An integrated risk analysis framework for safety and cybersecurity of industrial SCADA system

The industrial control system (ICS) refers to a collection of various types of control systems commonly found in industrial sectors and critical infrastructures such as energy, oil and gas, transportation, and manufacturing. The supervisory control and data acquisition (SCADA) system is a type of ICS that controls and monitors operations and industrial processes scattered across a large geographic area. SCADA systems are relying on information and communication technology to improve the efficiency of operations. This integration means that SCADA systems are targeted by the same threats and vulnerabilities that affect ICT assets. This means that the cybersecurity problem in SCADA system is exacerbated by the IT heritage issue. If the control system is compromised due to this connection, serious consequences may follow. This leads to the necessity to have an integrated framework that covers both safety and security risk analysis in this context. This thesis proposes an integrated risk analysis framework that comprise of four stages, and that build on the advances of risk science and industry standards, to improve understanding of SCADA system complexity, and manage risks considering process safety and cybersecurity in a holistic approach. The suggested framework is committed to improving safety and security risk analysis by examining the expected consequences through integrated risk identifications and identifying adequate safeguards and countermeasures to defend cyber-attack scenarios. A simplified SCADA system and an undesirable scenario of overpressure in the pipeline are presented in which the relevant stages of the framework are applied

A comparative analysis of security risk management in Norwegian oil and gas and renewable energy companies.

With the recognised urgent need to combat climate change globally, the renewables industry has witnessed significant growth to meet ambitious net zero targets. This thesis aims to emphasize the importance of improving security risk governance to adapt to the evolving energy sector. The increasing adoption of renewable solutions and the expansion of renewable production presents a landscape characterized by uncertain and complex market dynamics. Additionally, these developments contribute to a more adverse threat environment driven by innovation in research and development (R&D), technology, and digitalization. Considering these advancements, criminal actors now have greater opportunity, motive, and increased capabilities, regardless of whether the company is focused on oil and gas, or renewable production. While damages to a renewables asset result in lower costs and less detrimental environmental impacts when compared to an offshore oil and gas asset, they can still have adverse implications on company values. Impacts to critical renewable assets have the potential to increase reliance on traditional fossil fuels, negatively impact local communities, and detrimentally impact company margins. Furthermore, due to market volatility and energy politics, nations aim to safeguard energy supply and reduce dependence on external sources. This is particularly relevant when considering the sanctions imposed on Russian oil and gas following the 2022 invasion of Ukraine. As a result, energy independence and energy security have become increasingly more critical. This thesis has identified with certainty that there is a significant lack of maturity within security risk governance in renewables companies. Therefore, by comparing how both the oil and gas, and renewables sector acknowledge security and therein approach security risk management, a platform is created to offer fit-for-purpose recommendations to the renewables sector. Furthermore, this thesis acknowledges the lower margin nature of renewable production and ultimately emphasises fostering a sustainable and dynamic security culture that allows industry to strategically expand into higher security threat environments. Key words: Renewable production, Security risk, Risk Governance, Security Risk Assessments, risk tolerabilit

Command and Control in the Information Age: A Case Study of a Representative Air Power Command and Control Node

As operations command structures change, it is important to be able to explore and understand their fundamental nature; researchers should unearth the gestalt nature of the operational node. The organizational structure and the infrastructure can significantly affect overall command and control (C2) performance. Thus, it is necessary to develop understanding of effectiveness of the technical network and the people using the system as a whole. The purpose of this research is to conduct an analysis of a representative Air Power Operational C2 node, create and use a repeatable method, and present the results as a case study to elicit fundamental understanding. I posit that there is a recognizable (and discoverable) relationship between the social (human) network and technical supporting network. Examining the system under change can result in an understanding of this relationship. In this work, I enhanced an existing simulation tool to investigate the effects of organizational structure on task effectiveness. The primary research question examined is how a representative AOC system changes varying noise and system fragmentation when operating in two different organizational constructs. Network-Enabled Capability (as the term is used in NATO), Network Centric Operations, or Edge Organizations, is a core C2 transformation predicated upon a set of network-centric tenets. These tenets form the intellectual foundation for ongoing transformations. The secondary research question is to determine if these tenets are unbound, and what elucidation results if they are not. This research produces four significant contributions to Operational Command and Control and Engineering Management disciplines. First, I combined social networking theory and information theory into a single lens for evaluation. By using this new concept, I will be able to accomplish a quantitative evaluation by something other than mission treads, field exercise, historical evaluation, or actual combat. Second, I used both information theory and social networking concepts in a non-traditional setting. Third, I hope this research will start the process required to gain the knowledge to achieve some sort of future C2 structure. Fourth, this research suggests directions for future research to enhance understanding of core Operational Command and Control concepts

Risk identification and assessment of human-machine conflict

The process industries are fully embracing digitalization and artificial intelligence (AI). Industry 4.0 has also transformed the production structures in the process industries to increase productivity and profitability; however, this has also led to emerging risks. The rapid growth and transformation have created gaps and challenges in various aspects, for example, information technology (IT) vs. operation technology (OT), human vs. AI, and traditional statistical analysis vs. machine learning. A notable issue is the apparent differences in decision-making between humans and machines, primarily when they work together. Contradictory observations, states, goals, and actions may lead to conflict between these two decision-makers. Such conflicts have triggered numerous catastrophes in recent years. Moreover, conflicts may become even more elusive and confusing under external forces, e.g., cyberattacks. Therefore, this thesis focuses on human-machine conflict. Five research tasks are conducted to explore the risk of human-machine conflict. More specifically, the thesis presents a systematic literature review on the impact of digitalization on process safety, highlights the myths and misconceptions of data modeling on process safety analysis, and attempts to clarify associated concepts in the area of human-machine conflict. In addition, the thesis summarizes the causes of conflicts and generalizes the mathematical expressions of the causes. It illustrates the evolutional process of conflicts, proposes the measurement of conflicts, develops the risk assessment model of conflicts, and explores the condition of conflict convergence, divergence, and resolution. The thesis also iii demonstrates the proposed methodology and risk models in process systems, for example, the two-phase separator and the Continuous Stirred Tank Reactor (CSTR). It verifies the conflict between manual and automated control (e.g., proportional-integral-derivative control (PID) and model predictive control (MPC)). This thesis proves that conflict is another more profound and implicit phenomenon that raises risks more rapidly and severely. Conflicts are highly associated with faults and failures. Various factors can trigger human-machine conflict, including sensor faults, cyberattacks, human errors, and sabotage. This thesis attempts to provide the readers with a clear picture of the human-machine conflict, alerts the industry and academia about the risk of human-machine conflict, and emphasizes human-centered design

A Design Thinking Framework for Human-Centric Explainable Artificial Intelligence in Time-Critical Systems

Artificial Intelligence (AI) has seen a surge in popularity as increased computing power has made it more viable and useful. The increasing complexity of AI, however, leads to can lead to difficulty in understanding or interpreting the results of AI procedures, which can then lead to incorrect predictions, classifications, or analysis of outcomes. The result of these problems can be over-reliance on AI, under-reliance on AI, or simply confusion as to what the results mean. Additionally, the complexity of AI models can obscure the algorithmic, data and design biases to which all models are subject, which may exacerbate negative outcomes, particularly with respect to minority populations. Explainable AI (XAI) aims to mitigate these problems by providing information on the intent, performance, and reasoning process of the AI. Where time or cognitive resources are limited, the burden of additional information can negatively impact performance. Ensuring XAI information is intuitive and relevant allows the user to quickly calibrate their trust in the AI, in turn improving trust in suggested task alternatives, reducing workload and improving task performance. This study details a structured approach to the development of XAI in time-critical systems based on a design thinking framework that preserves the agile, fast-iterative approach characteristic of design thinking and augments it with practical tools and guides. The framework establishes a focus on shared situational perspective, and the deep understanding of both users and the AI in the empathy phase, provides a model with seven XAI levels and corresponding solution themes, and defines objective, physiological metrics for concurrent assessment of trust and workload

Demonstration of visualization techniques for the control room engineer in 2030.:ELECTRA Deliverable D8.1. WP8: Future Control Room Functionality

Deliverable 8.1 reports results on analytics and visualizations of real time flexibility in support of voltage and frequency control in 2030+ power system. The investigation is carried out by means of relevant control room scenarios in order to derive the appropriate analytics needed for each specific network event