UNDERSTANDING INFORMATION SECURITY INCIDENT MANAGEMENT PRACTICES:A case study in the electric power industry

摘要

With the implementation of smarter electric power distribution grids followsudnew technologies, which lead to increased connectivity and complexity.udTraditional IT components – hardware, firmware, software – replace proprietaryudsolutions for industrial control systems. These technological changesudintroduce threats and vulnerabilities that make the systems more susceptibleudto both accidental and deliberate information security incidents. As industrialudcontrol systems are used for controlling crucial parts of the society’s criticaludinfrastructure, incidents may have catastrophic consequences for our physicaludenvironment in addition to major costs for the organizations that are hit.udRecent attacks and threat reports show that industrial control organizationsudare attractive targets for attacks.udEmerging threats create the need for a well-established capacity for respondingudto unwanted incidents. Such a capacity is influenced by both organizational,udhuman, and technological factors. The main objective of this doctoral projectudhas been to explore information security incident management practices inudelectric power companies and understand challenges for improvements. Bothudliterature studies and empirical studies have been conducted, with the participationudof ten Distribution System Operators (DSOs) in the electric powerudindustry in Norway.udOur findings show that detection mechanisms currently in use are not sufficientudin light of current threats. As long as no major incidents are experienced,udthe perceived risk will most likely not increase significantly, and following,udthe detection mechanisms might not be improved. The risk perception isudfurther affected by the size of the organization and whether IT operations areudoutsourced. Outsourcing of IT services limits the efforts put into planningudand preparatory activities due to a strong confidence in suppliers. Finally,udsmall organizations have a lower risk perception than large ones. They do notudperceive themselves as being attractive targets for attacks, and they are ableudto operate the power grid without the control systems being available. Theseudfindings concern risk perception, organizational structure, and resources, whichudare factors that affect current practices for incident management.udFurthermore, different types of personnel, such as business managers andudtechnical personnel, have different perspectives and priorities when it comesudto information security. Besides, there is a gap in how IT staff and control system staff understand information security. Cross-functional teams needudto be created in order to ensure a holistic view during the incident responseudprocess. Training for responding to information security incidents is currentlyudgiven low priority. Evaluations after training sessions and minor incidentsudare not performed. Learning to learn would make the organizations able toudtake advantage of training sessions and evaluations and thereby improve theirudincident response practices.udThe main contributions of this thesis are knowledge on factors that affectudcurrent information security incident management practices and challenges forudimprovement, and application of organizational theory on information securityudincident management. Finally, this thesis contributes to an increased body ofudempirical knowledge of information security in industrial control organizations.