EPC companies are adapting to the cyber security challenge as assets and equipment go online and interconnect

Published: 7 February 2022

• Energy infrastructure development projects face a mounting cyber security challenge as assets and equipment become more network-connected
• Engineering, procurement and construction (EPC) contractors must meet customer requirements for the infrastructure to be cyber secure on handover and operational start-up
• EPC contractors need to encourage small system suppliers to provide cyber-secure systems and components
• It is advisable to test the cyber vulnerability of unvalidated new products or technologies, says Omar Garcia of EPC contractor Schneider Electric

Engineering, procurement and construction (EPC) contractors managing energy infrastructure development projects face growing cyber security challenges as once standalone computing systems managing industrial operations become increasingly connected to IT infrastructure and the Internet of Things.

This growing connectivity makes substantial demands on EPC contractors to develop and hand over assets that are on time and within budget, but also cyber secure at operational start-up. Throughout the project phase, contractors must display to operators up-to-date understanding of the risk that Industrial Control Systems (ICS) could be vulnerable to cyber-attacks, and how risks can be reduced. Operators need reassurance, for example, that third-party equipment and systems that the contractor recommends will not introduce unacceptable cyber risk to their operations.

The sheer number of people – in-house and suppliers – involved in large energy infrastructure projects also raises the risk that cyber security could be compromised through their connecting laptops, pen drives, and other devices and peripherals, and installing software. Another significant threat comes through not always using the latest version of cyber security software.

The complexity of the cyber security challenge is multiplied by the communications requirements that it creates. “The big challenge in implementing cybersecurity for energy infrastructure projects is that there are many different ways to get to the acceptable level of risk that an operator wants to reach before the project can be handed over to them for operation,” says Omar Garcia, project manager for Schneider Electric.

This all means that an EPC contractor’s project manager, dealing directly with the customer, must now be able to convey authoritatively the challenges, options, and progress towards reaching the required level of cybersecurity for a more complex and interconnected set of assets and systems. This requires project managers to continually demonstrate that they know the cybersecurity status of the asset, what the current cyber threat and risk profiles are, and what strategies can ensure customer expectations will continue to be met.

“We depend a lot on technical managers and other SME (subject matter experts) from Schneider Electric and the operator of a development, and tend to prepare and use a risk-assessment matrix in every project to better align with the customer and their expectations,” explains Omar. Such a matrix is a graphical representation of the probability and severity of risks as calculated in quantitative risk assessment (Figure 1). “This involves defining the scope of works to perform in alignment with customers, and is a good, graphic model to show them how you are progressing and how much you are reducing the risks,” Omar adds.

Single-source equipment providers complicate the cyber security challenge

In energy infrastructure projects involving complex, multi-stakeholder supply chains, small system suppliers often represent a higher cyber risk, according to Christian Nerland, business development director, cyber security, DNV: “Smaller vendors have less history of protecting their systems, which used to be standalone. Now, though, their systems are becoming increasingly connected, and the large and fragmented supply chain is a challenge for systems integrators and for the EPC contractors with the oversight of cyber risk.”

Omar observes: “For example, when you are facing Original Equipment Manufacturers (OEMs) and vendors in brownfield projects, all are single sources of specified equipment and parts. You have no option but to use them, and you need their support and engagement. You need them to implement some cybersecurity technologies that the customer requires. In some cases, though, these vendors are not very large companies and do not have the cyber security skills.”

Consequently, the EPC contractor needs ways to assist such vendors to understand the importance of cyber security in the OT components being supplied and to secure their support as much as possible.

“This is quite a challenge,” says Omar. “In my experience, only a few, very large OEMs understand the importance and have the proper people in charge of cybersecurity. Ultimately, our role as the EPC contractor is simply to support the customer in implementing the technologies, not to increase the cyber security of third-party vendors’ equipment.” This, he continues, makes it tough to get proper alignment between a customer’s cyber security requirements and what vendors are supplying.

Managing the supply-chain cyber risk

Large and experienced EPC contractors have experience with most products on the market for large and small projects worldwide. “We evaluate them and, when we are preparing the project design, choose some of these products because we are comfortable with the maturity and the robustness of the solution,” Omar says.

“But if we run into a challenge because a different or new OEM cannot validate a new product or new technology, we need to test them. In this case, we need to perform a POC (proof of concept) in which is really advisable to have a cybersecurity penetration test that assesses the robustness of the solution.” For example, DNV has provided cybersecurity verification services for third-party suppliers’ components in energy infrastructure developments for a range of EPC contractors. This has involved DNV conducting ICS and IT penetration testing, simulating cyber-attacks to assess for vulnerabilities that could be exploited to gain unauthorized and potentially malicious access to control system networks.

“In our case, DNV has so far supported us very well,” says Omar. “We do not normally seek technical advisors in our projects but trust a lot in our own engineering people. External advisors come with the customer, mostly for complex projects. The customer will have already prepared a very detailed scope of work and will follow that to the letter using good in-house cybersecurity resources. Or, they will have an external advisor company supervising all the designs and the main design documents of the project or follow up at the end of the project.”

Assuring cyber security of operational and information technologies

DNV’s cybersecurity approach is based on recognized standards and recommendations, such as ISO 27000 series, IEC 62443, NIST 800 framework, among others. The company also develops recommended practices that can help EPC contractors and their customers to create trust with stakeholders that a project meets cybersecurity benchmarks for OT and IT separately and together.

DNV assists oil and gas field development projects combining deep-seated energy infrastructure knowledge with security best practice. “Customers typically want us to support by identifying and fixing cyber vulnerabilities, proving compliance with regulations and standards, and assisting them to hand over cyber-resilient critical infrastructure to operators,” says DNV’s Nerland.

Read more about DNV cyber security services