Equinor - Tjeldbergodden - Information security for the industrial ICT systems

The audit was conducted on 10 and 11 December 2018.

Background

This audit is one of a series of audits in 2018 and 2019 focused on ICT security for the industrial ICT systems in the petroleum industry.

Industrial ICT systems are protected by measures that also protect the office networks. There are also barriers and functions that provide active and passive protection of these systems, so as to minimise the risk of vulnerabilities that can affect the industrial ICT systems – from both unintended and intentional actions.  The shared functions are often operated centrally by the company. Operation and maintenance of the industrial ICT systems and associated network equipment are primarily performed locally at the facility in close collaboration with the operating organisation.

Objective

The objective of the audit at Tjeldbergodden was to monitor how the operating organisation follows up the industrial ICT systems and associated network equipment and devices in order to ensure protection and resilience. We wanted to gain an overview of processes and systems used to ensure follow-up of the industrial ICT systems and how they are implemented and monitored by the persons responsible.

Result

The audit identified regulatory non-conformities and improvement points. The description of these matters is exempt from publication, with reference to Section 24 (3) of the Freedom of Information Act.

What happens next?

We have asked Equinor to report on how the non-conformities will be addressed and for the company’s assessment of the improvement points observed.

The deadline for the feedback is set at 7 March 2019.