Handling of security and preparedness against deliberate attacks in the petroleum sector

The programme of meetings with the operating companies was conducted between June 2020 and January 2021.

The participating companies each described their security level and approach to handling security risks. The following topics were covered:

• organisation, roles and competence
• managerial commitment and security culture
• management of security risks (governing documents, analyses and plans)
• system for barrier management (security measures, performance requirements and verification system)
• identified challenges and focus areas
• security challenges in digitalisation initiatives

Developments in security in the petroleum sector

Since an equivalent programme of meetings in 2014, the Petroleum Safety Authority Norway (PSA) has observed progress in the field of security. Managerial commitment, developments in methods and tools, and better understanding, knowledge and competence have yielded results. Security has become more mature.

Learning from incidents, the sharing of information, the growth of cooperative arenas, the operators’ own efforts and the PSA’s activities (reviews, audits, training, exercises, seminars etc.) have contributed to giving the topic of security the attention it requires.

At the same time, our audits show that there are still challenges in terms of identifying, managing and handling security risks.

Cooperation

The safeguarding of a good level of security in the Norwegian petroleum industry requires extensive cooperation between all relevant public and private enterprises. We would mention in particular the operating companies' cooperation within security in the supply chain, including at supply bases and helicopter terminals.

This work has long been a priority of the operating companies. Through the Norwegian Oil & Gas industry organisation, methods, tools, policies, agreements, guidelines etc. have been continuously upgraded and improved.

Management responsibility and involvement

Security work in the companies is a management responsibility, but affects all levels of the business and requires their involvement. Relevant sections of the regulations define requirements for risk management and risk reduction processes, and also include an expectation of enhancement and improvement in levels of health, safety, the environment, emergency preparedness and security.

Holistic risk management

A good risk management process is integrated and holistic, and contains security targets and strategies, as well as decision support that is fit-for-purpose and preexists actual decision-making.

Within a holistic approach to risk management, the security risk of intentional undesirable incidents is one of numerous factors that an organisation must take into account. Knowledge of deliberate undesirable incidents and methods for implementing security measures must form part of holistic risk management.

One challenge that many operators face is that there are divisions not only between security and other professional environments, but also within the professional security environment itself. In audits, we have often observed divisions between the professional environments for physical safety, personnel safety and ICT security. This may lead to an absence of holistic understanding of the security risks of intentional undesirable incidents.

Analyses and surveys

The implementation and use of security risk analyses are an important aspect of decision support for when the business needs to make decisions and implement security measures. Security risk analyses are consequently pivotal to the company's risk management, including the management of security risk. The use of analyses is also dependent on an understanding of their assumptions, limitations and level of uncertainty.

In our audits, we are now seeing that the operators, more so than before, have a structured and deliberate approach to security risk and analysis work. They map their assets that need protection, the threats that they are exposed to and the vulnerabilities that could be exploited.

We are pleased to note that several operators engage in dialogue with and seek advice and information from relevant authorities (e.g. the Norwegian Police Security Service and the Norwegian National Security Authority (NSM)). This can help improve understanding of the complex threat picture facing the petroleum industry, and may provide important input to analytical work. 

We would like to highlight the importance of involving in analysis work all affected professional domains, experts and implementers, as well as the safety delegate service, to ensure that risk contributions are mutually understood and included. Dialogue, communication, involvement and participation are important aspects of preparing decision support for the risk owner.

Barrier management

The purpose of barrier management is to establish and maintain barriers so as to be able to handle at any time the security risk faced. Through our audits, we have seen that most operators have defined an overall barrier strategy for security, but are still working to establish a system for managing security barriers.

Some operators do not have systems for overseeing security barriers, the functions they are intended to fulfil and whether they have weaknesses.

The report from this programme of meetings is exempt from public disclosure, with reference to the Freedom of Information Act, section 24, 3rd paragraph.