Recommended Practice on Cyber Security (IEC 62443)
Jasjeet Singh
Senior Principal Consultant [Sustainable Transport | Infrastructure Electrification | Cyber Resilience]
Critical network segments in production sites, which used to be kept isolated, are now connected to networks, making the operational technology (OT) more vulnerable. According to recent research, 59% of oil and gas companies surveyed believe there is greater risk in the OT than in the IT environment. Managing threats to OT requires knowledge beyond general information security, such as oil and gas operational domain competence, in particular related to automated, unmanned, integrated and remote operations that are accessible online.
The new DNV GL recommended practice (RP) "Cyber security in the oil and gas industry based on IEC 62443" is the result of a nearly two-year-long joint industry project (JIP) together with partners Shell Norge AS, Statoil, Woodside, Lundin Norway, Siemens, Honeywell, ABB, Emerson and Kongsberg Maritime. The Norwegian Petroleum Safety Authority has observed the work and exchanged experiences with the JIP group from a regulatory perspective. The RP is based on the IEC 62443 standard, international practice and professional experience, and takes into account HSE requirements and the IEC 61511 functional safety standard. It outlines a tailored approach for the oil and gas industry on how to build security, with the emphasis on OT.
This guideline provides best practice on how to apply the IEC 62443 standard to the oil and gas industry. Although the standard describes cyber security requirements for all industries, this guideline is tailored to oil and gas. While the standard focuses on what to do, this guideline focuses on how to do it.