EPC companies are adapting to the cyber security challenge as assets and equipment go online and interconnect
Published: 7 February 2022
Energy infrastructure development projects face a mounting cyber security challenge as assets and equipment become more network-connected
Engineering, procurement and construction (EPC) contractors must meet customer requirements for the infrastructure to be cyber secure on handover and operational start-up
EPC contractors need to encourage small system suppliers to provide cyber-secure systems and components
It is advisable to test the cyber vulnerability of unvalidated new products or technologies, says Omar Garcia of EPC contractor Schneider Electric
Engineering, procurement and construction (EPC) contractors managing energy infrastructure development projects face growing cyber security challenges as once standalone computing systems managing industrial operations become increasingly connected to IT infrastructure and the Internet of Things.
This growing connectivity makes substantial demands on EPC contractors to develop and hand over assets that are not only on time and within budget, but also cyber secure at operational start-up. Throughout the project phase, contractors must demonstrate to operators an up-to-date understanding of the risk that Industrial Control Systems (ICS) could be vulnerable to cyber-attacks, and of how those risks can be reduced. Operators need reassurance, for example, that third-party equipment and systems that the contractor recommends will not introduce unacceptable cyber risk to their operations.
The sheer number of people – in-house and suppliers – involved in large energy infrastructure projects also raises the risk that cyber security could be compromised through their connecting laptops, pen drives, and other devices and peripherals, and installing software. Another significant threat comes through not always using the latest version of cyber security software.
The complexity of the cyber security challenge is multiplied by the communications requirements that it creates. “The big challenge in implementing cybersecurity for energy infrastructure projects is that there are many different ways to get to the acceptable level of risk that an operator wants to reach before the project can be handed over to them for operation,” says Omar Garcia, project manager for Schneider Electric.
This all means that an EPC contractor’s project manager, dealing directly with the customer, must now be able to convey authoritatively the challenges, options, and progress towards reaching the required level of cybersecurity for a more complex and interconnected set of assets and systems. This requires project managers to continually demonstrate that they know the cybersecurity status of the asset, what the current cyber threat and risk profiles are, and what strategies can ensure customer expectations will continue to be met.
“We depend a lot on technical managers and other SME (subject matter experts) from Schneider Electric and the operator of a development, and tend to prepare and use a risk-assessment matrix in every project to better align with the customer and their expectations,” explains Omar. Such a matrix is a graphical representation of the probability and severity of risks as calculated in quantitative risk assessment (Figure 1). “This involves defining the scope of works to perform in alignment with customers, and is a good, graphic model to show them how you are progressing and how much you are reducing the risks,” Omar adds.
Single-source equipment providers complicate the cyber security challenge
In energy infrastructure projects involving complex, multi-stakeholder supply chains, small system suppliers often represent a higher cyber risk, according to Christian Nerland, business development director, cyber security, DNV: “Smaller vendors have less history of protecting their systems, which used to be standalone. Now, though, their systems are becoming increasingly connected, and the large and fragmented supply chain is a challenge for systems integrators and for the EPC contractors with the oversight of cyber risk.”
Omar observes: “For example, when you are facing Original Equipment Manufacturers (OEMs) and vendors in brownfield projects, all are single sources of specified equipment and parts. You have no option but to use them, and you need their support and engagement. You need them to implement some cybersecurity technologies that the customer requires. In some cases, though, these vendors are not very large companies and do not have the cyber security skills.”
Consequently, the EPC contractor needs ways to help such vendors understand the importance of cyber security in the OT components being supplied, and to secure their support as much as possible.
“In my experience, only a few, very large OEMs understand the importance and have the proper people in charge of cyber security”
Omar Garcia
project manager
Schneider Electric