TY - JOUR
T1 - Impact of Cyber and Physical Incidents in Finnish Water Utilities
AU - Karinsalo, Anni
AU - Pentikäinen, Heimo
N1 - Lehdellä ei ole ISSN-numeroa!
PY - 2017
Y1 - 2017
N2 - Critical Infrastructure (CI) companies are facing more and more cyber and other incidents, either by direct attacks or by accident. The result can be unexpected. The cascading of these incidents can also be due to many reasons. In this paper, we study Finnish CI companies’ incident resilience and how they estimate or measure the effect of cyber and other incidents on their operation, by interviewing Finnish water utilities. We propose improving methods for the revealed problems and focus especially on factors of impact analysis, cascading effects and dependencies. Our analysis offers significant new information about CI state with relation to cyber risks, benefiting not only water industry, but CI systems in general. Our findings are that companies assess industry-specific security impacts, estimate cascading effects, dependencies between impacts and recognize dependencies to industrial automation providers. However, there is a clear lack of cyber security risk recognition and impact assessment, clear interfaces and responsibilities. One development area is to integrate cyber risk management into automation related risk management, and increase cyber risk education. In addition, there is a need for systematic situation awareness at national level and locally. Finally, there should be communication-enablers between different actors in Finland and between Nordic and European countries.
AB - Critical Infrastructure (CI) companies are facing more and more cyber and other incidents, either by direct attacks or by accident. The result can be unexpected. The cascading of these incidents can also be due to many reasons. In this paper, we study Finnish CI companies’ incident resilience and how they estimate or measure the effect of cyber and other incidents on their operation, by interviewing Finnish water utilities. We propose improving methods for the revealed problems and focus especially on factors of impact analysis, cascading effects and dependencies. Our analysis offers significant new information about CI state with relation to cyber risks, benefiting not only water industry, but CI systems in general. Our findings are that companies assess industry-specific security impacts, estimate cascading effects, dependencies between impacts and recognize dependencies to industrial automation providers. However, there is a clear lack of cyber security risk recognition and impact assessment, clear interfaces and responsibilities. One development area is to integrate cyber risk management into automation related risk management, and increase cyber risk education. In addition, there is a need for systematic situation awareness at national level and locally. Finally, there should be communication-enablers between different actors in Finland and between Nordic and European countries.
UR - https://infonomics-society.org/wp-content/uploads/Impact-of-Cyber-and-Physical-Incidents-in-Finnish-Water-Utilities.pdf
U2 - 10.20533/ijicss.9781.9083.20346.2017.0008
DO - 10.20533/ijicss.9781.9083.20346.2017.0008
M3 - Article
VL - 2
SP - 73
EP - 82
JO - International Journal of Industrial Control Systems Security IJICSS
JF - International Journal of Industrial Control Systems Security IJICSS
IS - 1
ER -