Cybersecurity Barrier Management

The aim of the project is to develop new knowledge and provide guidance to protect industrial control and safety systems against cyberattacks. Several threat actor groups are actively targeting the petroleum sector, and the number of publicly reported cyberattacks is rising, highlighting a growing threat landscape. At the same time, increased digitalisation has amplified vulnerabilities. Cyberattacks against control and safety systems in the petroleum industry can cause physical damage to facilities, endanger personnel on board, and disrupt the security of energy supply to Europe. Digitalisation can also be leveraged to enhance safety, for example by ensuring effective control of barriers that help prevent accidents from occurring. These barriers—both technical (such as intrusion detection systems) and non-technical (such as operators in security control centres monitoring industrial control systems)—complement normal control measures and are designed to address abnormal situations. Barrier management systems have long been established for traditional safety measures against accidental events but are less developed for intentional events such as cyberattacks. Establishing cybersecurity barrier management, and integrating it with existing safety barrier management, is the focus of this project. The work is carried out in close collaboration with Equinor, Aker BP, the CDS forum on cybersecurity in industrial control systems (with 27 participating companies), and external experts. Some of the main findings and results so far include significant differences in current practices, development of a common approach, establishment and use of security levels, and a flowchart outlining a process for continuous risk analysis and risk reduction, based on monitoring threats, vulnerabilities, and barrier impairments. The observed differences in practice stem both from variations in how traditional safety barrier management is implemented, and from the use of different standards and guidelines as the basis for managing cybersecurity in industrial control systems. A key outcome of the project is the development of a common approach for identifying cybersecurity barriers and defining requirements for them. This methodology is designed to be flexible, taking into account company-specific differences. Cybersecurity, and the management of barriers in particular, can be supported by setting requirements for the security level of systems and equipment within industrial control systems, as well as for the maturity level of the organisations that develop and operate these systems. Security assessments can then be carried out based on both the defined security and maturity levels. Within the project, we are exploring how this approach can be implemented in practice. Since the risk picture is more dynamic in cybersecurity than in safety for unintended incidents, the project also examines how to monitor threats and vulnerabilities, in addition to tracking the status of barriers and addressing changes as they occur. One of the key results is a flowchart illustrating a process for continuous risk analysis and mitigation. This process consists of three sub-processes: (1) threat landscape monitoring, (2) vulnerability management, and (3) cybersecurity barrier monitoring. The results will be consolidated into a guideline for integrated safety and cybersecurity barrier management.

The overall project objective is to provide new research-based knowledge and guidance for cybersecurity barrier management as a continuous process during development and operation (incl. maintenance) of ICS in the petroleum industry, covering both technical and non-technical aspects, bridging the safety and cybersecurity domains. Digitalization calls for novel concepts to be able to exploit the potential in digitalization while at the same time managing a considerable growth in cybersecurity threats. Main challenges addressed in this project are protection of ICS to security threats and software upgrade procedures to ensure that newly discovered cyber-security threats are resolved fast. There is a need to develop new research-based knowledge on establishment and follow-up of cybersecurity requirements for technical as well as non-technical barrier elements, and to investigate and develop new innovative work processes for improved interaction between the office IT systems and ICS. The challenge of mastering the interdependencies between safety and cybersecurity is still significant and will be a major challenge for many years to come. The industry needs more practical guidelines and standardized approaches for integrating the safety and security domain to ensure that cybersecurity does not interfere with the proper safe operation of the production process. There is also a need to build new scientific knowledge on the transition from unidirectional to continuous processes for operation and maintenance of ICS, in a context with a multitude of suppliers.