In this month's newsletter, we outline how Connected Risk will transform Regulation
Offshore Energy Top 10 Cyber Risks
07 December 2015 | Blog Post
“Headline cyber security incidents are rare, but a lot of lesser attacks go undetected or unreported as many organisations do not know that someone has broken into their systems. The first line of attack is often the office environment of an oil and gas company, working through to the production network and process control and safety systems,” says Petter Myrvang, head of the Security and Information Risk Section, DNV GL - Oil & Gas.
DNV GL listed the top ten cyber security vulnerabilities as follows:
- Lack of cyber security awareness and training among employees
- Remote work during operations and maintenance
- Using standard IT products with known vulnerabilities in the production environment
- A limited cyber security culture among vendors, suppliers and contractors
- Insufficient separation of data networks
- The use of mobile devices and storage units including smartphones
- Data networks between on- and offshore facilities
- Insufficient physical security of data rooms, cabinets, etc.
- Vulnerable software
- Outdated and ageing control systems in facilities.
“As all oil and gas process plants are now connected to the Internet in some way, protecting vital digital infrastructure against cyber-attacks also ensures safe operations and optimal production regularity,” says Trond Winther, head of the Operations Department, DNV GL – Oil & Gas.
As DNV GL outlines, due to the use of digital technologies and increased dependence on cyber structures, the oil and gas industry is exposed to new sets of exposures and threats. From an underwriting point of view, such exposures can be analysed using the latest actuarial and risk modelling techniques.
For example, Russell Group’s ALPS Energy product is used to model aggregate exposure and pricing at the asset level, and analyse realistic and probabilistic scenarios while ALPS Enterprise captures a corporate’s exposure to technology vendors and compares with its own inbuilt vendor listing to assess a corporate’s risk profile to probable security threats and cyber events.