Baseline security requirements

Appendix 1 to 091 Norwegian Oil and Gas recommended Guidelines for securing supplies and materials in the oil and gas industry

Translated version

Norwegian Oil and Gas Association recommended guidelines for Securing Supplies and Materials in the Oil Industry No. 091 Established: 5 Nov. 2003 Revision no.: 4 Rev. date: 20 June 2013 Page: 2

_______________________________________________________________________________________ Contents Specification of changes .................................................................................................................................... 3 Application.......................................................................................................................................................... 3 2 Minimum requirements for security and preparedness............................................................................ 4 2.1 Area security ............................................................................................................................................. 4 2.2 Technical measures for area security minimum requirements ...................................................... 6 2.3 Access control ........................................................................................................................................... 8 2.4 ICT security ............................................................................................................................................... 8 2.5 Personnel security measures .................................................................................................................. 9 2.6 Formulating and administering security agreements....................................................................... 10 2.7 Requirements for physical security of supplies and materials ........................................................ 10 2.8 Control of supplies and materials at the bases .................................................................................. 11 2.9 Control of large equipment units and structures .............................................................................. 14 2.10 General measures ................................................................................................................................. 14 Addendum 1 to Appendix 1 Security agreement..................................................................................... 15

Norwegian Oil and Gas Association recommended guidelines for Securing Supplies and Materials in the Oil Industry No. 091 Established: 5 Nov. 2003 Revision no.: 4 Rev. date: 20 June 2013 Page: 3

_______________________________________________________________________________________

Specification of changes
Clarifications to the text have been made throughout the document. Changes to requirements have also been made in the following chapters Chapter 2.2: Technical measures for area security minimum requirements Security fences Traffic barriers Security centre CCTV monitoring Perimeter alarms Chapter 2.8: Control of supplies and materials at the bases Return consignments

Application
This document is issued by virtue of the Norwegian Oil and Gas recommended guidelines for securing supplies and materials in the oil and gas industry. It describes the measures which must be implemented and prepared in order for the players in the supply chain to deal with an ordinary threat level (the normal position) in an acceptable manner. These requirements must be incorporated in the enterprises security plans. They are to be regarded as the baseline security on which a heightened security level will build. Players in the supply chain must implement the guidelines through agreements reached between the parties.

Norwegian Oil and Gas Association recommended guidelines for Securing Supplies and Materials in the Oil Industry No. 091 Established: 5 Nov. 2003 Revision no.: 4 Rev. date: 20 June 2013 Page: 4

_______________________________________________________________________________________

2 Minimum requirements for security and preparedness

2.1 Area security
All areas and all buildings in the base area must have an agreed area classification, with security measures which are tailored to the enterprises security requirements. A risk analysis must be conducted for security. This will form the basis for relevant security measures over and above the minimum requirements. Suppliers co-located outside the base area, and who see security and/or cost-related advantages in coordinating their security measures, should seek to establish joint areas with a security standard equivalent to that specified for the base areas. Suppliers with a security agreement must have a controlled area available for packing in/on load carriers and for storage of other inspected cargo. Industrial estate: Generally speaking, no restrictions apply for public access to the industrial estate, and no requirements are specified for physical security measures. Base area: The base area must have signs which clearly indicate who owns or uses it. They must specify that entry is prohibited for unauthorised persons. These measures will help to secure the property and materials, and lay the basis for more effective monitoring in the event of a change in the threat level. Relevant measures: Signs Fences around the areas perimeter Should a perimeter barrier in the form of a fence be impractical, the area can be monitored by CCTV or perimeter alarms Traffic barriers Lighting CCTV monitoring Patrolling security guards

Controlled area: The following requirements must be met in a controlled area: automated detection manual verification of detection locked doors/gates CCTV monitoring

Norwegian Oil and Gas Association recommended guidelines for Securing Supplies and Materials in the Oil Industry No. 091 Established: 5 Nov. 2003 Revision no.: 4 Rev. date: 20 June 2013 Page: 5

_______________________________________________________________________________________ automated access control and/or stationary security guards.

Figure 1 Sketch of area types pursuant to 091 and the ISPS

Restricted area: Measures in a restricted area supplement those applied in a controlled area. They must prevent access by unauthorised persons and help to secure the property and materials. The following methods are used: Access confined to authorised personnel

Norwegian Oil and Gas Association recommended guidelines for Securing Supplies and Materials in the Oil Industry No. 091 Established: 5 Nov. 2003 Revision no.: 4 Rev. date: 20 June 2013 Page: 6

_______________________________________________________________________________________

2.2 Technical measures for area security minimum requirements

The guidelines refer to established standards for security where these exist in order to ensure the most uniform possible approach to the use of technical security measures. The standards referred to are: the Security Handbook (armed forces buildings) (SHB) Norwegian Insurance Companies Approval Board (FG)

Signposting Signs must be illuminated during periods of darkness, and easily visible at a distance of 100 metres. Security fence A security fence conforming to security class 2 (SHB) must be installed around controlled areas. A fence must also be installed along the perimeter fronting the sea where the perimeter is not a quay. Fence security class 2: Lattice fence installed on iron T-posts driven into the ground. Minimum fence height two metres. Should be reinforced on top with wood or several rows of barbed wire to hinder climbing. The climbing obstacle should project outwards at an angle of 45 degrees. An open zone on both sides of the fence with a minimum width corresponding to the height of the fence should be cleared of vegetation and objects which could provide cover and simplify penetration of the fence. If establishing such a zone is impractical, compensatory measures such as perimeter alarms or CCTV monitoring should be installed. It should not be possible to penetrate beneath the fence without the use of tools/digging implements. The requirement for a fence in security class 2 is to be regarded as a minimum. A risk analysis is recommended to determine whether a fence with a higher security class needs to be installed. Lighting Important areas from a security perspective, such as the perimeter fence, controlled and restricted areas, and traffic hubs, must have lighting to security class 2 (SHB) which makes it possible to detect and possibly prevent breaches of the access provisions as well as illegal activities. Lighting security class 2: Light source(s) which provide sufficient light to register visually, and via optical equipment, activity in the illuminated area.

Norwegian Oil and Gas Association recommended guidelines for Securing Supplies and Materials in the Oil Industry No. 091 Established: 5 Nov. 2003 Revision no.: 4 Rev. date: 20 June 2013 Page: 7

_______________________________________________________________________________________ Traffic barriers and security gates in the base area must be sufficiently lit for control activities to be conducted in an acceptable manner. CCTV-monitored areas must have the level of lighting specified by the CCTV equipment manufacturer. Security gates Controlled areas must have security gates at their vehicle entrance. It must not be possible to force locking mechanisms or hinges without special tools. The gate must not be lower than the height of the security fence, and the gap beneath the gate must not be higher than 10 cm. The gate must normally be kept closed. If the gate is not closed, compensatory measures must be taken to protect the level of security. Traffic barriers All access roads for vehicles into the base area and joint security areas must have traffic barriers to regulate access. The barriers must be monitored from a staffed guardhouse. They must be closed outside normal working hours. Access roads to be staffed by security guards in the event of a heightened security level must have a guardhouse. Security centre The enterprise must have the capacity to respond immediately to alarms and to follow up in the event of breaches of the access provisions. The enterprise should unify individual measures when this is cost-effective and sensible in security terms. CCTV monitoring CCTV monitoring will be used to monitor access roads at traffic barriers, controlled and restricted areas, the sea frontage and other areas as required. External cameras must have the necessary amount of light and a heated housing. The recording unit must be digital with a network connection. Perimeter alarms Perimeter alarms can be used on the bases sea frontage if a security fence is impractical. Alarms must be transmitted to a staffed security centre. Anti-intrusion measures Restricted areas in the base area must have intrusion-proof doors, locks and windows, as well as intruder alarms. The alarm system must be FG-approved. Alarms must be transmitted to a staffed security centre, and responded to immediately. Departures from the minimum requirements for technical area security are permitted if the risk analysis indicates that satisfactory alternative solutions can be chosen.

Norwegian Oil and Gas Association recommended guidelines for Securing Supplies and Materials in the Oil Industry No. 091 Established: 5 Nov. 2003 Revision no.: 4 Rev. date: 20 June 2013 Page: 8

_______________________________________________________________________________________

2.3 Access control

Personnel permanently employed in the base area and in other joint security areas outside the base must at all times carry identity cards with a photograph issued by their own employer or the client at the base. The identity card must be produced at the request of an authorised person, and must be worn in a clearly visible position when the security plan requires this. Visitors to controlled areas must be registered on individual registration forms or possibly on an electronic system (which also conceals data on other visitors). Visitors must not be given access to information about other visitors. Registered data must be held in a way which is inaccessible to unauthorised persons and for a minimum of three years. A PIN code must be used to access controlled and restricted areas. Visitors to controlled areas must be accompanied back to the reception/guardroom at the end of their visit. Family members are to be regarded as visitors. Unknown people must produce valid proof of identity before being given access to a controlled area. Valid proof of identity includes a driving licence (EEA model) or passport. Personnel employed by a known enterprise can identify themselves with that enterprises own ID card with photograph. Personnel permanently employed in the base area and in other joint security areas who use their own vehicle inside the area must have an ID/access card attached to the windscreen, which indicates that the vehicle is authorised to be driven in the relevant area. Masters of vessels calling at quays in the base area outside the ISPS security area must be able to account for all personnel on board at all times.

2.4 ICT security

Each enterprise must have plans to ensure the necessary operational continuity of its own ICT applications and services which are necessary for maintaining the supply chain. Computer programmes and networks, servers and attached equipment used in the supply chain must be secured against wilful damage, sabotage and unauthorised access at the level of NS 27000 on information security management.

Norwegian Oil and Gas Association recommended guidelines for Securing Supplies and Materials in the Oil Industry No. 091 Established: 5 Nov. 2003 Revision no.: 4 Rev. date: 20 June 2013 Page: 9

_______________________________________________________________________________________

2.5 Personnel security measures

Each enterprise is responsible for ensuring that its own employees and contract personnel are qualified to work in the supply chain. Each person must be familiar with and observe the applicable security instructions, and their employer must be able to verify their identity. The following measures will apply to all companies in the base area, to suppliers with a security agreement, and to suppliers delivering equipment critical for operations in the supply chain. Before external recruitment takes place, the candidate must have submitted written documentation of their education and experience. References must be obtained in writing directly from former employers, educational institutions and other referees, and be checked pursuant to applicable legislation and statutory regulations and in accordance with provisions specified by the enterprises human resources manager. Security conversations must be conducted with new employees and contract personnel before they start work. Own employees and contract personnel on long-term engagements must have a security conversation at least every other year. This should cover knowledge of routines and rules for security, reporting of security breaches and consequences of breaching security routines. The manager of personnel with security duties must ascertain that they are suited to performing such duties, and have the necessary expertise. Employees must be subject to a duty of confidentiality about their work, which persists after their employment ceases. This duty must be acknowledged by signing a written declaration of confidentiality. A duty of confidentiality must be a standard contract term in contractual relationships involving personnel hire. Access authorisation must be kept updated at all times. When somebody leaves/a contract is terminated, the base company and tenants at the base must see to it that all authorisations and access permits are withdrawn and that loaned materials, computer software, handbooks, work descriptions, ID cards, keys and other property/documentation are returned to the enterprise.

Norwegian Oil and Gas Association recommended guidelines for Securing Supplies and Materials in the Oil Industry No. 091 Established: 5 Nov. 2003 Revision no.: 4 Rev. date: 20 June 2013 Page: 10

_______________________________________________________________________________________

2.6 Formulating and administering security agreements

To ensure prudent and efficient security control of supplies and materials, an operating company or somebody authorised by the operating company can choose to enter into security agreements with key suppliers. Correspondingly, key suppliers subject to agreement with the operating company concerned can enter into security agreements with their own sub-suppliers. Such security agreements have a standardised format and content, which must not be amended. This describes: the parties to the agreement the purpose of the agreement requirements for security measures related to personnel management requirements for area security requirements for access control requirements for control of equipment and materials security requirements for transporting goods by road.

The formulation of the security agreement is described in addendum 1 to this document. The security agreement must indicate to what degree it comprises security preparedness steps during heightened security levels. Operating companies and suppliers which have entered into security agreements with their subsuppliers must supervise compliance with the security agreements. Such supervision must be documented. See chapter 8 in 091. Operator/base companies must maintain an overview of which suppliers have valid security agreements at any given time, and with whom. Security agreements must have a unique reference number.

2.7 Requirements for physical security of supplies and materials

Supplies and materials must be secured against theft, wilful destruction, sabotage and the introduction of illegal objects. This security must be provided by area security and supply chain control. Supplies and materials from suppliers with security agreements must be delivered if at all practicable in closed and sealed steel containers with approved seals. See appendix 3, Instructions from Norwegian Oil and Gas on Security Seals. Supplies and materials from suppliers with security agreements which are packed on open load carriers, equipment packages, and fuel and chemical tanks must be secured if at all practicable

Norwegian Oil and Gas Association recommended guidelines for Securing Supplies and Materials in the Oil Industry No. 091 Established: 5 Nov. 2003 Revision no.: 4 Rev. date: 20 June 2013 Page: 11

_______________________________________________________________________________________ against unauthorised access using fine-mesh netting with a tightening mechanism or lid, and be sealed. The security solution to be applied and the degree of security to be used with load carriers must be agreed between the supplier and client. The Security network determines in collaboration with the Base network what types of seals and which seal numbers are to be used. The numbering system must be based on international standards where these exist. The operator companies are responsible for allocating seals. This can be delegated to the base companies. Shipping documents for sealed load carriers from suppliers with security agreements must use a standardised text which makes it clear that the consignment is secured in accordance with the Norwegian Oil and Gas recommended guidelines, and specify the number of the suppliers security agreement. Seal number, container number and contents must also be specified in the documents. On arrival in a public port, measures must be implemented at all times to prevent the addition of unwanted cargo or unauthorised persons getting on board. Containers must be stowed as far as possible door-to-door. The operator companies must contribute to finding cost-effective solutions which fulfil the requirements in the guidelines and meet the industrys expectations of acceptable security for supplies and materials.

2.8 Control of supplies and materials at the bases

Control measures must be planned and implemented in such a way that deliveries are not delayed. The following measures will be used at an ordinary threat level. Goods reception All deliveries must be requisitioned by authorised personnel in the operator company or collaborating contractor company. When supplies and materials are received, the delivery must be checked to ensure that it accords with the shipping documents and the description in the order. On receipt of sealed load carriers from suppliers with a security agreement, the seal number and possible load carrier/container number must be checked against the information in the shipping documents. The suppliers security agreement number must be checked. The load carrier is checked visually for foreign objects. A selected sample of sealed load carriers must be opened for a spot check before being shipped out. After this check, the load carrier must re-sealed.

Norwegian Oil and Gas Association recommended guidelines for Securing Supplies and Materials in the Oil Industry No. 091 Established: 5 Nov. 2003 Revision no.: 4 Rev. date: 20 June 2013 Page: 12

_______________________________________________________________________________________ Sealed food containers cannot be opened en route for checks, pursuant to regulations from the Norwegian Food Safety Authority. These can therefore only be accepted from suppliers with security agreements. Closed/covered and sealed load carriers from suppliers without security agreements must be opened, checked and re-sealed with an approved seal. The load carrier is checked visually for foreign objects. Materials which arrive at the base on open, uncovered and unsealed load carriers must be checked visually for foreign objects. Regardless of the points above, the operator can conduct a technical inspection of third-party equipment and check consignment security and goods, with subsequent sealing of load carriers in accordance with the operator companys own routines. Casing must be checked visually and placed in intermediate storage in a controlled area until it is shipped out. Load carriers are checked visually for foreign objects. Goods must be stored in a controlled area until packing/loading takes place.

Outgoing consignments: Written documentation must be available for outgoing supplies and materials. Packing of containers and other load carriers must take place in controlled areas. Personnel must be present at all times in the storage and shipment areas while loading is under way.

Outgoing supplies and materials are checked visually or electronically for alcohol, drugs, explosives and other foreign objects before being placed on load carriers. Closed, sealed containers must be used if practicable. Sealing takes place immediately after packing, with the seal number added to the manifest. The seal number must also be added to the cargo list. If at all practicable, other load carriers must be covered and spot checks carried out. Load carriers are checked visually for foreign objects. Spot checks are conducted on this type of load carrier at an ordinary threat level, and are stepped up in line with the threat level. If the seal number does not correspond to the number on the manifest or cargo list, the load carrier must be rejected and a full physical check of its contents carried out. If a load carrier with a nonconforming seal number is delivered by a supplier with a security agreement, its contents must be checked if possible by the suppliers own personnel. The position is reported to the responsible operator or contractor company, and to the base companys security manager. Seals must be checked on the quayside immediately before loading to ensure that they are physically intact.

Norwegian Oil and Gas Association recommended guidelines for Securing Supplies and Materials in the Oil Industry No. 091 Established: 5 Nov. 2003 Revision no.: 4 Rev. date: 20 June 2013 Page: 13

_______________________________________________________________________________________ If a seal is found to be broken, a full physical check of the contents must be carried out. If the load carrier with the broken seal is delivered by a supplier with a security agreement, its contents must be checked if possible by the suppliers own personnel. The position is reported to the responsible operator or contractor company, and to the base companys security manager. Load carriers which are not enclosed/covered and sealed must be checked visually inside and out for foreign objects on the quayside immediately before being loaded on board. Deliveries to private recipients must always be checked.

Return consignments: Materials being returned should be in sealed containers if practicable. Possible sealing is checked against the manifest or cargo list on arrival at the base. If the use of containers is not appropriate, the material must be checked visually for foreign objects, drugs and other objects not on the manifest. Deliveries to private recipients must always be checked, and an approved carry-on permit must accompany the consignment.

Return consignments must be stored in a controlled area while awaiting onward transport.

Dealing with nonconformities: In the event of irregularities, security of personnel will be the overriding concern. Extra caution must be displayed if the seal on a load carrier has been broken, and the contents must be checked for foreign objects. If a seal must be broken during transport for one reason or another, the reason must be entered on the manifest with a signature. That also applies for provision containers. Suspected irregularities must be reported immediately to the responsible operator or contractor company, and to the security manager for the base. Particular caution must be exercised with urgent consignments, and their contents must be checked for foreign objects.

Norwegian Oil and Gas Association recommended guidelines for Securing Supplies and Materials in the Oil Industry No. 091 Established: 5 Nov. 2003 Revision no.: 4 Rev. date: 20 June 2013 Page: 14

_______________________________________________________________________________________

2.9 Control of large equipment units and structures

Large units such as tanks and structural elements must be checked visually for foreign objects on arrival at the base. If possible, the equipment must be stored in a controlled area. The equipment must be checked visually for foreign objects on the quayside immediately before being loaded on board.

2.10 General measures

All personnel must be reminded at regular intervals to be on the alert for strangers, vehicles, suspicious packages, bags and the like, and other unusual activity. Security incidents in the base area must be reported without unnecessary delay to the base company and other tenants in the area. Similar arrangements must be established in joint security areas outside the bases. When an industrial safety organisation is established at a base, its personnel must practise physical demarcation of offshore-related activities in the base area, and relevant security duties.

Norwegian Oil and Gas Association recommended guidelines for Securing Supplies and Materials in the Oil Industry No. 091 Established: 5 Nov. 2003 Revision no.: 4 Rev. date: 20 June 2013 Page: 15

_______________________________________________________________________________________

Addendum 1 to Appendix 1 Security agreement

1. Parties to the agreement

As of todays date the agreement has been entered into between

______________________________________ (Supplier) and ______________________________________ (Principal)

2. Purpose of the agreement The purpose of the agreement is to establish measures which can facilitate an efficient flow of supplies and materials to the oil industry while simultaneously providing an assurance that only authorised goods are delivered, without deductions, changes or additions. The security agreement describes measures the Supplier must implement in order to obtain permission to use the Norwegian Oil and Gas Associations security seals to seal load carriers to be used in the oil and gas industry on the Norwegian continental shelf. On its own initiative, the Supplier can implement further security measures which it might at any given time consider necessary. Relevant requirements for baseline security measures described in appendix 1 to Norwegian Oil and Gas 091 must have been implemented before a security agreement can be entered into. 3. Personnel-related security measure The Supplier is responsible for ensuring that its own employees and contract personnel have a good character which qualifies them to work for the Client. The Supplier must be able to verify the identity of its personnel. Personnel must be familiar with and observe the requirements specified in this agreement. Before external recruitment takes place, candidates intended to work for the Client must present written documentation of their education and experience. References must be obtained in writing directly from former employees, educational institutions and other referees, and be checked pursuant to applicable legislation and statutory regulations and in accordance with the provisions specified by the Suppliers human resources manager.

Norwegian Oil and Gas Association recommended guidelines for Securing Supplies and Materials in the Oil Industry No. 091 Established: 5 Nov. 2003 Revision no.: 4 Rev. date: 20 June 2013 Page: 16

_______________________________________________________________________________________ Security conversations must be conducted with new employees and contract personnel before they start work. Own employees and contract personnel on long-term engagements must have a security conversation at least every other year. This should cover knowledge of routines and rules for security, reporting of security breaches and consequences of breaching security routines. The date and content of the security conversations must be documented. The Supplier must appoint a security manager who will have formal contact with the Client on security issues. While packing and sealing are under way, the Supplier must also have appointed at all times a person responsible for the security of the consignment. Efforts should be made to ensure that personnel with security responsibilities are seen as committed role models for security work. The Suppliers personnel must be subject to a duty of confidentiality in matters relating to their work, which persists after their employment ceases. This duty must be acknowledged by signing a written declaration of confidentiality. A duty of confidentiality must be a standard contract term in contractual relationships involving personnel hire. Access authorisation must be kept updated at all times. When somebody leaves/a contract is terminated, the Supplier must see to it that all authorisations and access permits are withdrawn and that loaned materials, computer software, handbooks, work descriptions, ID cards, keys and other property/documentation are returned to the Supplier.

4. Area security Area security must ensure that unauthorised persons cannot come into contact with the Clients goods or load carriers without this being discovered. Areas and premises used by the Supplier for packing and sealing closed load carriers must be clear and free of obstructions, well-lit and under supervision by the Suppliers responsible person for the security of the consignment. Load carriers which are temporarily or permanently sealed and which must stand without supervision while awaiting further packing or transport must be moved to a controlled area (appendix 1, Norwegian Oil and Gas 091). Should it be discovered that unauthorised persons have or could have been in contact with the Clients goods or load carriers, the Supplier must carry out a full manual check of exposed goods and load carriers in consultation with the Client. See appendix 3, Instructions from Norwegian Oil and Gas on Security Seals for a clarification of the requirements for sealing in the guidelines. 5. Access to controlled area Personnel permanently employed by the Supplier must carry an identity card with photograph issued by their own employer or the Supplier, and wear this in a clearly visible place at all times.

Norwegian Oil and Gas Association recommended guidelines for Securing Supplies and Materials in the Oil Industry No. 091 Established: 5 Nov. 2003 Revision no.: 4 Rev. date: 20 June 2013 Page: 17

_______________________________________________________________________________________ Visitors to controlled areas must be registered on individual registration forms or in a suitable computer system. Visitors must not be given access to the data of other visitors. Registered data must be held in a way which is inaccessible to unauthorised persons and for a minimum of three years. Unknown people must produce valid proof of identity before being given access to a controlled area. Valid proof of identity includes a driving licence, passport or national ID card. Personnel employed by a known enterprise can identify themselves with that enterprises own ID card with photograph. Visitors must be accompanied back to the reception/guardroom at the end of their visit. Family members are to be regarded as visitors.

6. Checking and sealing Supplies and materials must be checked visually before they are packed in/on load carriers and sealed. If a visual check is not possible, another suitable form of checking must be used. Load carriers must only be sealed by the Suppliers responsible person for the security of the consignment or by the Suppliers security manager. Supplies and materials from suppliers without a security agreement must be checked before they are packed in/on load carriers and sealed with the Norwegian Oil and Gas security seal. If continuous supervision is not possible while packing is under way, the Suppliers responsible person for the security of the consignment or the Suppliers security manager must personally lock/cover and seal the relevant load carrier with the Norwegian Oil and Gas security seal until packing can resume. Such temporary sealing can only be used for a brief period (hours). The requirements for sealing in the guidelines must be fulfilled, and the seal number must be logged.