The threat picture and Norwegian petroleum activities

The Petroleum Safety Authority Norway (PSA) has reviewed this year’s unclassified threat and risk assessments from the Norwegian Intelligence Service (NIS), the Norwegian Police Security Service (PST) and the Norwegian National Security Authority (NSM). Some points relevant for the petroleum sector are highlighted below.

Information and assessments on foreign, security and defence policy are provided by the NIS to support Norway’s civilian authorities.

Its Focus 2023 report analyses the status of and expected developments in thematic and geographical areas which the service considers particularly relevant for Norwegian security and national interests. Topics covered include Russia, China, international terrorism and conflict areas.

Combined with the National Threat Assessment 2023 from the PST, the NIS report describes national and international conditions which influence the threat picture.

The PST’s assessment concentrates on the intelligence threat, with particular emphasis on Russian and Chinese espionage. It also describes politically motivated violence – extremism and threats to people in authority.

Intelligence work can be pursued in a variety of ways, including network operations, recruitment of sources, and digital and physical sabotage.

Risk can be reduced

Risk assessments and safety measures must be updated in line with changes to the risk picture. The war in Ukraine has demonstrated that Norway must be prepared for a broad range of threats.

In its Risk 2023 report, the NSM calls attention to how the petroleum sector should reduce vulnerabilities to make the job of threat agents more difficult.

Cyber vulnerabilities exploited

Phishing attacks will still be the simplest and most widely used method for obtaining access to information about a person or an enterprise. The NSM is constantly seeing human, technological and organisational vulnerabilities being exploited to assist malicious cyber operations directed at a number of Norwegian enterprises.

Digital threat agents also exploit such vulnerabilities as weak passwords, outdated software and lack of two-factor authentication to secure unlawful access to ICT systems.

Such attacks are not always aimed directly at networks belonging to enterprises. Individuals and third-party services on which enterprises depend may be exploited because they are regarded as easier to assault than the actual targets.

Insider risk

The Norwegian security services are devoting much attention to insider risk, which can arise at any point in an insider’s period of employment. This means background checks or security declarations are not an adequate means of avoiding such risk. These issues are dealt with in more detail in the PSA’s report on maniging insider risk (Håndtering av innsiderisiko - in Norwegian only).

Industry players can help improve the national picture

Good situation and threat pictures at sectoral and national levels depend on a functioning chain which extends from alertness by the individual through reporting systems at companies to filing reports with the authorities.

Routines at enterprises for internal notification, combined with a system for onward reporting to the PSA, the power sector’s computer emergency response team (KraftCERT), the PST or the NSM, make it easier for employees to report.

The PSA has entered into an agreement with KraftCERT, which discharges the operational role as the sectoral response team for the petroleum sector and receives reports of all cyber incidents in the industry.

What must be reported?

Suspicion of, attempts at or successful security incidents, both digital and physical.

What must be notified to the PSA?

Section 29 of the management regulations specifies the requirements for notifying and reporting hazards and accidents. These also apply to cyber and security incidents. The notification/reporting form can be found at https://hendelser.ptil.no/?language=engelsk

How can other government agencies be notified?

Cyber incidents: cert@kraftcert.no

Activities and incidents which represent a security threat: varsel@nsm.no or the PST website at www.pst.no/tips-oss

It should be made clear whether the notification is a tip-off, accusation or request for assistance.

Advice and guidance

Get in touch with the business contacts in the relevant police district:

https://www.politiet.no/kontakt-politiet/naringslivskontakter/ (in Norwegian only)

Unclassified threat and risk assessments

The five ICS Cybersecurity Critica Controls

The five ICS Cybersecurity Critica Controls, SANS, October 2022

What are you looking for?

All regulations

Acts

Amendments and consultations

PDFs of regulations

Previous versions of the regulations

All regulations

Acts

Amendments and consultations

PDFs of regulations

Previous versions of the regulations

Audit reports

Investigation reports

Consents

Acknowledgements of Compliance (AoC)

Notices about orders

Audit reports

Investigation reports

Consents

Acknowledgements of Compliance (AoC)

Notices about orders

All subjects

Trends in risk level (RNNP)

Terms and expressions

Main issue 2025: Artificial intelligence is also a risk factor

All subjects

Trends in risk level (RNNP)

Terms and expressions

Main issue 2025: Artificial intelligence is also a risk factor

Upcoming events

Previous events

Upcoming events

Previous events

What is tripartite collaboration?

Who is responsible for safety?

Safety Forum

Regulatory Forum

What is tripartite collaboration?

Who is responsible for safety?

Safety Forum

Regulatory Forum

Who is Havtil?

Our organisation

Q&A: Understanding the Norwegian regime

International collaboration

Job vacancies

Who is Havtil?

Our organisation

Q&A: Understanding the Norwegian regime

International collaboration

Job vacancies

Contact persons

Reporting to Havtil

Requests for access

Notify us

Contact persons

Reporting to Havtil

Requests for access

Notify us

The threat picture and Norwegian petroleum activities

Risk can be reduced

Cyber vulnerabilities exploited

Insider risk

Industry players can help improve the national picture

What must be reported?

What must be notified to the PSA?

How can other government agencies be notified?

Advice and guidance

Unclassified threat and risk assessments

The five ICS Cybersecurity Critica Controls

Contact

Ingvild Klaveness