The audit was conducted from 28 to 30 January 2020.
Objective
The objective of the audit was to verify how Equinor (Gassco’s technical service provider) follows up the management of risk associated with data security for the industrial ICT systems. The aim was to verify processes and systems used by the operator to ensure follow-up of these systems and how this is achieved for each individual unit. We also wanted to verify if there is a correlation between overarching procedures and the follow-up of the systems at the facility.
Result
We looked at the design of the industrial ICT systems and how they are segmented and structured. We verified the connections between the different systems and their links to the office systems.
We verified the governing documents for ICT security of the industrial ICT systems and procedures for these systems.
Operation and maintenance of the industrial ICT systems were verified by means of interviews and document reviews. We also undertook verifications in associated equipment rooms.
We also investigated how the industrial ICT systems were followed up, internally by Equinor and in the form of service agreements with suppliers. We specifically investigated how safety and control systems and electrical systems were followed up by the responsible entities.
We requested an overview of which equipment and associated devices were included in the industrial ICT systems and the routines Equinor had for following up vulnerability alerts, vulnerability update routines, and handling of software that is no longer supported by the supplier.
We investigated the procedures for, and verified, the functions that provide backup and disaster recovery of the industrial ICT systems, and whether personnel were familiar with these procedures and trained in the tasks involved.
We investigated how the industrial ICT systems were protected by passive measures, including routines for locking rooms and blocking unused communication ports. We verified procedures and functions for remote connection to the industrial ICT systems. We examined routines for monitoring and following up data traffic and event logs for the industrial ICT systems.
Training and exercises are key elements in handling incidents. We verified how incidents in the industrial ICT systems would be handled and how the operating organisation and the company’s central organisation would be involved in handling incidents. We verified Equinor’s competence requirements for specialists working on and with the industrial ICT systems.
We verified procedures and systems for using USB devices and other software used for file transfers to and from industrial ICT systems.
The observations in this audit report are exempt from public disclosure, with reference to the Freedom of Information Act section 24, paragraph 3.
What happens next?
We have sent the audit report to Gassco and requested feedback on our observations by 8 May 2020.