The Bridge - Issue 2, 2023 - 8

Feature
A Barrier-based Approach to Cyber Security in Critical Infrastructures
the term used in the past, but this has changed, a change
that is also advocated by Norwegian authorities.
D. Performance standards for cyber security
Some companies have started developing dedicated
performance standards for cybersecurity (and physical
security) based on NOROG 104 [10] or requirements from
the NIST Cybersecurity Framework (CSF) [15]. NOROG
104 refers to and maps their requirements to the NIST CSF,
which further refers to IEC 62443. A brief overview of such
mappings is shown in Table I.
Figure 2. Typical safety barrier management process
step 2a. As an example, the event hydrocarbon leakage
is prevented by several barrier functions, among them
prevent leakage from process equipment.
In step 3, each of the barrier functions are broken down
into a set of sub-functions, which in turn are realized
through one or more barrier elements. Barrier elements
can either be technical, operational, or organizational.
Continuing our example, the prevent leakage from process
equipment-function can partly be realized, e.g., through the
sub-function prevent leaks due to technical degradation.
This sub-function is in turn realized through the technical
barrier elements sand detectors and corrosion/erosion
probes, and the organizational element corrosion
monitoring by inspection team.
Step 4 defines the performance requirements for barrier
elements. Step 5 identifies performance influencing factors
for barrier elements and functions. These are the factors
which may significantly affect the element or barriers
function to perform its task. Step 6 is concerned with the
verification of performance requirements.
The safety barrier management process results in a barrier
strategy and performance standards. The barrier strategy
can be defined as " a result of a process that on the basis
of the risk picture, describes and clarifies the barrier
functions and elements to be implemented in order to
reduce risk. " It will typically include methodology (including
a description of the barrier management process), including
a description of the facility, the area division, the DSHAs
(or MAHs), and barrier functions per area (or globally). It
continues with barrier elements, in each area (or globally),
performance requirements for the barrier elements,
performance influencing factors affecting the barrier
elements and verification activities for monitoring of barrier
performance. Detailed information about performance
requirements, PIFs, and verification activities is usually
documented separately in the corresponding performance
standards [14].
The focus on barriers and the use of the term barrier
(strategy) have increased. (Technical) safety strategy was
THE BRIDGE
E. Secure Safety in oil and gas - way forward
The process of developing performance standards
(requirements) for cyber security varies between
companies. We know of instances where NOROG 104
and NIST CSF have been used as a foundation and
complemented with requirements from IEC 62443.
However, some companies report that the development
of cybersecurity requirements is not the main challenge,
but rather verifying compliance with the requirements and
assessing the status of cybersecurity solutions.
TABLE I
Mappings Between Standards/Frameworks
NOROG 104
NIST CSF
IEC 62443
X
X
X X X X X
X X
It is not clear whether the assessment of cyber security
should be tied to the assessment of safety, whether the
assessment should be qualitative or quantitative, what
failure modes are relevant for network components, or how
different types of failure states in cyber security solutions
and equipment can be classified.
NIST CSF [16]
I EC 62443 [11]
ISO 27001/2 [17]
NIST SP 800-53 [18]
CIS CSC [19]
COBIT 5 [20]
The Bridge - Issue 2, 2023

Table of Contents for the Digital Edition of The Bridge - Issue 2, 2023
