Sammendrag
The petroleum industry is becoming more and more digitalized, which
leads to a convergence between IT and OT systems. This results in
an expanded threat picture for OT systems as it now also includes
cyber security threats. Traditionally, OT systems have focused on safety
by securing physical assets and preventing accidents. Because of the
convergence, it is necessary to also consider security, by securing data
and information.
A barrier is a measure to prevent or reduce the consequence of unwanted
events. Barriers are used in safety management for OT systems, but it is
less common to use the barrier concept for cyber security. This thesis
investigates if the barrier concept can be applied to cyber security. As
technical measures alone are not enough to handle cyber attacks, we have
considered non-technical barriers in our thesis.
We have used design science as our research design, which includes an
analysis phase, an innovation phase and an evaluation phase. To gather
information, we performed a literature review and completed several
inteviews with representatives from the industry. In the innovation
phase we started with a ransomware attack against an OT system in
the petroleum industry. We identified non-technical barriers that could
prevent or reduce the consequence of the attack. One part of the thesis
included investigating what requirements from ISA/IEC 62443-2-1 that
should be covered by the non-technical barriers. Then, we generalized
the method we used to identify the barriers so that the method could be
used for other attack scenarios. The result became MICS, a method for
identifying non-technical cyber security barriers.
MICS is intended to be used for analyzing new attack scenarios before or
after they have happened. The method involves that the scenario shall
be detailed according to the MITRE framework to get an overview over
the different steps an attacker performs during an attack. By including
requirements from ISA/IEC 62443-2-1 in MICS, it will contribute to make
it easier for the industry to apply the standard.
With MICS we have identified non-technical barriers for cyber security,
and this shows that the barrier concept can be used on cyber security
measures.
leads to a convergence between IT and OT systems. This results in
an expanded threat picture for OT systems as it now also includes
cyber security threats. Traditionally, OT systems have focused on safety
by securing physical assets and preventing accidents. Because of the
convergence, it is necessary to also consider security, by securing data
and information.
A barrier is a measure to prevent or reduce the consequence of unwanted
events. Barriers are used in safety management for OT systems, but it is
less common to use the barrier concept for cyber security. This thesis
investigates if the barrier concept can be applied to cyber security. As
technical measures alone are not enough to handle cyber attacks, we have
considered non-technical barriers in our thesis.
We have used design science as our research design, which includes an
analysis phase, an innovation phase and an evaluation phase. To gather
information, we performed a literature review and completed several
inteviews with representatives from the industry. In the innovation
phase we started with a ransomware attack against an OT system in
the petroleum industry. We identified non-technical barriers that could
prevent or reduce the consequence of the attack. One part of the thesis
included investigating what requirements from ISA/IEC 62443-2-1 that
should be covered by the non-technical barriers. Then, we generalized
the method we used to identify the barriers so that the method could be
used for other attack scenarios. The result became MICS, a method for
identifying non-technical cyber security barriers.
MICS is intended to be used for analyzing new attack scenarios before or
after they have happened. The method involves that the scenario shall
be detailed according to the MITRE framework to get an overview over
the different steps an attacker performs during an attack. By including
requirements from ISA/IEC 62443-2-1 in MICS, it will contribute to make
it easier for the industry to apply the standard.
With MICS we have identified non-technical barriers for cyber security,
and this shows that the barrier concept can be used on cyber security
measures.