The Norwegian Police Security Service (PST) confirmed, on Wednesday 13 August, that two attacks against Norwegian industrial systems are under investigation. The first incident is the attack against the dam facility in Bremanger, Vestland, earlier this year. The second incident has not been made known but has similarities to the incident in Bremanger. PST considers the incidents to be connected and has linked the sabotage acts to a pro-Russian hacker collective.
In a presentation during Arendalsuka, head of PST, Beate Gangås, emphasised that «These are measures and methods that Russia utilises to influence the security situation in other countries. The objective is to influence the Norwegian society, spread unrest and instability, as well as mapping our strengths and weaknesses.»
The threat and risk assessments from the Norwegian National Security Authority (NSM), the Norwegian Police Security Service (PST), and the Norwegian Intelligence Service (NIS) establish that the threat landscape on the Norwegian continental shelf is characterised by persistent and elevated risk.
The petroleum sector has worked with ICT security for many years. Nevertheless, the persistent and serious threat landscape still places significant demands on the organisations’ efforts in ICT security. It is also important that measures are adapted to the current threat landscape. PST’s investigation of these incidents makes this all the more relevant.
Havtil is the sector response milieu for the petroleum sector
Havtil collaborates with KraftCERT on carrying out the operational activities of the sector response milieu function. Through this collaboration, the operators and drilling contractors have access to sector-specific threat assessments. The annual threat assessment from KraftCERT is also supplemented by an annual bundle describing concrete measures for each threat.
The bundle for 2024 includes measures, as well as recommendations for implementation, relevant to the incidents investigated by PST.
- Utilise hardened remote access solutions. Recommendations and measures related to technical solutions for remote access, as well as monitoring.
- Execute regular network scans. Recommendations related to continuous monitoring of exposed interfaces and connections to control systems.
- Ensure adequate logging. Recommendations for measures related to continuous monitoring of log data, which is essential to detect attacks. A central log service should have monitoring and anomalous pattern detection capabilities.
- Focus on activity patterns and anomalies. Recommendations and measures related to the collection and correlation of logs to provide information about techniques and tactics. Use of artificial intelligence (AI) can strengthen the threat actor’s abilities to compile information and adapt attack techniques.
- Plan for elevated preparedness with access limitations. Recommendations and measures related to planned heightening of emergency preparedness that results in limitations to manual access and integrations from suppliers.
The bundle emphasises that it is important to exercise attack scenarios. Effective management of different types of attacks reduces consequences, may help reduce the scope of an attack, and reduces the threat actor’s ability to reach their objective.
Training and exercises on attack scenarios are important for both security and operations personnel. Collaboration and a mutual understanding of each other’s roles and measures, as well as how these interact, are important.
As part of the «ICT security – robustness in the petroleum sector» initiative, Havtil has prepared a draft set of training materials, consisting of nine scenarios. These are available here: Training materials in the field of ICT security for industrial ICT systems
Reporting of unusual incidents
In an interview published in Havtil’s journal, Dialogue, Prime Minister Jonas Gahr Støre emphasised that «those working on platforms and onshore facilities are to be vigilant and observant, and to report anything unusual». Furthermore, «it is about reporting faults in systems or abnormal incidents. This will result in increased security for everyone.»
Havtil repeats this call to action and reminds organisations that errors and irregularities that may be linked to digital attacks and cyber incidents are to be reported to KraftCERT, which handles the operational sector response function in the petroleum sector.
The individual organisations are responsible for ensuring adequate digital security. At the same time, it is important that the organisations report incidents and observed irregularities to the sector response milieus.
The sector response milieu’s role in correlating incidents, within and across sectors, is a key part of national resilience. The incidents PST is investigating emphasise the importance of this.