The complexity of the cyber security challenge is multiplied by the communications requirements that it creates. “The big challenge in implementing cybersecurity for energy infrastructure projects is that there are many different ways to get to the acceptable level of risk that an operator wants to reach before the project can be handed over to them for operation,” says Omar Garcia, project manager for Schneider Electric.
This all means that an EPC contractor’s project manager, dealing directly with the customer, must now be able to convey authoritatively the challenges, options, and progress towards reaching the required level of cybersecurity for a more complex and interconnected set of assets and systems. This requires project managers to continually demonstrate that they know the cybersecurity status of the asset, what the current cyber threat and risk profiles are, and what strategies can ensure customer expectations will continue to be met.
“We depend a lot on technical managers and other SMEs (subject matter experts) from Schneider Electric and the operator of a development, and tend to prepare and use a risk-assessment matrix in every project to better align with the customer and their expectations,” explains Omar. Such a matrix is a graphical representation of the probability and severity of risks as calculated in a quantitative risk assessment (Figure 1). “This involves defining the scope of works to perform in alignment with customers, and is a good, graphic model to show them how you are progressing and how much you are reducing the risks,” Omar adds.
Single-source equipment providers complicate the cyber security challenge
In energy infrastructure projects involving complex, multi-stakeholder supply chains, small system suppliers often represent a higher cyber risk, according to Christian Nerland, business development director, cyber security, DNV: “Smaller vendors have less history of protecting their systems, which used to be standalone. Now, though, their systems are becoming increasingly connected, and the large and fragmented supply chain is a challenge for systems integrators and for the EPC contractors with the oversight of cyber risk.”
Omar observes: “For example, when you are facing Original Equipment Manufacturers (OEMs) and vendors in brownfield projects, all are single sources of specified equipment and parts. You have no option but to use them, and you need their support and engagement. You need them to implement some cybersecurity technologies that the customer requires. In some cases, though, these vendors are not very large companies and do not have the cyber security skills.”
Consequently, the EPC contractor needs ways to help such vendors understand the importance of cyber security in the OT components being supplied, and to secure as much of their support as possible.