25 June 2018
Operators and non-operating petroleum licensees on the Norwegian Continental Shelf (NCS) must establish emergency preparedness and implement measures to deal with any risks to their petroleum activities. Traditionally, this emergency preparedness planning has been directed towards conventional risks, such as:
Recently, due to increased digitalisation, integrated operations and the use of digital data in the operation and monitoring of petroleum activities, cybersecurity has also become a major concern for the oil and gas industry. For example, several Norwegian government reports and industry initiatives have focused on information and communication technology (ICT) and cybersecurity. Incidents relating to both deliberate cyberattacks and digital errors have made the industry worldwide more aware of the potential risks that accompany the sector's increased digitalisation. Recently, at least seven natural gas pipeline operators in the United States were the victims of hackers who targeted the third-party communications system of Latitude Technologies, while other pipeline owners were also hacked directly. In the past decade there have been numerous incidents, such as the attack on the Baku-Ceyhan pipeline (Turkey, 2008) and the Saudi Aramco malware attack (Shamoon virus, 2012). An example of an accidental digital security breach was the Mongstad incident in Norway (Statoil, 2014), in which outsourced IT personnel accidentally gained access to the operational systems for Statoil's loading terminal at its Mongstad facility, disrupting an ongoing loading operation.
This update presents an overview of the regulation of emergency preparedness and safety precautions against digital threats on the NCS.
The Norwegian Petroleum Act and several other sector laws regulate the health and safety aspects of NCS petroleum activities, including emergency preparedness. The regulation is largely founded on a functional and risk-based system, establishing goal-oriented objectives and overriding principles, rather than technical and operational requirements. The responsibility for choosing individual solutions on how to reach these goals rests with the operator and the non-operating licensees, guided by detailed guidelines and industry standards adopted or endorsed by the Petroleum Safety Authority (PSA).
An overriding principle established in Section 10-1 of the Petroleum Act is that petroleum activities must be conducted in "a prudent manner" and, among other objectives, take due account of "the financial values which the facilities and vessels represent, including also operational availability". Cyber risks may well threaten operational availability. The overall health and safety objective for petroleum activities is stipulated in Section 9-1 of the act, which states that "petroleum activities shall be conducted in such manner as to enable a high level of safety to be maintained and further developed in accordance with the technological development".
This principle is relevant in the context of this update because it presupposes technological development both as a means of raising health and safety levels and as a source of new types of risk. An example of new technology that may make conventional risks more probable is drone technology, which is widespread and may be misused as a means to launch attacks on facilities.
Specifically addressing emergency preparedness, the Petroleum Act further requires that:
The licensee and other participants in the petroleum activities shall at all times maintain efficient emergency preparedness with a view to dealing with accidents and emergencies which may lead to loss of lives or personal injuries, pollution or major damage to property. (Section 9-2)
The licensee shall initiate and maintain security measures to contribute to avoiding deliberate attacks against facilities and shall at all times have contingency plans to deal with such attacks. (Section 9-3)
These provisions were enacted before cyber risks became a major concern for the industry and the preparatory works do not explicitly mention such risks. However, due to the functional regulatory approach and the overriding principles referred to above, the provisions are also being interpreted to cover emergency preparedness against cyber risks.
Section 9-2, quoted above, covers conventional risks, such as non-deliberate accidents and emergencies resulting from human error, technical faults or weather conditions. These requirements apply to all participants engaged in NCS petroleum activities (operators, licensees and sub-contractors across the whole range of the activity, including construction, service and supply, and seismic acquisition).
The regulation of contingency planning against deliberate attacks (Section 9-3) applies only to licensees (both operators and non-operating partners), as these are the parties that own or control the facilities in question. The term 'deliberate attack' covers a wide range of threats. Considering the requirement to develop safety measures "in accordance with the technological development" (Section 9-1, quoted above), the interpretation is that this provision also covers deliberate cyberattacks.
The health and safety regulations elaborate on requirements relating to topics such as risk analysis and emergency preparedness assessments, emergency preparedness organisation, and contingency planning and exercises. The requirements are general and functional, with no explicit regulation of ICT threats or cyberattacks. The only reference to ICT risks in the entire health and safety framework appears in the non-binding guidelines to a provision on control and monitoring systems in the Facility Regulations. These guidelines recommend that "Norwegian Oil and Gas' Guideline No. 104 should be used as a basis for protecting against ICT-related hazards".(1)
Failure to comply with the regulation may result in various penalties and other formal and informal consequences. For instance, the PSA may order an operator to take specific actions to ensure appropriate safeguarding against risks. Failure to comply with such orders, or repeated serious breaches of applicable requirements, may lead to more severe consequences, including loss of operatorship, revocation of the production licence or criminal charges.
The Petroleum Act stipulates that licensees have a strict liability for pollution damage to third parties. Should any breach of safety requirements lead to other damage to third parties, the operator and/or licensees will be held liable according to the general principles of the law of damages. Under the model joint operating agreement, licensee and joint venture party liability for such damages is joint and several.
The Petroleum Act also stipulates that licensees are jointly and severally liable for any such damages caused by suppliers and contractors engaged by the operator on behalf of the licensees. Internally, within the licence group (unincorporated joint venture), the operator may be liable towards the other joint venture participants if damage caused by non-compliance with safety requirements is the result of gross negligence by the management or supervisory personnel of the operator.(2) Failure to implement emergency preparedness or other precautionary measures against cyber threats could be considered grossly negligent conduct.
According to the PSA's inspection practice,(3) the following are recurring ICT risk factors in the industry:
Could more explicit cybersecurity regulation contribute to lowering these and other security breaches?
The PSA's official view in this regard is that:
The PSA has taken steps to increase internal capacity and focus on cyber risks. While maintaining its support of the current legal framework, the PSA is assessing whether more specific cybersecurity regulation is appropriate or even required.
The functional legislative approach of the Norwegian health and safety regulations has the advantage of flexibility. Thus, substantial adjustments to cover the risks posed by the implementation of new technologies are not necessarily required. However, at least two separate government reports have questioned whether more specific regulation of ICT cyber risks could lead the industry to give these issues greater attention. Further, the considerable scope of this type of risk, which relates to virtually all parts of all petroleum activities, seems to justify a thorough assessment of whether clearer regulatory measures, more specific procedures and a corresponding inspection practice are necessary.
For further information on this topic please contact Nikolai Brøvig or Gunnar Espeland at Advokatfirmaet Simonsen Vogt Wiig AS by telephone (+4751823200) or email (firstname.lastname@example.org or email@example.com). The Advokatfirmaet Simonsen Vogt Wiig AS website can be accessed at www.svw.no.
(1) This document provides guidance on how to implement information security baseline requirements in ICT process control, safety and support systems. In October 2017 DNV GL released a recommended practice tailored to the oil and gas industry, which provides a guide on how the industry should apply the International Electrotechnical Commission (IEC) 62443 series of standards. The document was developed by a working group consisting of industry participants and experts, with the PSA acting as an observer.