
UNDERSTANDING INFORMATION SECURITY INCIDENT MANAGEMENT PRACTICES: A case study in the electric power industry

Line, Maria Bartnes
Doctoral thesis
Open
Fulltext not available (Locked)
Fulltext (PDF) available (4.008Mb)
Permanent link
http://hdl.handle.net/11250/2359707
Date of publication
2015
Collections
  • Institutt for informasjonssikkerhet og kommunikasjonsteknologi [2003]
Abstract
With the implementation of smarter electric power distribution grids follow new technologies, which lead to increased connectivity and complexity. Traditional IT components – hardware, firmware, software – replace proprietary solutions for industrial control systems. These technological changes introduce threats and vulnerabilities that make the systems more susceptible to both accidental and deliberate information security incidents. As industrial control systems are used for controlling crucial parts of the society’s critical infrastructure, incidents may have catastrophic consequences for our physical environment in addition to major costs for the organizations that are hit. Recent attacks and threat reports show that industrial control organizations are attractive targets for attacks.

Emerging threats create the need for a well-established capacity for responding to unwanted incidents. Such a capacity is influenced by both organizational, human, and technological factors. The main objective of this doctoral project has been to explore information security incident management practices in electric power companies and understand challenges for improvements. Both literature studies and empirical studies have been conducted, with the participation of ten Distribution System Operators (DSOs) in the electric power industry in Norway.

Our findings show that detection mechanisms currently in use are not sufficient in light of current threats. As long as no major incidents are experienced, the perceived risk will most likely not increase significantly, and following, the detection mechanisms might not be improved. The risk perception is further affected by the size of the organization and whether IT operations are outsourced. Outsourcing of IT services limits the efforts put into planning and preparatory activities due to a strong confidence in suppliers. Finally, small organizations have a lower risk perception than large ones. They do not perceive themselves as being attractive targets for attacks, and they are able to operate the power grid without the control systems being available. These findings concern risk perception, organizational structure, and resources, which are factors that affect current practices for incident management.

Furthermore, different types of personnel, such as business managers and technical personnel, have different perspectives and priorities when it comes to information security. Besides, there is a gap in how IT staff and control system staff understand information security. Cross-functional teams need to be created in order to ensure a holistic view during the incident response process. Training for responding to information security incidents is currently given low priority. Evaluations after training sessions and minor incidents are not performed. Learning to learn would make the organizations able to take advantage of training sessions and evaluations and thereby improve their incident response practices.

The main contributions of this thesis are knowledge on factors that affect current information security incident management practices and challenges for improvement, and application of organizational theory on information security incident management. Finally, this thesis contributes to an increased body of empirical knowledge of information security in industrial control organizations.
Consists of
Paper 1: Line, Maria Bartnes; Tøndel, Inger Anne; Jaatun, Martin Gilje. Cyber Security Challenges in Smart Grids. IEEE PES Innovative Smart Grid Technologies 2011. Is not included due to copyright; available at http://dx.doi.org/10.1109/ISGTEurope.2011.6162695

Paper 2: Line, Maria Bartnes. Why securing smart grids is not just a straightforward consultancy exercise. Security and Communication Networks 2014; Volume 7(1), pp. 160-174. http://dx.doi.org/10.1002/sec.703 Copyright © 2013 John Wiley & Sons, Ltd. Reprinted with permission from John Wiley and Sons.

Paper 3: Tøndel, Inger Anne; Line, Maria Bartnes; Jaatun, Martin Gilje. Information security incident management: Current practice as reported in the literature. Computers & security (Print) 2014; Volume 45, pp. 42-57. http://dx.doi.org/10.1016/j.cose.2014.05.003 This article is reprinted with kind permission from Elsevier, sciencedirect.com

Paper 4: Maria B. Line and Eirik Albrechtsen. Examining the suitability of industrial safety management approaches for information security incident management. The final published version is available in International Journal of Information and Computer Security. 2016; Volume 24(1). http://dx.doi.org/10.1108/ICS-01-2015-0003

Paper 5: Line, Maria Bartnes. A Study of Resilience within Information Security in the Power Industry. In: Proceedings from IEEE Africon 2013. Is not included due to copyright; available at http://dx.doi.org/10.1109/AFRCON.2013.6757799

Paper 6: Line, Maria Bartnes; Tøndel, Inger Anne; Jaatun, Martin Gilje. Information security incident management: Planning for failure. In: 8th International Conference on IT Security Incident Management and IT Forensics (IMF 2014), May 12-14, 2014, Münster, Germany. IEEE Computer Society 2014, ISBN 978-1-4799-4330-2, pp. 47-61. Is not included due to copyright; available at http://dx.doi.org/10.1109/IMF.2014.10

Paper 7: Maria B. Line, Inger Anne Tøndel, and Martin G. Jaatun. Does size matter? Information security incident management in large and small industrial control organizations. http://dx.doi.org/10.1016/j.ijcip.2015.12.003 © 2015. This manuscript version is made available under the CC-BY-NC-ND 4.0 license.

Paper 8: Line, Maria Bartnes; Zand, Ali; Stringhini, Gianluca; Kemmerer, Richard A. Targeted Attacks against Industrial Control Systems: Is the Power Industry Prepared? In: CCS'14 2014 ACM SIGSAC Conference on Computer and Communications Security, S pp. 13-22. Is not included due to copyright; available at http://dx.doi.org/10.1145/2667190.2667192

Paper 9: Line, Maria Bartnes; Moe, Nils Brede. Understanding Collaborative Challenges in IT Security Preparedness Exercises. In: ICT Systems Security and Privacy Protection: 30th IFIP TC 11 International Conference, SEC 2015, Proceedings. Springer 2015, pp. 311-324. The final publication is available at Springer via http://dx.doi.org/10.1007/978-3-319-18467-8_21
Publisher
NTNU
Series
Doctoral thesis at NTNU;2015:241
