Background

This audit is one of a series of audits in 2018 and 2019 focused on cyber security for the industrial ICT systems in the petroleum activities.

Industrial ICT systems are protected by measures that also protect the office networks. In addition, there are barriers and functions that provide active and passive protection of these systems, so as to reduce the risk of vulnerabilities that can affect the industrial ICT systems – whether through accidental or intentional incidents. The shared functions are often operated centrally by the company. Operation and maintenance of the industrial ICT systems and associated networking equipment is mainly performed locally on the facility in close collaboration with the operational organisation.

Objective

The objective of the audit was to verify how the company follows up the management of risk associated with cyber security for the industrial ICT systems that interface with the office systems. We also wanted to verify the processes and systems used by the operator to ensure the follow-up of these systems and how they are implemented on each individual unit. We also verified that there was a correlation between the overarching procedures and the follow-up of the systems on the facility.

Result

The audit identified regulatory non-conformities and improvement points. The description of these matters is exempt from publication, with reference to Section 24 (3) of the Freedom of Information Act. They are accordingly not referred to under the non-conformities and improvement points headings in the audit report.

What happens next?

We have asked ConocoPhillips to report on how the non-conformities will be addressed and for the company’s assessment of the improvement points observed.

The deadline for feedback was 8 May 2019.