With infrastructure cybersecurity becoming a growing concern for businesses globally, it is not surprising that yet another industry association – the International Association of Drilling Contractors (“IADC”) – has issued cybersecurity guidelines for its members. IADC’s Guidelines for Assessing and Managing Cybersecurity Risks to Drilling Assets address the cyber risks affecting the “digital oilfield” – including wireless offshore technologies and automated drilling assets and drilling control systems.
Oilfield services companies and operators have historically put in place operational procedures to mitigate and respond to physical disasters, but companies and operators are increasingly concerned with how to best assess, manage, and prepare to respond to cybersecurity risks. While the proliferation of big-data analytics, digital technologies, and remote operations have led to dramatic advancements in optimization and efficiency in the industry, companies must grapple with the concurrent cybersecurity risks presented by these innovations. In light of the growing focus on cybersecurity concerns, the IADC Guidelines seek to provide high-level non-regionalized standards that harmonize various international cybersecurity frameworks.
Overview of the IADC Guidelines
The Guidelines’ main focus is providing risk management methods and standards that companies can use for assessing cybersecurity risks of drilling assets. The Guidelines are designed to assist companies with identifying and quantifying the potential for loss associated with cyber threats and establishing the priorities for their mitigation response. The Guidelines do not, however, articulate how companies may mitigate the cyber risks they identify in the risk management process.
Risk Assessment Steps
The Guidelines recommend that companies first assess drilling controls and automation systems for risks (including health and safety, environmental, and financial risks) that may result from cyber incidents, and assign a criticality grade to the various risks based on the company’s overall business priorities. Once risks have been ranked, the Guidelines suggest plotting the risks on a matrix that gauges the risk severity level against the likelihood of the event occurring. The goal of the process is to help companies assess the need for risk mitigation measures for each type of risk – whether the measures are immediately required, or are necessary but not critical, or merely should be considered – and to implement the mitigation measures according to the need determination.
The Guidelines base their cybersecurity strategy on three cybersecurity standards:
NIST Cybersecurity Framework: The NIST Framework for Improving Critical Infrastructure (2014) is a voluntary framework that has become the gold standard in the United States and beyond. Created in response to Executive Order 13636, the framework provides guidance to operators of critical infrastructure and services in managing and improving cybersecurity risks, as part of the entire organization’s risk management process. In particular, the NIST SP-800 series on Computer Security incorporates standards regarding Operational Technology (“OT”) cybersecurity and a Risk Management framework.
ISO/IEC Standards: Published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) and commonly used across Europe and Asia-Pacific, the ISO/IEC 27000-Series on Information Security Management Systems overlaps somewhat with the NIST SP-800 Series. These ISO/IEC standards establish a framework of core standards for implementing information security management systems, and incorporate particular standards regarding OT cybersecurity. In addition, ISO/IEC 21827 offers a set of practices that define cybersecurity and management practices to help organizations implement and mature their cybersecurity strategies.
ISA/IEC Standards: The IADC Guidelines refer extensively to the ISA/IEC 62443, created by the International Society for Automation (ISA) and aligned with IEC Standards. ISA/IEC 62443 is a standards family specifically for industrial automation and control systems cybersecurity (though the standards are not drilling control systems-specific). The Guidelines focus in particular on ISA/IEC 62443-3-2, which provides a prescriptive approach to (1) identifying critical systems, (2) defining target security levels, and (3) assessing risks to identify gaps and allocate appropriate countermeasures.
Oilfield services companies, operators and asset owners should evaluate how to incorporate cybersecurity risk management into their risk management programs, if they have not done so already, and periodically re-evaluate those measures once incorporated. The IADC Guidelines identify drilling operations as one the focus points for addressing and mitigating cyber risks.
In addition to addressing the issues identified in the IADC Guidelines, companies may consider incorporating cybersecurity vulnerability assessments into their due diligence processes, and consider evaluating liability, indemnification, and information-sharing provisions specific to cybersecurity incidents in services contracts. A proactive approach may be helpful for developing policies and procedures that address the IADC Guidelines, in order to further mitigate security, regulatory and litigation risks. It may be advisable for some or all of the cyber security risk assessment to be completed by or at the direction of counsel to support an argument that the risk assessment falls within the scope of the attorney-client privilege.