Critical Infrastructure (CI) companies are facing more and more cyber and other incidents, caused either by direct attacks or by accident. The results can be unexpected, and incidents can cascade for many reasons. In this paper, we study Finnish CI companies' incident resilience and how they estimate or measure the effect of cyber and other incidents on their operation, by interviewing Finnish water utilities. We propose methods for improving on the problems revealed, focusing especially on factors of impact analysis, cascading effects and dependencies. Our analysis offers significant new information about the state of CI in relation to cyber risks, benefiting not only the water industry but CI systems in general. Our findings are that companies assess industry-specific security impacts, estimate cascading effects and dependencies between impacts, and recognize dependencies on industrial automation providers. However, there is a clear lack of cyber security risk recognition and impact assessment, and of clear interfaces and responsibilities. One development area is to integrate cyber risk management into automation-related risk management and to increase cyber risk education. In addition, there is a need for systematic situation awareness at the national level and locally. Finally, there should be communication enablers between different actors in Finland and between Nordic and European countries.
| Number of pages | 9 |
| Journal | International Journal of Industrial Control Systems Security IJICSS |
| Publication status | Published - 2017 |
| MoE publication type | Not Eligible |