Exploring Cyber-Physical Systems’ Security Governance in the Oil and Gas Industry

The Fourth Industrial Revolution, which utilizes modern communication-dependent technologies, including cyber-physical systems (CPS), has made exploration and production operations more efficient in the oil and gas industry. CPS in this industry should be secured against operational threats to prevent interruption of critical oil and gas supplies and services. However, these systems are vulnerable to cyberattacks, and many oil and gas companies have not incorporated effective cybersecurity measures into their corporate management strategies. This qualitative, multiple-case study, which was guided by the routine activity theory, explored how cybersecurity governance was applied to develop controls that stopped or mitigated the consequences of cyberattacks against the CPS. Interview-based data were obtained through Zoom meetings with 20 global cybersecurity experts selected from cybersecurity-specialized groups on LinkedIn. These data were then triangulated with global CPS cybersecurity governance standards and methods. The data analysis resulted in nine themes, including CPS vulnerabilities and failure consequences, predominant cybersecurity governance, the efficiency of cybersecurity governance, governance challenges, offenders and motives, cybersecurity enhancement, CPS governance endorsement, cybersecurity performance assessment, and governance mandate. This study’s implications for positive social change include recommendations for applying cybersecurity governance strategies that reduce health and environmental incidents and prevent interruption of critical oil and gas deliveries due to cyberattacks. These results may also help improve the living conditions of the communities surrounding oil and gas fields and similar CPS-based industries worldwide

Software and Systems Engineers in ICS Security - Graduate Level Curricula and Industry Needs

publishedVersio

A harmonized information security taxonomy for cyber physical systems

Cyber physical systems (CPSs) are found in many aspects of daily life, and they control and protect energy production, manufacturing and even healthcare. Due to long lifecycles and the use of legacy technologies, its associated security comes with many challenges. Security taxonomies are useful to classify and communicate security-related information and elements. Despite the existence of numerous taxonomies, they are fragmentary, limited to only specific lifecycle phases or cover only specific aspects. A harmonized taxonomy must be applicable to all lifecycle phases of the CPS. This paper presents well-established taxonomies that are combined into a single comprehensive and harmonized taxonomy and allows application throughout the different lifecycle phases. Application of the taxonomy to real-world scenarios requires a consistent implementation methodology. The use of the harmonized taxonomy methodology is demonstrated by applying it to an actual incident case study. The taxonomy is used to identify information security gaps through its implementation in the industrial facility in question. The identified gaps are then addressed as part of the security lifecycle of the CPS. The harmonized taxonomy can be expanded to apply it to industries with specific requirements.https://www.mdpi.com/journal/applsciam2023Computer Scienc

An integrated risk analysis framework for safety and cybersecurity of industrial SCADA system

The industrial control system (ICS) refers to a collection of various types of control systems commonly found in industrial sectors and critical infrastructures such as energy, oil and gas, transportation, and manufacturing. The supervisory control and data acquisition (SCADA) system is a type of ICS that controls and monitors operations and industrial processes scattered across a large geographic area. SCADA systems are relying on information and communication technology to improve the efficiency of operations. This integration means that SCADA systems are targeted by the same threats and vulnerabilities that affect ICT assets. This means that the cybersecurity problem in SCADA system is exacerbated by the IT heritage issue. If the control system is compromised due to this connection, serious consequences may follow. This leads to the necessity to have an integrated framework that covers both safety and security risk analysis in this context. This thesis proposes an integrated risk analysis framework that comprise of four stages, and that build on the advances of risk science and industry standards, to improve understanding of SCADA system complexity, and manage risks considering process safety and cybersecurity in a holistic approach. The suggested framework is committed to improving safety and security risk analysis by examining the expected consequences through integrated risk identifications and identifying adequate safeguards and countermeasures to defend cyber-attack scenarios. A simplified SCADA system and an undesirable scenario of overpressure in the pipeline are presented in which the relevant stages of the framework are applied

Preliminaries of orthogonal layered defence using functional and assurance controls in industrial control systems

Industrial Control Systems (ICSs) are responsible for the automation of different processes and the overall control of systems that include highly sensitive potential targets such as nuclear facilities, energy-distribution, water-supply, and mass-transit systems. Given the increased complexity and rapid evolvement of their threat landscape, and the fact that these systems form part of the Critical National infrastructure (CNI), makes them an emerging domain of conflict, terrorist attacks, and a playground for cyberexploitation. Existing layered-defence approaches are increasingly criticised for their inability to adequately protect against resourceful and persistent adversaries. It is therefore essential that emerging techniques, such as orthogonality, be combined with existing security strategies to leverage defence advantages against adaptive and often asymmetrical attack vectors. The concept of orthogonality is relatively new and unexplored in an ICS environment and consists of having assurance control as well as functional control at each layer. Our work seeks to partially articulate a framework where multiple functional and assurance controls are introduced at each layer of ICS architectural design to further enhance security while maintaining critical real-time transfer of command and control traffic

Security Issues with Network Connected SCADA Systems

The use of Supervisory Control and Data Acquisition (SCADA) systems has become common place and are being used in several different industries. These have evolved as the technology has progressed. The use of Internet of Things (IOT) devices makes for less human intervention to run daily operations in these industries. This can also allow hackers to gain access to these devices due to security holes that are overlooked. There have several different ways that have been exploited on SCADA networks and the goal is to recognize and secure them so hackers cannot gain access to them

What makes an industrial control system security testbed credible and acceptable? Towards a design consideration framework

The convergence of Industrial Control System (ICS) with Information Technologies (IT) coupled with the resulting and widely publicized cyber security incidents have made ICS security and resilience issues of critical concern to operators and governments. The inability to apply traditional IT security practice to ICSs further complicates the challenges of effectively securing critical industrial systems. To investigate these challenges without impacting upon live system operations, testbeds are being widely used as viable options to explore, develop and assess security risks and controls. However, how an ICS testbed is designed, and its attributes, can directly impact not only on its viability but also its credibility and acceptance for use as a whole. Through a systematic review and analysis of ICS security testbed design factors, a novel outline conceptual mapping of design factors for building credibility and acceptance is proposed. These design considerations include: design objectives, implementation approach, architectural component coverage, core operational characteristics, and evaluation approach

Human factor security: evaluating the cybersecurity capacity of the industrial workforce

Purpose: As cyber-attacks continue to grow, organisations adopting the internet-of-things (IoT) have continued to react to security concerns that threaten their businesses within the current highly competitive environment. Many recorded industrial cyber-attacks have successfully beaten technical security solutions by exploiting human-factor vulnerabilities related to security knowledge and skills and manipulating human elements into inadvertently conveying access to critical industrial assets. Knowledge and skill capabilities contribute to human analytical proficiencies for enhanced cybersecurity readiness. Thus, a human-factored security endeavour is required to investigate the capabilities of the human constituents (workforce) to appropriately recognise and respond to cyber intrusion events within the industrial control system (ICS) environment. / Design/methodology/approach: A quantitative approach (statistical analysis) is adopted to provide an approach to quantify the potential cybersecurity capability aptitudes of industrial human actors, identify the least security-capable workforce in the operational domain with the greatest susceptibility likelihood to cyber-attacks (i.e. weakest link) and guide the enhancement of security assurance. To support these objectives, a Human-factored Cyber Security Capability Evaluation approach is presented using conceptual analysis techniques. / Findings: Using a test scenario, the approach demonstrates the capacity to proffer an efficient evaluation of workforce security knowledge and skills capabilities and the identification of weakest link in the workforce. / Practical implications: The approach can enable organisations to gain better workforce security perspectives like security-consciousness, alertness and response aptitudes, thus guiding organisations into adopting strategic means of appropriating security remediation outlines, scopes and resources without undue wastes or redundancies. / Originality/value: This paper demonstrates originality by providing a framework and computational approach for characterising and quantify human-factor security capabilities based on security knowledge and security skills. It also supports the identification of potential security weakest links amongst an evaluated industrial workforce (human agents), some key security susceptibility areas and relevant control interventions. The model and validation results demonstrate the application of action research. This paper demonstrates originality by illustrating how action research can be applied within socio-technical dimensions to solve recurrent and dynamic problems related to industrial environment cyber security improvement. It provides value by demonstrating how theoretical security knowledge (awareness) and practical security skills can help resolve cyber security response and control uncertainties within industrial organisations