Owners of Operational Technology (OT) in different sectors from industry, critical infrastructure and other services are increasingly utilizing connected technologies in production processes, systems, and environments that make up their operations, exposing traditionally isolated networks to the Internet (Ashibani & Mahmoud, 2017). With cyber-attacks becoming a regular occurrence, industrial organizations face an ever-increasing challenge in protecting their assets as the cyber threat landscape widens due to Information Technology (IT) being introduced into the OT domain (Dragos, 2024). This means that cyber operations are not necessarily limited to the digital domain and may, in worst-case scenarios, lead to severe physical damage to critical infrastructure and personnel (The Norwegian National Security Authority, 2024). Critical infrastructure and OT are experiencing increased threats from the digital domain, and the current geopolitical situation has caused a spike in cyber-attacks that directly or indirectly impact critical OT environments (The Norwegian National Security Authority, 2024). To increase their cyber-resilience and respond to digital malicious actors targeting their environments, OT organizations may employ Managed Security Service Providers (MSSP) to protect their complex and highly contextualized OT environments from threats that originate in the cyber-realm. However, due to the inherent differences between IT and OT, MSSPs and Security Operations Centers (SOC) experience difficulties when integrating OT into the scope of their enterprise SOC operations (Dragos, 2023). Therefore, when securing systems that consist of OT, MSSPs are dependent on additional sources of knowledge and context to develop the Cyber Situational Awareness (CSA) necessary to effectively monitor and respond to cyber-events that span the IT and OT domains.
With this exploratory study, we aim to determine how OT impacts the development of CSA during Incident Response (IR) in a SOC. Additionally, we investigate how MSSPs can operationalize people, processes, and technologies to effectively provide security operations to organizations that operate and maintain OT environments. We investigate how people, processes, and technology operate in a complex socio-technological environment to determine how the MSSPs and the SOC develop and maintain CSA during cross-domain IR.
This study expands upon the work of Andreassen et al. (2023) by constructing a conceptual framework that illustrates the process of developing CSA in OT-SOC IR. We apply Collective Intelligence (CI) theory and Endsley’s (1995) theory of Situation Awareness (SA) to create a theoretical lens and explain how CSA and shared SA are developed in cross-domain and multi-actor environments. Data was gathered through a systematic assessment of 27 peer-reviewed publications and 11 interviews with 14 respondents, ranging from engineers to OT security specialists. Using the framework for SA in SOC-IR by Andreassen et al. (2023), theory, and the interview data, we have created a dynamic framework illustrating the process of developing CSA in OT-SOC IR. The framework illustrates how different actors (people, processes, and technologies) cooperate and coordinate across domains towards building CSA during incident response. Further, the framework captures the information flow and decision-making process at different levels to enable SOC operators to correlate cyber incidents with events that impact availability and operational safety in OT environments. Lastly, we explain how the environment changes when OT is incorporated into the scope of the SOC and highlight how elements of cognition, cooperation, and coordination act as the foundation in combined IT and OT cyber-IR.