Abstract
Digitalization of the petroleum industry entails a greater interconnection between Information Technology (IT) and Industrial Automation and Control Systems (IACS), and has led to an increased attack surface. To mitigate the consequences of incidents and to ensure a safe operation, the industry uses preparedness exercises. Previously, these exercises have concerned safety-related incidents. Today, digitalization requires the industry to also exercise security incidents, especially incidents that are directed towards IACS. While the need for more detailed guidelines in the area of cyber security and IACS has been explicitly called for by the industry, few guidelines are currently available. We aimed to lessen this shortcoming by investigating descriptions of events to use in exercises, known as scenarios. This project investigated what characterizes a scenario to be realistic and expedient for preparedness exercises on cyber attacks against IACS in the petroleum industry, with a focus on tabletop exercises. Based on data collected through interviews, a list of criteria that characterize such scenarios was created. The list was validated and approved by respondents from two different operator companies. The results highlight the importance of basing the scenario on today’s threat landscape, making the scenarios plausible, and design the scenario such that it leads to a challenging tabletop exercise which also gives a sense of empowerment for the participants.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Norwegian Ministry of Labour and Social Affairs: Health, safety and environment in the petroleum industry. Technical Report, Norwegian Ministry of Labour and Social Affairs (2018). Accessed 21 May 2021
Topdahl, R.C.: -oljå tenker alltid “worst case”. https://www.aftenbladet.no/aenergi/i/1yOjK/oljaa-tenker-alltid-worst-case (2012). Accessed 21 May 2021
Security for Industrial Automation and Control Systems: Standard. International Electrotechnical Commision, Geneva, CH (2010)
Stouffer, K., Falco, J., Scarfone, K.: Guide to industrial control systems (ICS) security. NIST Spec. Publ. 800(82), 16–16 (2011)
i-SCOOP: Operational technology (ot)—definitions and differences with it. https://www.i-scoop.eu/industry-4-0/operational-technology-ot/ (2020). Accessed 04 November 20
Håland, E.: Trening og øvelse. Technical Report, DNV GL (2020)
Pratt, M.K.: Definition: cyber attack. https://searchsecurity.techtarget.com/definition/cyber-attack (2021). Accessed 25 February 2021
Andrea, S., Hotvedt, G.: Preparedness exercises for cyber attacks against industrial control systems in the petroleum industry. Master’s thesis, Norwegian University of Science and Technology (2021)
Ottis, R., Luht, L.: Mapping the best practices for designing multi-level cyber security exercises in Estonia (2017)
Larsen, A.K.: Øvelser - en veiledning i hvordan planlegge og gjennomføre øvelser innen energiforsyningen. Technical Report, The Norwegian Water Resources and Energy Directorate (2015)
Agency, T.N.D.: Veileder i planlegging og gjennomføring av ikt-øvelser. Technical Report, The Norwegian Digitalization Agency (2015)
The Norwegian Directorate for Civil Protection: Veileder i planlegging, gjennomføring og evaluering av øvelser - grunnbok: Introduksjon og prinsipper. Technical Report. The Norwegian Directorate for Civil Protection (2016)
Authority, N.N.S.: Risiko 2021—Helhetlig sikring mot sammensatte trusler. Technical Report. Norwegian National Security Authority (2021). Accessed 23 April 2021
Johnsen, S.O., Bjørkli, C., Steiro, T., Fartum, H., Haukenes, H., Ramber, J., Skriver, J.: Criop: A Scenario Method for Crisis Intervention and Operability Analysis. SINTEF Technology and Society, Technical Report (2011)
Malerud, S., Fridheim, H.: Metode for utvikling av scenarioer til spill og øvelser. Technical Report, Norwegian Defence Research Establishment (2013). Accessed 30 April 2021
Authority, N.N.S.: Grunnprinsipper for sikkerhetsstyring - utarbeid scenario. https://nsm.no/regelverk-og-hjelp/rad-og-anbefalinger/grunnprinsipper-for-sikkerhetsstyring/identifisere-og-kartlegge/utarbeid-scenario/ (2021). Accessed 12 March 2021
Van der Merwe, L.: Scenario-based strategy in practice: a framework. Adv. Dev. Hum. Resour. 10(2), 216–239 (2008)
Grance, T., Nolan, T., Burke, K., Dudley, R., White, G., Good, T.: Guide to test, training, and exercise programs for it plans and capabilities (2006)
Gleason, J.J.: Getting big results by going small-the importance of tabletop exercises. In: International Oil Spill Conference Proceedings, vol. 2014, pp. 114–123. American Petroleum Institute (2014)
Patrick, L., Barber, C.: Tabletop exercises-preparing through play. In: International Oil Spill Conference, vol. 2001, pp. 363–367. American Petroleum Institute (2001)
Robson, C.: Real World Research. John Wiley & Sons, The Atrium, Southern Gate, Chichester, West Sussex, PO19 8SQ, United Kingdom (2011)
Acknowledgements
We would like to thank our supervisors, Maria Bartnes, Lars Bodsberg, and Roy Selbæk Myhre for the help and support during the work with our thesis and this article. We would also like to thank the interviewees from the participating organizations.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendices
Appendix A
Interview guide
1.1 Introduction
Brief introduction to our research questions and main goal of the research
1.2 Main topics to be discussed (First round of interviews)
-
Digital threats against IT-systems in the petroleum industry
-
Digital threats directed towards the industrial ICT-systems
-
Your experience from preparedness exercises tailored towards digital threats and in general
-
Your experience from working with exercise scenarios (if relevant)
1.3 Validation of criteria and scenarios (Second round of interviews)
Go through each of the criteria and ask if they are considered expedient and realistic. Ask why/why not. Do the same for the scenarios.
1.4 Ending
We want to thank you for contributing to our research. We have gained valuable input from the interview. If you would like to receive our final result, we can send it to you when the report is delivered.
Rights and permissions
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Skytterholm, A., Hotvedt, G. (2023). Criteria for Realistic and Expedient Scenarios for Tabletop Exercises on Cyber Attacks Against Industrial Control Systems in the Petroleum Industry. In: Onwubiko, C., et al. Proceedings of the International Conference on Cybersecurity, Situational Awareness and Social Media. Springer Proceedings in Complexity. Springer, Singapore. https://doi.org/10.1007/978-981-19-6414-5_3
Download citation
DOI: https://doi.org/10.1007/978-981-19-6414-5_3
Published:
Publisher Name: Springer, Singapore
Print ISBN: 978-981-19-6413-8
Online ISBN: 978-981-19-6414-5
eBook Packages: Physics and AstronomyPhysics and Astronomy (R0)