15 research outputs found

    Why securing smart grids is not just a straightforward consultancy exercise

    No full text
    The long-term vision for modernization of power management and control systems, Smart Grid, is rather complex. It comprises several scientific traditions; SCADA and automation systems, information and communication technology, safety, and security. Integrating ICT and power management and control systems causes a need for a major change regarding system design and operation, which security controls are required and implemented, and how incidents are responded to and learnt from. This paper presents concerns that need to be addressed in order for the implementation of smart grids to succeed from an information security point of view: a unified terminology, a fusion of cultures, improved methods for assessing risks in complex and interdependent systems, preserving end-users’ privacy, securing communications and devices, and being well prepared for managing unwanted incidents in a complex operating environment

    Why securing smart grids is not just a straightforward consultancy exercise

    No full text
    The long-term vision for modernization of power management and control systems, Smart Grid, is rather complex. It comprises several scientific traditions; SCADA and automation systems, information and communication technology, safety, and security. Integrating ICT and power management and control systems causes a need for a major change regarding system design and operation, which security controls are required and implemented, and how incidents are responded to and learnt from. This paper presents concerns that need to be addressed in order for the implementation of smart grids to succeed from an information security point of view: a unified terminology, a fusion of cultures, improved methods for assessing risks in complex and interdependent systems, preserving end-users’ privacy, securing communications and devices, and being well prepared for managing unwanted incidents in a complex operating environment.Why securing smart grids is not just a straightforward consultancy exercisepublishedVersionOpen Access article. Published by John Wiley & Sons, Ltd. 2013

    Penetration Testing of OPC as part of Process Control Systems

    No full text
    We have performed penetration testing on OPC, which is a central component in process control systems on oil installations. We have shown how a malicious user with different privileges – outside the network, access to the signalling path and physical access to the OPC server – can fairly easily compromise the integrity, availability and confidentiality of the system. Our tentative tests demonstrate that full-scale penetration testing of process control systems in offshore installations is necessary in order to sensitise the oil and gas industry to the evolving threats.Penetration Testing of OPC as part of Process Control System

    UNDERSTANDING INFORMATION SECURITY INCIDENT MANAGEMENT PRACTICES:A case study in the electric power industry

    No full text
    With the implementation of smarter electric power distribution grids follows new technologies, which lead to increased connectivity and complexity. Traditional IT components – hardware, firmware, software – replace proprietary solutions for industrial control systems. These technological changes introduce threats and vulnerabilities that make the systems more susceptible to both accidental and deliberate information security incidents. As industrial control systems are used for controlling crucial parts of the society’s critical infrastructure, incidents may have catastrophic consequences for our physical environment in addition to major costs for the organizations that are hit. Recent attacks and threat reports show that industrial control organizations are attractive targets for attacks. Emerging threats create the need for a well-established capacity for responding to unwanted incidents. Such a capacity is influenced by both organizational, human, and technological factors. The main objective of this doctoral project has been to explore information security incident management practices in electric power companies and understand challenges for improvements. Both literature studies and empirical studies have been conducted, with the participation of ten Distribution System Operators (DSOs) in the electric power industry in Norway. Our findings show that detection mechanisms currently in use are not sufficient in light of current threats. As long as no major incidents are experienced, the perceived risk will most likely not increase significantly, and following, the detection mechanisms might not be improved. The risk perception is further affected by the size of the organization and whether IT operations are outsourced. Outsourcing of IT services limits the efforts put into planning and preparatory activities due to a strong confidence in suppliers. Finally, small organizations have a lower risk perception than large ones. They do not perceive themselves as being attractive targets for attacks, and they are able to operate the power grid without the control systems being available. These findings concern risk perception, organizational structure, and resources, which are factors that affect current practices for incident management. Furthermore, different types of personnel, such as business managers and technical personnel, have different perspectives and priorities when it comes to information security. Besides, there is a gap in how IT staff and control system staff understand information security. Cross-functional teams need to be created in order to ensure a holistic view during the incident response process. Training for responding to information security incidents is currently given low priority. Evaluations after training sessions and minor incidents are not performed. Learning to learn would make the organizations able to take advantage of training sessions and evaluations and thereby improve their incident response practices. The main contributions of this thesis are knowledge on factors that affect current information security incident management practices and challenges for improvement, and application of organizational theory on information security incident management. Finally, this thesis contributes to an increased body of empirical knowledge of information security in industrial control organizations

    Risikovurdering av AMS. Kartlegging av informasjonssikkerhetsmessige sårbarheter i AMS

    No full text
    Denne rapporten presenterer en overordnet risikovurdering av Avaserte Måle- og Styringssystemer (AMS) knyttet til hvilke konsekvenser det kan ha for kraftforsyningen at AMS utsettes for informasjonssikkerhetbrudd. Vurderingen er hovedsaklig gjort for AMS basisfunksjoner, som er å registrere måledata hos kunde og overføre disse til nettselskapet, samt bryting/struping av effektuttaket i det enkelte målepunkt

    Risikovurdering av AMS. Kartlegging av informasjonssikkerhetsmessige sårbarheter i AMS

    No full text
    -Denne rapporten presenterer en overordnet risikovurdering av Avaserte Måle- og Styringssystemer (AMS) knyttet til hvilke konsekvenser det kan ha for kraftforsyningen at AMS utsettes for informasjonssikkerhetbrudd. Vurderingen er hovedsaklig gjort for AMS basisfunksjoner, som er å registrere måledata hos kunde og overføre disse til nettselskapet, samt bryting/struping av effektuttaket i det enkelte målepunkt

    Challenges in IT Security Preparedness Exercises: A Case Study

    No full text
    The electric power industry is currently implementing major technological changes in order to achieve the goal of smart grids. However, these changes are expected to increase the susceptibility of the industry to IT security incidents. IT security preparedness exercises are not commonly performed in the electric power industry, even though this industry is considered part of society's critical infrastructure. Resolving an IT security incident requires inter-departmental collaborations between various categories of personnel, and to successfully achieve this, training is required. The process of preparing a response to incidents enhances the nature of collaboration, coordination, and communication within an organization. Our objective is to understand the challenges faced when performing IT security preparedness exercises, as challenges experienced during these exercises affect the response process during a real incident. By improving the exercises, the response capabilities would be strengthened accordingly. We have designed a multiple-case study with six teams in three organizations. We collected data by performing semi-structured interviews, participant observations, and from process artifacts. We identified six main challenges involving team composition and external expert involvement, goal definition, documentation, and time management. In summary, there are many ways of conducting preparedness exercises. Therefore, organizations need to both optimize current exercise practices and experiment with new ones in order to ensure continuous learning and improvement; hence, they can be adequately prepared to respond to IT security incidents.© 2016 Elsevier Ltd. Author preprint

    Secure Remote Access to Autonomous Safety Systems: A Good Practice Approach

    No full text
    Safety instrumented systems (SIS) as defined in IEC 61508 and IEC 61511 are very important for the safety of offshore oil and natural gas installations. Partly as a consequence of the evolving 'integrated operations' concept, a need is emerging for remote access to such systems from vendors external to the operating company. This access will pass through a number of IP-based networks used for other purposes, including the open internet. This raises a number of security issues, ultimately threatening the safety integrity of SIS. In this article, we present a layered network architecture that represents current good practice for a solution to ensure secure remote access to SIS. Also, a method for assessing whether a given solution for remote access to SIS is acceptable is described.Secure Remote Access to Autonomous Safety Systems: A Good Practice Approac
    corecore