Maria B. Line

A Framework for Incident Response Management in the Petroleum Industry

Abstract Incident response is the process of responding to and handling security-related incidents involving information and communications technology (ICT) infrastructure and data. Incident response has traditionally been reactive in nature, focusing mainly on technical issues. This paper presents the Incident Response Management (IRMA) method, which combines traditional incident response with proactive learning and socio-technical perspectives. The IRMA method is targeted at integrated operations within the petroleum industry, but it is also applicable to other industries that rely on process control systems.

Information security incident management: Current practice as reported in the literature

This paper reports results of a systematic literature review on current practice and experiences with incident management, covering a wide variety of organisations. Identified practices are summarised according to the incident management phases of ISO/IEC 27035. The study shows that current practice and experience seem to be in line with the standard. We identify some inspirational examples that will be useful for organisations looking to improve their practices, and highlight which recommended practices generally are challenging to follow. We provide suggestions for addressing the challenges, and present identified research needs within information security incident management.

Cyber security challenges in Smart Grids

The introduction of telecommunication in the energy grid, leading the way towards Smart Grids, challenges the way safe operations have traditionally been assured in the energy sector. New cyber security challenges emerge, especially related to privacy, connectivity and security management, and these need to be properly addressed. Existing cyber security technology and good practice mainly come from the traditional telecommunication environment where the requirements on safety and availability are less strict. For Smart Grids, lessons can be learned from the oil and gas industry on how they have dealt with security challenges in their implementation of integrated operations. Still, Smart Grids face a slightly different reality, due to their extensive geographical distribution and the enormous number of end-users. The contribution of this paper is a survey of cyber security challenges for Smart Grids, together with a roadmap of how these challenges must be addressed in the near future.

Targeted Attacks against Industrial Control Systems: Is the Power Industry Prepared?

Targeted cyber attacks are on the rise, and the power industry is an attractive target. Espionage and causing physical damage are likely goals of these targeted attacks. In the case of the power industry, the worst possible consequences are severe: large areas, including critical societal infrastructures, can suffer from power outages. In this paper, we try to measure the preparedness of the power industry against targeted attacks. To this end, we have studied well-known targeted attacks and created a taxonomy for them. Furthermore, we conduct a study, in which we interview six power distribution system operators (DSOs), to assess the level of cyber situation awareness among DSOs and to evaluate the efficiency and effectiveness of their currently deployed systems and practices for detecting and responding to targeted attacks. Our findings indicate that the power industry is very well prepared for traditional threats, such as physical attacks. However, cyber attacks, and especially sophisticated targeted attacks, where social engineering is one of the strategies used, have not been addressed appropriately so far. Finally, by understanding previous attacks and learning from them, we try to provide the industry with guidelines for improving their situation awareness and defense (both detection and response) capabilities.

Information Security Incident Management: Identified Practice in Large Organizations

This paper presents a case study on current practice of information security incident management in three large organizations. Qualitative interviews, document studies, and a survey have been performed. Our analysis shows that the organizations have plans and procedures in place, however, not all of these are well established throughout the organizations. Some challenges were prominent in all three organizations, which were related to communication, information collection and dissemination, employee involvement, and allocation of responsibilities. This paper presents our main findings from the study, including current practice for incident management and more details on the identified challenges, and some recommendations for further studies in this field.

A Case Study: Preparing for the Smart Grids - Identifying Current Practice for Information Security Incident Management in the Power Industry

The power industry faces the implementation of smart grids, which will introduce new information security threats to the power automation systems. The ability to appropriately prepare for, and respond to, information security incidents, is of utmost importance, as it is impossible to prevent all possible incidents from occurring. Current trends even show that the power industry is an attractive target for hackers. A main challenge for the power industry to overcome is the differences regarding culture and traditions, knowledge and communication, between ICT staff and power automation staff. This paper presents the background, research method and preliminary results from a case study identifying current practice on information security incident management in the power industry.

Information Security Incident Management: Planning for Failure

This paper reports on an interview study on information security incident management that has been conducted in organizations operating industrial control systems that are highly dependent on conventional IT systems. Six distribution service operators from the power industry have participated in the study. We have investigated current practice regarding planning and preparation activities for incident management, and identified similarities and differences between the two traditions of conventional IT systems and industrial control systems. The findings show that there are differences between the IT and ICS disciplines in how they perceive an information security incident and how they plan and prepare for responding to such. The completeness of documented plans and procedures for incident management varies. Where documentation exists, this is in general not well-established throughout the organization. Training exercises with specific focus on information security are rarely performed. There is a need to create amore unified approach to information security incident management in order for the power industry to be sufficiently prepared to meet the challenges posed by Smart Grids in the near future.

Penetration Testing of OPC as Part of Process Control Systems

We have performed penetration testing on OPC, which is a central component in process control systems on oil installations. We have shown how a malicious user with different privileges --- outside the network, access to the signalling path and physical access to the OPC server --- can fairly easily compromise the integrity, availability and confidentiality of the system. Our tentative tests demonstrate that full-scale penetration testing of process control systems in offshore installations is necessary in order to sensitise the oil and gas industry to the evolving threats.

Understanding Collaborative Challenges in IT Security Preparedness Exercises

IT security preparedness exercises allow for practical collaborative training, which in turn leads to improved response capabilities to information security incidents for an organization. However, such exercises are not commonly performed in the electric power industry. We have observed a tabletop exercise as performed by three organizations with the aim of understanding challenges of performing such exercises. We argue that challenges met during exercises could affect the response process during a real incident as well, and by improving the exercises the response capabilities would be strengthened accordingly. We found that the response team must be carefully selected to include the right competences and all parties that would be involved in a real incident response process, such as technical, managerial, and business responsible. Further, the main goal of the exercise needs to be well understood among the whole team and the facilitator needs to ensure a certain time pressure to increase the value of the exercise, and both the exercise and existing procedures need to be reviewed. Finally, there are many ways to conduct preparedness exercises. Therefore, organizations need to both optimize current exercise practices and experiment with new ones.

A Structured Approach to Incident Response Management in the Oil and Gas Industry

Incident Response is the process of responding to and handling ICT security related incidents involving infrastructure and data. This has traditionally been a reactive approach, focusing mainly on technical issues. In this paper we present the Incident Response Management (IRMA) method, which combines traditional incident response with pro-active learning and socio-technical perspectives. The IRMA method is targeted at integrated operations within the oil and gas industry.