Evaluating Operational Technology Cybersecurity Risk
A major offshore operator engaged Athens Group Services surveyors to evaluate the cybersecurity program on two rigs they had under contract in the Gulf of Mexico.
The contractor provided Athens Group Services surveyors with their cybersecurity policy manual, which was reviewed and used as the basis for the evaluation. The evaluation was intended first to identify, and make recommendations to close, any gaps found between the contractor’s written policies, operator requirements, and industry best practices for operational technology cybersecurity. Following the evaluation of policy, Athens Group evaluated the contractor’s adherence to, and implementation of, those policies in operations.
The scope included the contractor’s internal policies and practices as well as the policies and practices of the major systems OEMs, including drilling controls, station keeping, vessel management, and the associated networks.
When evaluating cybersecurity on an offshore asset, Athens Group Services surveyors use a fit-for-purpose operational technology (OT) network analysis methodology, which is fully compliant with the industry guidance from the US National Institute of Standards and Technology (NIST) and the US Department of Energy Cybersecurity Capability Maturity Model (C2M2) for the energy sector. Our methods focus on cyber threat identification and prevention and look for evidence of actively managed profiles for assets, threats, and vulnerabilities. These three artifacts are the foundation for effective OT cybersecurity.
During the evaluation, Athens Group Services surveyors discovered significant gaps in the contractor’s ability to identify, quantify, and mitigate their cyber risk. These gaps exposed both the contractor and the operator to cyber events that could damage people, plant, and environment. Using our fit-for-purpose OT cybersecurity methodology, Athens Group Services surveyors provided the operator and the contractor with a full report of the gaps, ranked according to risk criticality, as well as an actionable plan to close those gaps and gain control of the cyber risk levels on the asset.