Published: 9 March 2022
Rising awareness of the need to build cyber security into oil and gas infrastructure projects inevitably raises questions about what cyber risk assessment and testing is needed, when, and who pays.
Increasing connectivity between corporate operational and information technology (OT and IT), and with external IT systems through the internet, is a key driver of such risk in a wide range of industries. Then there is the question of how and when assessment and testing can be fitted into timetables specified in contracts that expose engineering, procurement and construction contractors to financial penalties if they miss key deadlines.
These challenges are neatly illustrated through a real-life project in which a contractor undertook to design, build and operate (DBO) an offshore hydrocarbon production facility. The contractor was to operate the vessel for a year before handover to the customer, the eventual operator, and accepted that there would be financial penalties if the final commissioning deadline was missed.
The whole project was to last five years, so it might have been thought that there was ample time to identify and resolve any cyber security risks across the interconnected OT and IT involved. However, cyber security was not specified in the contract as it did not have such a high profile at that time. Since the original contract was signed, the rising frequency of reported cyber-attacks on energy infrastructure [1,2] led the contractor, acting in line with its policy of continuous improvement, to re-evaluate previous decisions. In light of the increased cyber risk, the contractor commissioned assessment and testing of the facility's OT and opted to cover the cost of ensuring that the facility could operate securely during the one-year operate phase of the DBO contract. It selected DNV to support it in achieving this, with only three weeks remaining before the final commissioning deadline.