and operational conditions.

Total defence aims to ensure that society can maintain a functioning national crisis leadership in all types of crises, deal with large numbers of injured people, secure supplies of food, water and energy, and maintain communication and transport systems.

Safety versus security

The PSA distinguishes between safety and security.

While safety concerns avoiding accidents when engaged in legal activities, security deals with preventing undesirable deliberate incidents/conscious attacks. 

Operator companies on the NCS are responsible for safety on their facilities.

This responsibility is assigned to the companies because they are the ones in possession of the necessary knowledge, resources and decision-making authority.

Where security is concerned, the companies are responsible for implementing and maintaining measures which will help to prevent conscious attacks, and for having contingency plans to deal with these.

However, the duties of the companies supplement the government’s direct responsibilities. While the operators must handle and if possible reduce the consequences of attacks in line with their security and preparedness plans, the police are responsible for dealing with incidents which call for the use of force.

In other words, safety and security differ in terms of the division of responsibilities between the companies and the government.

Security Act

The purpose of the Norwegian Security Act is to help prevent, uncover and counter threats in the form of actions which could directly or indirectly harm national security interests.

This legislation builds on a risk-based approach and requires that undertakings subject to its provisions continuously assess the risk their assets are exposed to, and that the necessary measures are taken to achieve a satisfactory level of security.

Threats to Norwegian national security interests take various forms. The collective term employed in the Act is activities which threaten security.

Examples of these activities include intelligence-gathering by foreign states, sabotage, terrorism, serious crime which can harm national security interests, or preparations for such deeds.

This also encompasses insiders who, directly or indirectly, consciously or unconsciously, assist the success of such activities.

Work is under way to assess the extent to which parts of the petroleum industry should be classified as basic national functions and become subject to the Security Act.

Integrated risk management

It is important to take an integrated view of the risk picture and ensure that individual and overall risk assessments are made.

The expanded safety concept enshrined in the Petroleum Act embraces not only health and safety for individuals but also safety for the environment and the financial assets represented by facilities and vessels – including operational availability.

A good risk management process is integrated and holistic, and encompasses security goals and strategies as well as a decision basis fit for purpose and at the leading edge.

In an integrated approach to risk management, the security risk for deliberate undesirable incidents is one of several considerations an organisation must take into account.

Knowledge about such events and methods for implementing security measures must be included in integrated risk management.

A challenge faced by operators is that dividing lines run not only between security and other technical disciplines but also within the security discipline itself.

In its audits, the PSA has often seen divisions between those responsible for physical security, personnel safety and ICT security as well as between companies and employers/employees. The result could be a lack of integrated understanding of the security risk for deliberate undesirable incidents.

Information-sharing

The PSA has urged the industry to collaborate closely at the government level, between government agencies and companies, between companies, and between employers and employees.

Openness and information-sharing are important for work on health, safety and the environment, since these approaches form the basis for learning and improvement.

Information-sharing and exchanging knowledge are also important in efforts to maintain societal safety and security. Although some information may be classified, a great deal can still be shared. The PSA’s starting point is that the industry must share as much as possible.

It is important to ensure openness – without exposing vulnerabilities.

The companies are also required to report to the PSA security incidents which fall within its remit. Maintaining a good reporting culture is important in this area as well.

The companies must maintain close contacts with the PSA and other government agencies, so that all sides see the overall picture.

Increased infrastructure surveillance

Following the attack on the Nord Stream 1 and 2 pipelines in the Baltic during September 2022, agreement has been reached by Nato on increased surveillance in the North Sea and a strengthening of work to protect critical infrastructure – including oil and gas pipelines.

Security for such installations has been increased across several domains. Sharing of information and intelligence has also been strengthened.

Both the government and the companies contribute to barriers which protect infrastructure and gas transport against deliberate attacks.

Increased alertness – drones

A number of observations of possible unidentified drones/aircraft have been made since 2002 around facilities on the NCS and onshore petroleum plants.

These sightings are being investigated by the Norwegian police.

The PSA has urged increased alertness from all the operators and vessel owners on the NCS. It is monitoring the position, and is pursuing a close dialogue with the companies and other relevant government agencies.

Unidentified drones/aircraft could pose increased risks, particularly to helicopter traffic and the operation of search and rescue (SAR) helicopters.