Ikke-tekniske cybersikkerhetsbarrierer for OT-systemer i petroleumsindustrien

The petroleum industry is becoming more and more digitalized, which leads to a convergence between IT and OT systems. This results in an expanded threat picture for OT systems as it now also includes cyber security threats. Traditionally, OT systems have focused on safety by securing physical assets and preventing accidents. Because of the convergence, it is necessary to also consider security, by securing data and information. A barrier is a measure to prevent or reduce the consequence of unwanted events. Barriers are used in safety management for OT systems, but it is less common to use the barrier concept for cyber security. This thesis investigates if the barrier concept can be applied to cyber security. As technical measures alone are not enough to handle cyber attacks, we have considered non-technical barriers in our thesis. We have used design science as our research design, which includes an analysis phase, an innovation phase and an evaluation phase. To gather information, we performed a literature review and completed several inteviews with representatives from the industry. In the innovation phase we started with a ransomware attack against an OT system in the petroleum industry. We identified non-technical barriers that could prevent or reduce the consequence of the attack. One part of the thesis included investigating what requirements from ISA/IEC 62443-2-1 that should be covered by the non-technical barriers. Then, we generalized the method we used to identify the barriers so that the method could be used for other attack scenarios. The result became MICS, a method for identifying non-technical cyber security barriers. MICS is intended to be used for analyzing new attack scenarios before or after they have happened. The method involves that the scenario shall be detailed according to the MITRE framework to get an overview over the different steps an attacker performs during an attack. By including requirements from ISA/IEC 62443-2-1 in MICS, it will contribute to make it easier for the industry to apply the standard. With MICS we have identified non-technical barriers for cyber security, and this shows that the barrier concept can be used on cyber security measures.