Cyber Security in Procurement of Third-Party Suppliers: A Case Study of the Norwegian Power Sector
Abstract
The Norwegian power sector is currently experiencing an increasingly complex supply chain, affected by digitalization. This case study examines how digitalization has changed the procurement of third-party suppliers of Information Technology (IT) and Operational Technology (OT), focusing on cyber security, in the Norwegian power sector. The thesis investigates why cyber security in current procurements of third-party suppliers is challenging, in addition to how it is possible to make better decisions in the procurement of third-party suppliers. Literature findings originating from our Systematic Literature Review (SLR) identify the need for an exploration of procurement challenges related to cyber security in the Norwegian power sector. Qualitative research utilizing Semi-Structured Interviews (SSI) was applied to acquire an in-depth understanding of participants' experiences concerning procurement. Our study includes a total of ten interviewees, who were divided into four segments of the Norwegian power sector: Production, Support System, Distribution System Operator (DSO) and Transmission System Operator (TSO). By analyzing our empirical findings and literature findings, we demonstrated that there is a variety of cyber security challenges in the procurement of third-party suppliers. Most centrally, there is a lack of cyber security competence and a low capacity of in-house expertise within the Norwegian power sector. Additionally, there is a lack of standardized requirements regarding cyber security in procurements of third-party suppliers. Certain Norwegian power companies are too small to make demands towards larger third-party suppliers, making it challenging to apply desired cyber security requirements. On this basis, it is recommended that the Norwegian power sector apply competence- and capacity-enhancing measures.