
Part of the book series: Springer Proceedings in Complexity (SPCOM)


Abstract

This paper presents an empirical study on the need for sector-specific CERT capacity in the Norwegian construction sector. Findings from the interviews demonstrate a need for developing competence in ICT security in this sector. The actors express a desire for a forum for sharing information and learning from other actors within the industry. In our estimation, there is insufficient support in the industry to create a “full-blown” CERT/CSIRT. However, it seems that all the interviewees are positive about the idea of creating an ISAC-like forum.


Notes

  1. https://www.kraftcert.no/english/index.html

  2. https://www.nfcert.org/

  3. https://www.normacyber.no/en/services

  4. https://www.first.org/


Acknowledgements

This work is based on research funded by Oslo Construction City AS. The authors gratefully acknowledge the support from OBOS, AF Gruppen, Betonmast, and Statsbygg, and the anonymous interviewees from the participating organizations.

Author information

Corresponding author

Correspondence to Andrea Neverdal Skytterholm.

Appendices

Appendix 1

Interview Guide

1.1 Background

  • What is your role in the company?

  • Can you describe how your role is linked to managing ICT security incidents?

  • Is the term Operational Technology (OT) used in your company?

  • What systems and routines fall under your responsibility?

CERT capacity in the construction sector

  • What do you consider especially challenging in your sector regarding protection against and managing cyberattacks/ICT security incidents?

  • What internal resources and roles are involved in ICT preparedness and incident management in your company?

  • How do you define an ICT security breach?

  • How are ICT security incidents usually discovered in your company?

  • Do you have any plans for managing ICT security incidents?

  • Are these plans included in trainings and exercises?

  • Who is contacted in the event of serious ICT security breaches? When did you last update your contact lists?

  • How do you collaborate with other actors on handling ICT security incidents?

  • Do you see special challenges related to dealing with ICT security breaches in industrial process control systems and automation?

  • Would you benefit from a sector CAC for your industry to better understand, detect, and deal with threats and vulnerabilities? If so, how would you benefit from such a CAC?

  • What improvement needs do you think are the most important when dealing with ICT security breaches in your case?

  • Can you tell us about the last ICT security breach you experienced?

  • How was this handled?

  • How did the handling work?

  • Why did the handling work as it did?

  • Do you experience challenges around cooperation and coordination in handling ICT security breaches? If this is the case, what kind of challenges are experienced?

  • Would you benefit from participating in national exercises focusing on handling ICT security incidents? Feel free to elaborate on why.

1.2 Operationalization of CERT Alerts

  • How is your practice regarding information sharing about (own) ICT security breaches? What type of information is shared, and with whom?

  • What tools are used for information sharing about ICT security breaches in your company?

  • Do you know the term TLP (traffic light protocol)? If so, how is this used in your company when sharing information?

  • Do you share information about your own ICT security breaches via CERT channels? If so, what type of information, and in what way?

  • Do you receive information about new ICT security threats and vulnerabilities via CERT channels? If so, how is this information used in the company’s internal ICT security and emergency preparedness work?

  • What improvement needs do you think are the most important when it comes to sharing information in ICT security incidents and operationalizing CERT alerts?

1.3 General Closing Questions

  • Are there topics we have not addressed in this interview that we should have addressed?

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.

Cite this paper

Skytterholm, A.N., Jaatun, M.G. (2023). Exploring the Need for a CERT for the Norwegian Construction Sector. In: Onwubiko, C., et al. Proceedings of the International Conference on Cybersecurity, Situational Awareness and Social Media. Springer Proceedings in Complexity. Springer, Singapore. https://doi.org/10.1007/978-981-19-6414-5_4
