Installations and facilities in the petroleum sector are required to have contingency plans for handling undesirable incidents. The industry currently operates with some scenarios involving ICT incidents, but, in its supervision, Havtil observes that too little training is carried out in the handling of ICT security incidents in industrial control and security systems. For this reason, we have prepared a set of training and exercise scenarios.

The training and exercise scenarios are now available in Norwegian only. English translation is pending.

Background

The Activities Regulations section 23 requires personnel to be able to effectively handle operational disturbances. For most people, this will probably evoke hazard and accident situations involving muster alarms, PA announcements, the emergency response centre and communication with 2nd line contingency support onshore. It is rare for ICT incidents to conform to this pattern.

KraftCERT’s Threat Assessment 2024 discusses various threats to operations in the petroleum sector. Among the threats highlighted as likely are insider threats, ransomware, and attacks that exploit dependencies between control systems and IT, all with disruptive effects. 

New training materials

As part of the “ICT security – robustness in the petroleum sector” initiative, Havtil has prepared a draft set of training materials. The first part of the material was published earlier, and we are now releasing a further set of training guidelines. These exercises address the following issues:

  • Actor has access to the network
  • Insider threat
  • Loss of communication

Actor has access to the network

One critical scenario is an actor gaining access to the network at the installation or facility and being able to perform malicious acts. Training and exercises for this scenario help test the ability of companies to detect and handle such incidents, including early steps to identify their scope, implement mitigating measures, and restore function after an attack.

Experience from such exercises shows that it is important to have good routines for logging and monitoring communication between offshore and land, to identify who is doing what and with what equipment, and to establish what skills will be required of the executing resources on board and onshore.

Insider threats

Insider threats are a persistent risk to companies in our sector. This makes it important to practise scenarios where an employee with lawful access to the control systems makes changes that lead to production disruptions.

Exercises and training on handling insider threats can also help reveal weaknesses in access control and routines. This allows the companies to improve measures designed to prevent and handle such incidents.

It is important to have clear routines and measures for handling insider threats. The development of routines and measures should include technical, security and operational resources.

Loss of communication

Loss of communication can have serious consequences for facilities and installations, both for operations and for the protection of safety on board.

Exercises in the loss of communication also help verify the companies’ abilities to identify and assess the operational consequences of such loss. Experience from such exercises shows that it is important to have redundant communication solutions and to train personnel in their use, while also handling the consequences of the loss of communication.

Target group

Since these exercises focus specifically on ICT security in industrial ICT systems, most are directed at:

  • Personnel responsible for SAS/IACS
  • Local operations management
  • Personnel responsible for systems operations
  • ICT departments

The exercises are not designed to cover escalation to emergency situations, and it should therefore be possible to implement them within limited budgets.

Havtil plans to publish a further set of training guidelines during 2025.