SINTEF REPORT · 2014. 11. 17. · SINTEF REPORT . TITLE: State of the art report – “SAFETY,...


SINTEF REPORT

TITLE: State of the art report – “SAFETY, SECURITY AND RESILIENCE IN INTEGRATED OPERATIONS”

AUTHOR(S): Stig Ole Johnsen, Bjørn Axel Gran, Martin Gilje Jaatun, Sjur Larsen, Atoosa P-J. Thunem

CLIENT(S): IO Centre (Steering committee, Technical committee)

SINTEF Technology and Society, Safety and Reliability. Address: NO-7465 Trondheim, NORWAY. Location: S P Andersens veg 5, NO-7031 Trondheim. Telephone: +47 73 59 03 00. Fax: +47 73 59 28 96. Enterprise No.: NO 948 007 029 MVA

REPORT NO.: SINTEF A10353. CLASSIFICATION: Unrestricted. CLIENTS REF.: Jon Lippe

ISBN: 978-82-14-04715-8. PROJECT NO.: 504143. NO. OF PAGES/APPENDICES: 30

ELECTRONIC FILE CODE: Document1. PROJECT MANAGER: Stig Ole Johnsen. CHECKED BY: Bjørn Axel Gran

DATE: 2008-02-06. APPROVED BY: Jon Kvalem

ABSTRACT

This is a “state of the art” report, a delivery in the project “Safety and Security Aspects of Integrated Operations in Oil and Gas Industry” within Program 4, at NTNU/IO Centre. The scope of this report is to present the state of the art with respect to collaboration between offshore and onshore facilities, based on integration of technology, man and organisation. During operations and handling of unwanted incidents our focus is to increase the safety, security and resilience of integrated operations between control rooms offshore, the operator’s onshore operation centre, the service company’s onshore operations centre, external experts and remote collaboration rooms. (Security is used in the context of safety.) Further research is suggested related to collaboration between onshore and offshore; key issues to be explored are “how is common situational awareness maintained”, “how is coordination and control performed” and “how could safety, security and resilience be improved by IO”.

KEYWORDS (ENGLISH / NORWEGIAN): GROUP 1, GROUP 2, SELECTED BY AUTHOR


TABLE OF CONTENTS

1 Introduction and Scope ... 3
Definitions ... 4

2 Background and Key Challenges ... 5
2.1 Background ... 5
2.2 Key challenges related to Safety and Security aspects of Integrated Operations ... 6
2.2.1 Technical vulnerabilities related to new technology and integration of systems ... 6
2.2.2 Human Factors - Knowledge and awareness among different professionals ... 7
2.2.3 Organisational challenges - Communication and problem solving between different organisations ... 7
2.3 Common risk perceptions in Integrated Operations ... 7
Different perspectives from the participants in the project ... 7

3 Theoretical basis and current “best practices” in the industry ... 8
3.1 Organisational and Human Factor perspective and theoretical sources ... 8
3.2 Technical perspective and good practice guidelines ... 9
3.3 Major R&D activities to improve the theoretical basis and best practices ... 10
3.4 Other possible Areas of Interest ... 13
3.5 Key references ... 14

4 Conclusion ... 15

Appendix A) State of the art in “Security and Safety in IO” from an Information Security Perspective – written by SINTEF ICT ... 16

Appendix B) State of the art in “Security and Safety in IO” from an Organisational and technical view – written by SINTEF Technology and Society ... 18

Appendix C) State of the art in “Security and Safety in IO” collaboration in virtual teams – written by NTNU/Studio Apertura ... 23

Appendix D) State of the art in “Security and Safety in IO” – R&D activities and Experiences from IFE – written by IFE ... 27


1 Introduction and Scope

This is a “state of the art” report, a delivery of the project “Safety and Security Aspects of Integrated Operations in Oil and Gas Industry” within Program 4. The scope of this report is to present the state of the art with respect to collaboration between offshore and onshore facilities, as displayed in Figure 1, based on integration of technology, man and organisation. During operations and handling of unwanted incidents our focus is to increase the safety, security and resilience of integrated operations between control rooms offshore, the operator’s onshore operation centre, the service company’s onshore operations centre, external experts and remote collaboration rooms. (Security is used in the context of safety.)

Figure 1: Collaboration between onshore and offshore teams (OLF 2004). The scope of this report is displayed by the red box (labelled “Scope of this report” in the figure).

We are focusing on organisational and human issues related to collaboration and coordination between offshore (the central control room), onshore (control rooms or collaboration rooms) and suppliers onshore. Key issues are the coordination and common situational awareness between the involved actors in normal operations, during exception handling and during crises. These issues are supported by the systems used in Integrated Operations, such as Information and Communication Technology systems (ICT) and supervisory control and data acquisition systems (SCADA).


Figure 2: Systems connected and used in IO. (Components shown in the figure: Process Control System (PCS) with Process Shut Down (PSD); Safety Instrumented Systems (SIS) with ESD and F&G; SCADA system (often with common HMI workstations); ICT solutions (Maintenance, SAP, CCTV, Radar, Telephony); data network; power supply.)

The ICT systems include administrative IT systems such as maintenance systems and other support systems. The SCADA system is sometimes called the Safety and Automation System (SAS) and consists of the Process Control System (PCS), Process Shutdown (PSD) and Safety Instrumented Systems (SIS). SIS includes Emergency Shut Down (ESD) systems and Fire and Gas (F&G) solutions. In addition there is communication equipment such as video (CCTV) and telecommunication equipment. The SIS is connected to the PCS systems, and the SCADA systems are connected to the ICT solutions, as illustrated in Figure 2, via a data network, which may be shared. The power supply could be common or separated. In this state of the art report we have tried to document:

Section 2. Background and key challenges. This section is supported by experiences accumulated in the participating organisations, which are presented in the appendixes.

Section 3. Major theoretical basis for our work and current “best practices” used in the industry.

Section 4. Major research and development activities to improve the theoretical basis and best practices.

Definitions

The following definitions are applied:

Remote control: Part of the operation is managed and operated from other places. This can cover a wide spectrum of possibilities, from control of parts of the process in a normal situation to total control of the installation in an emergency situation. Central control room operators are present at the installation.

Remote operations: The entire process is managed and operated from other places.

Virtual organisation: A virtual organisation is a group of people from different organisations located at different geographical locations working together in shared interdependent processes to achieve shared objectives within a defined timeframe. The authority and roles/responsibility of the participants are clearly defined. The collaboration is supported by technology that gives the participants a common understanding of the objectives to be achieved and enables good co-operation among the participants.



2 Background and Key Challenges

2.1 Background

The amount of Integrated Operations (IO) is increasing in the North Sea. The main motivations for IO are the potential for operational cost reduction and increased oil recovery from the fields, together with increased safety. The concept of IO includes several aspects. Two important aspects are the use of remote operations and remote control of offshore oil and gas installations (see definitions). Initial projects that envisioned quick implementations of remote operations and remote support have not been carried through as easily as expected, because the projects have been more complex and difficult than envisioned. One of the complexities and challenges has been related to the effect of IO on HSSE (health, security¹, safety and environment). Another issue has been the challenges of organisational changes and reallocation of responsibilities and work between onshore, offshore and suppliers.

The technological challenges in implementing IO are related to integration between two different technological worlds, the SCADA systems and the ICT systems, in addition to increased real-time data communication via networks or the Internet. The technology used in SCADA systems is changing from proprietary closed systems to standardized IT systems based on Windows, integrated in networks that may be connected to internal networks and to the Internet. The reliance on commercial off-the-shelf (COTS) operating systems such as MS Windows and increased networking between the process control systems and the general ICT infrastructure is increasing the vulnerabilities and the risks. The use of Internet connections also increases the overall vulnerability of the network infrastructure. Such changes must be reviewed quite carefully for their effects. For example, one important safety barrier in the PCS systems is the emergency shutdown system (ESD), ensuring that the operations are closed down in a safe manner. If the connection between the ESD and PCS is not safe and secure, an incident could impact the operation of the ESD system and thus platform safety.

Integrated operations are also dependent on the planned development of a virtual organization of suppliers and service companies, providing flexibility and economy to the industry. Several operations and maintenance tasks are already performed outside of the operator’s organization. Increased use of suppliers and the required interconnectivity leads to a network of actors, which by accident, negligence or purpose can inflict unwanted incidents or accidents on an operator, causing large economic loss. Exploitation of vulnerabilities may lead to a production stop on an oil platform, with a financial loss in the order of 3-5 million USD per day. There has been an increase in incidents related to PCS and SCADA systems that could impact operations, NIST (2007). These types of incidents and attacks are seldom reported and shared systematically. Traditionally, there has been the impression that PCS and SCADA systems were sheltered from the vulnerabilities related to the Internet, and this perception still seems to be widespread within the automation profession. The British Columbia Institute of Technology has established an Industrial Security Incident Database (ISID), documenting an increase in attacks on SCADA systems (Figure 3).

¹ By the term security, we mean information security (IS) in the context of safety.


Figure 3: Incident trends in SCADA systems 1992 – 2005 (NIST 2007)

The personnel involved in integrated operations have a tendency to focus on technology, often at the expense of organisational and cultural issues. The reliance on virtual organisations and the increased number of vulnerabilities create the need for common risk perceptions and a common security and safety culture to reduce the risk associated with remote operations.

2.2 Key challenges related to Safety and Security aspects of Integrated Operations

The studies by the participants in this project, as described in the appendixes, have so far identified several challenges related to integrated operations in the oil and gas industry. The main challenges have been related to the integration of technology, human factors and organisational issues. A key issue related to integrated operations has been to establish improved methodologies to perform risk analyses of Integrated Operations in a network of collaborating actors supported by more tightly coupled technology; see St.meld.nr. 12 (2005-2006). This has been an important contribution to establishing the scope and aim of our project.

2.2.1 Technical vulnerabilities related to new technology and integration of systems

One challenge is that proprietary and closed control systems are replaced by standardized ICT systems based on PCs and COTS such as MS Windows, connected to internal networks and the Internet. The CERT Coordination Center (CERT/CC), a federally funded research and development center at Carnegie Mellon University in Pittsburgh, Pennsylvania, publishes quarterly statistics at http://www.cert.org/stats/, reporting vulnerabilities in IT systems. In the period 1995-2005, 22,716 vulnerabilities were reported, many of them related to MS Windows. The SANS (SysAdmin, Audit, Network, Security) Institute documents an expert consensus in which MS Windows is listed as a key vulnerability to information security², see http://www.sans.org/top20/. Based on the increasing reliance on Windows-based technology for control systems, one can assert that their vulnerabilities have further increased as proprietary operating systems are replaced. In addition, the integration of administrative IT systems with PCS/SCADA and SIS/PSD/ESD to establish integrated operations is exposing different technical systems to a new set of challenges they are not designed to master. During a test at CERN, 30% of PCS/SCADA systems broke down when exposed to high IT traffic load or Denial of Service attacks, see Luders (2006).

² The SANS Institute, “The Top 20 Critical Internet Security Vulnerabilities”, retrieved July 17, 2006


2.2.2 Human Factors - Knowledge and awareness among different professionals

The awareness of these security vulnerabilities has not increased equally among the different professionals involved in the oil and gas industry. There is a gap in experience and knowledge between the control automation profession and the ICT profession related to the new ICT vulnerabilities. The standards used are also different. In automation a key standard is IEC 61508 (1998), while a key ICT standard is ISO/IEC 27002 [prior ISO/IEC 17799] (2005). A combination has been published as OLF Guideline #104.

2.2.3 Organisational challenges - Communication and problem solving between different organisations

Outsourcing and the use of multiple suppliers have also increased. The need for communication, establishment of common situational awareness, problem solving and coordination between different groups in different organisations is increasing. A focus on knowledge and common perceptions among these different groups can ensure that different professions and organisations share a common understanding of the new risks and can cooperate to improve communication, risk mitigation and resolving of incidents.

2.3 Common risk perceptions in Integrated Operations

We have discussed several of the key challenges in IO at several workshops. Three challenges have been identified as important, and are suggested in Figure 4:

o Incorrect situational awareness between actors involved in integrated operations.

o Technical and organisational challenges when ICT and SCADA (SAS) are coupled. The SCADA/SAS system can be halted due to unplanned ICT traffic. Increased coupling could lead to a normal accident scenario.

o Possibilities of stop of systems due to virus or worm attack (see Bodungen 2008).

Figure 4: Risks due to Integrated Operations. (Risk matrix with Frequency (Daily, Month, Year, 10 Year) on one axis and Consequences (10 $-1K$, 1K$-100K$, 100K$-10M$, >10M$) on the other; the three plotted risks are “Incorrect situational awareness”, “ICT vs SAS” and “Virus/Worm”.)

Different perspectives from the participants in the project

The project has been carried out by participants with different perspectives and background. The participants have focused on:

A. The technical view (ICT), by Martin Gilje Jaatun (MGJ) / SINTEF ICT
B. The organisational and technical view, by Stig Ole Johnsen (SOJ) / SINTEF TS
C. Collaboration in virtual teams, by Sjur Larsen (SL) / Studio Apertura NTNU
D. Safety and security research, by Atoosa P-J. Thunem (APJT) / IFE


Each participant has written a part of this “State of the art report” based on experience accumulated in their own organisation. The results are documented in the appendixes of the report in the sequence mentioned above. These parts form the basis for section 3 and the conclusion. In order to also allow the appendixes to be used as “stand-alone” documents, overlapping text between section 3 and the appendixes has not been deleted.

3 Theoretical basis and current “best practices” in the industry

The theoretical basis and best practices in the industry can be described from two perspectives: the organisational and human factor perspective and the technical perspective.

3.1 Organisational and Human Factor perspective and theoretical sources

Integrated operations could be seen as a continuous change process based on introducing new technology in a network of organisations involved in finding and producing oil and gas. Thus the challenges related to integrated operations, seen as a continuous change process, should be explored:

In Kotter (1996) and HSE (2003) there is a description of change processes that ensure that safety and security are taken care of. The focus is on performing major changes involving the key stakeholders, establishing common goals, and performing change and improving operations by motivating and focusing on safety and security based on co-opting processes.

Related to HSE and safety and security, one could choose to focus on what could go wrong, on what could go right (based on resilience and optimism), or use both perspectives. We are suggesting focusing on both perspectives, resilience/optimism and “what can go wrong”: In Perrow (1999) there is a description of a situation where accidents are the normal outcome due to IT systems that are tightly coupled and complex. This could be the description of a possible future scenario of integrated operations. These scenarios must be avoided. Perrow gives an important (negative) point of view related to IO that should be explored. In Snook (2002) an accident is described, due to drift into a normal accident scenario, that should be avoided in IO. [On March 23, 2005, the BP Texas City refinery experienced a catastrophic process accident. It was one of the most serious U.S. workplace disasters of the past two decades, resulting in 15 deaths and more than 170 injuries. See the Baker panel report (2007) for an exploration.]

In LaPorte (1991), Weick and Sutcliffe (2001) and Hollnagel (2006) there is a discussion of how to establish high reliability organisations and design resilient systems to avoid the negative scenarios described by Perrow. This is a point of view to be explored in integrated operations.

In Seligman (1991), there is a discussion of learned optimism and how this can be used to influence safe behaviour. This could be an important point of view to be explored when one is trying to establish resilient organisations and improve the personal conduct of people working with safety critical equipment.

In Johnsen et al. (2004) there is a description of the CRIOP method used to verify and validate the safe operation of control centres used in integrated operations. CRIOP could be used to establish common risk perceptions and to identify key issues to sustain common situational awareness during integrated operations. In Johnsen (2008) a set of MTO tools including CRIOP is suggested.

Virtual teams in IO will become more widespread. There are many factors that will influence how well safety and security are maintained in a virtual team. The dimension of shared understanding is of particular importance. Cohen and Gibson (2003) provide the following definition of shared understanding in a virtual team context: “Degree of cognitive overlap and commonality in beliefs, expectations, and perceptions about goals, processes, tasks, members’ knowledge, skills, and abilities.” Thus, the concept of shared understanding among members of a virtual team refers to several dimensions. Hinds and Weisband (2003) provide the following list of dimensions to which this concept refers: the nature of the team’s goals, their job or task, the processes required to perform the task, the team interactions that support task accomplishment (e.g., roles and responsibilities), and information about the characteristics and activities of team members themselves. To this list of dimensions should be added another dimension that is especially important in the context of safety and security in virtual teams in IO: that of “shared situational awareness”. IO is concerned with optimizing decision-making processes among people from different disciplines, organizations, and across geographical distances. To be able to maintain high levels of safety and security in daily operations, it is of crucial importance that the geographically distributed collaborators are aware of the same aspects that are critical to be able to make good decisions in a particular situation. “Common risk perceptions” should also be added to the above list of aspects of shared understanding. Experiences from Command and Control of geographically dispersed teams from different cultures in the military area are of special interest in Integrated Operations managing crises, and should be explored; see Gonzales, D. et al. (2005).

3.2 Technical perspective and good practice guidelines

Based on our participation in international and national projects and also conferences, we have found that the industry focus has been to:

A. Identify what can go wrong and prioritize actions based on a risk assessment.
B. Establish some sort of an incident-learning loop, to learn across the industry.
C. Establish guidelines and technical solutions to mitigate the risks and implement resilient solutions and resilient/robust organisations.

An up-to-date presentation of key documents and “best practice guidelines” can be found at the web site of US-CERT: Control systems – standards and references, at http://www.us-cert.gov/control_systems/csstandards.html (retrieved 1/1-2008). In addition, we recommend the SCADA blog at http://www.digitalbond.com/index.php, informing and presenting news within the SCADA area, and www.checkit.sintef.no.

A) Description of what can go wrong and suggested risk analysis is given in:

Strategies – “Roadmap to Secure Control Systems in the Energy Sector”, see: http://www.controlsystemsroadmap.net

I3P Research Report no. 6, “Practical risk analysis of oil and gas installations”: http://www.thei3p.org/about/researchreport6.pdf (May 2006)

White paper from Stortinget in Norway, St.meld nr 12 (2005-2006) “HMS petroleum”.

B) Description of incident reporting and learning is given in:

Tim Grance, Karen Kent, Brian Kim, "Computer Security Incident Handling Guide", Recommendations of the National Institute of Standards and Technology, NIST Special Publication 800-61, see http://csrc.nist.gov/publications/nistpubs/800-61/sp800-61.pdf

Martin Gilje Jaatun, Stig Ole Johnsen, Maria B. Line, Odd Helge Longva, Inger Anne Tøndel, Eirik Albrechtsen, Irene Wærø, "Incident Response Management in the oil and gas industry", 2007-12-17, ISBN 9788214040746, REPORT NO. SINTEF A4086, retrieved at www.checkit.sintef.no


C) Standards, guidelines and technical solutions:

IEC 61508 "Functional safety of electrical/electronic/programmable electronic safety-related systems", IEC 1998.

ISO/IEC 27002 (ISO/IEC 17799) – "Information Technology - Code of practice for information security management.", ISO 2005.

OLF Guideline #104, R. Ask et al “Information Security Baseline Requirements for Process Control, Safety and Support ICT Systems. ISBR” 09.06.2006, retrieved from http://www.olf.no/?32544.pdf at 5/12-2006.

Good Practice Guide on Firewall Deployment for SCADA and Process Control Networks, Centre for the Protection of National Infrastructure (CPNI), London, 2005, http://www.cpni.gov.uk/docs/re-20050223-00157.pdf.

A description of “21 steps to improve Cyber Security of SCADA Networks”, see http://www.ea.doe.gov/pdfs/21stepsbooklet.pdf

Testing and certification of SCADA systems see ISA Security Compliance - http://www.isa.org/Content/NavigationMenu/Technical_Information/ASCI/ISCI/ISCI.htm; Industry leaders from a number of major control system users and manufacturers have investigated the feasibility of creating an organization to establish a set of well-engineered specifications and processes for the testing and certification of critical control systems products.

At Forum for Human Factors in Control Systems (HFC-forum) links to documents and guidelines relevant for improvement of safety and security culture related to Information Technology can be found under “CheckIT”, see: http://www.checkIT.sintef.no

ISA-SP99 Technical Reports - The ISA-SP99 committee has produced two technical reports on control system security. One report focuses on security technologies for manufacturing and control systems [TR99-01], and the other addresses the integration of security components in manufacturing and control system environments [TR99-02].

NIST SP 800-82, Guide to Industrial Control Systems (ICS) Security, Second Public Draft September 28, 2007, http://csrc.nist.gov/publications/drafts/800-82/2nd-Draft-SP800-82-clean.pdf (retrieved at 1/1-2008). The document presents a comprehensive treatment of security aspects, threats and vulnerabilities.

At the 10th IEEE Conference on Emerging Technologies and Factory Automation Naedele (2005) presented “Standardizing Industrial IT Security - A First Look at the IEC approach”.

3.3 Major R&D activities to improve the theoretical basis and best practices

The industry seems to have gone about the implementation of virtual teams in a trial and error way, with no training provided to team members concerning the particular challenges with working in virtual teams. However, some companies are now in the process of designing training programs. More research is needed into how such training programs should be designed and delivered to ensure that team members are able to handle the safety and security challenges associated with virtual collaboration. The following areas should be prioritized areas of research:

- What risk factors exist in virtual teams regarding shared situational awareness and common risk perceptions? How can these risks be effectively managed?

- How should roles and responsibilities be designed in virtual teams to maintain safety and security?

- How should training programs be designed and delivered to provide team members with the skills needed for maintaining safety and security in virtual teams?

- How are safety and security aspects in virtual teams in IO affected by the tendency of participants to cooperate less with those at other “nodes” and more often shift their opinions toward extreme or risky options than they do in face-to-face collaboration? How can these tendencies be mitigated?

The European Commission’s movements and actions in progress indicate a clearly increasing focus on the topic of security. In that respect, a dedicated programme for security research has been established as a part of the 7th Framework Programme, see http://cordis.europa.eu. The prime rationale behind the programme is to conform better and more efficiently to the multi-disciplinary and multi-sectoral requirements for giving a boost to Europe’s security research. The aim is to establish an environment for more coherent research on security for society and infrastructure, so that the risk of terrorism, organised crime, large-scale accidents and natural disasters can be reduced more effectively. The research programme will therefore be multidisciplinary and multi-industrial in nature. The dominant items of the programme are:

- Optimising security and protection of networked systems.

- Protecting against terrorism.

- Enhancing crisis management (including evacuation, search and rescue operations, control and remediation).

- Achieving interoperability and integration of systems for information and communication.

- Improving situation awareness (e.g. in crisis management, anti-terrorism activities, or border control).

Within the Oil and Gas sector the major research and development activities have been carried out by the Institute for Information Infrastructure Protection (I3P) - Securing Control Systems in the Oil and Gas Infrastructure, see http://www.thei3p.org. Some key activities from USA in 2005 are described in the following table.


Table 1: Research activities in USA

Activity: Process Control Systems Forum (PCSF)
Lead Organization: DHS Science & Technology Directorate, Homeland Security Advanced Research Projects Agency (HSARPA) and National Cyber Security Division (NCSD)
Scope: International design, development and deployment of secure control systems
Major Events and Actions:
- PCSF Formational Meeting (2005)
- First International Standards Coordination Meeting (2005)
- PCSF Fall Meeting (2005)
- PCSF Spring Meeting (2005)
- First Working Group – Congress of Chairs formed (2005)

Activity: Institute for Information Infrastructure Protection (I3P)
Lead Organization: Dartmouth College, DHS Science & Technology Directorate, and NIST
Scope: National cybersecurity R&D coordination program
Major Events and Actions:
- I3P SCADA Security Research Project launched (2005)
- I3P Research Report No. 1: Process Control System Security Metrics (2005)
- Securing Control Systems in the Oil and Gas Infrastructure. The I3P SCADA Security Research Project (2005)

Activity: American Petroleum Institute (API)
Lead Organization: Trade association for the oil and natural gas industry
Scope: Industry forum, research center, and policy input
Major Events and Actions:
- API standard 1164, Pipeline SCADA Security (2004)
- Other security guidelines under development.

In Norway OLF, the Norwegian Oil Industry Association (see http://www.olf.no) has initiated a major development program related to Integrated Operations. A quick survey of the activities funded by NFR related to Health, Safety, Security and Environment gives the following research areas:

Petromaks (includes the Oil and Gas programme, a part of Petromaks), DEMO 2000, PETROPOL, RISIT, MAROFF, Renenergi

o ICT security and vulnerability (IKT Sikkerhet og sårbarhet) funded projects:
  o SWAP – Secure Wireless Application Programming
  o BAS5 – Critical Information Infrastructure Protection
  o iAccess – Integrated Access Control for Health Care Information Systems
  o Security Reporting
  o IRMA – From Incident Response to Incident Response Management (see App. A)
  o TID – Time Stamps, Digital Traces and Forensic Evidence
  o Enforce – analysis and enforcement of policies within trust management
  o Ambasec – A Model-Based Approach to Security Culture
  o Legal Inf. Security Regulations
  o Safecomp 2005 hosted by IFE


An EU-funded FP5 project within security, with several Norwegian partners, was the CORAS project (see: http://coras.sourceforge.net/). The CORAS project developed a tool-supported methodology for model-based risk analysis of security-critical systems. The project was initiated in January 2001 and successfully completed in September 2003. SINTEF was responsible for the technical coordination, while Telenor AS R&D was the administrative coordinator and responsible partner towards the European Commission. IFE was responsible for the work package on risk assessment. The CORAS tool and language have been further developed and employed in other research projects led by SINTEF, such as the SECURIS project “Model-driven Development and Analysis of Secure Information Systems”, which was funded by NFR 2003-2006. In response to the EC’s plans for a security research programme, NFR established the programme VERDIKT (Core Competence and Added Value within ICT) in 2005. A significant difference between VERDIKT and previous NFR initiatives and efforts within the ICT domain is the considerably enhanced focus on multi-disciplinary and multi-sectoral aspects of ICT research. At the same time, an increased focus on security in the context of safety and the related risks is observed within current sector-oriented research programmes, especially towards the transport and petroleum/energy sectors. The following gathers important conclusions drawn from the strategy and the topics of the funded projects so far:

1. There is a shift from the traditional deductive manner of research to a more holistic form, demonstrating more awareness of the potential of multidisciplinary research, particularly on safety and security and related risk analysis.

2. The focus on experienced risk, as opposed to calculated (or “objective”) risk is growing, among others, as a result of the shift explained above.

3. There is a new view on risk analysis; no longer as a single activity, but as a dynamic process that includes defining risk indicators as a function of both scenario-based data (involving analysis of future tendencies) and historical data, providing better models for risk communications, and more clarified representations of risk acceptance or rejection criteria. Additionally, this risk analysis process is now advocated for becoming an integrated part of the entire development process, including planning, construction and deployment of the systems/infrastructures subject to risk.

4. There is an increasing focus on decision analysis, which includes analysis and assessment of other alternative solutions for handling risks, as a decision’s elements are usually based on the underlying risk analysis process, its resulting risk indicators and the suggested risk elimination, mitigation and containment/control mechanisms.

5. There is a growing concern about the risk compensation mechanisms and their consequences. These are basically caused by the unintended result from the implementation of safety countermeasures, namely the increased conviction and feeling of being safe, leading many to take risks that are evaluated to be unacceptable by the same safety countermeasures.

3.4 Other possible Areas of Interest

From an information security perspective the following areas may be of interest for further research in the “IO Safe” project:

- Testing and certification of SCADA systems used in IO, to test the ability to be resilient when the SCADA systems and ICT systems are interconnected.

- Security Aspects of Semantic Web: we see the need for a survey of security mechanisms and impacts of using Semantic Web technology.

- Security Assessment of Terminal Server solutions: The availability of Common Criteria evaluation reports may render this an area of little research interest, although examination of specific cases may still have merit.

- Security in wireless sensor networks: This is an area that should be of interest to the industry, but is likely to fall outside the scope of our current projects.

- Secure event reporting, storage and treatment: This concern has grown considerably, in accordance with introducing more complexity, flexibility, user-friendliness, etc. into the operation and maintenance of the computerised and ICT-driven systems involved.

3.5 Key references

Baker, James A., III, Frank L. “Skip” Bowman, Glenn Erwin, Slade Gorton, Dennis Hendershot, Nancy Leveson, Sharon Priest, Isadore “Irv” Rosenthal, Paul V. Tebo, Douglas A. Wiegmann, L. Duane Wilson (2007): “The Report of the BP U.S. Refineries Independent Safety Review Panel”, January 2007, from the BP Texas accident. Retrieved 6/2-2008 from http://www.csb.gov/completed_investigations/docs/Baker_panel_report.pdf

Bodungen, C. (2008): “Hacking Scada”, USA 2008, see http://www.hackingscada.com/

Cohen and Gibson (2003): Introduction. In G. Cohen and C. B. Gibson (eds.), Virtual Teams that Work. San Francisco: Jossey-Bass.

CORAS (2000): A Platform for Risk Analysis of Security Critical Systems, IST-2000-25031. http://coras.sourceforge.net/

Gonzales, D. et al. (2005): “Network-centric operations case study: the Stryker Brigade Combat Team”. RAND Corporation, Santa Monica, USA. Retrieved 6/12-2007 from http://www.rand.org/

Hinds, P. and S. Weisband (2003): “Knowledge Sharing and Shared Understanding in Virtual Teams”. In S. G. Cohen and C. B. Gibson (eds.), Virtual Teams that Work. San Francisco: Jossey-Bass.

Hollnagel (2006): Resilience Engineering. Ashgate.

HSE (2003): Organisational change and major accident hazards. Chemical Information Sheet No. CHIS7. Retrieved from http://www.hse.gov.uk/pubns/chis7.pdf

Johnsen et al. (2004): Johnsen, S.O., Bjørkli, C., Steiro, T., Fartum, H., Hauknes, H., Ramberg, J., Skriver, J.: CRIOP: A scenario method for Crisis Intervention and Operability analysis. SINTEF report STF38 A03424.

Johnsen, S.O., Ask, R., Røisli, R. (2008): “Reducing Risks in Oil and Gas Production Operations”. In Goetz, E. and Shenoi, S. (eds.), Critical Infrastructure Protection, IFIP 2008, Springer, New York, pp. 83-95. ISBN 978-0-387-75461-1.

Kotter (1996): Leading Change. Harvard Business School Press.

Lüders (2006): “CERN tests reveal security flaws with industrial network devices”. http://ethernet.industrial-networking.com/articles/articledisplay.asp?id=1490

LaPorte (1991): LaPorte, T. R., Consolini, P. M.: “Working in practice but not in theory: Theoretical challenges of High-Reliability Organisations”. Journal of Public Administration Research and Theory, 1.

Naedele, M. (2005): “Standardizing Industrial IT Security - A First Look at the IEC approach”. 10th IEEE Conference on Emerging Technologies and Factory Automation, 19-22 Sept. 2005, Vol. 2, pp. 857-863.

NIST (2007): NIST SP 800-82, Guide to Industrial Control Systems (ICS) Security, Second Public Draft, September 28, 2007. Retrieved 1/1-2008 from http://csrc.nist.gov/publications/drafts/800-82/2nd-Draft-SP800-82-clean.pdf

Oljeindustriens Landsforening (OLF - Norwegian Oil Industry Association) (2004): “Integrated Operations on the Norwegian Continental Shelf.” Available at http://www.olf.no/?22894.pdf, retrieved 1/12-2006.

Perrow (1999): Normal Accidents: Living with High-Risk Technologies. Princeton University Press, Princeton, N.J.

Snook, Scott A. (2002): Friendly Fire: The Accidental Shootdown of U.S. Black Hawks over Northern Iraq.

Seligman, M. E. (1991): Learned Optimism. Knopf (January 9, 1991).

TR99-01 (2004): Instrumentation Systems and Automation Society, Security Technologies for Manufacturing and Control Systems (ANSI/ISA-TR99.00.01-2004).

TR99-02 (2004): Instrumentation Systems and Automation Society, Integrating Electronic Security into the Manufacturing and Control Systems Environment (ANSI/ISA-TR99.00.02-2004).

US-CERT: Control systems – standards and references. http://www.us-cert.gov/control_systems/csstandards.html (retrieved 1/1-2008).

Weick, K.E. and Sutcliffe, K.M. (2001): Managing the Unexpected: Assuring High Performance in an Age of Complexity. San Francisco: Jossey-Bass.

4 Conclusion

Based on the key challenges described, we conclude that there is a need to explore and increase the safety, security and resilience of integrated operations between control rooms offshore, the operator's onshore operation centre, the service company’s onshore operations centre, external experts and remote collaboration rooms. This should be explored both during normal operations, during an unwanted incident and during an emergency or major accident involving actors onshore and offshore. We would like to explore the handling of unwanted incidents, including incidents based on utilization of new ICT and the vulnerabilities introduced by integrated operations as mentioned. Key issues to be explored are:

o How is common situational awareness maintained?
o How is coordination and control performed?
o How could safety, security and resilience be improved by IO?


Appendix A) State of the art in “Security and Safety in IO” from an Information Security Perspective – written by SINTEF ICT

Traditionally there has been a rigid division between PCS/SCADA systems and administrative ICT systems in offshore installations – in addition to physical separation, the two types of systems have been managed and operated by very different classes of personnel. With the advent of Integrated Operations, security measures have to a large extent been concentrated on maintaining a logical separation, even when physical interconnection is in place. This approach can be seen both in a “good practice” guide from the UK’s NISCC [1] and in reports on IEC’s take on industrial IT security [2]. Network separation using firewalls and similar components is central, and the main focus appears to be on separating legitimate users (who are granted access to the process control systems) from outsiders. Thus, this approach mimics the behaviour of the first firewall systems, where little is done to improve the security of the components behind the protective perimeter. Network boundaries (from “outside” to “inside”) are typically traversed using terminal server technologies. Thus, the majority of efforts are directed toward workarounds and makeshift procedures for securing legacy systems; fewer efforts aim at creating e.g. intrinsically more secure SCADA systems. The fact that products such as the Citrix MetaFrame terminal server have been subjected to a Common Criteria evaluation [3] is encouraging, but it is at the same time disappointing that the evaluation has been performed at the trivial Evaluation Assurance Level 2 (contrast this with the Microsoft Windows XP EAL4 certification [4]). Offshore installations currently communicate extensively using OPC (OLE for Process Control), either directly from unit to unit or via OPC servers using OPC tunnelling. In effect, this means that firewall solutions in use today are full of “holes”, limiting which restrictions it is possible to impose on inter-installation communication. Recent developments indicate that the industry is keen to move from legacy systems to a Service Oriented Architecture (SOA), in time transforming their networks into a “semantic web”. While much work has been carried out on e.g. Web Services Security (see [5]), security in SOA remains little understood by most practitioners.

Current Projects

SeSa – Secure Safety [6]

Integrated operations in offshore installations lead to increased interconnection between office systems and process control systems. The SeSa project is concerned with establishing guidelines for how such interconnection can be performed without adversely affecting the offshore Safety Instrumented Systems.

IRMA – Incident Response MAnagement [7]

The main goal of the IRMA project is to strengthen information security in relation to integrated operations in the oil & gas industry, through the development of a method for improved handling of information security incidents. IRMA aims at transitioning from incident handling to incident management, by emphasising opportunities for organizational learning.


Possible Areas of Interest

From an information security perspective the following areas may be of interest for further research in the “IO Safe” project:

Security Aspects of Semantic Web

SINTEF has no recent experience in the area of semantic web, but we see the need for a survey of security mechanisms and impacts of using Semantic Web technology.

Security Assessment of Terminal Server solutions

The availability of CC evaluation reports may render this an area of little research interest, although examination of specific cases may still have merit.

Security in wireless sensor networks?

This is an area that should be of interest to the industry, but is likely to fall outside the scope of our current projects.

References

[1] NISCC Good Practice Guide – Process Control and SCADA Security, PA Consulting Group, October 2005

[2] Martin Naedele: “Standardizing Industrial IT Security - A First Look at the IEC approach”, 10th IEEE Conference on Emerging Technologies and Factory Automation, 19-22 Sept. 2005, Vol. 2, pp. 857-863

[3] UK IT SECURITY EVALUATION AND CERTIFICATION SCHEME: COMMON CRITERIA CERTIFICATION REPORT No. P201 “Citrix MetaFrame XP Presentation Server for Windows”, April 2004 (http://www.cesg.gov.uk/site/iacs/itsec/media/certreps/CRP201.pdf)

[4] Common Criteria Evaluation Scheme: Microsoft Windows Server 2003 and Microsoft Windows XP (http://niap.bahialab.com/cc-scheme/st/ST_VID4025.cfm)

[5] Martin Naedele: “Standards for XML and Web Services Security”, IEEE Computer Magazine April 2003, pp. 96-98.

[6] Tor Olav Grøtan et al.: “The SeSa Method for Assessing Secure Remote Access to Safety Instrumented Systems”, SINTEF Report A1626, 26. June 2007, Available: http://skala.sintef.no/upload/43002/SINTEF%20A1626%20-%20SeSa%20report-final.pdf

[7] Martin Gilje Jaatun et al.: “Incident Response Management in the oil and gas industry”, SINTEF Report A4086, 17. December 2007


Appendix B) State of the art in “Security and Safety in IO” from an Organisational and technical view – written by SINTEF Technology and Society

Theoretical basis

Our focus is safety and security when collaborating between organisations to do integrated operations (IO). A key issue in cooperation is Human Factors (HF). In Henderson (2002) there is a discussion of HF related to remote operation of process plants. The framework used to discuss common situational awareness among the participants has been of special interest related to IO, and has been explored in Johnsen, Askildsen (2005). In Grabowski (2006), a description of leading indicators related to virtual organisations is given. These indicators can be used to discuss the safety and security issues related to IO. Based on the discussion in Henderson (2002) and Johnsen/Askildsen (2005), the key issues to be explored in IO seem to be:

1. The need for some sort of common communication language and structure or templates to simplify communication especially during emergencies.

2. Knowledge and assumptions about the current situation, termed situational knowledge - indicating the need to establish common situational awareness based on common information systems

3. Professional knowledge about standard operating procedures, termed procedural knowledge and basic understanding of the task – indicating the need for common standard procedures

4. Professional knowledge about each participant's roles and responsibilities – indicating the need for clearly defined responsibilities and roles and common training

5. Cultural knowledge (common goals, beliefs, norms) – indicating the need to focus on culture and processes to explore and understand culture across organisations

From a security and safety aspect, it is important to discuss the theoretical background of accidents involving IT systems. In Perrow (1999) there is a description of a normal accident scenario when the IT systems are tightly coupled and managed centrally. This could be the description of a possible future scenario of Integrated Operations. These scenarios must be avoided. In LaPorte (1991), Weick (2001) and Hollnagel (2006) there is a discussion of how to establish high reliability organisations and design resilient systems to avoid the negative scenarios described by Perrow. The implementation of Integrated Operations is a complex process involving several key stakeholders having to learn new work processes. The change process in itself could influence the safety and security of the end result. In Kotter (1996) and HSE (2003) there are descriptions of change processes that ensure that safety and security are taken care of. In Johnsen et al. (2004) a description is given of models to be used to verify and validate the safe operation of a control centre used in operation and exception handling of oil and gas process plants. CRIOP could be used to establish common risk perceptions and to identify key issues to sustain common situational awareness.


The key theoretical works of interest to the project are:

Grabowski, M., (2006). Leading Indicators of Safety in Virtual Organisations. Published at Human Factors in Control Conference, April 2006, ref www.criop.sintef.no. Documents key safety issues related to virtual organisations.

Hollnagel (2006): "Resilience Engineering", Ashgate 2006. Discusses key issues in resilient organisations, and principles to be used to reduce the risks of remote operations and integrated operations.

Henderson (2002) - Henderson J., Wright K., Brazier A.: “Human factors aspects of remote operations in process plants”. Prepared by Human Reliability Associates for the Health and Safety Executive, Contract Research Report 432/2002, HSE (2002), ISBN 0-7176-2355-6. Documents key issues related to Integrated Operations and Remote Operations of oil and gas installations in the North Sea.

HSE (2003): Organisational change and major accident hazards. Chemical Information Sheet No. CHIS7. Retrieved from: http://www.hse.gov.uk/pubns/chis7.pdf. Documents important issues related to safe changes.

Johnsen, S.O., Bjørkli, C., Steiro, T., Fartum, H., Hauknes, H., Ramberg, J., Skriver, J. (2004): CRIOP: A scenario method for Crisis Intervention and Operability analysis. SINTEF report STF38 A03424. Documents how to validate and verify operation and exception handling in a central control centre related to Integrated Operations.

Johnsen Stig Ole, Mary Ann Lundteigen, Eirik Albrechtsen, Tor Olav Grøtan "Trusler og muligheter knyttet til eDrift" SINTEF Report STF38 A04433 of 10.01.2005

Johnsen S.O., A. Askildsen and K. Hunnes: “Challenges in remote control and remote co-operation of offshore oil and gas installations in the North Sea”. Published at ESREL 2005, ISBN 0-415-38340-4.

Kotter (1996) - "Leading Change" Harvard Business School Press. Documents key issues in helping prioritising safety, security and change in a difficult political climate.

LaPorte, T. R., Consolini, P. M., (1991). Working in practice but not in theory: Theoretical challenges of "High-Reliability Organisations". Journal of Public Administration Research and Theory, 1.

Seligman, Martin E. (1991): "Learned Optimism", Knopf (January 9, 1991), ISBN 0394579151.

Perrow (1999): Normal Accidents: Living with High-Risk Technologies. Princeton University Press, Princeton, N.J.

Weick, Karl E., Sutcliffe, Kathleen M. (2001): "Managing the Unexpected: Assuring High Performance in an Age of Complexity", Jossey-Bass (July 3, 2001).

Current best practices

Current best practices related to integrated operations are in their initial state, because remote operations and integrated operations are a fairly new area going through rapid development. However, in the international arena some major initiatives and meeting arenas have been established:

- Private sector, IT safety and security: http://www.sans.org

- Process Control Systems Forum (PCSF): http://www.pcsforum.org/

- Research within the oil and gas industry, Institute for Information Infrastructure Protection (I3P) - Securing Control Systems in the Oil and Gas Infrastructure, see http://www.thei3p.org

Based on our participation in several conferences, we have found that the focus of the industry has been to:

A. Identify what can go wrong and prioritize actions based on a risk assessment

B. Establish some sort of an incident-learning loop, to learn across the industry from unwanted incidents

C. Establish guidelines and technical solutions to mitigate the risks and implement resilient solutions and resilient/robust organisations.

The focus has been on technical solutions to establish defence in depth (i.e. robust design – eliminating overflow problems, good testing of SCADA systems, segregation of networks, firewall deployment, monitoring of traffic and unwanted incidents).

There has not been a great deal of focus on the Human Factors issues, but in Johnsen (2005) these issues are explored.

A) Description of what can go wrong is given in:

Strategies - Roadmap to Secure Control Systems in the Energy Sector, see: http://www.controlsystemsroadmap.net

Practical risk analysis of oil and gas installations: I3P Research Report; no. 6 (May 2006) http://www.thei3p.org/about/researchreport6.pdf

Methodology to describe the risks is given in Risk MAP methodology http://www.thei3p.org/about/researchrep7.pdf

B) Description of incident reporting and learning is given in:

"Computer Security Incident Handling Guide" -Recommendations of the National Institute of Standards and Technology - NIST Special Publication 800-61. Tim Grance, Karen Kent, Brian Kim. http://csrc.nist.gov/publications/nistpubs/800-61/sp800-61.pdf

Incident documentation and suggestions, ref: http://www.bcit.ca/appliedresearch/security/services.shtml

Training - look to http://www.sans.org/scadasummit06/

C) Guidelines and technical solutions:

At http://www.niscc.gov.uk/niscc/scada-en.html: NISCC "Good Practice Guide on Firewall Deployment for SCADA and Process Control Networks" and NISCC "Process Control and SCADA Security". The NISCC Firewall Deployment Guide was developed by the British Columbia Institute of Technology (BCIT) for the U.K.'s National Infrastructure Security Co-ordination Centre (NISCC) in February 2005. It provides guidelines for firewall configuration and deployment in industrial environments.

21 steps to improve Cyber Security of SCADA Networks: http://www.ea.doe.gov/pdfs/21stepsbooklet.pdf

Improvement of safety and security culture related to Information Technology, use CheckIT - see http://www.checkIT.sintef.no

The standard of good practice for Information Security from ISF: http://www.isfsecuritystandard.com/pdf/standard.pdf

ISA-SP99 Technical Reports -The ISA-SP99 committee has produced two technical reports on control system security. [TR99-01] focuses on security technologies for manufacturing and control systems. [TR99-02] addresses the integration of security components in manufacturing and control system environments.

NIST System Protection Profile for Industrial Control Systems-In October 2004, NIST released the System Protection Profile (SPP) [NIST SPP 2004], which provides guidance for developing formal statements of functional and security assurance requirements for industrial systems based on the Common Criteria.

API-1164 Pipeline SCADA Security Standard - The API-1164 Pipeline SCADA Security Standard [API 2004] was released in September 2004. This standard provides guidelines, operator checklists and a security plan template for system integrity and security.

NIST SP 800-82 Document- In September 2006, NIST released the first public draft of a guide for SCADA and industrial control systems security (NIST SP 800-82 Document [NIST 2006]). The NIST document presents a comprehensive treatment of security aspects. In particular, it discusses common system topologies, threats and vulnerabilities, and suggests security countermeasures to be used in mitigating risk.

[TR99-01] Instrumentation Systems and Automation Society, Security Technologies for Manufacturing and Control Systems (ANSI/ISA-TR99.00.01-2004), October 2004.

[TR99-02] Instrumentation Systems and Automation Society, Integrating Electronic Security into the Manufacturing and Control Systems Environment (ANSI/ISA-TR99.00.02-2004), October 2004.

[NIST SPP 2004] National Institute of Standards and Technology, System Protection Profile, Gaithersburg, Maryland, 2004.

[NIST 2006] National Institute of Standards and Technology, Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems Security – Initial Public Draft, Gaithersburg, Maryland, 2006.

[API 2004] American Petroleum Institute, API 1164, SCADA Security, American Petroleum Institute, September 1, 2004.

Major research and development activities

Within the Oil and Gas sector the major research and development activities have been carried out by the Institute for Information Infrastructure Protection (I3P) - Securing Control Systems in the Oil and Gas Infrastructure, see www.thei3p.org. Key activities from USA are described in the attached Table 2-1:


Table 2-1: Research activities in USA

In Norway OLF (see www.olf.no) has initiated a major development program related to Integrated Operations.

Research and development funded by the Research Council of Norway (NFR)

A quick survey of the activities funded by NFR related to Health, Safety, Security and Environment gives the following research areas:

Petromaks (includes the Oil and Gas program as a part of Petromaks), DEMO 2000, PETROPOL, RISIT, MAROFF, Renenergi, CORD and CRIOP related to ISO 11064

o ICT security and vulnerability (IKT Sikkerhet og sårbarhet)

o SWAP – Secure Wireless Application Programming

o BAS5 – Critical Information Infrastructure Protection

o iAccess – Integrated Access Control for Health Care Information Systems

o IRMA – From Incident Response to Incident Response Management

o TID – Time Stamps, Digital Traces and Forensic Evidence

o Enforce – analysis and enforcement of policies within trust management

o Ambasec – A Model-Based Approach to Security Culture

o Legal Inf. Security Regulations – Security Reporting

o Safecomp 2005, CORAS related to security

This list is not complete.


Appendix C) State of the art in “Security and Safety in IO” – collaboration in virtual teams – written by NTNU/Studio Apertura

Virtual teams are becoming an increasingly widespread organizational form within integrated operations. Virtual teams are teams where the members are dispersed and do not conduct much work face-to-face, and where ICT mediates most interaction between members. The virtual teams that have been implemented or are being implemented on the Norwegian continental shelf are of the 1st generation type (Figure 5), where integration is focused on making offshore and onshore collaborate more closely.

Figure 5: Generation 1 integrated work processes: “hybrid” (partly collocated) virtual teams (source: OLF 2005, p. 13)

The 2nd generation of integrated work processes implies the use of virtual teams with more extensive geographical dispersion than in G1 integrated work processes (see Figure 6), and the integration here will focus more on integration between different actors, i.e. between operator companies, service companies, and R&D institutions. Implementation of these processes is assumed to lead to a closer integration of the work processes of operators and vendors and to the development of “digital services”, i.e., operational concepts that are based on delivery of a large portion of the services required to operate a field “over the net”. A typical oil and gas field will then, it is assumed in OLF (2005), be operated by personnel located in operation centres belonging to both operators and vendors.


Figure 6: Generation 2 integrated work processes: virtual teams with increased geographical dispersion (source: OLF 2005, p. 18).

Virtual teams in IO will also become more widespread as a result of Norwegian oil companies increasing their global reach with operations in other countries. There are many factors that will influence how well safety and security are maintained in a virtual team. The dimension of “shared understanding” is of particular importance. Cohen and Gibson (2003, p. 12) provide the following definition of shared understanding in a virtual team context:

“Degree of cognitive overlap and commonality in beliefs, expectations, and perceptions about goals, processes, tasks, members’ knowledge, skills, and abilities.”

Thus, the concept of shared understanding among members of a virtual team refers to several dimensions. Hinds and Weisband (2003) provide the following list of dimensions to which this concept refers: the nature of the team’s goals, their job or task, the processes required to perform the task, the team interactions that support task accomplishment (e.g., roles and responsibilities), and information about the characteristics and activities of team members themselves. To this list of dimensions should be added another dimension that is especially important in the context of safety and security in virtual teams in IO: that of “shared situational awareness”. IO is concerned with optimising decision-making processes among people from different disciplines, organizations, and across geographical distances. To be able to maintain high levels of safety and security in daily operations, it is of crucial importance that the geographically distributed collaborators are aware of the same aspects that are critical to making good decisions in a particular situation. “Common risk perceptions” should also be added to the above list of aspects of shared understanding. In virtual teams, shared understanding is more difficult to generate. Members of virtual teams rely heavily on technology to mediate their interactions, often have different environments in which they are working and technologies supporting their work, and are geographically distant from one another. Each of these factors affects shared understanding. There exists no literature on how group processes in virtual teams in IO can affect safety and security aspects of such teamwork within the upstream petroleum industry. However, there are plenty of examples in the literature on virtual teams from other businesses about what can go wrong in virtual teams due to the complicating aspects of virtual teamwork. One example of a team that failed to establish shared understanding in their work processes concerned the team responsible for the development of the Mars Climate Orbiter. Team members in different locations (Denver, Colorado and Pasadena, California) thought that they were all using the same unit of measurement but found out after the spacecraft failed to push itself into orbit that some team members were using English while others were using metric units. Had the Mars Orbiter team members had a common understanding of their work processes, this multimillion-dollar disaster could have been averted (Hinds & Weisband 2003). Roles and responsibilities are another aspect of shared understanding that will need research focus, especially in relation to G2 virtual teams, as the geographical distribution will then also extend to vendor companies to a larger extent than today. If roles and responsibilities are unclear in such teams, this can prove harmful to safety and security. Research has shown that in virtual collaboration, participants tend to cooperate less with those at other “nodes” and more often shift their opinions toward extreme or risky options than they do in face-to-face collaboration:

In collaboration supported by videoconferencing and audio conferencing (telephone), local coalitions can form in which participants tend to agree more with those in the same room than with those on the other end of the line. There is also a tendency in audio conferencing to disagree with those on the other end of the communication link.

Computer-mediated communication (CMC) can reduce efficiency (as measured in time to solution), status effects, domination, participation, and consensus. It has been shown useful in broadening the range of inputs and ideas. However, CMC has also been shown to increase polarization, deindividuation, and disinhibition. That is, individuals may become more extreme in their thinking, less sensitive to interpersonal aspects of their messages, and more honest and candid (Wainfan and Davis 2003).

The industry seems to have gone about the implementation of virtual teams in a trial and error way, with no training provided to team members concerning the particular challenges with working in virtual teams. However, some companies are now in the process of designing training programs for work in G1 virtual teams. More research is needed into how such training programs should be designed and delivered to ensure that team members are able to handle the safety and security challenges associated with virtual collaboration.

The following areas should be prioritised areas of research:

What risk factors exist in virtual teams regarding shared situational awareness and common risk perceptions? How can these risks be effectively managed?

How should roles and responsibilities be designed in virtual teams to maintain safety and security?

How should training programs be designed and delivered to provide team members with the skills needed for maintaining safety and security in virtual teams?

How are safety and security aspects in virtual teams in IO affected by the tendency of participants to cooperate less with those at other “nodes” and more often shift their opinions toward extreme or risky options than they do in face-to-face collaboration? How can these tendencies be mitigated?

References:

Cohen, S. G. and C. B. Gibson (2003). Introduction. In S. G. Cohen and C. B. Gibson (eds.), Virtual Teams that Work. San Francisco: Jossey-Bass.

Hinds, P. and S. Weisband (2003). Knowledge Sharing and Shared Understanding in Virtual Teams. In S. G. Cohen and C. B. Gibson (eds.), Virtual Teams that Work. San Francisco: Jossey-Bass.

OLF (Oljeindustriens landsforening; The Norwegian Oil Industry Association) (2005). Integrated Work Processes. Future Work Processes on the Norwegian Continental Shelf.

Wainfan, L. and P. K. Davis (2003). Challenges in Virtual Collaboration. Videoconferencing, Audioconferencing, and Computer-Mediated Communications. Santa Monica: RAND National Defense Research Institute.


Appendix D) State of the art in “Security and Safety in IO” – R&D activities and Experiences from IFE – written by IFE

As a platform for advanced and applied research activities and the host for the OECD Halden Reactor Project (HRP), the Institute for Energy Technology (IFE) constantly monitors the European and international trends within its major competence areas and priorities. One of the highest priorities for IFE has been dependability research, focusing mainly on safety, security and reliability analysis of systems and carried out at the Safety - MTO Sector in Halden. As far as the system view is concerned, the focus on software-based systems has gradually been shifting from a purely technology-oriented perspective to a more MTO-oriented perspective. At the same time, and in accordance with the increasing application of Information and Communication Technologies (ICT), the awareness of the equal importance of all three aspects of MTO has also been growing. As far as research is concerned, IFE has been following up the development within HRP through wishes and needs expressed by member organisations, within the European Commission (EC), and in Norway, mainly through the Research Council of Norway (NFR). As far as the HRP is concerned, the need for better integration of MTO and HES aspects and, in relation to those, better description of dependability aspects of all kinds of systems has been emphasised. Especially the concept of security³ has attracted growing attention. Systems in focus have been HCI systems, COSS systems (Computerised Operation Support Systems), ICT-driven systems, etc. The European Commission’s movements and actions in progress indicate a clearly increasing focus on the topic of security. In that respect, a dedicated programme for security research as a part of the 7th Framework Programme has been established. The prime rationale behind the programme is in fact to conform better and more efficiently to the multi-disciplinary and multi-sectoral requirements for giving a boost to Europe’s security research. The major difference between the new programme and the EC’s security-related activities within the previous and current framework programmes is the programme’s particular focus on joint civil-defence research. The aim is to establish an environment for more coherent research towards security for society and infrastructure, so that the risk of terrorism, organised crime, large-scale accidents and natural disasters can be reduced in a more effective manner. The research programme will therefore be multidisciplinary and multi-industrial in nature. The dominant items of the programme are directed towards:

o Optimising security and protection of networked systems

o Protecting against terrorism (including bio-terrorism and incidents with biological, chemical and other substances)

o Enhancing crisis management (including evacuation, search and rescue operations, control and remediation)

o Achieving interoperability and integration of systems for information and communication

o Improving situation awareness (e.g. in crisis management, anti-terrorism activities, or border control)

In accordance with the above, the Research Council of Norway (NFR) has launched several initiatives to prepare the research and education community in Norway for better compliance with the requirements set up by the EC.

³ The prime dependability aspect in focus for the Halden Reactor Project has always been and will be safety. Therefore, the Project’s focus on security is and will be in the context of safety.


In response to the EC’s plans for a security research programme, NFR established the programme VERDIKT (Core Competence and Added Value within ICT) in 2005. A significant difference between VERDIKT and previous NFR initiatives and efforts within the ICT domain is the considerably enhanced focus on multi-disciplinary and multi-sectoral aspects of ICT research. At the same time, an increased focus on security in the context of safety and the related risks is observed within current sector-oriented research programmes, especially towards the transport and petroleum/energy sectors. The following gathers important conclusions drawn from the strategy and the topics of the projects funded so far:

1. There is a shift from the traditional deductive manner of research to a more holistic form, demonstrating more awareness of the potential of multidisciplinary research, particularly on safety and security and related risk analysis.

2. The focus on experienced risk, as opposed to calculated (or “objective”) risk is growing, among others, as a result of the shift explained above.

3. There is a new view on risk analysis; no longer as a single activity, but as a dynamic process that includes defining risk indicators as a function of both scenario-based data (involving analysis of future tendencies) and historical data, providing better models for risk communication, and clearer representations of risk acceptance or rejection criteria. Additionally, this risk analysis process is now advocated as an integrated part of the entire development process, including planning, construction and deployment of the systems/infrastructures subject to risk.

4. There is an increasing focus on decision analysis, which includes analysis and assessment of other alternative solutions for handling risks, as a decision’s elements are usually based on the underlying risk analysis process, its resulting risk indicators and the suggested risk elimination, mitigation and containment/control mechanisms.

5. There is a growing concern about risk compensation mechanisms and their consequences. These are basically caused by an unintended result of the implementation of safety countermeasures, namely the increased conviction and feeling of being safe, leading many to take risks that are evaluated to be unacceptable by the same safety countermeasures.

In spite of the rapidly growing application of ICT systems for building and modernising, e.g., the Norwegian transport infrastructures or operation centres within the petroleum sector, the focus on research towards analysing the role of ICT systems and/or assuring their security has so far been limited within the existing programmes. This has, however, been one of the main reasons for the establishment of the programme VERDIKT, emphasising that understanding the emerging ICT technologies is as important as incorporating MTO and HSE aspects into the construction and operation of ICT-driven systems used for example within the transport and petroleum sector. As far as focus on the operative level is concerned, the experiences of IFE through the consultancy projects with different branches of industry indicate high focus on HSE factors towards the petroleum sector and the Norwegian authorities, where more strict requirements on integration of HSE factors into systems and processes have been introduced. As far as consultancy activities towards modelling and analysis of ICT-driven infrastructures for telecom, railway and aviation industries are concerned, less focus on HSE aspects but more focus on MTO and dependability aspects integrated into MTO models of systems has been observed. A common trend in many consultancy activities is an enlarged spotlight on all aspects of risk such as analysis, assessment, management and documentation. The following are two current projects involving HSE and MTO aspects as well as dependability factors, and where the HSE factors are central to the projects.


HSE – Petroleum: Competence Development project on Change, Organisation and Technology in the petroleum sector

In 2002, the Research Council of Norway (NFR) initiated the programme HSE Petroleum as a response to the white paper no. 7 (2001-2002) issued by the Parliament and entitled “About Health, Environment and Safety within the Petroleum business branch”. “Change, Organisation and Technology” is one of the four competence projects within the programme. The overall objective of the project is to develop competence and know-how and to apply this towards the petroleum sector in Norway, so that HSE factors can be better integrated into organisational and technological changes, and so that the HSE factors can be used as premise providers with regard to any introduction and implementation of changes. The project will terminate in 2007, but it is believed that certain focus areas paramount to HSE and dependability factors will be further exploited in terms of new projects.

IO – Health, Safety, Work, Environment and Emergency Awareness

The project shall develop a set of recommendations for how implementation of IO on the NCS can improve health, safety, work environment and emergency awareness based on input from the following selected focus areas:

1. Organisational changes

2. Working environment

3. Decision, planning and co-ordination

4. Man-Technology-Organisation (MTO) interplay

5. HSE management

In that respect, some main HSE-relevant factors affecting integrated work processes (across on- and offshore as well as companies) and important to obtaining HSE benefits will be subject to further analysis. Examples are: HSE management, decision making, trust, communication, change management, distance work technology, culture, roles and allocation.

Secure event reporting, storage and treatment

The paper by Thunem et al. (2007) discusses an approach for such a secure and user-friendly environment for event reporting, storage and treatment. The approach has been used in developing the COMPSIS databank, which is the main product of the OECD NEA project COMPSIS (see http://www.compsis.org/). Reporting events, recording events and analysing and treating events have always been a major concern and at the same time a sensitive issue for many branches. This concern has grown considerably with the introduction of more complexity, flexibility, user-friendliness, etc. into the operation and maintenance of the computerised and ICT-driven systems involved, as this has also given rise to more sources of faults and failures, both obvious and hidden. Especially the confidentiality aspect of event reporting and recording has been a dominating factor in vendors and users being reluctant to report and record events to a common base, so that others can learn about them and eventually figure out how to avoid them. At the same time, other vendors and users, and also regulating authorities wishing to learn from those events, may question the credibility of available reports if they are not reported in a systematic, uniform and comprehensive manner. In addition, software and hardware faults in safety-critical systems are typically rare, and consequently most countries do not experience enough of them to be able to draw any meaningful conclusions after their occurrence. Combining information from several countries provides the opportunity for learning and drawing conclusions from a larger supply of events and incidents, so that the causes of the events, the events themselves and their consequences can be better handled. This can be in terms of barriers to control the propagation of an event, means to remove the cause of the event, or means for graceful degradation of the functions and operations of the systems involved. Preceding the construction of the database system is the development of clear and unambiguous coding guidelines specifying the event data to be submitted. Next is the shape of the database and its user interface, in compliance with the coding guidelines. Finally is the selection of technologies required to create a secure, user-friendly, web-based interface to the database, including content management system, web server, database system and a reliable operating system.

References – in addition to references already addressed:

1. NIST: Computer Security, Underlying Technical Models for Information Technology Security, http://csrc.nist.gov/publications/nistpubs/800-33/sp800-33.pdf.

2. Evans, S., Heinbuch, D., Kyle, E., Wallner, J.: “Agency Risk-Based Systems Security Engineering: Stopping Attacks with Intention”, IEEE Security & Privacy Transactions, November/December 2004, pp. 59-62.

3. Nicol, D. M., Sanders, W. H., Trivedi, K. S.: “Model-Based Evaluation: From Dependability to Security”, IEEE transactions on Dependable and Secure Computing, Vol. 1, No. 1, pp. 48-65, January-March 2004.

4. Grance, T., Hash, J., Stevens, M.: “Security Considerations in the Information System Development Life Cycle”, 800-series, No. 800-64, Recommendations of the National Institute of Standards and Technology (NIST), 2003, USA.

5. Thunem, A. P-J: “Security Research from a Multi-Disciplinary and Multi-Sectoral Perspective”, SafeComp 2005 international conference, pp 381-389, Fredrikstad, Norway, 2005.

6. Thunem, A. P-J.: “Modelling of Knowledge Intensive Computerised Systems Based on Capability-Oriented Agent Theory (COAT)”, In Proc. International IEEE Conference on Integration of Knowledge Intensive Multi-Agent Systems, IEEE-KIMAS’03, pp 58-63, Cambridge (MA), USA, 2003.

7. Thunem, H. P-J., Thunem, A. P-J. and Bisio, R.: “An approach for secure event reporting, storage and treatment”. In Risk, Reliability and Societal Safety (ESREL 2007), Aven & Vinnem (eds.), Taylor & Francis Group, London, pp. 1359-1364.