Page 21 - Gi December 2018 / January 2019
maintenance of a safety-instrumented system. DNVGL-RP-G108 applies not only to new installations; existing and more mature assets may need to be updated to prevent and protect against cyber threats.

The RP is intended to include all elements – people, processes, technology – to ensure cyber security is addressed in industrial automation and control systems. This includes the asset owner/operator, system integrator, product supplier, service provider and compliance authority. The practice explains shared responsibilities and describes who performs activities, who should be involved, and the expected inputs and outputs.

FIGURE 1: Managing cyber risk across IT and OT (©2017 DNV GL)
Information technology in the office domain: Infrastructure and networks; PCs, laptops, servers, databases; Software applications (information systems); Information and data.
Operational technology in the process control domain: Safety and Automation Systems; Industrial networks and infrastructure; Software/Programmable Logic Controller; Supervisory Control and Data Acquisition; Data/information.
Operational cyber threats and protection: Data being transferred for analytics; Control room; Vendor conducting remote maintenance; Remote metering of infrastructure.

SIMULATING ATTACKS TO IDENTIFY CYBER VULNERABILITY

Simulating a cyber-attack on a pipeline system can demonstrate strengths and weaknesses within an organisation and is a practical exercise to start building defences. Some companies, including DNV GL, recruit and develop ‘ethical hackers’ to perform testing and verification of OT, IT and linkages between them. [2]

DNV GL’s ethical hackers combine hacking expertise with profound domain knowledge of OT.

The ethical hacking process begins with passive and active reconnaissance of an asset or system’s cyber security. scans for potential vulnerabilities, for example. If any are found, the next step is to try to gain access through penetration testing to reveal actual vulnerabilities and help customers mitigate risk.

From the use of default system passwords and missing patching, to unsecured WiFi providing a route into control systems, vulnerabilities can be simple. Ethical hackers also scan for weaknesses in customer OT and IT systems that could be used to enter and exploit the system to affect operations or access confidential information. Some of this scanning and testing can be carried out remotely.

ETHICAL HACKING FOR VERIFICATION AND TECHNICAL QUALIFICATION

Ethical hacking can also assist the verification and technical qualification of equipment and systems.

Penetration testing is a relevant third-party verification step for any critical, cyber-enabled infrastructure, such as gas networks. Applied at the concept phase, it can then be used to validate the effectiveness of the barriers that were initially designed into the integrated system.

DNV GL’s Technical Assurance Laboratory offers tools and techniques to detect device flaws as part of a product security evaluation service currently being applied in the sector. This service includes applying ethical hacking techniques to products.

KEEPING UP WITH STANDARDS

Cyber security is an ever-changing challenge, requiring continual updates to standards. IEC 62443 committees will likely issue a new standard for protection levels in the future, for instance. Protection level is a methodology for evaluating protection of plants in operation. It includes combined evaluation of technical capabilities and related processes, and of technical and organisational measures.

The technical implementation and configuration in the industrial automation and control system, and how this system is operated, maintained, and deployed will be reflected in the protection level. DNV GL intends to update DNVGL-RP-G108 regularly to incorporate industry experience, new and updated standards, and fresh developments.

Download DNV GL’s Recommended Practice at www.dnvgl.com/oilgas/download/dnvgl-rp-g108-cyber-security-in-the-oil-and-gas-industry-based-on-IEC-62443.html

REFERENCES
1. Confidence and control: The outlook for the oil and gas industry in 2018, DNV GL, January 2018
2. Ethical hacking: The white hats in DNV GL cyber security services, K Ording, DNV GL