
Preventing the Next Triton? Protecting Chemical Process Plants from Cyber-Threats


Academic year: 2021


Master Thesis

MSc Crisis and Security Management 2018/2019

Photo credits: https://www.wired.com/story/triton-malware-dangers-industrial-system-sabotage/

Preventing the Next Triton?

Protecting Chemical Process Plants from Cyber-Threats


Acknowledgments

As the end of my academic career – for now at least – approaches, it is inevitable to get a little emotional. I can sincerely say that I have been extremely lucky to be surrounded by many supportive people throughout the process of writing my Master Thesis.

My first acknowledgement goes to my supervisor, Dr. Gabriele Landucci, who supported me and guided me through my many – often confused and disorganized – thoughts and ideas. Thank you for believing in me, and my research, since day one.

I would also like to thank the amazing Deloitte Cyber Risk Advisory team that I am part of. It is hard to express my gratitude for everything in words. The amount of support, help, and advice that I received from so many of you since the beginning of this journey is beyond what I ever expected.

Special thanks go to the experts that I interviewed for this study, and to the ones who helped me organize the interviews. Without all of you, this thesis would not have been possible. Thank you for dedicating your precious time to help me. I hope this study will be useful for you in some way.

And last, but not least of course, I would like to thank my family and friends for all the emotional support I received during these months. To my mom especially, who came all the way from Italy during the last month of writing and sat with me at the library all day just to keep me company.


Abstract

Modern Industrial Control Systems are becoming increasingly interconnected and automated thanks to the technological progress of Industry 4.0. This, in addition to bringing numerous benefits for businesses, is also increasing the cybersecurity risks of industrial environments. Organizations in the chemical and process industry especially need to consider the potential safety consequences that a cyber-attack could have on their plants and the environment around them. This study explored the way in which chemical and process plants manage cybersecurity risks in their Industrial Control Systems. It did so by interviewing six industry experts to shed light on the common governance structures, risk assessment methodologies, safety and security integration, and cybersecurity measures within organizations. This thesis shows that companies in this industry are in the starting phase of recognizing cybersecurity risks in their operational environment. This is resulting in more awareness of, and financing for, cybersecurity programs. However, the results show that cybersecurity remains a limited and segregated capability both in the organizations’ governance structures and in their implementation of risk management measures and procedures.

Keywords: Cybersecurity, Cyber Risk, Industrial Control Systems (ICS), Industrial


Table of Contents

1 Introduction
1.1 Aim of the study
1.2 Research Question
1.2 Academic and Societal Relevance
1.3 Reading Guide
2 Background
2.1 Introduction to Industrial Control Systems (ICSs)
2.2 ICS Cybersecurity Risks
3 Theoretical Framework: ICS Cybersecurity Management
3.1 Governance
3.1.1 Organizational structure
3.1.2 Senior Management Support
3.2 Risk Assessment
3.2.1 Scope of Risk Assessments
3.2.2 Safety and Security Integration
3.3 Cybersecurity Measures
3.3.1 Technical measures
3.3.2 Non-technical measures
3.4 Summary of Theoretical Framework
4 Methodology
4.1 Research design
4.1.1 Operationalisation of concepts
4.2 Data Collection Method
4.1.1 Experts Interviews
4.3 Data Analysis
4.4 Validity and reliability
4.4.1 Anonymity
5 Results
5.1 The Need for ICS Cybersecurity
5.2 Risk Assessment
5.3 Cybersecurity Measures
5.3.1 Technical measures
5.3.2 Non-technical measures
5.4 The Challenges of ICS Cybersecurity
6 Conclusion
6.1 Limitations of this Research
6.2 Directions for Future Research
6.3 Recommendations for the Industry
7 Bibliography
8 Appendix A: Interview Questionnaires
8.1 Questionnaire 1: Expert from Cybersecurity Consultancy
8.1.1 Introduction
8.1.2 Governance
8.1.3 Risk Assessment
8.1.4 Cybersecurity Measures
8.2 Questionnaire 2: Expert from Chemical Company
8.2.1 Introduction
8.2.2 Governance
8.2.3 Risk Assessment
8.2.4 Cybersecurity Measures
9 Appendix B: Interview Consent Form
10 Appendix C: Interview Transcripts
10.1 Interview Expert 1
10.2 Interview Expert 2
10.3 Interview Expert 3
10.4 Interview Expert 4
10.5 Interview Expert 5
10.6 Interview Expert 6


Table of Figures

Figure 1 ICS plant logical framework
Figure 2 Structure of the conceptual framework
Figure 3 Nodes in NVivo12
Figure 4 Hierarchy chart of the three main parent nodes
Figure 5 Nodes coded at the "Challenges and Solutions" node

Table of Tables

Table 1 Governance (Operationalisation)
Table 2 Risk Assessment (Operationalisation)
Table 3 Cybersecurity Measures (Operationalisation)
Table 4 List of Experts
Table 5 Main Responsibility ICS per company

Table of Abbreviations

Abbreviation: Meaning

DCS: Distributed Control System

HMI: Human-Machine Interface

ICS: Industrial Control System

IT: Information Technology

OT: Operational Technology

PLC: Programmable Logic Controller

SCADA Systems: Supervisory Control and Data Acquisition Systems

1 Introduction

In December 2017, the landscape of safety and security of industrial systems changed forever: TRITON, a new set of malware, was deployed to manipulate the safety system of an industrial infrastructure in the Middle East (Johnson et al., 2017; Thryft, 2018). The hackers managed to gain control of the control system while trying to manipulate the “layers of built-in emergency shutdown protocols” (Newman, 2018, para. 6). According to a FireEye report, the hackers intended to cause physical damage by shutting down safety-critical operations (Johnson et al., 2017). This makes TRITON arguably one of “the most dangerous malware[s] ever encountered” (Greenberg, 2019, para. 9). TRITON, together with other malware that previously targeted industrial systems (e.g. Stuxnet, a malware that was used to attack a nuclear plant in Iran), greatly helped to increase the awareness of cybersecurity and cyber hygiene in industrial environments (Newman, 2018). According to the 2018 World Economic Forum Global Risk Report, the risk of cyber-attacks against industrial systems is increasing. One reason for this is that industries, which traditionally relied on mechanical systems, are now being influenced by the development of new technologies that allow the digitalization and automation of these systems (Abdo, Kaouk, Flaus, & Masse, 2018). This technological transformation, also called the Fourth Industrial Revolution or Industry 4.0, involves the connection of digital technologies to physical systems or processes (Van Thienen, Clinton, Mahto, & Sniderman, 2016). These systems, called Industrial Control Systems (hereinafter ICSs), are used to monitor, measure, and control the behaviour of industrial devices and equipment (Luiijf & te Paske, 2015; Maglaras et al., 2018). Industry 4.0 is bringing numerous benefits for the industries, such as “real-time information sharing . . . internetworking capabilities between . . . industrial networks . . . [and] more efficient electronic management, control and monitoring potentials” (Ani, He, & Tiwari, 2017, p. 33). Together with these benefits, Industry 4.0 is also bringing security concerns. The transformation of Industry 4.0 “increases the degree of complexity and communication among systems”, which results in ICSs being more vulnerable to cyber-attacks (Abdo et al., 2018). A cyber-attack is understood here as an act of interference from a malicious actor against a system with the intention of causing damage by exploiting a system’s vulnerability and causing an undesired consequence at the digital or physical level (The Hague Security Delta, 2015).

Protecting an industrial environment from a cyber-attack is challenging: ICS cybersecurity needs not only to mirror the security measures needed for traditional information technology (hereinafter IT) security that is used in corporate environments, but also to give special attention to ICS-specific characteristics, such as safety and reliability implications. For instance, a failure in ICS security in a process plant may cause catastrophic physical consequences, such as loss of human life; in addition, these systems usually have a long lifespan and cannot be updated or replaced frequently (Collier, Panwar, Ganin, Kott, & Linkov, 2015; Macaulay & Singer, 2012). Another issue is that, historically, ICSs were relatively isolated, meaning that “no contact was made with external entities”, and therefore they were considered secure from external threats (Ani et al., 2017). The most used security practice was “security through obscurity”, meaning complete isolation to avoid interferences (Knowles, Prince, Hutchison, Disso, & Jones, 2015, p. 52). Now, with technological innovations and the increase in competitiveness of industries, these systems have been updated with the use of “open technologies” and open communication capabilities (Knowles et al., 2015, p. 52). This has made many ICSs vulnerable to exploitation by malicious actors and has made the security through obscurity practice obsolete (Ani et al., 2017; Knowles et al., 2015).

One of the industrial sectors in which one can see this transformation is the chemical and process industry (Argenti, Landucci, Cozzani, & Reniers, 2017; van Erp, 2017). For the purpose of this thesis, the terms chemical and process industry are used to refer to organizations that possess industrial establishments that fall under the scope of the European Directive 2012/18/EU, also known as the Seveso III Directive. This includes any European industrial establishment “where dangerous substances are present in one or more installations, including common or related infrastructures or activities” as set in Article 3 of the Directive. This Directive is one of the most important pieces of European legislation regarding the protection of chemical and process establishments in Europe. Its main concern is the protection of human life, the environment, and the economy from “major accidents involving dangerous chemicals” (European Commission, 2017, para. 1).

An interesting aspect is that this Directive is only concerned with safety-related events. Safety is defined as “freedom from conditions that can cause death, injury, occupational illness, damage to or loss of equipment or property, or damage to the environment” (Kelvin & Hedrick, 1999, cited in Stouffer, Pillitteri, Lightman, Abrams, & Hahn, 2015). Safety-related events refer to unintended errors or systems failures that can lead to major accidents, such as fires or explosions (Baybutt, 2018). Security-related events, meaning malicious acts of interference deriving from either a physical or a cyber malicious source (Baybutt, 2018), are not explicitly covered by the Directive (Landucci, Argenti, Cozzani, & Reniers, 2017). Consequently, cybersecurity risks (such as cyber-attacks like TRITON and Stuxnet) are not yet generally considered within the scope of protection of chemical and process plants. However, it has been proven that if a plant is exposed to a cyber-attack, its integrity could be compromised and major accidents could occur as a consequence. It was found that the chemical process sector has a number of technical vulnerabilities that could be exploited due to the increasing integration of technical innovations (Kaspersky Lab ICS CERT, 2018). Of course, not all vulnerabilities lead to an attack. However, a growing number of cyber-attacks on industrial systems are being reported (Casson Moreno, Reniers, Salzano, & Cozzani, 2018; van Erp, 2017; World Economic Forum, 2018). In 2018, more than 40% of ICSs worldwide were attacked at least once (Kaspersky Lab ICS CERT, 2018). Although the majority of such cyber-attacks did not succeed in their purpose, their increasing number and sophistication suggest that the risk is increasing (World Economic Forum, 2018).

As proven by the TRITON malware, the possibility that the safety of a chemical process plant is being put at risk by a cyber-threat “is not entirely unlikely” (van Erp, 2017, p. 76). This industry could be in fact particularly attractive to malicious attackers due to the great amount of hazardous material that is dealt with on a regular basis (Casson Moreno et al., 2018; van Erp, 2017). It is considered one of the industrial sectors in which cyber threats are a serious and real possibility (Chemical Sector Coordinating Council & U.S. Department of Homeland Security, 2012). The risk of an attack to the industry’s ICS depends, of course, on the skills and motivations of the attackers, who can vary from state actors and terrorist organizations to single individuals with an internet connection (The Hague Security Delta, 2015). The attacks can vary from very simple attacks, to more complicated ones that require advanced skills and investments (The Hague Security Delta, 2015).

Despite these risks, ICS security has been considered as a “low priority goal” by many ICS stakeholders and has been “often overlooked” due to the perceived incompatibility of ICS processes and cybersecurity measures (Arampatzis, 2018, para. 2; Knowles et al., 2015, p. 52). This can be (partially) explained by the fact that cyber risks are “neither widely understood nor accepted” by stakeholders (van Erp, 2017, p. 77). Nevertheless, in a world where digital technologies are improving by the day and cyber threats are exponentially advancing, “a chemical plant is not safe unless its systems are secure” (Chemical Sector Coordinating Council & U.S. Department of Homeland Security, 2012, p. 2). For this reason, some companies within the chemical and process industry are starting to adopt a cybersecurity-oriented ICS strategy (Schwab & Poujol, 2018). To do so, many choose to follow existing security standards, guidelines or best practices. However, there is still ambiguity on how these practices are being followed, applied and evaluated (Knowles et al., 2015).

1.1 Aim of the study

In light of what was explained above, the question arises of how cybersecurity in the chemical process industry is managed. This entails what aspects need to be taken into consideration by the stakeholders of private companies in this industry to protect their ICS from malicious cyber-threats. Despite the abundance of cybersecurity frameworks, guidelines, and best practices, it still remains difficult to manage cybersecurity in these environments due to the peculiarity of ICS requirements and the need for industry-tailored measures (Collier et al., 2015; Knapp & Langill, 2011; Knowles et al., 2015). Previous academic literature on the topic includes qualitative and quantitative studies on IT security (e.g. Knapp, Marshall, Kelly Rainer, & Ford, 2007; Kankanhalli, Teo, Tan, & Wei, 2003), cybersecurity in critical infrastructures (Alcaraz & Zeadally, 2015; Laughlin, 2016; Limba, Plėta, Agafonov, & Damkus, 2017; Maglaras et al., 2018) and ICS-specific risk-management methodologies (Knapp & Langill, 2011). However, the scarcity of ICS-specific security metrics and guidelines on how to implement security frameworks is an issue that cannot be ignored (Collier et al., 2015; Knowles et al., 2015).

The purpose of this thesis is to fill the gap in the literature of cybersecurity in industrial chemical process environments by researching what chemical companies are doing to manage cyber-risks. It does so by providing: (1) a literature-based conceptual framework that aims at identifying the key concepts needed for the protection of ICS in the chemical process industry from malicious cyber-attacks, (2) an analysis of empirical data collected from experts’ interviews, that aims at discovering what the current level of cybersecurity in the industry is, and (3) a discussion of both the theoretical and the empirical results that will lead to possible recommendations for the industry.

1.2 Research Question

In light of what was explained above, this thesis answers the following exploratory research question:

How do organizations in the chemical and process industry manage cyber-risks in their Industrial Control Systems (ICS)?

This exploratory study will answer the research question by leveraging concepts from existing literature, and then performing semi-structured interviews conducted with cybersecurity experts coming from both inside companies and ICS cybersecurity consultancies that work with the chemical process sector. The goal is to get expert insights on how such companies deal with the increasing need for cybersecurity. The theoretical concepts derived from the existing literature on the topic will be used to structurally analyse the data collected during the interview and to draw conclusions on how the industry can improve, and what the next steps are for the companies.

1.2 Academic and Societal Relevance

This thesis contributes to the literature in ICS cybersecurity by providing an integrated – both conceptual and empirical – approach to further identify specific measures that can contribute to the development of a framework for cybersecurity implementation in this sector. This study provides a set of guiding factors that are specially tailored to the needs of chemical process industry ICS, and that could then also be used by organizations from other sectors to improve their cybersecurity capabilities. These factors are related to the governance of cybersecurity, the risk management procedures, and the cybersecurity measures.

Researching this topic is relevant for the academic literature in Crisis and Security Management because it contributes to the literature on cyber and industrial security. Although there is a vast amount of literature on IT security, and on the application of these criteria in ICS environments (Macaulay & Singer, 2012), there is a lack of empirical research on specific ICS cybersecurity in this sector. Furthermore, considering the possible catastrophic safety consequences that a cyber-attack could have on society, researching this topic adds to the discipline of public administration, crisis management and safety (Laughlin, 2016). Since cybersecurity in industrial settings is a relatively recent topic, and one that is continuously evolving due to the advance in technology and the associated risks, further and more thorough research is needed (Knowles et al., 2015). This study lays the basis for developing new academic research on how to effectively protect industries from growing cyber threats. Expanding the knowledge on this emerging security discipline is thus necessary and important.

Furthermore, this topic is societally relevant, as the chemical and process industry evolves in an increasingly digitalized world, where vulnerabilities are growing and there is a need for integration of new cybersecurity measures to enhance security for the industry, the people, and the environment surrounding it (Chemical Sector Coordinating Council & U.S. Department of Homeland Security, 2012). In many countries, such as the United States and the Netherlands, this industrial sector is considered part of the critical infrastructure sectors and therefore considered vital for the functioning of society (Department of Homeland Security, 2009; Ministerie van Justitie en Veiligheid, 2019). The importance of the chemical and process industry also derives from the fact that it “contributes to almost every manufactured product” and therefore supports many other industries such as “agriculture, automotive, construction, and pharmaceuticals” (Van Thienen et al., 2016, para. 1). Therefore, researching how to protect this industry is not only important for the needs of the industry itself, but also contributes to the long-term functioning of society.

This study contributes to the understanding that cyber threats and vulnerabilities to industrial systems are increasing and that there is a need for organizations to implement cybersecurity measures. Moreover, it bridges the conceptual and empirical findings, offering a more holistic approach to the topic of cybersecurity in industrial environments. This research can thus be seen as a practical contribution both to the private organizations that aim at reaching effective cybersecurity as well as to other bodies and agencies (such as regulatory bodies) that are related to the protection of chemical and process plants.

In those countries in which chemical process plants are considered critical infrastructures, their protection is also a matter of concern for national governments. However, the main responsibility lies in the private sector, i.e. the companies that own or manage the facilities (Laughlin, 2016; The Hague Security Delta, 2015). This is why this thesis chooses to focus only on the private sector and not on the role of the governments – although one should not underestimate the importance of government support in rules and regulations around cybersecurity in critical infrastructure (Laughlin, 2016).

1.3 Reading Guide

This thesis is structured as follows. Chapter 2 provides background knowledge on the topics of Industrial Control Systems and cybersecurity risks. Chapter 3 highlights concepts from ICS cybersecurity management and identifies the main factors that will then be used to structure the analysis. Chapter 4 elaborates on the research methods used in this thesis and on the operationalisation of the theoretical concepts. Chapter 5 presents the results, and Chapter 6 concludes with the limitations of the research and recommendations for academia and the industry.


2 Background

This chapter offers a representative sample of previous literature on the topic of cybersecurity in industrial environments. First, it gives an introduction on Industrial Control Systems, and second it elaborates on the definition of cybersecurity risk.

The term cybersecurity is nowadays being used in different contexts and subjects, and it entails a variety of dimensions and disciplines (Craigen, Diakun-Thibault, & Purse, 2014; Singer & Friedman, 2013). For the purpose of this thesis, it is useful to distinguish between two, although highly interconnected, dimensions of cyber. The first dimension is Information Technology (IT). This refers to the common enterprise technology, such as office hardware, software, and networks (Munnings-Tomes & Scott, 2017). IT security is generally related to the protection of confidentiality, integrity, and availability of information (also called the CIA-triad) (Torres, Sarriegi, Santos, & Serrano, 2006). The second dimension is Operational Technology (hereinafter OT), also called Industrial Control Systems (ICSs), which refers to the technology that is related to physical processes and systems (Colbert & Kott, 2016, p. 51; Munnings-Tomes & Scott, 2017). ICS is an encompassing term that refers to several types of systems and networks designed and constructed for industrial environments (Ani et al., 2017; Mattioli & Moulinos, 2015; Stouffer et al., 2015). Because ICSs are strictly linked to physical processes and operation, ICS cybersecurity has the primary goals of protecting the “availability, visibility, operability, and integrity of the ICS-controlled processes, the process efficiency, and safety”, thus mixing the IT and OT worlds (Colbert & Kott, 2016; Luiijf & te Paske, 2015, p. 24).

2.1 Introduction to Industrial Control Systems (ICSs)

ICSs can be composed of different equipment, which can have various functionality depending on the industry in which it is used (e.g. chemical, manufacturing, energy, etc.). Typically, ICSs are composed of a monitoring and controlling system, such as Supervisory Control and Data Acquisition (SCADA) systems or Distributed Control Systems (DCSs). These systems can, for instance, monitor data coming from controllers, such as Programmable Logic Controllers (PLCs), which are then sent to operators through a Human-Machine Interface (HMI). They can also control processes and industrial equipment by defining parameters and sending them to actuators such as valves, breakers, or switches (Knapp et al., 2007; Stouffer et al., 2015).


Historically, ICSs were relatively isolated from other systems, meaning that they did not have any external contact with other entities (Ani et al., 2017). With the proliferation of technological innovation, IT technologies and practices started to be implemented also in the operations’ domains, and ICSs started to become more interconnected (Brenner, 2013). Due to this integration, ICS and IT components now can interact together in intertwined layers of networks. These layers are commonly categorised according to the Purdue Model for Control Hierarchy illustrated in Figure 1 (Macaulay & Singer, 2012).

Figure 1 ICS plant logical framework. Reprinted from Didier et al., 2011, p. 2–2

As can be seen in the figure, the first layer is the Safety Zone, in which there are devices called Safety Instrumented Systems (SISs), a special type of PLC, that are used to manage the safety functions of an ICS and make sure that, in case of danger, the system enters a fail-safe mode (i.e. a system that shuts down in a way that causes no harm to other devices or personnel). These systems are considered critical for chemical and process plants, and therefore should never be connected to any other systems to avoid compromising them (Didier et al., 2011; Knowles et al., 2015). In the Manufacturing Zone, devices like sensors, actuators and controllers operate and are monitored. These levels often communicate with the business applications in the Enterprise Zone (the traditional IT business services) through a demilitarized zone that allows information to be securely shared (Didier et al., 2011; Knowles et al., 2015). Different ICS assets are usually distributed in different geographical areas and are monitored by SCADA systems that send data to a central operation centre (Stouffer et al., 2015).


The increased openness, connectivity, and modernization of ICSs increased the risks related to malicious cyber activities within industrial environments (European Network and Information Security Agency (ENISA), 2011). The next section elaborates on the definition of cybersecurity risk.

2.2 ICS Cybersecurity Risks

Before diving into the concept of cybersecurity risk, an introductory explanation of risk in industrial environments is needed. Industrial risk analysis is one of the backbones of the chemical and process industry due to the many hazards that can be found in a plant (Abdo et al., 2018). Traditionally, industrial risk analysis is concerned with safety risks, meaning that much importance is given to identifying those hazards that can lead to negative consequences on the environment and the people around it (Abdo et al., 2018; Colbert & Kott, 2016; Piètre-Cambacédès & Bouissou, 2013). Here, a difference between a safety and a security risk needs to be considered. Many authors have compared the terms safety and security in industrial environments, although they mainly refer to engineering concepts (Burns, McDermid, & Dobson, 1992; Firesmith, 2003; Piètre-Cambacédès & Bouissou, 2013). The main aspect relevant for this thesis that differentiates safety and security risks is the source, or origin, of the risk. On the one hand, safety risks are related to unintended actions, accidents, system failures, or human errors. On the other hand, security risks derive from malicious sources through an attack (Abdo et al., 2018; Kriaa, Bouissou, Piètre-Cambacédès, & Halgand, 2015). Security risks can be caused by a malicious attacker using either physical means (which are outside of the scope of this thesis) or cyber means (Abdo et al., 2018).

A cybersecurity risk towards an ICS is defined “in terms of likelihood and effects of a given threat exploiting a potential vulnerability” (Abdo et al., 2018, p. 176). Vulnerabilities are “weaknesses in information systems, system procedures, controls, or implementations that can be exploited by a threat source” (Stouffer et al., 2015, p. C–2). Vulnerabilities can be exploited by attackers in order to take control of the system and perform a malicious action that could possibly cause damage (Limba et al., 2017). Vulnerabilities can be technical weaknesses, as well as poor management and organizational practices and low compliance with security measures (Ani et al., 2017; Macaulay & Singer, 2012). A threat is defined as “any circumstance or event with the potential to adversely impact organizational operations. . . organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service” (Stouffer et al., 2015, p. C–1). A threat source, or attacker, can have various capabilities and intentions depending on their background and motivations. For example, the nature of attackers can range from nation-states trying to disrupt other states’ critical infrastructure systems, to terrorist groups, greedy insiders, or script kiddies (Ani et al., 2017; Stouffer et al., 2015).

The exploitation of one or more vulnerabilities by a malicious actor can lead to potential consequences, or threat events. These can, for example, target the availability of a system by denying access or control to the system, or involve the manipulation and sabotage of certain critical operations and the manipulation of safety controls (Stouffer et al., 2015). Cyber-attacks on ICSs can cause physical, economic, and social consequences (Stamp, Dillinger, & Young, 2003). This is a major challenge in ICS environments, since damage from a cyber-attack is measured not only in financial or reputational losses, but in terms of “loss of life, cost of recovery, environmental impact and global/regional economic impact” (Laing, Badii, & Vickers, 2013, p. 223).


3 Theoretical Framework: ICS Cybersecurity Management

This chapter provides a conceptual review of the most important factors of ICS cybersecurity management. Due to the scarcity of ICS-specific literature on this topic, this chapter is also supported by IT security and organization management literature. This is possible because the principles that are used to protect industrial systems from cyber-threats “are aligned with those to prevent cyber-attack to any computerised system or process, i.e. Information Technology” (Munnings-Tomes & Scott, 2017, p. 4).

Cybersecurity management can be defined as the multidisciplinary (technical, managerial, and organizational) measures taken by an organization to protect its assets (whether physical or digital) from cyber-threats (Bulgurcu, Cavusoglu, & Benbasat, 2010; Posthumus & von Solms, 2004). According to Lezzi, Lazoi, & Corallo (2018), cybersecurity management is characterized by the following phases. First, the identification of the vulnerabilities and threats to the systems, answering the question “what is to be protected against?”. Second, the analysis of the consequences of a cyber-attack on a system, answering the question “what are the impacts?”. And finally, identifying possible solutions and answering the question “how should you protect yourself?” (p. 102). For the sake of clarity, a preliminary categorisation to conceptualize cybersecurity management has been made based on the information of the previous chapter as well as a scan of the relevant literature. These categorisations will be used later in this thesis to structure the analysis. Although these categories are highly intertwined, it is useful to distinguish between governance and risk management.

First, governance refers to the organizational measures taken at the corporate level of a company (Conner, 2004). Section 3.1 is concerned with the implications of governance for cybersecurity management. Second, risk management can be defined as the “identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities” (de Cruz & Bentes, 2013, p. 563). One can separate two different processes in risk management: the identification of risks (i.e. risk assessment) and the actions, or measures, implemented to manage these risks. Section 3.2 is concerned with the assessment of the risks, while Section 3.3 with the cybersecurity measures. The three main concepts – governance, risk assessment, and measures – are divided into sub-categories. Figure 2 illustrates this conceptual division.

[Figure 2 Structure of the conceptual framework. Figure not reproduced; box labels: Governance (Organizational Structure, Senior-management Support), Scope of Risk Assessment, Safety and Security Integration, Non-technical Measures, Technical Measures]

3.1 Governance

This section explores the concept of governance of cybersecurity management, which is defined in this thesis as the merging of corporate governance of an organization – i.e. “the set of policies and internal controls by which organizations . . . are directed and managed” – with the processes of managing cybersecurity risks (Conner, 2004, para. 4; Johnston & Hale, 2009). In fact, cybersecurity is closely related to how it is organized and managed within the organization (Tipton & Krause, 2007). This means that cybersecurity should not be viewed merely “as an IT issue”, but instead as a general business concern throughout all departments in an organization (Munnings-Tomes & Scott, 2017, p. 9). Stouffer et al. (2015) argue that the organizations that want to improve their ICS cybersecurity capabilities need first to develop a “business case for security” (p. 4-2). In order to do so, there are two aspects that organizations should consider: organizational structure and senior-management support. These two factors were chosen because they were the most recurrent in the governance of cybersecurity literature. The next sections elaborate on these.


3.1.1 Organizational structure

Organizational structure is defined as the “method by which organizational activities are divided, organized and coordinated” (Ahmady, Mehrpour, & Nikooravesh, 2016, p. 456). It refers to the division of roles and responsibility within an organization, how they are set up and coordinated, and how different departments collaborate with each other (Ahmady et al., 2016). A clear structure is essential for organizations, especially complex ones, as it facilitates the connection between the organizational goals and how people and processes behave towards those goals (Pertusa-Ortega, Zaragoza-Sáez, & Claver-Cortés, 2010; Sennewald, 2003). Although there exist many security governance structures that organizations can adopt, one of the most important factors is that this structure, or governance model, facilitates the attainment of the goals and objectives of the organization (Robbins, 1990; Tipton & Krause, 2007).

According to Robbins (1990), organizational structure has three dimensions: complexity, formalization and centralization. First, complexity refers to how the roles and responsibilities within organizations are divided, i.e. the “degree of differentiation” among units (p. 83). The more specialization there is within a company, the more complex it becomes. This thesis assumes that the organizations that are subjects of this study have a high degree of complexity. Robbins (1990) argues that greater complexity within an organization leads to a higher responsibility of management to make sure that the different units cooperate and communicate together to reach the organization’s goal. This connects to the concept of integration studied by Lawrence and Lorsch (mentioned in Robbins, 1990). Integration refers to the “quality of collaboration that exists among interdepended units or departments that are required to achieve unity of effort” (p. 216). This concept is important in the context of this thesis because, due to the characteristics of industrial environments that were explained in the previous chapter, ICS cybersecurity management needs the cooperation between highly differentiated departments such as operations, IT, and management (European Network and Information Security Agency (ENISA), 2011). Stouffer et al. (2015) argue that in these kinds of environments there needs to be a “cross-functional team” that is able to merge different kinds of knowledge in the operational departments as well as in the IT/business and management ones (which, for the sake of clarity, are in this thesis referred to as the OT and IT departments, although there may be variations in reality) (p. 4-5). Therefore, integration is seen as a fundamental aspect for ICS cybersecurity in chemical companies.

The second aspect mentioned by Robbins (1990) is formalization. This refers to the degree to which the organization sets rules and procedures to guide the people in their work. The more structured and explicit the rules and procedures within an organization, the more formalized it is. According to Straub & Collins (1990), having a formalized method of organizational structure is essential for organizations that want to tackle information security risks. In the context of ICS cybersecurity, it is understood as the degree of formalization of ICS requirements, policies, and programs within an organization (Stouffer et al., 2015). Finally, the third aspect mentioned by Robbins (1990) is centralization, which refers to the level at which the decision-making process happens within an organization, and to what extent responsibilities are delegated. In the context of this thesis, centralization refers specifically to the extent to which ICS cybersecurity responsibilities are delegated throughout the organizations, including the different plants.

3.1.2 Senior Management Support

In order to have a good organizational structure, there needs to be adequate guidance from the top-level management. This is in fact considered as an essential aspect within the information security academic literature (Knapp et al., 2007; Tipton & Krause, 2007). Senior management support is defined as the “degree that senior management understands the importance of the security function and the extent that management is perceived to support security goals and priorities” (Tipton & Krause, 2007, p. 55). This definition can be broken down into two parts: first, there is the cognitive aspect of acknowledging something that is important for the organization. This is the first step to be reached, as top management has the most power within an organization to support and implement change. Moreover, the recognition of something from the senior management can positively influence the behaviour of all other employees towards it (Knapp et al., 2007; Singh, Gupta, & Ojha, 2014). It is in fact recognized in the literature that it is of critical importance that cybersecurity is considered a main priority by the upper level of an organization (Conner, 2004; Eloff, 1988; Kankanhalli et al., 2003; Knapp et al., 2007; Posthumus & von Solms, 2004; Singh et al., 2014; von Solms, 2001).


Second, there is the aspect of supporting these new security priorities, and the perception of it by the other levels in the organization. Once top management has acknowledged the importance of something, such as a new security issue, they have the power to make sure that the whole organization’s values and goals are in line with these changes (Trim & Upton, 2013). Having senior management support is important for cybersecurity as it “can significantly influence resource allocation and act as a champion of change in creating an organizational environment conducive to security goals” (Knapp et al., 2007, p. 52). Top management support was also proven to positively influence the compliance of information security policies by employees (Hu, Dinev, Hart, & Cooke, 2012).

In the ICS context, it is recognized that an ICS cybersecurity program will not be successful if not accompanied by the active participation of upper level management (Stouffer et al., 2015). It was found by the European Network and Information Security Agency (ENISA) (2011) that it is “essential” that top management realizes that ICS security is an investment rather than a cost or constraint (p. 14). By recognizing cybersecurity risks within the organization’s environment, senior management can in fact shift prioritization of finances and resources towards policies and procedures aimed at protecting the organization from cyber risks and facilitate the compliance of these by employees (Hu et al., 2012; Singh et al., 2014).

This section elaborated on the governance of cybersecurity by explaining the concepts of organizational structure and senior management support. These processes, however, in order to be successful, need to be carried out within a risk-management program (Stouffer et al., 2015). The next section elaborates on this concept.

3.2 Risk Assessment

The previous section explored how governance plays a role in the cybersecurity management of an organization. It showed how senior management support and organizational structure are important for reaching the organization’s goals. In order to achieve this, companies need to consider various kinds of risks to which they are exposed, and take decisions based on their business priorities (Blakley, McDermott, & Geer, 2001; Walker, 2013). As explained beforehand, the development in Industry 4.0 technologies, and the consequent increased connectivity and automation of ICSs, has introduced new risks for organizations. Systems that were isolated before are now vulnerable to malicious cyber-attacks, and threats targeting specifically ICSs are increasing (Chockalingam, Hadžiosmanović, Pieters, Teixeira, & van Gelder, 2017; Knowles et al., 2015). Risk assessment is the first step of the risk management process, and it has the following definition:

Risk assessment – “overall process of risk identification, risk analysis and risk evaluation” (ISO, 2009, Def. 2.2), where risk identification is the “process of finding, recognizing and describing risks” (ISO, 2009, Def. 2.15), risk analysis is the “process to comprehend the nature of risk and to determine the level of risk” (ISO, 2009, Def. 2.21) and risk evaluation is the “process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable” (ISO, 2009, Def. 2.24). (Cited in Cherdantseva et al., 2016, p. 19).

The process of risk assessment is “one of the most crucial parts of the risk management process as it is the basis for making risk treating decisions” (Chockalingam et al., 2017, p. 2). It includes identifying vulnerabilities and threats, what consequences can derive from them, and to what extent the organization is willing to accept, mitigate, or transfer the risk (Francia, Thornton, & Dawson, 2012; Jones & Ashenden, 2005; Macaulay & Singer, 2012; Patel & Zaveri, 2010).

3.2.1 Scope of Risk Assessments

Organizations should consider that ICS risk assessment should have a specific scope. There exists an abundance of ICS risk assessment methodologies, including best practices, guidelines, and academic publications that aim at helping organizations measure risks (Cherdantseva et al., 2016; Knowles et al., 2015; Macaulay & Singer, 2012). Although many IT risk assessment methodologies can be applied in ICS environments, the risk assessment process in the ICS context is different from the purely IT or the physical ones (Knowles et al., 2015; Stouffer et al., 2015). Because the consequences of a cyber-attack can directly or indirectly affect safety and integrity of physical systems, merely IT-based risk assessment methodologies are not sufficient, as they rely on different security goals (the CIA-triad, as mentioned in Chapter 2). ICS risk assessments therefore need to consider the impacts – being physical or digital – of a cyber-attack on the operational level. Traditionally, industrial risk analysis is mostly concerned with safety (Reniers, 2017). However, due to the high intertwinement of the physical and cyber world in the ICS environment, an integrated safety and security approach to risk management is needed (Abdo et al., 2018; Ani et al., 2017; Knowles et al., 2015; Kriaa et al., 2015; Stouffer et al., 2015). The next sub-section elaborates on this concept.

3.2.2 Safety and Security Integration

Safety culture is highly embedded in the chemical and process industry (Reniers, 2010; Stouffer et al., 2015). In Europe, safety risk assessment of chemical and process plants is regulated by the Seveso III Directive (European Commission, 2017). The Directives aim at setting requirements to protect such establishments from the potential hazard of dangerous materials. These materials can be potentially toxic and be involved with potentially dangerous process conditions that, if not handled properly, can cause accidents such as spillages or explosions (Baybutt, 2018). The Directive requires companies to have a robust safety report in which all risks and hazards are identified. This serves the purpose of recognizing “the hazards and hazardous events of the process and associated equipment, the process risks associated with the hazardous events, and the safety functions to achieve the necessary risk reduction” (de Cruz & Bentes, 2013; Sabaliauskaite & Mathur, 2015, p. 3). Once safety hazards are determined, safety measures, such as the SIS requirements, are established (Sabaliauskaite & Mathur, 2015).

As mentioned in the previous chapter, the Directives do not mention explicitly risks related to intentional cyber-attacks (Landucci et al., 2017). Generally, cybersecurity is in fact not considered in industrial risk analysis, because of the traditional misalignment between safety and security (Sabaliauskaite & Mathur, 2015; “Securing safety systems in industrial installations and critical infrastructures,” 2019). Cybersecurity risks are instead considered separately, often only in the IT realm instead of the operational one (Stouffer et al., 2015). Risk management for industrial systems, however, “plays a major role in dealing with both unintentional/non-malicious, and intentional/malicious threats” (Chockalingam et al., 2017, p. 2). A full protection of ICSs is not reachable when safety and security are not aligned, as they both have several interdependencies (Sabaliauskaite & Mathur, 2015). For this reason, in recent years academics have tried to develop integrated risk assessment methodologies in which both safety and security are considered (Abdo et al., 2018; Chockalingam et al., 2017; Kriaa et al., 2015; Sabaliauskaite & Mathur, 2015). An integrated safety and security risk assessment would in fact provide more completeness to the risk management process (Chockalingam et al., 2017). With this in mind, it is interesting to question whether this methodological integration is happening in practice in the organizations.

The second step of risk management is to deal with the identified risks by implementing measures. The following section elaborates on some cybersecurity measures that are recognized to be important for organizations to consider.

3.3 Cybersecurity Measures

After an organization has assessed and evaluated the risks that it faces, it needs to establish a program in which measures against these risks are decided and implemented throughout the organization (Leith & Piper, 2013). It is widely recognized in the literature of cybersecurity that a cybersecurity program needs a balance between technical measures and social measures (Kayworth & Whitten, 2010). This thesis divides cybersecurity measures according to whether they are of technical or non-technical nature. The following sub-sections elaborate specifically on these measures.

3.3.1 Technical measures

Technical measures are the “bedrock of modern ICS setups” (Ani et al., 2017, p. 63). It is inevitable that ICSs, especially due to the innovations of the Industry 4.0 trend, become more dependent on higher connectivity and enhanced communication (“Cyber security for industrial assets,” 2009). This increases the technical vulnerabilities to which ICSs are exposed, as explained in Chapter 2 of this thesis. The technical security measures that are needed are therefore a combination of traditional IT security measures that are used to protect the enterprise environment, and ICS-specific measures that tackle the special characteristics of the operational environment (Ani et al., 2017). Although there are many standards and guidelines on the topic (see for example Knowles et al., 2015; Leith & Piper, 2013; Stouffer et al., 2015), the most relevant for this thesis are found to be the following: network segmentation and segregation, access control, and securing the safety systems.

As seen above, an ICS environment involves different layers of networks, from the purely operational/physical level to the enterprise level. Modern ICSs often require enhanced connectivity among these different layers, which can pose a great cybersecurity risk as it opens the operational environment up for cyber-attacks (Stouffer et al., 2015). A secure network architecture is therefore needed to prevent this from happening (Ani et al., 2017; Weiss, 2016). This includes “partitioning a network into smaller networks”, which is called network segmentation, and “developing and enforcing a ruleset for controlling the communications between specific hosts and services” which is called network segregation (Australian Cyber Security Centre, 2019, p. 1). These two practices are considered amongst the most important measures to protect ICSs from unauthorized access to the networks that can lead to a cyber-attack (Stouffer et al., 2015). Another related aspect that organizations have to take care of is access control, i.e. making sure that access to the ICS networks and devices is only allowed to those who have the right to (Stouffer et al., 2015). This includes making sure that those who access the ICS network remotely – such as operators from a different geographical location, or third-parties like vendors and service providers – do not provide attackers with the possibility of accessing as well (Homeland Security, 2010).
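The two practices defined above can be made concrete with a small audit, added here as an illustration and not part of the thesis or of any cited guideline: segmentation as a mapping of address ranges to zones, segregation as a default-deny allow-list between zones and services. All zone names, address ranges, rules, design constraints and flows are constructed assumptions.

```python
import ipaddress
from typing import NamedTuple


class Rule(NamedTuple):
    src: str      # source zone
    dst: str      # destination zone
    proto: str
    port: int


class Flow(NamedTuple):
    src_ip: str
    dst_ip: str
    proto: str
    port: int


# Segmentation: the network partitioned into smaller networks (zones).
# Names and ranges are constructed for this example.
ZONES = {
    "enterprise": "10.10.0.0/16",
    "dmz": "10.20.0.0/24",
    "control": "10.30.0.0/24",
    "safety": "10.40.0.0/28",
}

# Segregation: an explicit allow-list between zones; everything else is denied.
RULES = [
    Rule("enterprise", "dmz", "tcp", 443),
    Rule("external", "dmz", "tcp", 443),        # remote users and vendors stop at the DMZ
    Rule("dmz", "control", "tcp", 3389),
    Rule("control", "dmz", "tcp", 443),
    Rule("enterprise", "control", "tcp", 502),  # deliberately weak rule, caught by audit_rules
]

# Assumed design constraints for the audit (not taken from the thesis):
# only the DMZ may open connections into control, only control into safety.
ALLOWED_SOURCES = {"control": {"dmz"}, "safety": {"control"}}


def overlapping_zones(zones):
    """Return pairs of zones whose address ranges overlap (a segmentation error)."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in zones.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def zone_of(ip, zones):
    """Map an address to its zone; anything outside every zone is 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in zones.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return "external"


def check_flow(flow, zones, rules):
    """Default-deny decision for one observed flow: (allowed, reason)."""
    src, dst = zone_of(flow.src_ip, zones), zone_of(flow.dst_ip, zones)
    if src == dst and src != "external":
        return True, f"intra-zone traffic in {src}"
    if Rule(src, dst, flow.proto, flow.port) in set(rules):
        return True, f"rule {src}->{dst} {flow.proto}/{flow.port}"
    return False, f"no rule for {src}->{dst} {flow.proto}/{flow.port}"


def audit_rules(rules):
    """Flag allow rules that let an unexpected zone reach control or safety."""
    findings = []
    for r in rules:
        allowed = ALLOWED_SOURCES.get(r.dst)
        if allowed is not None and r.src not in allowed:
            findings.append(f"{r.src}->{r.dst} {r.proto}/{r.port}: only "
                            f"{', '.join(sorted(allowed))} may initiate into {r.dst}")
    return findings


# Constructed flows, as they might be read from firewall or flow logs.
FLOWS = [
    Flow("10.10.4.20", "10.20.0.5", "tcp", 443),     # enterprise -> dmz
    Flow("203.0.113.7", "10.30.0.11", "tcp", 3389),  # external -> control
    Flow("10.20.0.5", "10.30.0.11", "tcp", 3389),    # dmz -> control
    Flow("10.20.0.5", "10.40.0.2", "tcp", 502),      # dmz -> safety
    Flow("10.10.4.20", "10.30.0.11", "tcp", 502),    # enterprise -> control
    Flow("10.30.0.11", "10.30.0.12", "tcp", 502),    # inside control
]

if __name__ == "__main__":
    print("overlaps:", overlapping_zones(ZONES))
    for f in FLOWS:
        print(f, check_flow(f, ZONES, RULES))
    for finding in audit_rules(RULES):
        print("ruleset finding:", finding)
```

The fifth flow is allowed because the ruleset itself contains a rule that skips the DMZ; checking traffic against the rules does not reveal this, which is why the ruleset is audited separately.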

When technical vulnerabilities cannot be tackled by specific measures, organizations need to take “compensating measures” instead (Ginter, 2013, p. 5). One of these compensating measures is the protection of the safety systems, or SIS. SIS are extremely important in the chemical and process industry, as their function is “avoiding dangerous situations in the production system by stopping or shutting down processes if unsafe conditions develop” (Macaulay & Singer, 2012, p. 14). These systems differ from other types of ICSs because they only operate in case a dangerous situation happens, and therefore are related to process safety controls that are aimed at avoiding random failures. These controls are therefore outside of the scope of cybersecurity, which is mainly focused on protecting the systems from exploitations of vulnerabilities and malicious acts of interference (Macaulay & Singer, 2012). However, as it was proven by the TRITON malware, the SIS can be tampered with through a cyber-attack, and that can cause the plant to not fail-safe, therefore increasing the risk of catastrophic consequences (Johnson et al., 2017; Macaulay & Singer, 2012; Mostia, 2016; “Securing safety systems in industrial installations and critical infrastructures,” 2019). It is thus crucial that, “no matter what the cyber-attack, these systems are able to detect unsafe conditions and trigger a safe shutdown” (Ginter, 2013, p. 5).


3.3.2 Non-technical measures

Technical measures alone do not work if they are not understood by the people who have to implement them (Kayworth & Whitten, 2010). Non-technical controls are measures targeting people, policies and procedures that an organization undertakes to reach or comply with security goals (Ani et al., 2017). The most mentioned measures in the literature of cybersecurity for ICS are awareness, trainings and incident readiness.

First, awareness is considered one of the most important aspects in the literature of cybersecurity (Ani et al., 2017; Kayworth & Whitten, 2010; Tu & Yuan, 2014). People must be aware of which threats their organization is exposed to, which vulnerabilities could be exploited, and what they can do to prevent incidents (Tu & Yuan, 2014). Without a proper understanding of the security of an organization, employees – including management – might become themselves a threat for the organization (Van Niekerk & Von Solms, 2010). This is because awareness of cybersecurity allows people to work securely, recognize cases of cybersecurity issues, and consequently respond to them in an appropriate way (Ani et al., 2017). In order to do so, the organization has to make sure that a culture of cybersecurity develops within all departments (Krutz, 2006; Tu & Yuan, 2014). In the ICS context, this can entail a “paradigm shift in thinking” from a well-established safety culture to a combined culture of safety and cybersecurity (Krutz, 2006, p. 106). In order to do so, personnel need to be educated. An organization can make sure that training programs are in place so that employees can learn and understand new skills that they can then apply to their daily job (Munnings-Tomes & Scott, 2017). Specific trainings tailored to the employees’ needs can “help employees understand why new access and control methods are required, ideas they can use to reduce risks, and the impact on the organization if control methods are not incorporated” (Stouffer et al., 2015, pp. 6–13).

As seen above, having a cybersecurity culture integrated in the safety culture of an organization also entails recognizing that cyber-threats can have safety consequences. Incident readiness can therefore be understood as the degree to which an organization is prepared to deal with a cyber incident that can affect the operational environment (Stouffer et al., 2015). This can be translated into practical measures by identifying what consequences – both at the physical and digital levels – a cyber-attack can have on the organization (Munnings-Tomes & Scott, 2017). Having a clear Business Impact Analysis and Disaster recovery plan that includes ICS cybersecurity provisions is therefore essential to be protected against a cyber-attack (Munnings-Tomes & Scott, 2017; Stouffer et al., 2015).

3.4 Summary of Theoretical Framework

This chapter proposed a conceptual framework based on previous research on cybersecurity management in ICS, IT, and organizational literature. It identified various cybersecurity management factors that organizations in the chemical and process industries should consider when dealing with ICS cybersecurity risks. These factors were categorised based on whether they related to governance – i.e. organizational structure and senior management support – or risk management. Risk management was divided into risk assessment – i.e. the identification of risks and the consequent alignment of safety and security risks necessary for ICS environments – and cybersecurity technical and non-technical measures. With this in mind, it is now interesting to investigate how organizations in the chemical process industry approach ICS cybersecurity. The next chapter elaborates on the methodology used in this thesis.


4 Methodology

This chapter outlines the methodology used in this thesis to answer the research question: How do organizations in the chemical and process industry manage cyber-risks in their Industrial Control Systems (ICS)? The chapter starts with defining the research design and methodology, the operationalisation of concepts, the data collection and analysis, and finally discusses the validity and reliability issues of the research.

4.1 Research design

To answer the research question, this thesis uses a qualitative exploratory research design. Qualitative research is used in social sciences to “explore, describe, or explain social phenomenon” (Leavy, 2014, p. 2). As the research question of this thesis aims at exploring the status of cybersecurity in a specific sector, and due to the dearth of empirical research on the subject, qualitative research was deemed appropriate for the study (Stebbins, 2012, p. 329). Moreover, due to the limited time and resources of the researcher, qualitative research was deemed best suited for this study, as it allows for small samples that do not require an elevated amount of resources and time (Dickinger, 2007).

The study uses the status of ICS cybersecurity in chemical process companies as a unit of analysis, and the individuals (experts) that were interviewed are the unit of observation. The conceptual framework developed in Chapter 3 of this thesis was used to develop the interview questionnaire for the experts. To sum up, the framework includes first exploring the organizations’ level of organizational structure and senior management support (Ahmady et al., 2016; Robbins, 1990; Tipton & Krause, 2007). Second, it includes exploring whether the organizations’ risk assessments include cybersecurity risks, and whether they relate to the integration of safety and cybersecurity (Abdo et al., 2018; Kriaa et al., 2015; Stouffer, Falco, & Scarfone, 2011). Finally, it includes exploring what kind of technical and non-technical measures organizations are implementing to manage cyber-risks (Ani et al., 2017; Stouffer et al., 2015).

The theories and concepts are used to structure the presentation of the empirical data in the next chapter. This means that the data collected from the interviews has been analysed with the purpose of understanding the data based on the previous knowledge given by the existing literature. The next sub-section elaborates on how the theoretical concepts are operationalised into empirical indicators.

4.1.1 Operationalisation of concepts

The process of operationalisation of concepts in qualitative research consists of two phases (Berg, 2001). The first one is to make sure that the concepts used throughout the research are well defined and understandable for the reader. The second one is that the concept is transformed into some form of measurement “intended to calculate how much or to what degree that concept exists” (p. 26). In this thesis, this process is laid out in the following tables. The tables include the definition of the concepts and sub-concepts of the previous chapter, the indicators that will be used to measure the concepts against the empirical data, and finally the reference to the interviews’ question(s) related to that concept. The tables are divided according to the concept categorization of Chapter 3: Governance (Table 2), Risk Assessment (Table 3), and Cybersecurity Measures (Table 4).

Table 2: Governance

| Concept | Definition | Sub-concept | Definition of sub-concept | Indicator | Reference |
|---|---|---|---|---|---|
| Organizational Structure | The “method by which organizational activities are divided, organized, and coordinated” (Ahmady, Mehrpour, & Nikooravesh, 2016, p. 456) | Integration | The degree of cooperation between the different departments | The IT and OT departments collaborate and form a cross-functional team for ICS cybersecurity | 8.1.2, 8.2.2 |
| | | Formalization | The degree in which the organization sets rules and procedures to guide the people in their work | There is an ICS cybersecurity policy and ICS cybersecurity rules and procedures are formalized in clear sets of provisions. | |
| | | Centralization | The level in which decisions are made within an organization | The decisions regarding ICS cybersecurity are taken either at the central level or local (i.e. each plant) level. | |
| Senior Management Support | The “degree that senior management understands the importance of the security function and the extent that management is perceived to support security goals and priorities” (Tipton & Krause, 2007, p. 55). | Acknowledgment | The degree in which senior-management is aware and acknowledges that something is important for the organization | Senior management regards ICS cybersecurity as a top-priority together with the other organization’s values | |
| | | Support | The degree in which senior management supports new policies and measures. | Senior management actively supports ICS cybersecurity by allocating resources | |

Table 3: Risk Assessment

| Concept | Definition | Indicator | Reference |
|---|---|---|---|
| Scope of risk assessments | The nature of vulnerabilities, threats, and consequences considered in risk assessment. | The organization includes ICS cybersecurity in its risk assessments, recognizing the connection between cyber-risks and physical consequences. | 8.1.3, 8.2.3 |
| Safety and Security Integration | The recognition that cybersecurity risks should be included in the traditional process safety analysis in order to enhance and protect process safety | Industrial safety risk assessment and ICS cybersecurity risk assessment are aligned, and there is an understanding that | |

Table 4: Cybersecurity Measures

| Concept | Definition | Sub-concept | Indicator | Reference |
|---|---|---|---|---|
| Non-technical Measures | Measures intended to address people and processes vulnerabilities | Awareness | The organization has specific awareness programs in place and values cybersecurity culture | 8.1.4, 8.2.4 |
| | | Training | The organization has specific ICS cybersecurity trainings available for the employees | |
| | | Incident readiness | A cyber-attack is considered in the emergency response plan of the organization. | |
| Technical measures | Measures intended to tackle technical vulnerabilities | Network segmentation and segregation | The organization has a clear segmentation and segregation of network layers both in the OT and IT environment | |
| | | Access Control | The organization takes measures to prevent unauthorized access to the ICS environment. | |
| | | Protection of Safety Systems | The protection of the organization’s SIS is in the | |

4.2 Data Collection Method

Data collection refers to the process, or means, by which the data was collected by the researcher (Berg, 2001; Firmin, 2012). For this thesis, the researcher chose semi-structured expert interviews as a data collection method. The semi-structured method of interviewing consists of “several key questions that help to define the areas to be explored, but also allows the interviewer or interviewee to diverge in order to pursue an idea or response in more detail” (Gill, Stewart, Treasure, & Chadwick, 2008, p. 291). This method was chosen because it gave enough flexibility to explore the topic by giving the interviewees more liberty in developing their answers. Two interview questionnaires that covered all the concepts were developed by the researcher: one for the interviews with the experts from the chemical companies, and one for the interviews with the experts from the consultancy company (Alshenqeeti, 2014). This differentiation was done because, although the questions were fundamentally the same, the nature of the interviewees was different and therefore required tailored questions. In fact, the consultants were asked to speak of their general experience with chemical companies, while the industry professionals were asked specific questions about their companies. The interviews started with a general description of the digitalization progress in the chemical process industry, in order to introduce the topic of cybersecurity within that context. All interviews were done in person, lasted between 45 minutes and 1 hour, and were recorded. All recordings were then “transcribed . . . corrected, and edited” so that they could be easily organized and analysed by the researcher (Berg, 2001, p. 34).

4.1.1 Expert Interviews

An expert is defined as someone who “has knowledge, which she or he may not necessarily possess alone, but which is not accessible to anybody in the field of action under study” (Bogner, Littig, & Menz, 2009, p. 18). In the context of this thesis, an expert is someone who has the knowledge about how chemical companies deal with ICS cybersecurity. Two kinds of experts were identified: on the one hand, someone who works at a chemical company and has direct contact with ICS cybersecurity; on the other hand, someone who works at a cybersecurity company and has direct contact with the ICS cybersecurity practices of chemical companies.

Due to confidentiality constraints, the process of identifying and contacting the experts cannot be laid out in detail. This has been considered a limitation of this study, since it does not allow an external person to verify the source of the data. This issue is explained in more detail in the validity and reliability section, further in this chapter. A total of four different companies participated in the interviews: three chemical companies, and one cybersecurity consultancy company. A total of six expert interviewees were chosen for this study: three were chosen directly from three chemical companies, and three from a cybersecurity consultancy that deals with chemical companies daily.

The chemical companies chosen for this study had to meet the following requirements:

• The company deals with hazardous chemical materials, and

• The company’s industrial establishments fall under the definition of “chemical establishment” laid out in the EU Directive 2012/18/EU, Art. 3.

Although Article 3 of the Directive distinguishes between “lower-tier” and “upper-tier” establishments based on the quantity of dangerous material present in the establishment, this differentiation is not taken into consideration in this thesis, as there was a lack of information on this. To verify whether the companies’ establishments fell under the scope of the Directive, the author first checked whether the country in which the companies are established applied the Directive in its national legislation. Since all three companies have at least some establishments in the Netherlands, the Dutch national legislation was consulted. In the Netherlands, the Seveso III Directive was implemented in 2015 as the “Besluit risico’s zware ongevallen”, also known as the BRZO legislation (“Brzo 2015,” n.d.). Thus, the author checked whether the companies that participated in this study complied with this legislation. This was done through online research, which showed that all three companies complied with the BRZO legislation and were therefore eligible for the study.


The table below shows the list of experts that were interviewed. The names of the interviewees were replaced by “Expert” followed by a randomized number from 1 to 6. The organizations’ names were replaced by the nature of the organization: “Chemical company” or “Cybersecurity consultancy”.

Table 4 List of experts

| Name | Professional Role | Organization |
|---|---|---|
| Expert 1 | Process Control Engineer | Chemical company 1 |
| Expert 2 | Senior Manager | Cybersecurity consultancy |
| Expert 3 | Director | Cybersecurity consultancy |
| Expert 4 | Chief Information Security Officer (CISO) | Chemical company 2 |
| Expert 5 | Manager | Cybersecurity consultancy |
| Expert 6 | Interim Managing Director | Chemical company 3 |

4.3 Data Analysis

Data analysis is the process of interpreting the empirical data and its meanings (Carcary, 2011). According to Carcary (2011), interpretation has four dimensions: “Interaction with the empirical material; Interpretation of underlying meanings; Critical interpretation; [and] Reflection on text production and language use” (p. 14). In order to start interacting with the data, all interviews were transcribed and a preliminary categorization was made based on a first scan, by dividing the interviews into paragraphs with similar content. The transcripts were then uploaded to NVivo 12, software used to code and analyse qualitative data. In this way, data that was previously unstructured could be managed in a structured and efficient way (Wickham & Woods, 2005).

The first step was to use the autocoding function of NVivo based on the paragraphs’ divisions. In this way, the author managed to have a general picture of the most recurring themes in the text so that it would facilitate the coding procedure. The second step was to create a mind map in NVivo containing all the concepts and sub-concepts identified in section 4.1.1 of this thesis. The mind map was then translated into nodes. Nodes in NVivo
