Reports from Norwegian Intelligence Service (NIS) and the Norwegian Police Security Service (PST) describe national and international conditions which influence the threat picture.
These evaluations can provide players in the Norwegian oil and gas industry with insights and knowledge for taking good decisions in their encounter with the threat picture and for initiating measures tailored to the individual enterprise which reduce risk.
Since threat agents have become ever more sophisticated, countermeasures to combat them must also be improved. Solutions which were good enough last year may perhaps remain useful now but are unlikely to suffice next year.
At a government press conference, justice and public security minister Emilie Enger Mehl highlighted three areas which call for special attention.
- Increased awareness of how enterprises can protect themselves better.
- New and stronger threats call for better protective tools.
- A coordinated commitment maximises the effects of the resources deployed.
Stable gas deliveries
Norway ranks as the most important supplier of natural gas to Europe and its petroleum industry has knowledge and utilises technology which are attractive to both Russia and China, so this sector is closely monitored. These countries utilise different methods in seeking to acquire insights and information about such technological solutions.
According to the PST, espionage services often use digital recruitment via social media and chat groups. This is supplemented by advanced cyber operations and the fact that Norwegian centres of expertise are attractive to Chinese academics.
Furthermore, the agency emphasises the role of enterprises in the petroleum sector as stable energy suppliers.
They are particularly exposed because Norway has become a more central energy supplier for Europe after the attack on Ukraine. Russia regards the use of energy-related instruments as a key means of sowing dissension in the west.
National Threat Assessment 2024, PST
Value chains
Meanwhile, the Risk 2024 report from the Norwegian National Security Authority (NSM) notes that it can be easier to exploit smaller companies and sub-suppliers than the bigger players.
That means it is just as important that more modest enterprises have good security routines. Four important points are also listed by the NSM.
- Map and become familiar with your value chains.
- Improve your digital protection.
- Be careful with personnel security.
- Think safety in value chains and procurement.
When the enterprise is familiar with its value chains and has a good situational awareness, it possesses a good basis for strengthening its protection. Furthermore, it must be aware of interdependencies such as information and communication systems, contracted-out services and other suppliers.
Vulnerabilities at a supplier also affect the enterprise’s own operations. Good routines for qualification and security follow-up of suppliers are therefore important to the security of the business.
Although an individual enterprise may have good routines, the NSM notes that this is not always adequate.
The employee is seldom of interest personally, but rather the way they can be exploited as an entry point to the enterprise’s assets. In this way, an employee who clicks in good faith on a link or opens an attachment in an e-mail apparently sent by a colleague can provide a threat agent with far-reaching access to the enterprise’s network and internal systems.
Risk 2024, NSM
Organisational and human measures
In its audits, the Norwegian Ocean Industry Authority (Havtil) has seen that identifying, implementing and maintaining effective organisational and human measures can often be more demanding than with technical solutions.
Measuring and verifying the effect of such measures is also more difficult, making it challenging to identify the good solutions in this work. Nevertheless, the Risk 2024 report shows that organisational and human measures are as important as technical ones.
Remote working
Making real-time data available is a precondition for integrated work operations. Together with remote access, this provides opportunities for improved utilisation of internal and external expertise.
Over time, the availability of security solutions for remote access has increased. Since the exploitation of weaknesses in such systems has also risen, however, it is important to continue improving security in this area – both technically and operationally.
KraftCERT
Through Havtil’s collaboration with KraftCERT, operators and vessel owners have access to threat assessments aimed specifically at this sector. These were supplemented in December 2023 with a package of measures which describe specific solutions for each threat.
Assessments and measures cover both the technical solutions used in industrial ICT systems and recommendations related to personnel given access to them.
Threat and risk assessments
In its Risk 2024 report, the NSM assesses the risk of society being affected by deliberate acts which could harm important societal interests.
The PST’s annual National Threat Assessment provides an analysis of expected developments in its area of responsibility – such as terrorism, espionage and threats to authority figures.
In its annual Focus report, the NIS provides its analysis of the current position and expected developments in thematic and geographical areas which it considers particularly relevant for Norway’s security and national interests.
Players can help to improve the national position
Good sectoral and national situational and threat pictures depend on a functioning chain from alertness by the individual, through company reporting systems, to reporting to the authorities.
When enterprises have notification routines and systems for onward reporting to Havtil, KraftCERT, the PST or the NSM, it becomes easier for employees to report.
Havtil has now entered into an agreement with KraftCERT, whereby the latter takes care of the operational role as the sectoral reporting centre for the petroleum industry. All cyber incidents in the industry are reported to KraftCERT.
What must be notified?
- Suspicion of, attempts at or successful security incidents, digital or physical.
What is to be notified to Havtil?
- Section 29 if the management regulations specify requirements for notifying and reporting hazards and accidents. These also apply for cyber and security incidents.
The necessary form can be accessed at https://www.havtil.no/en/contact-us/notify-us/How do you notify other authorities?
- Cyber incidents: cert@kraftcert.no.
- Activities and incidents posing a security threat: varsel@nsm.no or the PST website: www.pst.no/tips-oss (in Norwegian only) Make it clear whether this is a tip-off, a report or a request for help.
Advice and guidance
Use the business contacts in the relevant police district: https://www.politiet.no/kontakt-politiet/naringslivskontakter/ (Norwegian only)