Challenges for safety and security management of network companies due to increased use of ICT in the electric power supply sector

PhD thesis in Risk management and societal safetyThe generation, transmission, and distribution of energy are among the most vital prerequisites for the functioning of modern societies (Antonsen et al., 2010). Today, information and communication technology (ICT) is used to monitor, control, and operate power generation plants and power distributionon within electric power supply systems (Patel and Sanyal, 2008). Process control systems, e.g., supervisory control and data acquisition systems (SCADA systems) and other ICT systems used within electric power supply systems, are vulnerable to a multitude of physical, electromagnetic, and logical threats, both natural and man-made (Rodal, 2001). The recent trends are toward more general purpose software solutions; and toward use of the Internet for communication related to operations and management of remote processes and production systems. This increases efficiency and cooperation, saves time, and reduces costs. However, this also makes formerly isolated ICT systems vulnerable to a set of threats and risks they have not been exposed to before (Line and Tøndel, 2012). Since the early 1990s, the energy sectors of Western societies have been through a process of institutional restructuring, where large state-owned monopolies have been divided into several independent organizations (Antonsen et al., 2010). Emergent control technologies, making intensive use of ICT, have been useful for dealing with the new situation of enlargement, open access, progressive integration of electricity markets, and intensification of cross-border trade. However, the full application of these technologies has demanded a new approach to system design and operation, and their integration within existing control infrastructures and practices has been a challenge (The GRID Consortium, 2007). With this background as a point of departure, the thesis examines several important elements of safety and security management systems which have been emphasized in previous research (Rasmussen, 1997; Hagen, Albrechtsen, and Hovden, 2008; Renn, 2014; Aven et al., 2004), i.e., government risk regulation, the use of technical standards for safety and security, risk perception among managers and employees, management commitment to safety and security, and awareness creation and training with regard to safety and security. The aim of the study is to follow up on previous research on challenges for safety and security management and to explore, describe, and discuss challenges for safety and security management of network (distribution/grid) companies within the electric power sector that arise due to the increased use of ICT to monitor, control, and operate electric power production and distribution. Thus, the main aim of the thesis is to answer the following question: What challenges for safety and security management of network companies within the electric power sector have arisen in light of the increased use of ICT to monitor, control, and operate electric power production and distribution? Specific research questions have been derived from the main aim, and these research questions are addressed in the four articles included in the thesis. The context for the study is the Norwegian electric power supply sector, and the research questions are answered by presenting results from a survey sent to 137 network (distribution/grid) companies in Norway, supplemented by results from interviews, observation studies, and document studies. The thesis focuses on companies involved in transmission and distribution of electricity, and not generation (production). The generation system in the Norwegian electric power supply consists of many power stations distributed over the whole country. The structure is thus relatively robust, and the dependence on individual plants is small (Fridheim, Hagen, and Henriksen, 2001). However, a failure in the electricity networks and the transmission and distribution of electricity to critical infrastructures and important societal functions, as well as to individual households, would have a huge impact on societal safety (and security). This thesis concentrates on organizational safety and security (risk) management within electric power supply network companies. However, network companies run critical national infrastructure, and the safety and security management of these companies can thus affect societal safety and security. Safety and security management of network companies is also affected by national regulations, and there is no longer a clear distinction between national regulations and safety and security management of network companies. Ideas about internal control and risk management have been increasingly commingled, and risk management and regulation are no longer seen as broadly contrasting methods of assuring safety and security (Power, 2007). The results of the study show that finding the best balance between the use of detailed, prescriptive regulation versus functional regulation (self-regulation/internal control) as principles for controlling risk and ensuring safety and security is a challenge for the safety and security management of the network companies. Next, the thesis finds that technical standards for management of ICT safety and security pose a challenge for the network companies. These standards have both strengths and weaknesses, and both use and non-use of these standards can lead to challenges for the safety and security management of the network companies. The study also suggests that users (both managers and employees) of ICT systems (including SCADA systems) within the electric power supply network companies perceive the risk of attacks on or malfunctions in these systems as low, which can present a challenge for the safety and security management of the companies. Furthermore, the study finds a statistically significant correlation between management commitment to ICT safety and security and implementation of awareness creation and training measures in the companies; however, the use of awareness creation and training measures for ICT safety and security varies quite a bit among the network companies. The lack of awareness of a danger might lead to weak vigilance by users and a greater potential for abuse, which can be a challenge for safety and security management. The thesis also highlights that one main factor ‒complexity ‒ influences all the different challenges studied. The theoretical framework for the thesis (i.e., the sociotechnical perspective and institutional organizational theory) has helped to contextualize the studied phenomena, highlight aspects and elements that are important to consider in relation to safety and security (or risk) management, and show that many different factors can lead to challenges for safety and security management at every level of the sociotechnical system. The thesis illustrates why it is important to consider human, technological, and organizational factors, as well as the dynamic interaction between these factors. It is especially important to consider cultural-cognitive factors and be aware of how these elements affect safety and security management. Institutional organizational theory contributes to illustrate that there is no clear distinction between organizations and their environments and that many socially constructed and institutionalized aspects can influence organizations and create important challenges. Regulative (regulations), normative (technical standards), and cultural-cognitive (sensemaking, risk perception, commitment, and awareness) processes are connected in complex and changing mixtures, and these processes shape organizational structures and activities. The use of institutional organizational theory also sheds light on the important fact that many issues related to safety and security seem to be taken for granted

”AF og Akademikerne”

Temaet for min hovedoppgave er hovedsammenslutninger på arbeidstakersiden i Norge, med spesielt fokus på Akademikernes Fellesorganisasjon (AF) og Akademikerne. Organisasjonsmønsteret/-kartet på arbeidstakersiden i Norge var lenge relativt stabilt. Siden omtrent midten av 1970-tallet hadde vi tre hovedsammenslutninger (Landsorganisasjonen (LO), AF og Yrkesorganisasjonenes Sentralforbund (YS)) som omfattet de fleste av de organiserte arbeidstakerne. Men på slutten av 1990-tallet og i de første årene etter årtusenskiftet forekom det flere endringer i mønsteret av hovedsammenslutninger

Risk and Crisis Communication about Invisible Hazards

This article discusses differences between invisible and visible hazards, and how these differences can affect risk and crisis communication. Invisible hazards are risks that we cannot see, and often cannot touch, taste, nor smell. Examples are COVID-19, radon gas, mold spores, or asbestos fibers. Invisible hazards are often uncertain, complex, and ambiguous risk problems. Results from a Norwegian study show that authorities need to be aware of the possible differences in risk perception among authorities, stakeholders, and the general public. Involving citizens, creating trust, and being honest is important for all risk and crisis communication. However, the less we know about a hazard, the more we need to rely on others to make decisions, and consequently trust is particularly important when dealing with invisible hazards.publishedVersio

Risiko- og krisekommunikasjon om usynlige farer

Denne rapporten formidler funn fra prosjektet «Risiko- og krisekommunikasjon om usynlige farer i norske kommuner», gjennomført av en tverrfaglig prosjektgruppe ved NORCE fra august 2017 til mai 2020. Prosjektet ble gjennomført i samarbeid med fire norske kommuner; Fjell, Stavanger, Øygarden og Lindås, og Direktoratet for strålevern og atomsikkerhet (DSA). Prosjektet er finansiert av Regionale Forskningsfond Vestlandet (RFFVEST)

Exploring the complexity of hydrogen perception and acceptance among key stakeholders in Norway

This article explores the complexity of factors or mechanisms that can influence hydrogen stakeholder perception and acceptance in Norway. We systematically analyze 16 semi-structured in-depth interviews with industry stakeholders at local, municipal, regional, and national levels of interest and authority in Norway. Four empirical dimensions are identified that highlight the need for whole system approaches in hydrogen technology research: (1) several challenges, incentives, and synergy effects influence the hydrogen transition; (2) transport preferences are influenced by combined needs and limitations; (3) levels of knowledge and societal trust determinant to perceptions of risk and acceptance; and (4) national and international hydrogen stakeholders are crucial to building incentives and securing commitment among key actors. Our findings imply that project management, planners, engineers, and policymakers need to apply a whole system perspective and work across local, regional, and national levels before proceeding with large-scale development and implementation of the hydrogen supply chain.publishedVersio

Risiko- og krisekommunikasjon om usynlige farer

Denne rapporten formidler funn fra prosjektet «Risiko- og krisekommunikasjon om usynlige farer i norske kommuner», gjennomført av en tverrfaglig prosjektgruppe ved NORCE fra august 2017 til mai 2020. Prosjektet ble gjennomført i samarbeid med fire norske kommuner; Fjell, Stavanger, Øygarden og Lindås, og Direktoratet for strålevern og atomsikkerhet (DSA). Prosjektet er finansiert av Regionale Forskningsfond Vestlandet (RFFVEST).publishedVersio

Municipal risk communication challenges in the Nordic context : Organizing risk ownership

At a time when disasters, pandemics, pollution, and other crises gain prominence, local governments bear a crucial responsibility for effective risk communication. Yet, there remains a gap in our understanding of how municipalities approach risk communication before a crisis occurs. This qualitative study, involving seven focus groups and 29 semistructured interviews across two Nordic countries, raises questions about ownership of municipal risk communication: What challenges do municipalities face in managing ownership in risk communication? How does the organization of communication influence municipal risk communication? The results underscore three key considerations: First, there is a critical need for municipalities to engage in definitional clarification of risk and crisis communication. Establishing a shared understanding is paramount for effective communication strategies. Second, reframing uncertainty in municipal risk communication ownership as an opportunity is suggested. Embracing the inherent uncertainties and dependencies can offer a valuable perspective. Lastly, recognizing the underappreciation of risk communication emphasizes the imperative for municipal decision makers to address resource allocation issues. This involves ensuring that communication professionals have the confidence and resources needed, vis-à-vis other functions involved in risk management.The study was funded by the Regional Research Fund Western Norway, which is part of the Norwegian Research Council (grant number 27196) and the Swedish Civil Contingencies Agency (grant number 2020‐09584).DURCO

Division of Cyber Safety and Security Responsibilities Between Control System Owners and Suppliers

Part 2: CONTROL SYSTEMS SECURITYInternational audienceThe chapter discusses the important issue of responsibility for information and communications technology (ICT) – or cyber – safety and security for industrial control systems and the challenges involved in dividing the responsibility between industrial control system owners and suppliers in the Norwegian electric power supply industry. Industrial control system owners are increasingly adopting information and communications technologies to enhance business system connectivity and remote access. This integration offers new capabilities, but it reduces the isolation of industrial control systems from the outside world, creating greater security needs. The results of observation studies indicate that Norwegian power network companies and industrial control system suppliers have contributed to the creation of a culture that does not focus on information and communications systems safety and security. The increased use of standards and guidelines can help improve cooperation between industrial control system owners and suppliers. Norwegian industrial control system owners should also implement a culture change in their organizations and should attempt to influence the safety and security culture of their suppliers. Power network companies need to place information and communications systems safety and security on par with operational priorities and they need to become more vocal in demanding secure products from their suppliers