Exploring the grounds for cyber resilience in the hyper-connected oil and gas industry
Peer reviewed, Journal article
Published version
Date
2023
Abstract
This paper explores the offshore oil and gas industry as a case of an industry operating in demanding conditions with an imminent potential for catastrophic failure, undergoing major transformations driven by advances in digital technologies while being exposed to an increasingly aggressive threat landscape due to geopolitical changes. It is also a case of cyber-physical systems with tight couplings between digital changes, which might be incited from virtually anywhere, and real-world, physical consequences. The exploration is aimed at understanding, based on interviews, to what extent the existing cyber security practices in the industry carry the potential to be strengthened by the application of resilience principles. An enhanced level of cyber security, denoted cyber resilience, is regarded as a crucial part of the industry becoming able to close a strategic agility gap, in which it is at risk of falling behind in its response repertoire, becoming stuck and stale while trying to keep up with an increasing rate of shocks through classical modelling and simulation. Resilience is, however, a concept with many meanings, originating from a diversity of academic discourses. The paper demonstrates the usefulness of analyzing the empirical data through an analytical framework of cyber resilience, a “resilience ABC”, accommodating a crucial distinction between robustness and resilience founded on adaptive capacities. Moreover, we find that closing the strategic agility gap requires a cyber resilience approach that is a mix of robustness and adaptive capacity, and that the gradual shift towards more emphasis on adaptive capacity requires a fundamental shift from seeing resilience-as-outcome as just an epiphenomenon of existing practice. In contrast, we see adaptive capacity as resilience-as-process, a phenomenon to study on its own terms. This also implies that cyber resilience management must move beyond a sheer assimilation with risk management.
As access to real incident data may be limited, we also advocate the idea of training on scenarios at the boundaries of robustness.