Unsatisfactory security systems in use offshore
As an assignment for the Norwegian Petroleum Safety Authority, SINTEF has carried out a study of security systems in use on offshore installations. The conclusion is that the requirements for independence and robustness are not satisfactorily complied with.
Offshore security systems are to an increasing extent linked together: the same manufacturer supplies control and security systems and the different systems share the same software and user interface. In addition, integrated operations have been introduced, leading to an increase in signal transmission between systems.
However, the regulations place requirements on a satisfactory degree of independence among security barriers and on the ability of security systems to carry out the intended operations independently of other systems.
With the assistance of SINTEF, the Petroleum Safety Authority has therefore completed a project whose objectives were to assess whether interaction between systems has a critical effect on security, and to determine whether such interaction may be unacceptable in some cases.
Evaluation
Inspection has been carried out in connection with three operators and three security system suppliers.
The main conclusions of SINTEF’s report are:
• The industry does not work systematically to ensure that systems are independent of each other
.
• Undesirable ICT incidents and threats such as virus attacks and network storms have already resulted in the shut-down of installations. The industry does not appear to be fully capable of ensuring that such threats will not lead to security-related consequences in the future.
• The risk situation in general is somewhat unclear and awareness should be improved by means of increased use of risk and vulnerability analyses, better collaboration between technical disciplines (ICT, process, automation, instrumentation, telecommunications) and a general improvement in the level of expertise.
• The majority of installations are not prepared, either technically or organisationally, for remote access. Analyses and technical modifications are necessary before this can be implemented in all locations.
The Petroleum Safety Authority will now carry out additional work to ensure that the industry deals with the weaknesses that have been revealed by the report. The report (in Norwegian) can be viewed to the right at this site:
