The audit was conducted on 5 and 6 March 2020.

Objective

The objective of the audit was to verify how Neptune follows up the management of risk associated with data security in the industrial ICT systems. The aim was to verify the processes and systems the operator uses to ensure follow-up of these systems, and how this is achieved for each individual unit. We also wanted to verify whether there is a correlation between the overarching procedures and the follow-up of the systems on the facility.

Result

We looked at the design of the industrial ICT systems and how they are segmented and structured. We verified the interconnections between the different systems and their links to the office systems.

We verified the governing documents for ICT security of the industrial ICT systems and procedures for these systems.

Operation and maintenance of the industrial ICT systems were verified by means of interviews and document reviews. We also investigated how the industrial ICT systems were followed up internally by the company, and to what extent service agreements with suppliers were in place for the different systems. We specifically investigated how the safety and control systems and the electrical systems were followed up by the responsible entities.

We requested an overview of which equipment and associated devices were included in the industrial ICT systems, and of the routines the company had for following up vulnerability alerts, applying vulnerability updates, and handling software that is no longer supported by the supplier.

We investigated the procedures for, and verified the functions that provide, backup and disaster recovery of the industrial ICT systems, and whether personnel were familiar with these procedures and trained in the tasks involved.

We verified procedures and functions for remote connection to the industrial ICT systems. We examined routines for monitoring and following up data traffic and event logs for the industrial ICT systems.

Training and exercises are key elements in handling incidents. We verified how incidents in the industrial ICT systems would be handled and how the operating organisation and the company’s central organisation would be involved in handling incidents.

We verified the company’s competence requirements for specialists working on and with the industrial ICT systems.

The observations in this audit report are exempt from public disclosure, with reference to the Freedom of Information Act section 24, paragraph 3.

What happens next?

We have sent the audit report to Neptune and requested feedback on our observations by 29 May 2020.