Abstract
The chapter discusses the important issue of responsibility for information and communications technology (ICT) – or cyber – safety and security for industrial control systems and the challenges involved in dividing the responsibility between industrial control system owners and suppliers in the Norwegian electric power supply industry. Industrial control system owners are increasingly adopting information and communications technologies to enhance business system connectivity and remote access. This integration offers new capabilities, but it reduces the isolation of industrial control systems from the outside world, creating greater security needs. The results of observation studies indicate that Norwegian power network companies and industrial control system suppliers have contributed to the creation of a culture that does not focus on information and communications systems safety and security. The increased use of standards and guidelines can help improve cooperation between industrial control system owners and suppliers. Norwegian industrial control system owners should also implement a culture change in their organizations and should attempt to influence the safety and security culture of their suppliers. Power network companies need to place information and communications systems safety and security on par with operational priorities and they need to become more vocal in demanding secure products from their suppliers.
Copyright information
© 2016 IFIP International Federation for Information Processing
About this paper
Cite this paper
Skotnes, R. (2016). Division of Cyber Safety and Security Responsibilities Between Control System Owners and Suppliers. In: Rice, M., Shenoi, S. (eds) Critical Infrastructure Protection X. ICCIP 2016. IFIP Advances in Information and Communication Technology, vol 485. Springer, Cham. https://doi.org/10.1007/978-3-319-48737-3_8
DOI: https://doi.org/10.1007/978-3-319-48737-3_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-48736-6
Online ISBN: 978-3-319-48737-3
eBook Packages: Computer Science, Computer Science (R0)