ICSE 2024
Fri 12 - Sun 21 April 2024 Lisbon, Portugal

Vahiny Gnanasekaran¹, Maria Bartnes¹, Tor Olav Grøtan², Poul Einar Heegaard¹. ¹ Norwegian University of Science and Technology, Norway; ² SINTEF Digital.

Abstract:

The number of significant cyberattacks targeted by national state actors is growing in critical infrastructure. Industrial companies rely on detecting and responding appropriately to such attacks by practicing and developing procedures for cyber-incident response. This paper presents the findings from seven semi-structured interviews to identify distinct practices, challenges, and roles regarding cyber-incident response in the petroleum industry. The literature has only previously addressed specific IT, security, or Operational Technology (OT) teams, but has not considered the holistic view of cyber-incident response in industrial control systems between internal roles and external actors, such as Security Operations Centers, Computer Security Incident Response Teams, emergency response teams, and on-site personnel. To address this, distinct qualitative research methods consisting of document analysis, and workshops as preparation for interviews, and analysis were conducted. A stakeholder diagram displays the most relevant incident response roles, along with a list of current challenges extracted from the interviews. Future research should consider extending the sample and including other organizational and procedural factors.

Mon 15 Apr

Displayed time zone: Lisbon

14:00 - 15:30
Training, knowledge and Industrial challenges
EnCyCriS/SVM at Amadeo de Souza-Cardoso
Chair(s): John Eidar Simensen IFE
14:00
20m
Full-paper
Building a Cybersecurity Knowledge Graph with CyberGraph
EnCyCriS/SVM
A: Paolo Falcarin Ca' Foscari University of Venice, A: Fabio Dainese Ca' Foscari University of Venice
14:20
20m
Full-paper
Training Developers to Code Securely: Theory and Practice
EnCyCriS/SVM
A: Ita Ryan University College Cork, A: Utz Roedig University College Cork, A: Klaas-Jan Stol Lero; University College Cork; SINTEF Digital
14:40
20m
Full-paper
On DevSecOps and Risk Management in Critical Infrastructures: Practitioners' Insights on Needs and Goals
EnCyCriS/SVM
A: Xhesika Ramaj Østfold University College (HiØ) / Norwegian University of Science and Technology (NTNU), A: Mary Sánchez-Gordón Østfold University College, A: Vasileios Gkioulos NTNU, A: Ricardo Colomo-Palacios Universidad Politécnica de Madrid
15:00
20m
Full-paper
Cyber-incident Response in Industrial Control Systems: Practices and Challenges in the Petroleum Industry
EnCyCriS/SVM
A: Vahiny Gnanasekaran Norwegian University of Science and Technology NTNU, A: Maria Bartnes Norwegian University of Science and Technology NTNU, A: Tor Olav Grøtan SINTEF Digital, A: Poul Einar Heegaard Norwegian University of Science and Technology NTNU