Facilities and installations in use in the petroleum sector are required to have contingency plans in place for managing unwanted incidents. The sector currently operates with some scenarios involving ICT incidents, but the Norwegian Ocean Industry Authority (Havtil) has noted during its supervisory activities that too little training is carried out in the handling of ICT security incidents related to industrial control and security systems. For this reason, we have prepared a set of training and exercise scenarios.

Background

Section 23 of the Activities Regulations stipulates a requirement that personnel must be able to deal efficiently with operational disruptions. Most people will probably be thinking in terms of hazardous situations or accidents involving muster alarms, PA announcements and a control room in communication with a 2nd line contingency team onshore. However, it is very rare that ICT incidents conform to this pattern.

Havtil’s experience

Supervisory activities and the placement of observers in contingency control centres onshore have enabled Havtil to observe that it is difficult to carry out effective training exercises in the field of ICT security for industrial ICT systems. Among the reasons for this are that no relevant skills requirements exist, individual operators are not aware of what they should be training for, and relevant exercises and drills are not readily available.

New training materials

As part of an initiative called “IKT-sikkerhet – robusthet i petroleumssektoren” (ICT security – robustness in the petroleum sector), Havtil has prepared a draft set of training materials, the first part of which is now ready for release. The exercises address the following issues:

  • Social engineering/manipulation
  • Warnings of supply chain attacks
  • Modifications linked to remote work

Since these exercises focus specifically on ICT security linked to industrial ICT systems, most will be directed at the following:

  • Personnel responsible for SAS/IACS
  • Local operations managers
  • Personnel responsible for systems operations
  • ICT departments/teams

The exercises are not designed to cover escalation to emergency situations. It should thus be possible to implement them within limited budgets.

Havtil is planning to publish two additional packages during 2025.