
Lowering cybersecurity entry barriers for Industry 4.0

Kannelønning, Kristian Andreas
Doctoral thesis
Kristian Kannelønning.pdf (6.882Mb)
Kristian Kannelønning_PhD.pdf (Locked)
URI
https://hdl.handle.net/11250/3199458
Date
2025
Collections
  • Institutt for informasjonssikkerhet og kommunikasjonsteknologi [2809]
Abstract
Cybersecurity is a young field of research; the full weight of cybersecurity issues was not observed before the introduction of the Internet to the public in the 1980s and 1990s. This is even more true for research on cybersecurity of digitalized systems in industry, as these systems were perceived as unreachable from the outside world. However, with the introduction of digitalization in industry, brought about by the increased use of Information Technology (IT), industrial systems, often collectively referred to as operational technology (OT) systems, gradually became reachable from the outside world. These systems encompass a broad range of programmable devices that interact with the physical world to detect or cause a direct change by monitoring and/or controlling devices, processes, and events. Examples of such systems are industrial control systems (ICS), building automation systems, and physical access control systems, to mention a few. Because OT systems interact with the physical world, they are often referred to as cyber-physical systems (CPS). For the same reason, their possible malfunction due to a cyberattack could result in material damage and severe harm to humans or the environment, consequences that far exceed those of cyberattacks on pure IT systems.

OT systems have historically been physically and logically isolated from the outside world due to the use of proprietary technology and communication protocols. As OT has been increasingly digitalized in the last decade, with an eye towards streamlining production and increasing efficiency, the term “Industry 4.0” has emerged to represent this process. Such a process requires, among other things, the sharing of more data between IT and OT systems, which involves moving from proprietary technology to commercial-off-the-shelf (COTS) components. Unfortunately, increased communication between IT and OT systems increases the attack surface and allows new vulnerabilities to arise, making the previously isolated world of OT interconnected and vulnerable to malicious attacks.

Industry, particularly SMEs, is known to be lagging behind when it comes to the security of OT systems, as compared to that of IT systems. This is due, on the one hand, to the increased attack surface that interconnected and outward-facing ICSs present and, on the other, to a number of obstacles that such industry faces when attempting to address the security of OT systems. Accordingly, this PhD research project aims at researching such obstacles, related to the use of standards and controls on the one hand and to human behavior on the other, focusing on the Norwegian industry. To this end, qualitative and quantitative data have been collected and analyzed through surveys and interviews with IT and OT security personnel in industry.

The findings and results suggest that technical and specific cybersecurity knowledge is a key differentiator. Lack of knowledge is a key attribute when participants reveal their sensitive data. Furthermore, participants express a lack of knowledge about why security controls are implemented in their organizations, leading to workarounds, that is, shadow security. For organizations to start their journey towards improved cybersecurity of OT systems, sources of knowledge like international security standards are seldom used within OT due to the voluminous size and lack of practical advice. Changes in governance structure and increased specific cybersecurity OT training are two identified areas of improvement. Inclusion of OT personnel in the cybersecurity governance team, in conjunction with increased training, should reduce or remove the communication barriers found between IT and OT. Furthermore, training, communication and governance are all social elements in the socio-technical system (STS) framework, so such efforts will move the needle in the direction of a more balanced STS approach towards OT cybersecurity, which in turn should yield the highest return for the organization’s security posture.
Has parts
Paper 1: Kannelønning, Kristian Andreas; Katsikas, Sokratis. A systematic literature review of how cybersecurity-related behavior has been assessed. Information and Computer Security 2023 pp. – Published by Emerald Publishing Limited. This article is published under the Creative Commons Attribution (CC BY 4.0) licence. Available at: http://dx.doi.org/10.1108/ICS-08-2022-0139

Paper 2: Kannelønning, Kristian Andreas; Katsikas, Sokratis. Cybersecurity-Related Behavior of Personnel in the Norwegian Industry. IFIP Advances in Information and Communication Technology 2023. © 2023 IFIP International Federation for Information Processing. Available at: http://dx.doi.org/10.1007/978-3-031-38530-8_20

Paper 3: Kannelønning, Kristian Andreas; Katsikas, Sokratis. Usage of Cybersecurity Standards in Operational Technology Systems. In: Computer Security – ESORICS 2024. 29th European Symposium on Research in Computer Security, Bydgoszcz, Poland, September 16–20, 2024, Proceedings, Part I. Springer 2024 ISBN 9783031708787. © 2025 The Author(s), under exclusive license to Springer Nature Switzerland AG. Available at: http://dx.doi.org/10.1007/978-3-031-82349-7_28

Paper 4: Kannelønning, Kristian Andreas; Katsikas, Sokratis. Deployment of Cybersecurity Controls in the Norwegian Industry 4.0. In: ARES '24: Proceedings of the 19th International Conference on Availability, Reliability and Security. Association for Computing Machinery (ACM) 2024 ISBN 979-8-4007-1718-5. pp. – Published by ACM. This work is licensed under a Creative Commons Attribution International 4.0 License CC BY. Available at: http://dx.doi.org/10.1145/3664476.3670896

Paper 5: Kannelønning, Kristian Andreas; Katsikas, Sokratis. Socio-technical challenges in improving cybersecurity in Operational Technology organizations. This paper is under review for publication and is therefore not included.
Publisher
NTNU
Series
Doctoral theses at NTNU;2025:234

Contact Us | Send Feedback

Privacy policy
DSpace software copyright © 2002-2019  DuraSpace

Service from  Unit