Installations and facilities in the petroleum sector are required to have contingency plans for handling undesirable incidents. The industry currently operates with some scenarios involving ICT incidents, but, in its supervision, Havtil observes that too little training is carried out in the handling of ICT security incidents in industrial control and security systems.
For this reason, we have prepared a set of eight training and exercise scenarios. The attachment can be found at the bottom of the article.
Background
The Activities Regulations section 23 requires personnel to be able to effectively handle operational disturbances. For most people, this will probably evoke hazard and accident situations involving muster alarms, PA announcements, the emergency response centre and communication with 2nd line contingency support onshore. It is rare for ICT incidents to conform to this pattern.
KraftCERT’s Threat Assessment 2024 discusses various threats to operations in the petroleum sector. Among the threats highlighted as likely are insider threats, ransomware, and attacks that exploit dependencies between control systems and IT, all with disruptive effects.
Experiences
Havtil has, through audits and by being observers in the emergency response centre onshore, noted that it is difficult to implement effective ICT security exercises in the industrial ICT systems. This is, among other reasons, due to a lack of relevant competence requirements, individuals not knowing what is relevant to exercise, and the absence of available exercise programs.
Well done is better than well said
The threat- and risk assessments from the Norwegian National Security Authority (NSM), the Norwegian Police Security Service (PST), and the Norwegian Intelligence Service (NIS) establish that the threat picture on the Norwegian continental shelf is characterised by persistent and elevated risk.
Prime minister Jonas Gahr Støre has emphasised that workers on installations and land facilities must be vigilant and report unusual activities. Moreover, he states that: “this is about making sure that surroundings and systems are as they should be. It is about reporting faults in systems or abnormal incidents. This will result in increased security for everyone.”
During the presentation of NSM’s threat assessment for 2025, director Arne Christian Haugstøyl emphasised that it is time to implement a “well done is better than well said” stance to the work on preventive safety. The focus on reviewing and exercising plans and scenarios is important.
One of Havtil’s responsibilities is to advise the sector, and through this, contribute to ensuring that the organisations take care of their responsibility for the safety on installations and land facilities.
New training materials
As part of the “ICT security – robustness in the petroleum sector” initiative, Havtil has prepared a draft set of training materials. The first and second part of the material has been previously published, and we are now releasing a final set consisting of 2 training guidelines. In total, this constitutes eight exercises. These exercises address the following issues:
- Social engineering
- Supply chain attack
- Maintenance and modification of remote work
- Threat actor has access to the network
- Insider
- Loss of communication
- Reconnaissance
- Irregularities in the data traffic
In connection with the publication of the latest set, on request from the industry stakeholders, translated all guidelines to English.
Target group
Since these exercises focus specifically on ICT security in industrial ICT systems, most are directed at:
- Personnel responsible for SAS/IACS
- Local operations management
- Personnel responsible for systems operations
- ICT departments
The exercises are not designed to cover escalation to emergency situations, and it should therefore be possible to implement them within limited budgets.