Perspectives on Control System Security

Assessing security risks resulting from contradicting values between Operational and Information Technology

Master thesis (2013)

Authors

F.A. Schoenmakers

Contributors

M.J.G. Van Eeten (mentor)

M.L.C. De Bruijne (mentor)

G.P.J. Dijkema (mentor)

M.H.J. Knuiman (mentor)

S. Hernando (mentor)

Programme

Beleid, Organisatie, Recht & Gaming () (TU Delft)

Cyber security Control systems Security Paradigm IT/OT integration Risk framework

More Info

expand_more

To reference this document use:

http://resolver.tudelft.nl/uuid:5b2e19c4-c493-4575-972d-d91825d4ef67

Published Date

08-04-2013

Reuse Rights

Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.

Programme

Beleid, Organisatie, Recht & Gaming

Abstract

Industrial control systems in the electricity domain become increasingly connected. The change in the control systems industry has several drivers. Business drivers on the one hand; management is expecting more information and more steering possibilities. Market drivers on the other hand; better incorporation of decentralized generation, improvements of the existing services and maintaining or improving the existing high levels of system reliability. To facilitate the changing requirements, more intelligence and connectivity in control systems is necessary. In the past, control systems were connected with proprietary networks to the SCADA network. These systems and networks were often custom-made, isolated and had little processing power. The current trend is to implement and use control systems with off-the-shelf technology, with interconnectivity and with computing power. This trend is referred to as Internet Technology (IT) integration into Operational Technology (OT), in short: IT/OT integration. It brings a significant change in the status quo of the energy industry. Based on the literature as well as the questionnaire, we can argue that a difference in perspective can have an impact on control system security. The values that people have can determine - to a certain extend - the way security is interpreted and perceived. When there is a difference in perspectives, it might keep organizations aware, but when the differences are too comprehensive it will restrict the organization in properly dealing with threats. Whether shared values for the IT and OT group are likely to happen and desirable to have is an interesting question. When the IT and OT group maintain their current separate values, communication and interaction is important. Interaction and communication might improve understanding and commitment which can advocate control system security. To increase commitment, understanding and shared values, managers must play an active role in promoting shared values. Risk management is to a large extent steered by people; the influence of their perspective on security is believed to be significant. Throughout every sections of our risk management framework the perspective on security was a reoccurring theme. Threat perception, vulnerability identification and risk response can all be influenced by the perspective on security. Again, a shared set of values on security can contribute in improving risk management. Some final thoughts – ideas and best practices - on control system security had been drafted in the last paragraph of this research. A short abstract of the recommendations: be selective in bringing control systems from isolation, use the wisdom of the crowd to find vulnerabilities, facilitate education and training for personnel, share practical knowledge and ideas with the industry, and make better use of online media monitoring (Twitter, Pastebin, forums) to actively search for threats.

Files

Schoenmakers_Article_Contradic... (pdf)

(pdf | 0.408 Mb)

Schoenmakers_Fullthesis_FinalV... (pdf)

(pdf | 3.97 Mb)