Skip to main content

DNV GL highlights cyber security vulnerabilities in the oil and gas industry

Published by
LNG Industry,

DNV GL has announced it has delivered a study to the Lysne Committee (Lysneutvalget1) that lists the ten most significant cyber security vulnerabilities for companies that are operating offshore Norway. These vulnerabilities include:

  • A lack of training and awareness amongst employees about cyber security.
  • Remote work during both maintenance and operations.
  • The use of standard IT products that have known vulnerabilities in a production environment.
  • A limited cyber security culture amongst suppliers, vendors and contractors.
  • The insufficient separation of data networks.
  • Using mobile devices and storage units, such as smart phones.
  • Data networks that link onshore and offshore facilities.
  • A lack of proper physical security surrounding data rooms, cabinets, etc.
  • Vulnerable software.
  • Out of date facility control systems.

Whilst these apply to offshore Norwegian companies, DNV GL claims that they are just as relevant in other parts of the world.

In the statement, DNV GL claims that such vulnerabilities can be dealt with by using a risk-based approach, which uses a bow-tie method that is familiar in safety barrier management. This enables companies to locate the threats to their assets, and then develop plans to prevent a cyber attack.

Trond Winther, the Head of the Operations Department, DNV GL – Oil & Gas, said: “As all oil and gas process plants are now connected to the internet in some way, protecting vital digital infrastructure against cyber-attacks also ensures safe operations and optimal production regularity.”

An international survey carried out by DNV GL with over 1100 professionals demonstrated that, despite the fact that most companies are managing the security of their information, 58% have adopted an ad hoc management strategy, whilst only 27% have set firm goals.2

Petter Myrvang, Head of the Security and Information Risk, DNV GL – Oil & Gas, said: “Headline cyber security incidents are rare, but a lot of lesser attacks go undetected or unreported as many organizations do not know that someone has broken into their systems. The first line of attack is often the office environment of an oil and gas company, working through to the production network and process control and safety systems.”

1: The Lysne Committee has been appointed by the Norwegian Ministry of Justice and Public Security to assess the country’s digital vulnerabilities.

2: ‘Viewpoint Report. Is your company’s data secure?’, DNV GL – Business Assurance, October 2015.

Edited from press release by David Rowlands

Read the article online at:


Embed article link: (copy the HTML code below):