The Shadow Warriors: In the no man's land between industrial control systems and enterprise IT systems

Modern production processes rely heavily on industrial control systems (ICS) to automate large-scale facilities. The security of these systems is paramount, as evidenced by high-profile attacks such as those against Iran’s nuclear facilities and the Ukrainian power grid. Existing research has largely focused on technical measures against such attacks, and little attention has been given to the security challenges and complexities arising from non-technical factors. For instance, cyber security workers need to maintain security whilst satisfying the demands of varied stakeholders such as managers, control engineers, enterprise IT personnel and field site operators. Existing ICS models, such as the Purdue model, tend to abstract away such complexities. In this paper, we report on initial findings from interviews with 25 industry operatives in the UK and Italy. Our analysis shows that the varying demands of the different stakeholders in an ICS give rise to many complexities, which we term grey areas. Security workers often play the role of shadow warriors, tackling the competing and complex demands in these grey areas while protecting themselves, their integrity and their credibility.
