Like any other industry sector, oil and gas has embraced the new digital age. For a number of years now, companies have relied on industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems to facilitate and monitor exploration and drilling as well as to optimize production from onshore and offshore sites. This means that within the whole production chain, all operations are connected as parts of the same system.
The increased reliance on automation and on connected data and control systems has in turn increased the vulnerability of the sector to cyber threats and attacks. According to a report by Dragos, “the oil and gas industry is a valuable target for adversaries seeking to exploit industrial control systems (ICS) environments. […] A disruption event from a cyberattack at an oil and gas facility can occur at any point across the three major stages of oil and gas operations: upstream, midstream or downstream. From exploration and production to customer distribution, operational technology (OT) environments are in close proximity to information technology (IT) networks. […] Due to the political and economic impact, and direct effect on civilian lives and infrastructure, the oil and gas industry has a high risk for ICS targeted destruction and disruption campaigns originating from a cyberattack.”
The IEC has published many standards that help increase the resilience and robustness of critical infrastructure and IT systems in the face of a rapidly evolving cyber threat.
In particular, IEC Technical Committee 65: Industrial-process measurement, control and automation, developed a series of international standards, IEC 62443, offering a comprehensive set of cyber security guidelines that applies to manufacturing as well as critical infrastructure, such as power plants, hospitals, water or transport networks. And IECEE, the IEC System of Conformity Assessment Schemes for Electrotechnical Equipment and Components, has put in place a global cyber security certification programme based on the IEC 62443 series. The aim is to verify that cyber security measures have really been implemented.
The IEC and ISO Joint Technical Committee for information technology (ISO/IEC JTC 1) helps organizations enhance their information security: one of its subcommittees, SC 27, published ISO/IEC 27001:2013, Information technology – Security techniques – Information security management systems – Requirements. And recently, IECQ, the IEC Quality Assessment System for Electronic Components, has set up a scheme for the certification of information security management systems (ISMS), offering a single approach to the application of ISO/IEC 27001.
Compliance with international standards, such as IEC 62443 and ISO/IEC 27001, and the ensuing testing and certification are essential elements in the protection of critical infrastructure in the oil and gas sector. However, unless they are coupled with employee awareness, they will not ensure optimal security.
Companies need to instil a security culture into their staff. Employees should be trained to make sure they are able to minimize the risks and protect their operations.
Oil and gas industry workers’ skills and competence – Ex industry workers’ skills in general – are of the utmost importance. To meet the Ex industry’s needs and ensure that all safety aspects have been covered, IECEx, the IEC System for Certification to Standards Relating to Equipment for Use in Explosive Atmospheres, launched the IECEx scheme for certification of personnel competence.
The scheme provides companies working in the Ex field with independent proof that a person has the required competence and capability (based on qualifications, experience and demonstrated ability) to implement the international Ex standards and to work on, or repair, equipment located in hazardous areas. This can be especially important for consultants and contracted staff. The IECEx certificate of personnel competence (CoPC) is personal, non-transferable and valid across international borders. As well as the certificate itself, IECEx-approved personnel are also furnished with a wallet-sized identification card with photo, providing instant proof of certification.
The scheme for certification of personnel competence complements the other IECEx schemes – the IECEx certified equipment scheme and the IECEx certified service facilities scheme – to ensure that equipment and people working in the Ex field operate in the safest possible conditions.
While this scheme doesn’t explicitly address cyber security, employees who have obtained an IECEx certificate of personnel competence (CoPC) may certainly help all staff be more aware of the security measures that need to be implemented to ensure the safest and smoothest running of their operation.