A safety instrumented system (SIS) is a combination of safety instruments and safety functions that are designed to detect, prevent, or mitigate hazardous situations. SISs are broadly used in the oil and gas industry and play a critical and integral role in ensuring process safety. With the introduction of intelligent oil fields and the implementation of integrated operations, there is a growing interest in the application of new technologies, for instance, remote control of safety-critical systems. New technological solutions have begun to appear with seamless integration of various hardware and software applications, bringing new forms of operational concern, particularly in security and regulatory terms. In general, the safety and security level of SISs can be challenged by both hardware failures and software-related issues, with the potential for severe consequences. Compared to random hardware failures, software-related issues can be more difficult to identify early. With the growth of digitalisation trends across the oil & gas sector, the potential implications of software challenges also gradually increase. After a very recent major cyberattack on Norsk Hydro, the cybersecurity issue has gained significant attention from authorities, operators, and service providers due to its significant impact on safety, production, and asset economics.
Under the existing circumstances, this paper explores critical issues and challenges related to cybersecurity and reviews industry practices with regard to requirements in governing standards, for instance, the IEC 62443 series. It also identifies some dangerous failure modes of SISs as examples that need due security attention in a digitalisation process. Towards the end, the paper elaborates on two main grounded strategies important for assuring the cybersecurity of SISs within the oil & gas sector.