We have issued an order to Maersk Drilling Norway AS (Maersk Drilling) after an audit of Maersk Drilling's management of information security risks for the industrial ICT systems for Maersk Integrator identified serious breaches of the regulations. Notification of the order was made on 9 May 2022 and the order was issued on 2 June 2022. The audit was carried out from 8 to 12 February 2021.
The objective of the audit was to verify how the company follows up the management of risk associated with data security for the industrial ICT systems. The purpose of this type of audit is to verify the processes and systems used by the participant to ensure the follow-up of these systems and how this is accomplished on each individual facility. We also wanted to verify whether there is a correlation between overarching procedures and the follow-up of the systems at the facility.
The audit identified regulatory non-conformities. The description of these conditions is exempt from public disclosure, with reference to the Freedom of Information Act section 24, paragraph 3. Accordingly, they do not appear under non-conformities and improvement points in the audit report.
On the basis of our observations in the audit, we have now issued Maersk Drilling with the following order:
Pursuant to the Framework Regulations, section 69 concerning administrative decisions, Maersk Drilling is ordered to:
1. Establish and implement internal requirements to protect against ICT-related risks on all facilities on the Norwegian Continental Shelf, with reference to the Management Regulations, section 6 concerning the management of health, safety and the environment, 1st para; the Management Regulations, section 8 concerning internal requirements; and the Activities Regulations, section 20 concerning the start-up and operation of facilities, 2nd para, items a and b.
2. Implement the measures set out in the company's internal requirements, including training for all facilities on the Norwegian Continental Shelf, with reference to the Management Regulations, section 21 concerning follow-up, 1st para; and the Activities Regulations, section 21 concerning competence.
The deadline for complying with the order is set at 1 September 2022 for part 1 and 31 December 2022 for part 2. We are to be notified when parts 1 and 2 respectively of the order have been carried out.