UNDERSTANDING INFORMATION SECURITY INCIDENT MANAGEMENT PRACTICES:A case study in the electric power industry

Abstract

With the implementation of smarter electric power distribution grids follows new technologies, which lead to increased connectivity and complexity. Traditional IT components – hardware, firmware, software – replace proprietary solutions for industrial control systems. These technological changes introduce threats and vulnerabilities that make the systems more susceptible to both accidental and deliberate information security incidents. As industrial control systems are used for controlling crucial parts of the society’s critical infrastructure, incidents may have catastrophic consequences for our physical environment in addition to major costs for the organizations that are hit. Recent attacks and threat reports show that industrial control organizations are attractive targets for attacks. Emerging threats create the need for a well-established capacity for responding to unwanted incidents. Such a capacity is influenced by both organizational, human, and technological factors. The main objective of this doctoral project has been to explore information security incident management practices in electric power companies and understand challenges for improvements. Both literature studies and empirical studies have been conducted, with the participation of ten Distribution System Operators (DSOs) in the electric power industry in Norway. Our findings show that detection mechanisms currently in use are not sufficient in light of current threats. As long as no major incidents are experienced, the perceived risk will most likely not increase significantly, and following, the detection mechanisms might not be improved. The risk perception is further affected by the size of the organization and whether IT operations are outsourced. Outsourcing of IT services limits the efforts put into planning and preparatory activities due to a strong confidence in suppliers. Finally, small organizations have a lower risk perception than large ones. They do not perceive themselves as being attractive targets for attacks, and they are able to operate the power grid without the control systems being available. These findings concern risk perception, organizational structure, and resources, which are factors that affect current practices for incident management. Furthermore, different types of personnel, such as business managers and technical personnel, have different perspectives and priorities when it comes to information security. Besides, there is a gap in how IT staff and control system staff understand information security. Cross-functional teams need to be created in order to ensure a holistic view during the incident response process. Training for responding to information security incidents is currently given low priority. Evaluations after training sessions and minor incidents are not performed. Learning to learn would make the organizations able to take advantage of training sessions and evaluations and thereby improve their incident response practices. The main contributions of this thesis are knowledge on factors that affect current information security incident management practices and challenges for improvement, and application of organizational theory on information security incident management. Finally, this thesis contributes to an increased body of empirical knowledge of information security in industrial control organizations.