Abstract
This paper presents an empirical study on the need for sector-specific CERT capacity in the Norwegian construction sector. Findings from the interviews demonstrate a need for developing competence in ICT security in this sector. The actors express a desire for a forum for sharing information and learning from other actors within the industry. In our estimation, there is insufficient support in the industry to create a “full-blown” CERT/CSIRT. However, it seems that all the interviewees are positive about the idea of creating an ISAC-like forum.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Bernsmed, K., Jaatun, M.G., Meland, P.H.: Safety critical software and security-how low can you go? In: 2018 IEEE/AIAA 37th Digital Avionics Systems Conference (DASC), pp. 1–6. IEEE (2018)
ENISA: Information Sharing and Analysis Center (ISACS)—Cooperative Models (2018). https://www.enisa.europa.eu/publications/information-sharing-and-analysis-center-isacs-cooperative-models
European Union: Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the union (2016). http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016L1148&from=EN
Jaatun, M.G., Bodsberg, L., Grøtan, T.O., Elisabeth Gaup Moe, M.: An empirical study of CERT capacity in the North Sea. In: 2020 International Conference on Cyber Security and Protection of Digital Services (Cyber Security), pp. 1–8 (2020). 10.1109/CyberSecurity49315.2020.9138865
Mantha, B., de Soto, B.G., Karri, R.: Cyber security threat modeling in the AEC industry: an example for the commissioning of the built environment. Sustai. Cities Soc. 66, 102682 (2021)
Norwegian Government: Nasjonal strategi for informasjonssikkerhet (National Strategy for Information Security [In Norwegian]) (2012). https://www.regjeringen.no/globalassets/upload/fad/vedlegg/ikt-politikk/nasjonal_strategi_infosikkerhet.pdf
NSM: Rammeverk for håndtering av IKT-hendelser (framework for handling ICT incidents [in Norwegian]) (2017). https://nsm.no/getfile.php/133853-1593022504/Demo/Dokumenter/rammeverk-for-handtering-av-ikt-sikkerhetshendelser.pdf
Oesterreich, T.D., Teuteberg, F.: Understanding the implications of digitisation and automation in the context of industry 4.0: a triangulation approach and elements of a research agenda for the construction industry. Comput. Ind. 83, 121–139 (2016)
Okstad, E.H., Bains, R., Myklebust, T., Jaatun, M.G.: Implications of cyber security to safety approval in railway. In: Proceedings of the 31st European Safety and Reliability Conference, pp. 2120–2127 (2021)
Onshus, T., Bodsberg, L., Hauge, S., Jaatun, M.G., Lundteigen, M.A., Myklebust, T., Ottermo, M.V., Petersen, S., Wille, E.: Security and independence of process safety and control systems in the petroleum industry. J. Cybersecur. Priv. 2(1), 20–41 (2022)
PST: National Threat Assessment 2020 (2020). https://pst.no/alle-artikler/trusselvurderinger/annual-threat-assessment-2020/
Skopik, F., Settanni, G., Fiedler, R.: A problem shared is a problem halved: a survey on the dimensions of collective cyber defense through security information sharing. Comput. Secur. 60, 154–176 (2016)
Sonkor, M.S., García de Soto, B.: Is your construction site secure? A view from the cybersecurity perspective. In: ISARC. Proceedings of the International Symposium on Automation and Robotics in Construction, vol. 38, pp. 864–871. IAARC Publications (2021)
Telenor: Trusselrapport 2020—Trusselforståelse (Threat report 2020—Threat perception [In Norwegian]) (2020). https://www.telenor.no/om/digital-sikkerhet/2020/artikler/trusselforstaaelse.jsp
Turk, Ž, de Soto, B.G., Mantha, B.R., Maciel, A., Georgescu, A.: A systemic framework for addressing cybersecurity in construction. Autom. Constr. 133, 103988 (2022)
UN General Assembly: Group of governmental experts on developments in the field of information and telecommunications in the context of international security. UN Doc. A/70/174, vol. 22 (2015)
Acknowledgements
This work is based on research funded by Oslo Construction City AS. The authors gratefully acknowledge the support from OBOS, AF Gruppen, Betonmast, and Statsbygg, and the anonymous interviewees from the participating organizations.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendices
Appendix 1
Interview Guide
1.1 Background
-
What is your role in the company?
-
Can you describe how your role is linked to managing ICT security incidents?
-
Is the term Operational Technology (OT) used in your company?
-
What systems and routines fall under your responsibility? CERT capacity in the construction sector
-
What do you consider especially challenging in your sector regarding protection against and managing cyberattacks/ICT security incidents?
-
What internal resources and roles are involved in ICY preparedness and incident management in your company?
-
How do you define an ICT security breach?
-
How are ICT security incidents usually discovered in your company?
-
Do you have any plans for managing ICY security incidents?
-
Are these plans included in trainings and exercises?
-
Who is contacted in the event of serious ICT security breaches? When did you last update your contact lists?
-
How do you collaborate with other actors on handling ICT security incidents?
-
Do you see special challenges related to dealing with ICT security breaches in industrial process control systems and automation?
-
Would you benefit from a sector CAC for your industry to better understand, detect, and deal with threats and vulnerabilities? If so, how would you benefit from such a CAC?
-
What improvement needs do you think are the most important when dealing with ICT security breaches in your case?
-
Can you tell us about the last ICT security breach you experienced?
-
How was this handled?
-
How did the handling work?
-
Why did the handling work as it did?
-
Do you experience challenges around cooperation and coordination in handling ICT security breaches? If this is the case, what kind of challenges are experienced?
-
Would you benefit from participating in national exercises focusing on handling ICT security incidents? Feel free to elaborate on why
1.2 Operationalization of CERT Alerts
-
How is your practice regarding information sharing about (own) ICT security breaches? What type of information is shared, and with whom?
-
What tools are used for information sharing about ICT security breaches in your company?
-
Do you know the term TLP (traffic light protocol)? If so, how is this used in your company when sharing information?
-
Do you share information about your own ICT security breaches via CERT channels? If so, what type of information, and in what way?
-
Do you receive information about new ICT security threats and vulnerabilities via CERT channels? If so, how is this information used in the company’s internal ICT security and emergency preparedness work?
-
What improvement needs do you think are the most important when it comes to sharing information in ICT security incidents and operationalizing CERT alerts?
1.3 General Closing Questions
-
Are there topics we have not addressed in this interview that we should have addressed?
Rights and permissions
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Skytterholm, A.N., Jaatun, M.G. (2023). Exploring the Need for a CERT for the Norwegian Construction Sector. In: Onwubiko, C., et al. Proceedings of the International Conference on Cybersecurity, Situational Awareness and Social Media. Springer Proceedings in Complexity. Springer, Singapore. https://doi.org/10.1007/978-981-19-6414-5_4
Download citation
DOI: https://doi.org/10.1007/978-981-19-6414-5_4
Published:
Publisher Name: Springer, Singapore
Print ISBN: 978-981-19-6413-8
Online ISBN: 978-981-19-6414-5
eBook Packages: Physics and AstronomyPhysics and Astronomy (R0)