Global college of Engineering and Technology, Muscat, Oman

Department of Mechanical Engineering,

Industrial Control System Security Effectiveness

To Oil and Gas Organizational performance

Module Code: UFMFTF-60-M

Dr. Pooyan Rahmanivahid

Project Supervisor: Dr. Mazhar Malik

A Dissertation submitted in partial fulfilment of the requirements of the

University of the West of England, Bristol for the Degree of
Master of Science in Engineering Management.

Project Owner: Mujtaba Al-Musawi

Student ID: 202021004
Word Count: 12,021
Programme: MSc Engineering Management
Submission Date: 25th October 2021

DECLARATION
I confirm that this report is my own work, is not copied from any other sources (published or
unpublished), and has not previously submitted for assessment either at UWE or elsewhere. I
confirm that I have read and understood the University regulations on plagiarism.

REGD NO: 202021004

NAME: Mujtaba Sharaf Ali Al-Musawi

SIGNATURE:

Plagiarism Report

Figure 1: Plagiarism Report (UWE, Blackboard)

1
Abstract
In 1962, the British Chemical Company invented the first Industrial Control System (ICS),
which had the capability to perform control function to an oil and gas process. In the
following years, several enhancement were made on the ICS systems such as the DCS and
SCADA systems to control sensitive and critical infrastructure (Segovia, 2012).

Nowadays, Industrial Control Systems (ICS) monitor and control several national
infrastructure in different industries such as electrical power generation, electricity
transmission, oil and gas. The reliability and sustainability of these industries depend on the
healthiness of the ICS systems.

These systems are integrated with other networks to transfer important real time data for
monitoring, diagnostic and analysis. Various reports showed that ICS systems became
vulnerable to cyberattacks globally. Several systems were attacked and sabotaged using
malwares or ransomwares resulted in massive financial consequences. With this, the need to
secure ICS systems become essential to all organizations to sustain their operations.

The objective of this research is to evaluate the effectiveness of implementing ICS security
solutions to oil and gas organizations and its impact to organizational performance. Data were
collected by two methods, firstly, reviewing pervious literature and secondly by a survey sent
to ICS professionals in Oman, with 36 valid responses. The results confirm the importance of
ICS effectiveness, which positively influence performance of the organizations,
consequently, affects financial and non-financial performance.
The study presents an ICS framework that can be considered as a comprehensive set of
factors affecting the security effectiveness of the ICS. It also adopts ADRI model to evaluate
the ICS security approach in any organization. The ADRI model can be utilized as a road
map to implement the ICS security and to guide future studies in enhancing the understanding
of how organizations can better prepare themselves to reduce the incidence and impact of
cyberattacks.

In the light of this objective, the research is divided into several chapters. The first chapter
provides an overview of the research question, problem statement and introduction to ICS
systems. The second chapter reviews previous literature and introduces the international

2
initiatives to battle the cyberattacks, as well as GCC countries strategies to defend
cyberattacks and Oman’s national security approaches.
The third chapter demonstrates the research methodology and the collection methods. The
forth chapter discusses and analyses the details of performed research opening with IT and
OT comparison, ICS Threats & Vulnerabilities, historical cyberattack to DCS. It also
analyses the survey outcomes.
The fifth chapter discusses the Cost of ICS cyberattack and challenges in implementing
security solutions in the ICS system and presenting ADRI model as a road map to assess ICS
security approaches in organizations.
The last chapter presents the conclusions, recommendations and future recommendations.

3
Acknowledgements

It gives a pleasure to send my sincerest appreciation and acknowledgement to my supervisor

Dr. Mazhar Hussain Malik for all support and patience he provided me during writing the
dissertation and for the feedbacks, he made on the progression of my research.

I am grateful to Dr. Pooyan Rahmanivahid our module leader for the support he provided my
colleagues and I throughout the master studies in the Global College of Engineering and
Technology specifically during the COVID19 pandemic.

I would send my appreciations to all participants on the ICS security survey, which added a
value to the research analysis.

I would also thanks my company Daleel Petroleum LLC for their sponsorship of master
program without which this Master Degree would not have been possible.

4
Table of Content
Plagiarism Report..............................................................................................................................
Abstract...............................................................................................................................................
Acknowledgements.............................................................................................................................
Table of Content.................................................................................................................................
List of Tables.......................................................................................................................................
List of Figures.....................................................................................................................................
Terminology........................................................................................................................................
Chapter 1: Introduction to the Study.............................................................................................
1.1. Chapter Aim.............................................................................................................................10
1.2 Introduction...............................................................................................................................10
1.3 Problem Statement....................................................................................................................11
1.4 Research Question.....................................................................................................................12
1.5 Research Aims and Objectives..................................................................................................12
1.6 Research Scope.........................................................................................................................12
1.7 Research Structure.....................................................................................................................12
1.8 ICS Background........................................................................................................................13
1.8.1 Industrial Control System ICS theory.................................................................................................14
A. Overview of Industrial Control Systems.................................................................................................14
B. ICS History..............................................................................................................................................15
C. Key ICS Components.............................................................................................................................18
D. ICS (DCS) Operation...............................................................................................................................20
Chapter 2: Literature Review.........................................................................................................
2.1 Chapter Aim..............................................................................................................................22
2.2 Historical Literature Review.....................................................................................................22
2.2.1 ICS Security Worldwide......................................................................................................................22
2.2.2 Cyber security in GCC Countries........................................................................................................23
2.2.4 Oman Cyber security...........................................................................................................................24
2.2.5 ICS security during COVID-19 pandemic..........................................................................................24
2.3 ICS Security Effectiveness........................................................................................................25
2.3.1 ICS Security Effectiveness Framework...............................................................................................26
2.4 Organizational Performance......................................................................................................28
Chapter 3: Research methodology..................................................................................................
3.1 Chapter Aim..............................................................................................................................30
3.2 Research Purpose......................................................................................................................30
3.3 Background Research................................................................................................................30

5
 3.4 Collection Methods...................................................................................................................31
3.5 Methodology Diagram..............................................................................................................32
3.6 Research process.......................................................................................................................33
3.6 ADRI Model.............................................................................................................................34
Chapter 4: Research Performed.....................................................................................................
4.1. Chapter Aim.............................................................................................................................35
4.2 Comparing IT and OT Systems.................................................................................................35
4.3 ICS Threats & Vulnerabilities...................................................................................................37
4.4 Historical Cyberattack to DCS..................................................................................................40
4.5 Cyber-incidents.........................................................................................................................41
4.5.1 Stuxnet.................................................................................................................................................41
4.5.2 Shamoon..............................................................................................................................................41
4.5.3 Ukraine Power Grid Attack.................................................................................................................42
4.5.4 TRITON/Trisis....................................................................................................................................42
4.5.5 WannaCry ransomware.......................................................................................................................42
4.6 Recent ICS Cyber Attacks.........................................................................................................43
4.7 ICS Security..............................................................................................................................43
Chapter 5: Discussion and Data Analysis......................................................................................
5.1. Chapter Aim.............................................................................................................................45
5.2 Cost of ICS cyber attack............................................................................................................45
5.3 ICS Survey Outcomes...............................................................................................................48
5.4 Challenges of Managing ICS Cyber security.............................................................................50
5.5 ADRI Model to ICS security.....................................................................................................52
Chapter 6: Findings, Results and Conclusions..............................................................................
6.1 Chapter Aim..............................................................................................................................58
6.2 Review of Research Question...................................................................................................58
6.3 Conclusions & Recommendations.............................................................................................59
6.4 Research Difficulties.................................................................................................................60
6.5 Future Recommendation...........................................................................................................60
References.........................................................................................................................................
Appendix...........................................................................................................................................
A. Ethical Checklist Review Ethics.............................................................................................65
B. Timeline of the Dissertation Research....................................................................................66
C. Survey Questions....................................................................................................................66
D. Survey Validation...................................................................................................................70

6
List of Tables
Table 1: GCC ranking on ITU’s Global Cyber security Index for 2018.................................24
Table 2: ICS cyber-incident timeline.......................................................................................41
Table 3: Total costs of cyber-crimes in seven countries (in Million)......................................47
Table 4: ADRI Quantitative approach.....................................................................................56
Table 5: ADRI implementation................................................................................................56
Table 6: Ethical Checklist Review...........................................................................................65
Table 7: Research Gantt chart..................................................................................................66
Table 8: Survey Validation......................................................................................................70

7
List of Figures
Figure 1: Plagiarism Report (UWE, Blackboard)......................................................................1
Figure 2: Structure of the Main Dissertation Project...............................................................13
Figure 3: Human Machine Interface........................................................................................14
Figure 4: Simple control system architecture..........................................................................15
Figure 5: Pneumatic Control System.......................................................................................16
Figure 6: Old relay Control Panel............................................................................................16
Figure 7: Local control system network..................................................................................17
Figure 8: Real time data...........................................................................................................18
Figure 9: DCS Components.....................................................................................................20
Figure 10: Hardwire instrument signal flow............................................................................21
Figure 11: ICS Security Effectiveness Framework..................................................................26
Figure 12: Visual Research Methodology Representation......................................................32
Figure 13: Overall research process.........................................................................................33
Figure 14: Percentage of ICS computers on which malicious objects were blocked in selected
industries..................................................................................................................................39
Figure 15 Percentage of ICS computers on which Malicious objects were blocked, by global
region.......................................................................................................................................39
Figure 16: Main sources of threats blocked on ICS computers...............................................40
Figure 17: Number of security incidents in 12 months............................................................46
Figure 18: ICS Security Survey respondent.............................................................................49
Figure 19: Survey respondent on ICS security........................................................................49
Figure 20: Perceived Effectiveness and Implementation of ICS Security Measures..............50
Figure 21: Challenges of Managing ICS Cyber security.........................................................52
Figure 22: ADRI Quality Cycle...............................................................................................53

8
Terminology

ADRI Approach, Deploy, Review Improve

DCS Distributed Control System
GCC Gulf Cooperation Council
HMI Human-Machine Interface
ICS Industrial Control System
IEC International Electrotechnical Commission
ITU International Telecommunication Union
ISA International Society of Automation
ISO International Organization for Standardization
IT Information Technology
KPI Key Performance Indicator
LAN Local Area Network
NIST National Institute of Standard and Technology
OS Operating System
OT Operational Technology
PLC Programmable Logic Controller
RDP Remote Desktop Protocol
SCADA Supervisory Control and Data Acquisition
SIS Safety Instrumented System

9
Chapter 1: Introduction to the Study
1.1. Chapter Aim
The aim of this chapter is to introduce the reader to the overall research. It includes the
research question, problem statement, research objectives and the research structure. This
chapter forms the foundation of the study, the purpose it was selected and the detailed
objectives of study.

1.2 Introduction
Today, globalization has driven the growth of the world communications, data transfer,
networks, and communication systems to the furthest extent with the development of internet.
This massive growth has simplified all means of communication between people and
organizations using various devices. On the other hand, the accelerated development has
introduced new growing threats called the cyberattacks, which in recent years have harmfully
affected companies and their overall performance around the world.

Cyberattacks on critical infrastructure become one of the top five global risks, according to
the world leaders who participated in the World Economic Forum in 2018 Global Risk
Report (Heather, 2018). Companies which manages critical infrastructure such as electrical
power generation plants, electrical distribution, water desalination, communication
companies, chemicals, defense, emergency services, energy, food and agriculture,
government, healthcare, manufacturing, and transportation, started to face genuine challenges
in improving their defenses not against terrorism attacks only, but against cyberattacks, also.

The cyberattacks against critical infrastructure systems differ from attacking other systems.
For example, systems that provide us with electricity, gas, and water function have different
set of operational conditions than systems that provide us Facebook or WhatsApp (Dwight
Anderson, 2014).

Furthermore, the cyberattacks have reached to national infrastructures by attacking and

sabotaging the Industrial Control Systems in oil and gas organizations and have cost
companies millions of dollars through disturbing the services and critical operations (Heather,
2018).

10
This study adopts the ADRI Model (Approach, Deploy, Review, and Improve) to assess and
evaluate the effectiveness of implementing ICS cyber security approaches towards
organizational performance (financial and non-financial performance). Data were collected
from previous similar literature and from cyber security institutions annual reports, surveys
and Kaspersky Lab, which is a security expert laboratory in critical infrastructure.

1.3 Problem Statement

Companies involved in Information Technology (IT) business have been worried about cyber
security for many years. Thus, the IT companies came up with excellent defenses for the IT
environment.
However, Operational Technology (OT) networks connected to critical infrastructures were
not considered part of Information Technology (IT). Consequently, such networks left
without any protection against cyberattacks for ages.
However, in recent years, international standards were developed and companies started to
invest in ICS security. Conversely, many gaps and challenges appeared during the
implementation. Some of these issues are below:
 Lack of skilled resources in ICS security in the market (Kaspersky Lab, 2017).
 Lack of senior management awareness of ICS security effectiveness, thus, shortage of
financial support (Eduard, 2019).

There are other obstacles encountering the implementation of security controls to the ICS
systems. Although the risk of cyberattacks in such industries is significant as plenty of
control systems around the world were attacked or sabotaged resulting in vanishing
businesses. As per the NIST Report, 2014 indicated that Cyberattacks could completely
disturb or even paralyze sections of critical national infrastructure (Al Neaimi, 2015). A
Canadian telecom company named Nortel networks bankrupted in 2009 when Chinese
hackers penetrated their network (Venkatachary, 2017).

The problem is that how to encourage the senior management in an oil and gas organization
to invest in ICS security and how to demonstrate the effectiveness of this investment? What
are the impacts to the performance of the organization?

11
 1.4 Research Question
To resolve the above-mentioned problem, in this research, I studied the effectiveness of
implementing cyber security solutions in ICS systems and its effects to the performance of
the organization. The following research questions are addressed:

What are the effects of implementing security measures into Industrial Control Systems?
How does the ICS cyber security affect organizational performance?

1.5 Research Aims and Objectives

The objective of this research is to review various literature, written report to investigate the
effectiveness of implementing cyber security solutions in the Industrial Control Systems ICS
in the oil and gas industries and its result towards the organizational performance. Also, to
Address the main challenges in implementing the cyber security in the ICS and come up with
solutions to these challenges.

1.6 Research Scope

The scope of this research is to provide justification to implement ICS security. The findings
from this study might help organizations to development their ICS security approaches,
deployment, review and improvement strategies using ADRI model provided in this study.
The information may also provide insights that a company can realize the importance of
implementing ICS security program to avoid any financial losses.

1.7 Research Structure

The report is be presented by in six chapters. The first chapter begins with an introduction to
the research, problem statement, research question, research objective, scope, Industrial
Control System (ICS) overview, ICS history, ICS key components, ICS operation and
information that are essential to understand the overall research.
Chapter 2 presents the literature review, ICS security worldwide, ICS security in GCC
countries, Oman cyber security, ICS security during COVID-19npandemic, ICS security
effectiveness framework and organizational performance. Chapter 3 presents the research
methodology, collection methods, methodology diagram, research process and ADRI Model.
Chapter 4 presents the research performed, comparing IT & OT systems, ICS threats,
Historical cyberattacks to DCS, recent cyber incidents and ICS security. Chapter 5 presents

12
the cost of ICS cyberattack, ICS survey outcomes, challenges in managing ICS security and
practical ADRI Model to ICS security.
Finally, Chapter 6 presents conclusions, recommendations research difficulties and future
recommendations. The diagram below is the designed structure of the research.

Figure 2: Structure of the Main Dissertation Project.

1.8 ICS Background

This section provides the reader a background of the Industrial Control systems. It defines
key information of ICS systems. The Industrial Control System Theory, ICS history,
components and operation.

13
 1.8.1 Industrial Control System ICS theory
This section introduces the Industrial Control Systems with all related information that
support the research.
A. Overview of Industrial Control Systems
A Control system is a system which interconnects different components (hardware &
software) forming a system configuration to provide a desired function (Richard, 2008). The
term Industrial control system (ICS) is a generic term that covers different types of control
systems including:
 Distributed Control Systems (DCS)
 Supervisory Control And Data Acquisition (SCADA)
 Programmable Logic Controllers (PLC)
These systems are normally found in manufacturing sectors and critical infrastructures such
as electrical generation plants, electrical transmission, water desalination, wastewater
treatment, oil & gas industries, and chemical plants (Stouffer, 2011). The main function of
the control system is to monitor, control, safeguard, optimize, automate and facilitate remote
operation of all surface facilities. It also provide an interface between human and machine,
so, people can control machines (refer to figure 3) through a graphical representation of the
machines in HMI (Human Machine Interface) workstations.

Figure 3: Human Machine Interface

The control systems are built in networks of computer systems, connected to plenty
(hundreds or thousands) of instrument devices like sensors, transmitters & actuators used to
measure, control, and safeguard physical equipments like pumps, compressors, vessels or
tanks (Figure 4). They play an important part in the operation of geographically distributed

14
critical infrastructures. Thus, the systems are called Distributed Control Systems DCS and the
networks are named as Operational Technology (OT) Networks.

Figure 4: Simple control system architecture

There are some differences between DCS and SCADA systems. One of the differences is that
the communications are typically achieved using Local Area Networks (LAN) technology in
DCS. Which is more reliable and high speed communication in comparison with SCADA
that requires long distances and might use wireless communication. The DCS has greater
scan time and complex logics that can handle closed loops better than SCADA.
In this study, the DCS, SCADA, or PLC systems will be referred as ICS unless a specific
reference is made to one of them.

B. ICS History

The ICS systems were designed to meet performance, reliability and safety requirements
(Stouffer, 2011). In the past, control systems were very basic and locally operated using
systems which are pneumatically (by air) (figure 5) or hydraulically (by hydraulic oil)
operated.

15
 Figure 5: Pneumatic Control System
(Nishioka, 2008)

Then with the development of the electrical technology, control systems were slowly
upgraded to utilize electricity. The electricity was a big jump in the control systems, but it
introduced another complication, which is using live electric devices inside the oil, and gas
stations where explosive air/gas mixture is likely to be present. Soon, this issue was resolved
by inventing the explosion proof systems, which prevent generating sparks. However, the
control systems were still locally operated (Figure 6).

Figure 6: Old relay Control Panel

(Segovia, 2012)

Another improvement to the control systems was to use them in closed environments
separated from other systems. The need for security at that time was not considered (Lee,

16
2008). They were reasonably secure because they were, in most cases, isolated from other
systems or networks.
At that time, security for ICS meant to physically secure the access to the network and the
consoles that control the plant by simply locking the door to the control room (Hieb, 2008).
The system engineers and the maintenance team were very competent in maintaining these
systems (Figure 7).

Figure 7: Local control system network

(T. Angevaare, 2003)
However, in recent years, with the development of communication technology, the need to
connect the DCS, SCADA and other control systems to open networks increased
significantly, thus, the vulnerability increased, also. Consequently, they were connected to
different systems and networks such as office domain networks to transfer real time data for
the use of critical analysis, calculations, diagnostics and decision-making (refer to figure 8)
exposing DCS to major security threats.

17
 Figure 8: Real time data
(Smart Portal, Daleel Petroleum LLC, 2021)
With this quick integration demand, the control systems neither were equipped with software
and hardware to protect them against cyberattacks nor were the system vendors adequately
educated nor skilled to deal with cyber security issues nor the maintenance teams were aware
about the new requirements for maintaining these systems.
Moreover, the senior management are not aware about these challenges and the associated
risks with these new requirements, which should be reflected on the roles and responsibilities
of the team working in these systems.

Apart from this, reports indicate that cyberattacks against control systems are increasing. The
1997 report of the President’s Commission on Critical Infrastructure Protection stated that the
vulnerability would increase in the future because of the increasing connections between the
Internet and the critical infrastructures. Recent report from Kaspersky lab (2021) indicate
over 19,400 malware attacked industrial automation systems around the world.

C. Key ICS Components

There are different types of control systems such DCS or SCADA. Their main components
are almost similar (Figure 9). The main components are:

Server: is one of the important parts of the control system. It contains all services that make
the system functioning as per demand. It also contain several Softwares that comprise the

18
database and the system configurations. It interconnects data from other systems (3rd party
systems).
Controller: are industrial microprocessors which process plenty of data come from Input and
Output modules (I/O modules) and take the necessary actions for each data. The controller
preserve huge configurations and system database.

Input/output (I/O) modules: are cards, which digitize the signals that come from sensors
and transfer them to the controller. It also send back the processed signals to the actuators in
the station.

Communication module: is a module, which interfaces with other systems. It translates

other systems’ signals to a standard digital signal that the ICS understands and executes.

Control Loop: A control loop includes sensors for measurement, controller, actuators such
as control valves and configuration. Process variables are transmitted to the controller from
transmitters by 4 to 20 milli-ampere signals. The controller receives the signals, takes
corresponding actions and transmits the signals to the final control elements.

Historian server: is a server, which gathers and stores all log files and processed data in a
centralized location.

Programmable Logic Controller (PLC) is a small controller connected to certain

equipments in the plant and sends the data to the control system through communication
modules.

Human-Machine Interface (HMI): This is where the interface between people and
machineries occur. The HMI contains software and hardware components located usually in
control rooms, where operators and engineers can monitor, control and configure the entire
processes.

OPC Server: is an Object Linking and Embedding for Process Control is a server, which has
standard communication that enables the exchange of data between multi-vendor devices and
control applications without any proprietary restrictions

19
 Figure 9: DCS Components
(Stouffer, 2011. p2-11)

D. ICS (DCS) Operation

The DCS is connected to many sensors that measure process variables in the plant such as
pressure, flowrate, tank level and temperature. The sensors are embedded into transmitters,
which transmit the sensor signals to the control room through cables connected to junction
boxes installed in the plant.
From field junction boxes through multicore cables, the signals are transferred to Marshalling
cabinets, where wires enter into the control panels.
In the control panels, controllers and I/O modules are positioned. After signal entering the
control panel, the signals’ wires are connected to the I/O modules of the controller. The
Controller thereby processes the data according to the configured logic and gives output
signals to the Final Control Element through output cards, following the same cable route.
(Figure 9). The signals are processed in the DCS with specified scan. The process variables

20
will be displayed to the operator in the HMI for his/her monitor and manual intervention
when required.

Figure 10: Hardwire instrument signal flow

The ICS components will be integrated together to form one system to monitor a complete
process. The processes are normally divided into two types:

Continuous Process: This type of process operates in a continuous manner. Typical

continuous manufacturing process includes oil and gas, power plant, refinery and chemical
plant.

Batch Process: This process has discrete processing which comprises of a series of steps to
produce the end product, conducted on a quantity of material. There is a different start and
end step to a batch process. Examples of batch processes are food manufacturing (Stouffer,
2011). Both processes utilize the same types of control systems, sensors, and networks.

In summary, the objective of this chapter is to provide an Overview of Industrial Control

Systems, ICS History, Key ICS Components and ICS Operation. This information will form
the basis to understand the thesis of this study.

21
Chapter 2: Literature Review

2.1 Chapter Aim

This chapter sets out to review previous literature, ICS security worldwide, cyber security in
GCC countries and cyber security in Oman, ICS security during COVID-19 pandemic, ICS
Security Effectiveness Framework and Organizational Performance.

2.2 Historical Literature Review

The aim of the research is to study the ICS security effectiveness to the oil and gas
organizational performance. Thus, review of existing literature is conducted to recognize the
researches performed in this subject to avoid replication of information in same topic.
It was obvious to the author that there are few studies conducted specifically in the ICS
security and its effectiveness to the performance of oil and gas organizations. However, there
are plenty of information distributed in various studies that can be gathered and utilized in
this research. Other data is collected from cyber security researches related to IT systems that
supports this research.

In the 1950s, it was the period of the birth of the control system, which was based on
computers. Then the studies were conducted to improve the computing systems for process
control resulted in developing the first IBM computer for this purpose in 1961, but it was for
supervision only. Following year, British Chemical Company Imperial Chemical Industries
manufactured a computer that performs the control function to the process. After that,
programs were developed to replace the wiring with faster and reliable processers resulting in
faster process controls and reliable plants. In 1980s, a big step forward occurred when the
Distributed Control System DCS was introduced with microprocessors to control oil and gas
plants (Segovia, 2012).

2.2.1 ICS Security Worldwide

Globally, the ICS security became a serious matter to many governments as the number of
detected vulnerabilities has increased 20 times since 2010 (Robert, 2016). Many ICS attacks
occurred in different parts of the world. One of the famous ones is when National Laboratory
ran the Aurora Generator Test in 2007 by a cyberattack proving that such attacks could

22
penetrate into the system and destroy physical equipments of the electric grid. Stuxnet and
Shamoon are other proves of the capabilities of these attacks (Robert, 2016).
As a result, governments around the world have established several agencies, institutes and
organizations to develop ICS standard practices and statistics, such as:
 The National Institute of Standards and Technology (NIST).
 International Society of Automation (ISA).
 International Electrotechnical Commission (IEC).
 International Organization for Standardization (ISO).
 Design Engineering Practice (DEP).
 SysAdmin, Audit, Network and Security (SANS).

2.2.2 Cyber security in GCC Countries

Gulf Countries (Bahrain, Kuwait, Oman, Qatar, Saudi Arabia and United Arab Emirates)
have established a series of cyber research projects aimed for the Gulf Cooperation
Council (GCC) countries. These projects intended to assess the GCC countries how to
establish better cyber security bases and accomplish cyber resilience against cyber threats.
The GCC countries established long-term national plans and strategies to focus their
economies and efforts towards technology and innovation.
Each county established a governmental agency responsible for the cyber security issues.
Below are the centers in GCC countries:
 Bahrain Telecommunications Regulatory Authority (TRA).
 Kuwait Communication and Information Technology Regulatory Authority (CITRA).
 Oman National Computer Emergency Readiness Team (OCERT).
 Qatar Computer Emergency Response Team (QCERT).
 Saudi Federation for Cyber security, and National Cyber security Center (NCSC).
 UAE Bahrain Telecommunications Regulatory Authority (TRA).

23
 Table 1: GCC ranking on ITU’s Global Cyber security Index for 2018
(James, 2020)
The GCC countries have scored excellent positions in the Global Cyber security Index as per
the International Telecommunication Union ITU where Saudi Arabia is ranked as 13th best
cyber security defenses and Oman is the 16th in 2018. This indicates the measures GCC
countries have taken to enhance their cyber security position (James, 2020).

2.2.4 Oman Cyber security

Sultanate of Oman launched the National Computer Emergency Readiness Team (OCERT)
in April 2010, which analyzes security risks and threats that might be present in the
cyberspace and communicates data to users of Internet services and technical information for
public, private institutions, or individuals. Oman was ranked as the 3rd best Arab country in
Cyber security Index 2020 and it is ranked the third in the world for countries best equipped
for cyberattacks, according to the Global Cyber security Index. This because of the best
organizational practices thanks to its High Level Cyber security Strategy and Master Plan,
and Comprehensive Roadmap. Its strengths comprise of the organizational structure, legal
measures, technical and procedural actions, continuous audits and regional and international
collaboration.

2.2.5 ICS security during COVID-19 pandemic

Since the World Health Organization confirmed the Covid-19 outbreak pandemic (2020 -
2021), and the crisis is not yet over. The year 2021 has been an exceptional year for
cybercriminals; they have taken benefit of the pandemic and exploited the increase use of
working remotely, attacking both technical and social vulnerabilities. The manufacturing and
critical infrastructures industries were intensely impacted by the pandemic – including
operational interruptions, production loss, lower sales and the cyberattacks. The new
requirements to “work from home” were introduced.
The need for remote operations of industrial facilities and production plants has increased.
The major financial impact of this pandemic has forced organizations in public and private
sectors to rearrange their budgets. Working from home has introduced new security
requirements and procedure for IT as well as OT for remote operations. Working from home
was missing cyber security protections and the remote access offered hackers a wide surface
to attack (Zak, 2021). In the pandemic period, Kaspersky Lab noticed a global trend for
growth in the percentage of attacked ICS computers Remote Desktop Protocol (RDP) on
24
industrial computers. As per SANS survey in 2021, 18% of incidents involved the
engineering workstation due remote access. The engineering workstation is the most critical
piece of equipment in the ICS network and having this involved in so many incidents is
concerning. It should be noted that such attacks, if successful, would directly provide the
attackers a remote access to the ICS engineering servers and database, which is considered
the greatest risk for compromising an ICS system (Mark, 2021). The risk in such attacks must
not be underestimated (Kaspersky Lab, 2021).

In first six months of 2021, according to industrial cyber security firm Claroty, the Industrial
Control System (ICS) were affected by 637 vulnerabilities more than 70% of them were
assigned as critical or high severity ratings. The company said 61% of the weaknesses
exploited remotely which indicates the remote access vulnerability (Eduard, 2021).

As per the News from global industry analysts, among the COVID-19 crisis, the worldwide
market for Industrial Cyber security expected at US$15.2 Billion in the year 2020, is
estimated to reach US$22.3 Billion by 2026 (Zak, 2021).

2.3 ICS Security Effectiveness

Companies have realized the importance of implementing various security control measures
including the cyber security in their ICS systems, which is a good sign. The SANS survey in
2021 indicated that organizations leverage variety of security technologies and solutions in
their OT environment in terms of Access controls (by 82%), Antivirus solutions (77%) and
Assessment/audit programs (65%) (Mark, 2021). However, many organizations have failed to
strategically invest in cyber security to ensure that it is in line with their business objectives
(Al Neaimi, 2015).

The security implementation needs to be measured and evaluated by metrics. The following
are examples of various KPIs that can be used:
 Current Capabilities: An organization should be able to list their current security
capabilities in terms of resources.
 List Vulnerable Assets: it is important to identify the number of all vulnerable assets.
 Patching and Updates: Patch management is a critical part of addressing
vulnerabilities in software.

25
  Response Time: track of response times for different cyber incidents is a reasonably
effective method to measure overall efficiency.
 Data Transfer: Monitoring the amount of data that is being transferred will help an
organization detect misuse.

With this, by implementing and monitoring the ICS systems, companies may get benefits of
having more visibility of industrial networks for both OT and IT and identifying the
weaknesses in networks.

2.3.1 ICS Security Effectiveness Framework

In this paper, a framework is developed for effective evaluation of ICS security in any oil and
gas organization. The suggested framework is built upon reviewing of the existing strategies
presented in literature as well as proposing new strategies that suite other infrastructure.

Figure 11: ICS Security Effectiveness Framework

The proposed framework represents (Figure 11) a comprehensive approach for organizations
to follow with international security standards such as NIST, ISA or IEC, awareness and
training programs, Competent ICS Security Professionals, government regulations as well as
strong senior Management accountabilities in ICS security.

26
a) Management Accountability
The influence of the senior management and their awareness on ICS security is one of the
important success factor in the security of control system. This was supported by the study by
Gutta, R.R., where senior management should be more proactive in identifying and building
competencies for people, process, and technology to protect critical assets of the organization
from cyberattacks (Gutta, 2019). It is also important that senior management should consider
cyber security into the corporate planning and budgeting processes of the organization (Al
Neaimi, 2015).

b) ICS Security Expertise

Organizations needs to build strong workforce in the area of ICS security by dedicating
number of people with appropriate skills through specified training programs. Organizations
should also coordinate with system providers and vendors contractually to have full support
during the emergencies.

c) Government Regulations
Government should develop necessary policies and regulations to enforce companies to
implement ICS security and to assure that the national infrastructure are well protected.
National laws on availability, integrity and confidentiality of systems installed in sensitive
locations can only be enforced by ensuring compliance of all companies to the regulations.
Governments should be more vigilant in the implementation of the laws and review of these
laws on scheduled basis to capture any upcoming security threats and to decrease the
cyberattacks (Al Neaimi, 2015).

d) Users Training and Awareness

Various indications has been provided in the literature about the importance of awareness and
training as a key factor in cyber-security effectiveness. Companies should consider ICS
training as a core value to the corporate development strategy. Organizations might have
applied the best ICS technology that is supported by experienced vendors but without
effective user awareness and training programs. In such circumstances, its cyber-security
programs will still have gap as any single mistake by one of the user can have significant
consequences to the security. Therefore, it is recommended that companies should develop
learning materials and programs about ICS security for all users.

27
e) Compliance with International Standards
It is also recommend that organizations should follow ICS security standards as many studies
indicate that organizations following industry standards (like NIST best practices, ISO
guidelines, ISA and IEC) are more prepared to combat cyberattacks. Industry standards
support organizations by providing best practices, guidelines, and regulations in ICS security
(Hasan, 2021).

The above five strategies represents a strong framework that can be used to ensure effective
ICS security systems in the oil and gas organizations. These strategies can be evaluated by
ADRI model mentioned in this research.

2.4 Organizational Performance

As mentioned earlier, the main objective of this research to evaluate the effectiveness of
implementing cyber security solution in the ICS environment towards the overall
performance of the company.

Normally the organizational performance is measured in economic (financial) and operational

terms (non-financial):

The economic performance refers to financial results and outcomes that evaluate the
revenues, sales, return on investment for shareholders. It includes the expected financial
benefits for organizations with larger security performance. The availability of appropriate
security processes contributes to reaching excellent long-term financial and non-financial
performance. (Hasan, 2021). With respect to ICS security, the economic performance is to
save the organization from any financial losses resulted from any breach of malware into the
system causing the system to malfunction and stop the daily operations.

The operational performance is considered as a non-financial performance. It focuses on

the competitive position, corporate image, reputation of the organization, customer loyalty
and attracting new customers are measure for the operational performance (Hasan, 2021 ).
The operational performance is to protect the daily operations and activities from any
malfunctioning caused by the any cyberattack to the ICS system.

28
With this, it can be obvious that the organizational performance in terms of ICS can be
measured by the reduction of the number of cyber incidents occurring in the ICS over time if
it increases its means that the stakeholders need to combat cyberattacks by investing in OT
security (Hasan, 2021). Another key performance indicator is the good reputation of the
company and the sustainability of its operations.

The research methodology will follow this chapter defining all the techniques, which are used
later in the research.

29
Chapter 3: Research methodology
3.1 Chapter Aim
This chapter describes the research methodology used in this study. The first two sections
define the research purpose and research background. At the end of this research, collection
methods and analyzing methods are described.

3.2 Research Purpose

The objective of this research is to evaluate the effectiveness of implementing ICS security to
the performance of the organizations. The research in the field of Industrial Control System
ICS is unique in terms of studying the managerial side of this technical subject. There are
plenty of technical researches around this topic, however, there are few incorporating the
effectiveness part.
A mixed method of quantitative and qualitative approaches are adopted to evaluate the
effectiveness of implementing ICS security. A survey was developed as a quantitative
method to support the research outcomes (Appendix C: Survey questions).

Regardless of the importance of ICS cyber security, a review of the literature indicates that
existing surveys of the ICS cyber security of organizations are insufficient especially in
respect to organizational performance. The preparation and distribution of the survey
commenced with a review of the literature.

A literature review was commenced, focused on the of ICS cyber security effectiveness to oil
and gas organizational performance. The literature review covered both, IT cyber security,
OT cyber security researches, publications, studies, surveys and international standards such
as NIST SP 800-53, ISA-99 and IEC-62443.

3.3 Background Research

A logical literature review was conducted to identify different factors affecting ICS cyber
security studied in previous researches. First, applicable studies were recognized by searches
utilizing Google Scholar, ResearchGate and international standards like NIST and IEC.
Several searches were performed, including cyber security, cyber security management, ICS
security, ADRI and organizational performance. Thirteen (13) studies were found relevant to

30
general IT security and some of them in ICS security effectiveness. Other studies may
include useful information that support this research.

3.4 Collection Methods

The collection of data is a very critical stage in any research paper. It is considered as a
prominent factor to determine the accomplishment for any research. The way of collection of
the raw data has a large impact on the study.

From the author point of view, the preferred method for this research is gathering all data
from researches, specialized labs from different industries around the world as this field is
unique, and it is not simple to get information regarding this topic (Malik, 2016).

Since the research question within the first part of the study requires hard evidence based on
numerical and quantitative conclusion, opinions and perceptions are of only minor interest.
The questionnaire method is another method used in this research; it is directed to a
specialized ICS professional who work in this field. I anticipated that the survey would
certainly add value to the findings along with the data analysis. In addition, several
researches, reports and statistics such are Kaspersky Lab, annual reports from well-known
institutions and organizations were reviewed and analyzed to support this study.

The survey was developed after reviewing different literature and the questions were
validated by three specialized personnel scoring 92% of validation (Appendix D). The
respondents were asked different questions in the subject. The survey was sent to
approximately 40 selected people from ICS profession from different organizations in Oman
in the period of September – October 2021. The respondent group was selected as the most
knowledgeable about ICS in the organizations. The survey was designed by
www.freeonlinesurvey.com and distributed to different organizations by emails and
WhatsApp.

A thorough research was performed to establish what, if any, studies had been performed
looking at previous projects in ICS security effectiveness. Following review of available
literature relating to the research question, an initial period of evidence gathering is

31
performed to establish what has been published in terms of guidelines and frameworks in
which technology development schemes operate.
It was also recognized that it would be essential to perform a significant amount of searches
in order to compare performance benefits with financial costs. Financial data analysis
correlation to technical specifications would therefore be required to be able to look at the
business case and return on investment being achieved by implementation of ICS security
solutions.

These aspects of the dissertation combines both qualitative and quantitative evaluations. The
research methodology is therefore tailored as a result.

3.5 Methodology Diagram

The figure (figure 12) below illustrates the research methodology.

Figure 12: Visual Research Methodology Representation

32
 3.6 Research process
The general process of the research contains sequence of steps as shown below (figure
13):

Figure 13: Overall research process

In the preparation step, initial study of various literature sources was performed to identify
the possible problem areas and to identify the limitation of previous studies. The next step was
to define the research problem, objectives and research question. The third step was to
reorganized literature, review them in chronological manner, and describe the security
effectiveness and organizational performance.
The fourth step was to explain the methodology used for the research. After analyzing various
methodologies and explain the ADRI model. The fifth step is collecting and organizing all
related data and statistics.The sixth step was analysis of data and comparing to the theoretical

33
part for finding patterns. Finally, the last step was to develop conclusions and describe future
research possibilities within sixth chapter.
3.6 ADRI Model
The ADRI model: Approach, Deploy, Results and Improvement was adopted as an analytical
tool to assess and evaluate the areas where strategic planning for ICS requires enhancement
and the effectiveness of the processes. ADRI model is a well-known quality assurance model
that is used widely in the education and business sectors (Malik, 2016).

The ADRI model emphases on what an organization aims to accomplish and how it intends
to achieve these objectives. Deployment focuses on how these strategies are being tracked in
practically implemented. Results look at the indication of whether the approach and
deployment are effective in achieving the planned outcomes. The improvement focuses on
reviewing the approach and deployment in order to make improvements to lead to better
results (Razvi, 2012).

34
Chapter 4: Research Performed
4.1. Chapter Aim
This chapter discusses and analyses the details of performed research. The structure of this
chapter starts with explaining the comparison between IT and OT, ICS Threats &
Vulnerabilities, historical cyberattack to DCS, ICS security and implementation challenges.

4.2 Comparing IT and OT Systems

Nowadays, the IT systems including their hardware, software, operating systems and network
protocols are widely used in the OT networks. This integration supports implementing the IT
capabilities into the OT, but it also provide less segregation for OT network from the outside
world, thus, creating more demands to secure the OT systems. However, securing OT system
using IT solutions might need tailoring of these solutions to operate in the OT environment.

The comparisons between the IT & OT is very essential to understand the similarities,
differences, and potential risks in these networks.

One of the major differences between the IT & OT is the risk management and risk priorities.
In the OT and ICS systems, the major priorities are for managing hazards and mitigating the
potential risks to human lives, equipments (assets), environment, reputation, loss of
production and financial losses (Stouffer, 2011). Therefore, the OT network structure is
normally built taking in consideration operational requirements as top priority. Less concern
is considered for security (Robert, 2016). On the other hand, managing operational risks do
not have the same importance as in the IT. These differences must be well known to IT
professionals when dealing with OT systems because the whole ICS system is built upon this
concept where safety is the first priority.

Normally in IT environment, the financial gain is possibly the main motive for any
cyberattack. The intent of getting money from a cyberattack has been escalated to the OT
environment, too. An example of such attack is the Colonial Pipeline where the company was
forced to pay the hackers $5 million. However, the main motives of attacking ICS systems
are to steal classified information or to create disturbance to operations. Disturbing operations
have greater risk to people lives. Such motive to disturb operations was determined in the

35
Brazil blackout in 1999 leaving almost 70% of people in the dark for more than 5 hours
affecting over 97 million citizens (Venkatachary, 2017). It was also observed in Stuxnet
malware in 2010, which was intended to disturb operations and cause damage at a nuclear
facility in Iran due to political reasons. It was determined in 2012, when an attack occurred
in India affecting more than 600 million people, which is about 10% of the world’s
population, had been left without electricity for several hours (Venkatachary, 2017).
Similarly, the attack against the Ukraine Electric Power Grid (Hemsley, 2018) which will be
discussed later in the report.

Another difference is the availability requirements in ICS systems. The oil and gas
operations are typically continuous process and it does not tolerate any shutdowns. Thus,
anything activity which lower the availability of the systems is not acceptable. That is why;
upgrades of software and hardware in OT are more difficult than in the IT systems especially
when hardware restart is required. Software updates on ICS cannot be always performed on
time since these updates need to be tested by the ICS vendor before deploying the new
patches. Therefore, ICS shutdowns must be planned and scheduled days/weeks in advance .
Thus, any computers’ shutdowns or components’ reboots within the OT network are not
permitted. For that reason, the ICS system is built on redundant components running in
parallel to maintain high availability and reliability of the operations when primary devices
fail (Stouffer, 2011).

In the IT systems, confidentiality of data is at the highest priority whereas in the OT system
the integrity of data is at the highest importance, because the control function of the plant is
fully dependent on the accurate data. For example, if the measurement of pressure,
temperature or flowrate in a pipeline is manipulated incorrectly, it will have a significant
safety issues to the plant.

In the ICS, the response time is very critical to any action within the plant operation. For
example, the response time for change in pressure in a gas line must occur in milli seconds
(e.g. 500 milli second or less). With this, delays like password requirements in HMI must not
obstruct any emergency actions for ICS.

One of the issues in the ICS systems is that the third-party security solutions are normally not
permitted by ICS vendor due service contracts, loss of service support and loss of warrantee
36
if these solutions were used without vendor notice and approval. Sometimes, third party
software can create issues within the OT as it might conflict with the functionality of the ICS.
From the surveys, third party contractors’ security solutions in the ICS environment are not
preferred as these solutions might contradict with the functionality of the ICS. Another reason
is to avoid sharing ICS security knowledge with foreign companies.

In summary, organizations must very careful in dealing with OT networks. There should be a
cross-functional team of network engineers, ICS engineers and IT security professionals’ to
work together. There should be an understanding of the differences between both networks.
This helps to ease the challenges of operation and maintenance of security solutions within
the control system networks. Moreover, the senior management must be aware about both
teams working in the company and should provide appropriate support to the OT systems
similar to the IT systems.

4.3 ICS Threats & Vulnerabilities

Each ICS component has different threats and vulnerabilities depending on the
communication protocol and network structure. Major manufacturers of automation systems
(e.g. Siemens, Schneider Electric, General Electric, ABB, etc.) have been found to have
number of vulnerabilities in their systems (Robert, 2016). In 2021, several ICS systems from
different vendors disclosed vulnerabilities. For example Siemens (146 vulnerabilities),
Schneider Electric (65) and Rockwell Automation (35) (Eduard, 2021).

As per study performed by the U.S. Department of Homeland Security (DHS) National Cyber
security Division’s Control Systems Security Program (CSSP) in 2011, it was identified the
most common vulnerabilities to ICSs are:

 42% Improper input validation (the input provided to an application may grant an
attacker access to unintended functionality).
 30% Credential verification (attackers may be able to capture usernames and
passwords sent across the network in clear text).
 12% Improper authentication.
 6% Permissions and access controls (weak access controls).

37
  6% Security Configuration and Maintenance (misconfigurations, or poor maintenance
of platforms and operating systems).

These threats can be as simple as a tea boy use an industrial computer for personal purposes
such as Internet browsing or plugging USB drive. This simple act could affect the control
system, which in turn can result in shutting down a complete manufacturing facility.
With these vulnerabilities surrounding the ICS system, organizations should take necessary
actions to invest in the improving the physical security and cyber security of their systems to
keep the business running smooth.
One of the major ICS network risk is the lack of logical separation from the business
network. This problem gives attackers the opportunity to penetrate into the system and to
have full control, if they got access through one entry point (Robert, 2016).

One of the risk is the increasing number of websites that share information related to ICS
systems connected to the internet (such as https://www.shodan.io/). These websites expose
ICS systems to the public. With this, the ICS devices are not hidden anymore and can be
easily found in the internet (Robert, 2016).

Recent reports from Kaspersky Lab (2021) showed that the global percentage of attacks on
ICS computers was 38.6%. This means that more than one third of the ICS computers were
attacked. Middle East attacks were 40.2% in the second half of 2019. The oil and gas
industries have the second highest Percentage of ICS computers’ cyberattacks with 44% of
incidents (figure 14) after the building automation. The report indicated that South-East Asia
and Africa are having the most percentage of attacks by 47.5% and 46.4% respectively
(Figure 15).

38
Figure 14: Percentage of ICS computers on which malicious objects were blocked in selected
industries
(Kaspersky Lab, 2021, p.16)

Figure 15 Percentage of ICS computers on which Malicious objects were blocked, by global
region
(Kaspersky Lab, 2021, p.17)

39
The Kaspersky Lab report indicated that the internet, removable media and email are the
main sources of threats for computers in the industrial infrastructure organizations (Figure
16). These sources for vulnerabilities should be the focus areas for the organizations.

Figure 16: Main sources of threats blocked on ICS computers

(Kaspersky Lab, 2021, p.19)
These data proves how massive is the risk that surrounds the national infrastructure control
systems specially the oil & gas industry in terms of number of cyberattacks and financial
losses which these attacks can cause, which will be discussed later in this report.
What makes the risk is even worse, is the interconnections between the infrastructures.
Organizations depend on each other’s. For example, the power generation plants depend on
gas supply from gas plants. So, if the first one is affected, the other one will be affect, as a
result.

4.4 Historical Cyberattack to DCS

For many years, the Industrial Control Systems (ICSs) were targeted by malicious
cyberattacks. Many of these attacks were not reported to the community and they are not as
recognized as IT cyber incidents. This section shall highlight the publically reported cyber-
incidents to critical infrastructure (Hemsley, 2018). Note that I have selected some of the
incidents that are applicable for this study. Table-2 details the significant cyber-incidents
occurred to the ICSs referenced in this study.

40
Below details were collected from cyber security companies, security researchers, news and
other published reports. The list is not inclusive, but it emphases on important cyber
incidents, and campaigns affected ICS devices and critical infrastructure.

S/N Year Name Type Description

The world most sophisticated

1 2010 Stuxnet Malware malware in history targeted Iran
nuclear plant.
Malware target large energy
2 2012 Shamoon Malware companies in the Middle East,
including Saudi Aramco and RasGas.
The first known successful
Ukraine Power
3 2015 Attack cyberattack on a country's power
Grid Attack
grid.

TRITON/ Malware targeted industrial safety

4 2017 Malware
Trisis systems SIS in the Middle East

Malware attacked several ICS

5 2017 WannaCry Malware
systems around the world
Table 2: ICS cyber-incident timeline
(Hemsley, 2018)
4.5 Cyber-incidents
4.5.1 Stuxnet
Stuxnet was one of the most sophisticated malwares ever known at the time. It affected
control system networks. It was anticipated to cause the centrifuges to function at self-
destructive parameters in the Iranian Nuclear power plant at Bushehr Natanz. It was taking
advantage of security gaps in Windows that were unknown to Microsoft (Robert, 2016). This
malware was the first publically known threat that targeted the ICS where the attacker got the
full control on the control system (Hemsley, 2018). It was develped to attack any ICS system
operating with Siemens S7 PLCs software and spread through USB removable media drive.
The same malware affected about 10% of the systems across India running Siemens SCADA
(Venkatachary, 2017).

41
 4.5.2 Shamoon
Shamoon was a destructive malware that attacked Saudi Aramco computer systems and on
15th August 2012. The virus attacked Qatari Natural Gas Company, RasGas during public
holiday forcing their full network to be down for days. The malware was overwriting data
over 30,000 computers keeping the computers unrecovered. It was an information-stealing
malware, which also included a destructive module. It spreads itself to other devices on the
local network.
Shamoon returned a second wave in 2016 attacking Saudi Arabian civil aviation agency and
some Gulf state organizations (Hemsley, 2018).

4.5.3 Ukraine Power Grid Attack

This is the first known successful cyberattack on a power grid that cut electricity to nearly a
quarter-million Ukrainians in 2015. The attackers shut down the power at 30 electrical
substations and left more than 200,000 without electricity for six hours. The investigation
showed that the attackers used a BlackEnergy malware that exploited Microsoft Excel
macros.
The Ukrainian power grid was targeted again on 2016 caused HMI workstations to suddenly
go blind which opens 30 electrical breakers in 30 substations turning off electricity to
approximately 225,000 customers. The attackers denied the call center telephone services to
prevent customers from reporting the outage. The second attack used a sophisticated malware
that directly manipulated SCADA systems (Hemsley, 2018).

4.5.4 TRITON/Trisis
TRITON is the first known malware that developed to attack Safety Instrumented System
(SIS) from Schneider Electric named Triconex. This system is designed to safeguard people,
assets and environment. This malware had the ability to modify the firmware of the system to
allow the attacker to disable, inhibit, or modify the ability of a process or equipment to fail in
safe manner.
This attack was a shock to the security personnel, since the attacker showed skills in targeting
the functionality of a safety system, which is an upper layer of protection apart from the
control system. This has increased the danger to harm human lives and environment that
represent an additional threat to critical infrastructure (Hemsley, 2018).

42
 4.5.5 WannaCry ransomware
In May 2017, a ransomware named WannaCry attacked more than 200,000 systems in 150
countries around the world. Kaspersky stated that Russia had the worst effects with about
60% infected systems and many other countries like Brazil, China, Egypt, India, Italy,
Ukraine, Romania, Taiwan and Spain. Approximately 59000 computers were assumed to be
affected at the beginning of the malware release in almost 100 countries, in addition to
individuals (Venkatachary, 2017). One of the affected industries were the Romanian car
manufacturer Dacia, which led to Renault car manufacturing to temporarily stopping
production at several sites to prevent the spread of the cyberattack including UK
manufacturing branch of Nissan (Kaspersky Lab, 2017).

4.6 Recent ICS Cyber Attacks

As per the Kaspersky Lab, there were cyberattacks discovered and reported in recent years
like:

The Colonial Pipeline incident which occurred in May 2021 in the largest pipeline system for
refined oil products in the US, which includes gasoline, diesel, heating oil, jet fuel and fuel
used by the military. The cause was a cyberattack using DarkSide ransomware, which forced
the team to shut down some of the OT systems to stop it from spreading. This caused the
pipeline’s operation being totally blocked (Kaspersky, 2021) till the Colonial Pipeline Co.
paid nearly $5 million to the hackers to help restore the country’s largest fuel pipeline
(William, 2021).
The same ransomware attacked Brenntag a German world-leading chemical distribution
company in May 2021. The company paid $4.4 million Bitcoins to get a decryption utility
and prevent data stolen by the attackers from being leaked to the public (Kaspersky, 2021).

Another recent cyberattack occurred in JBS Company, the world largest beef supplier. The
company was attacked by a ransomware named REvil resulting in shutting down the meat
production plants across the U.S. and Australia for at least one day. The company was forced
to pay hackers who breached its computer networks about $11 million.
Some of cyber security threats in ICS systems can certainly result in days, if not weeks, of
stoppage (Kevin, 2021).

43
 4.7 ICS Security
There are several strong cyber security controls and practices to protect systems such as
computer login policies, firewalls and user authentication.

Companies should implement security procedures to protect the full network, to avoid
hackers from penetrating to the system. Critical considerations include:

 Provision of corporate policy, guidelines or procedure.

 Physical access control to ICS premises.
 CCTV cameras.
 Network segmentation with multiple layers of firewalls between OT & IT.
 Password management.
 Deep packet inspection.
 VPN when using remote access.
 Two factor authentication.
 Patching management.
 Vendor/supplier support.
 Network management software (Jim, 2013).

44
Chapter 5: Discussion and Data Analysis
5.1. Chapter Aim
This chapter discusses analyzes the cost of ICS cyberattack and challenges in implementing
security solutions in the ICS system and implementing ADRI model as a road map to ICS
security.

5.2 Cost of ICS cyber attack

The objective of this research is to analyze the data for several reports to evaluate the
effectiveness of implementing ICS cyber security. These data include representative sample
of annual losses from targeted companies to obtain assurance of the effectiveness of the ICS
security.

According to several security companies, very few companies are willing to share their cyber
losses on their infrastructure. This might indicate that the costs for global cyberattacks are
estimated based on non-reliable information. Nations have made appreciated efforts to
estimate their losses from cyber incidents. The main reason not to do so is the “fear of
exposure”. With this, few companies published their data on potential breaches in the security
(Venkatachary, 2017).

As mentioned above, in oil and gas industries, safety is the first priority. Safety of people,
assets and environment have the top importance. Hence, injuries, people lives, loss of
production or services are much more significant to the business than anything else.
Surveys showed that cyber incidents could result in loss of life and dropping the reputation of
company. Many companies reported major cyberattacks suffered a drop in their market value
by 1-5% (Venkatachary, 2017). This might lead to mistrust in industries and cause companies
to close.

45
As per the 2017, global report of Kaspersky Lab, the consequences of the cyber incident can
be very significant and are usually far greater than the associated financial losses and
reputational damage. Cyber security incidents in an ICS environment could:
 Cost lives due fatalities.
 Might have a long-lasting impact on the environment.
 It can cause fines from regulators who have been put at risk.
 Could increase insurance premiums.
 Result in loss of a product or service because of the breach.
 Companies can close down completely.

As per the surveys conducted by Kaspersky Lab (2017), it was found that over half of the
sampled companies have experienced at least one cyber incident on their industrial control
systems in 12 months. With just over one in five (21%) experiencing two incidents in the
same timeframe (Figure-17). An average of 71% of these large companies have experienced
between two and five cyber security incidents in one year (Kaspersky Lab, 2017).

Figure 17: Number of security incidents in 12 months

(Kaspersky Lab, 2017, p.7)

As per the survey conducted by the Control System Cyber security Association International,
1% of respondents admitted that cyber incident caused injury and 1% said that incidents led
to loss of life. Roughly, a quarter of respondents responded that the incident resulted in
operational disruptions (Eduard, 2019).

46
Although there are available surveys in this subject, however, many incidents are not reported
or companies are not willing to provide a financial declaration of the impact of the industrial
cyberattack in their organization as they are seen as potential embarrassments. Thus, the
actual cost of the cyber incidents might be greater than what is reported. In fact, only 30%
companies were able to provide such estimation (Byres, 2004). Though the data indicates that
almost 50% of reported incidents have led to large financial losses that exceeded $1,000,000
(Byres, 2004).
It was reported that 41% of the cyber incidents led to loss of production whereas 29%
reported a loss of ability to view or control the plant that lead the plant to be out of control
(Byres, 2004. Robert, 2016)) and it will depend on the safety system to shut down the plant in
a safe manner. However, if the safety system is compromised by a malware like Trisis, then
the whole ICS infrastructure is out of service. With this, companies should consider cyber
security not for the control systems, only, but for the safety system, too.

The Kaspersky Lab report 2017 indicated that the average yearly accumulative economical
loss to medium businesses was $347,603 which is significant amount including the actual
costs of the incident and charges for software upgrades, staff and training expenses. Other
costs might include the cost of cyber risk insurance.

For larger companies with more than 500 workers, the impact is even greater where the
annual cumulative losses reached $497,097. In addition, companies spent an average amount
of $381,529 to rectify the impacts and recovery from such attacks which additional cost to the
actual loss due to the cyberattack (Kaspersky Lab, 2017). Literature indicated an increase in
the insurance cost reaching $750 million in 2011 (Brangetto, 2015).

By analyzing several literature and reports such as Ponemon Institute Research Reports, it is
obvious that the number of cyberattacks is increasing over the years globally resulting in
increasing of the cost of these attacks.

Table 3: Total costs of cyber-crimes in seven countries (in Million)

47
 (Venkatachary, 2017)

Other reports later than mentioned above indicates losses by hundreds of million dollars, for
example:
Merck: $780 million losses from production shutdown, lost sales and remediation costs.
Maersk: $300 million losses from business disruption, loss of profits and remediation costs.
Fed Ex: $300 million in lost revenue for one quarter (Heather, 2018)
According to the US Federal Bureau of Investigation (FBI), there are more than 4,000
ransomware attacks on organizations each day. More than 330,000 malware applications are
created daily, these figures are expected to get worse as cyberattacks continue to increase and
become more sophisticated (Hasan, 2021).

Additionally, the Australian Cyber security Centre estimated the cost of cybercrime to the
Australian economy to be as high as $29 billion annually (ACSC, 2020). As per study by
Garneau (2016), the Cyber security breaches have happened in every industry and caused
losses between $375 and $575 billion dollars annually. In addition, The Cyber security
Ventures forecasts that cyberattacks would cost the world more than $6 trillion yearly by
2021 (Menlo, 2017). In 2017, nearly half of international organizations experienced business
losses due to cyberattacks. These losses might include losses of profits and reputation as well
as leaks of sensitive data (Hasan, 2021). This is a call for all organizations to take the cyber
security matter seriously to avoid such unpredictable losses.

5.3 ICS Survey Outcomes

A total of 36 responses were received from targeted ICS professionals, representing a 90%
response rate. Of the 36 participants, 35 were from Oman. The participants belonged to
different positions in the Instrumentation and control who deals with ICS systems, with the
largest percentage are technicians, engineers and senior technicians. More than 50% of the
respondents have more than 10 years’ experience in this field that give credible responses.
Most of the respondents are using the ICS system for troubleshooting very often.

One of the excellent responses that 82% of the respondents think that ICS security is effective
for the organizational performance (Figure 18).

48
 Figure 18: ICS Security Survey respondent
The survey indicated good security practices in the organizations such as the password
management. Although 38% of the respondents stated that they use a common password for
the DCS/SCADA systems, however, 76% claimed the users and passwords are secured and
not shared with anyone. Additionally, the DCS/SCADA documents are not shared in the
public drives, 58% of respondent declared that the documents are not shared.
Another good indication that 76% of the responses showed that their organizations have ICS
security guidelines in place. In addition, more than 50% have attended an ICS security
training, which is another good indication. This indicates the management commitment and
accountability towards ICS security. However, still the knowledge of most of the respondent
is in the level of awareness and knowledge. That is why 47% of the respondent heard few
cyber incidents in the ICS systems, 18% have never heard about any incidents and 12%, they
do not know. In addition, 88% of the respondent could not mention any name of ICS security
standards (figure 19). This indicates that leaders need to put more efforts in establishing
awareness sessions and training programs for the staff in this field to elevate their knowledge
and skills.

Figure 19: Survey respondent on ICS security

49
 5.4 Challenges of Managing ICS Cyber security
With these potential and significant risks to ICS, organizations realized the effectiveness of
implementing various security measures to protect their businesses from any cyberattack.
Also, to enhance the reputation and facilitate their core competence and organizational
performance (Ravichandran, 2005). The 2017 Kaspersky Lab survey showed that 67% of the
companies had implemented anti-malware solutions in their ICS systems, 62% conducted
security awareness training and 55% of companies implemented intrusion detection software
(Kaspersky Lab, 2017) (refer to figure 20).

Figure 20: Perceived Effectiveness and Implementation of ICS Security Measures

(Kaspersky Lab, 2017, p.8)
Although ICS cyber security start getting adequate considerations within many organizations.
However, there are several challenges encountering the implementation of the security
solutions.

One of the main challenge is the lack of government regulation in many countries to enforce
companies to implement cyber security solutions. In fact, The United Nations Institute for
Disarmament Research report, 2013, claims that Government efforts to safeguard
infrastructure and undertake law enforcement in the cyber sphere are complicated because
most of these infrastructure are operated by private sector (Al Neaimi, 2015). With this,
companies relaxed in taking necessary decisions to invest in cyber security in their ICS.
Consequently leading to insufficient support from organization leadership, which
subsequently lead to shortage of financial resources (Eduard, 2019).

50
Additionally, Lack of government conventions result in absence of coordinating roles among
stakeholders and government agencies during the occasions of cyber incident to facilitate the
emergency response (Lamba, 2018).

The cyber security solution in the OT environment should have the flexibility to operate and
interconnect with different legacy systems and modern devices from different vendors with
no issues (Lamba, 2018). This is because the OT network often have combinations of
different systems from different suppliers. It also comprises of mixtures between old and new
systems working together.

One of the challenges for industrial users is the need for regular updates to software and
hardware, which is not a well-understood or recognized concept in OT environment, yet. In
fact, industrial users will normally avoid updating or upgrading their software to avoid any
issues that might disturb their operations in unanticipated ways with the new software. From
my experience, many updates ended up with glitches in the system, which require further
updates to resolve them. However, this facilitates the cyberattacks to the hacker, as these
systems considered soft targets, running with outdated operating systems and unpatched
applications.

The hacking communities who become aware of DCS/ SCADA systems and started to focus
their attention on them (Byres, 2004) creating another challenge. The increasing
sophistication and frequency of cyber threats to OT networks are other challenges to the
industry (Lamba, 2018).

One of the issues of implementing ICS security is the way vendors offer their solutions to
companies. It seems to be a promotional advertisement for their product, which let
stakeholders to hesitate from investing in this field since the plant running in a smooth
manner, there is no requirement to spend more money with no value in return.

Other vendors carryout risk assessment to the installed systems and show the management
how poor is their security system, thus, leading the senior management to pay no attention to
vendor recommendations.

51
Additional challenge is finding the expertise to work in ICS security. Companies are
struggling to find the right skilled workforces and external support to manage industrial cyber
risks. As per the Kaspersky Lab report 2017, it was observed that half of the companies
consider having the right employees with the right skills to manage ICS cyber security is a
top priority. However, 48% of the companies are struggling to find the reliable contractors
capable to implement (Figure 21).

Figure 21: Challenges of Managing ICS Cyber security

(Kaspersky Lab, 2017, p.15)

5.5 ADRI Model to ICS security

As per the explanation of ADRI in section 3.3 of this report, ADRI is an evaluation
methodology to assess the organization's effectiveness, considering the following stages
(Figure 22):

A. Approach: refers to the organizational guiding statements. It represents the company

goals and targets by written policies and corporate planning.

B. Deployment: considers on how effectively, the approach is put into practice i.e. its
operationalization through business process.

C. Results: how well is the organization accomplishing the anticipated outcomes, how
is the deployment achieving the planned approach?

52
 D. Improvement: is the organization actively and continuously engaged with
understanding its performance measures in each stage of the Approach, Deployment,
Result extents? Is the organization using this understanding to bring the change in its
Approach and Deployment to achieve enhancements?

Figure 22: ADRI Quality Cycle

ADRI is one of models to assess the organization when something is not working properly in
a company. ADRI provides an examination activities and results to determine why it is not
working and then to determine what needs to be done. The ADRI Model will be implemented
to the ICS security subject.
(1) Approach
Approach refers to the thinking and planning at the area of ICS security by analyzing the
followings:
 Clarity of the goals: to implement ICS security.
 Buying Stakeholders approval to fund the implementation project.
 Desired results: to have less than two cyber incident per year.
 Develop strategies and processes to meet the results by developing ICS security Policy
and procedure.
 Identify the measures of success by setting KPIs of number of cyber incidents per year.
The development of the approach is determined by the senior management team or their
delegates with support of specialists from other departments.

53
 (2) Deployment
Deployment refers to implementing the ICS security policies and guidelines by
analyzing the followings:
 The extent to which the developed strategies and processes have been implemented across
the ICS systems in the company.
 The extent to which employees understood and have adopted the organisation’s approach.
 How well the ICS security strategies and processes have been incorporated into the day-
to-day operations of the organisation.
 The workers who are responsible of everyday activities know most about how the daily
work is performed. Those workers are anticipated to implement the ICS security approach
and they know most whether it has been appropriately deployed.

(3) Results
Results discusses the monitoring and evaluating of the implemented strategies.
Considering the Results measurement leads to examining the following:
 How the performance is monitored after implementing the ICS security.
 How the data related to the measures of success are gathered and reported.
 The extent to which trends of improvement are obvious in these data.

The monitoring and evaluating is totally a management accountability. The senior

managers and leaders are responsible for monitoring and evaluating the data used as
measures of accomplishment of the approach to ICS security. Unless these data are
collected and adequately reported, the effectiveness of the organizational approach and its
deployment will not be identified.

(4) Improvement
Improvement means the processes of reviewing and improving the approach and
deployment processes. This leads to examining the following:
 The effectiveness of the approach and deployment process are properly reviewed.
 How the evaluating process have led to improvement.
 How the lessons learned been captured and shared.

Improvement process is another management accountability or their delegates. This

assessment dimension studies the processes by which they are performed, the improvements
54
that have resulted and how these enhancements are documented, shared among the staffs and
other key stakeholders.

Below table represents a quantitative review for organizations to apply ADRI Model to their
ICS security. The review process shall be performed by forming a team including
representatives of key stakeholders and technical team from respective department to conduct
the review.
a. Study the status of ICS security as it currently is.
b. Classify things that are going well (strengths) and opportunities for improvement.
c. Produce ideas and identify problems.
d. Document these issues as the team proceeds.
e. Use the scoring to rate the ICS security program in each assessment dimension giving
each a score from 0 to 100. The total score should be 400, which is the best score, & the
worse score is 0.
f. Discuss and clarify the recommendations on the strengths and opportunities for
improvement.
g. Document the findings of the review.
h. Prioritize your findings into a plan for action.
i. Use ADRI to deploy the new actions and continue the ADRI process.

55
 Table 4: ADRI Quantitative approach

I have performed the ADRI model for one of the companies considering the qualitative
model. The results were as follow:

Approach Deploy Results Improve Total

25 60 10 30 125

Table 5: ADRI implementation

56
The company did have ICS security guideline but not a comprehensive approach with no
KPIs for performance measurement, thus the score is 25.
The deployment was obvious in the organization. Several locations and systems implemented
the ICS security guidelines, thus the score is 60.
The results are not clear to staff with no measurement of the deployment, thus the score is 10.
There are no regular reviews of the performance, but ad-hoc review are in place, thus the
score is 30.
The total score is 125 out of 400 which means that the company needs to put more efforts to
develop a clear ICS security approach, goals and strategies with proper performance
measurement. The approach should be shared with the concerned staff and it should be
incorporated with the daily activities. The deployment should be widely recognized with
regular reviews and continuous improvement to be in place.

57
Chapter 6: Findings, Results and Conclusions

6.1 Chapter Aim

Having reviewed the different literature, published reports and standards in chapter 2.
Reviewed past and recent cyber incidents occurred in ICS systems in Chapter 4, and then
reviewed various costs implications in ICS cyberattack which includes loss of production,
cost of insurance, payment to hackers, cost of reputation in chapter 5, the intent of this
chapter is to draw together the findings.

6.2 Review of Research Question

This research begun with the following research questions:

What are the effects of implementing security measures into Industrial Control Systems?
How does the ICS cyber security affect organizational performance?

Preliminary research performed prior to this research indicated that few previous similar
studies were performed. In the last 4 months duration of studying and literature reviewing,
found no available reports were published that answer this research question particularly.

It is surprising that although there are several published studies and reports that no indication
at all could be found that attempted to answer the same research question. Most of the
existing literature focuses on the technical side of the subject or IT cyber security, only.

The reasons of why the subject of the ICS security effectiveness to organizational
performance is not studied and published could be the followings:

 There is no doubt that ICS security should have a good effect on the performance of
organizations. Therefore, there is no requirement to prove this statement. If this is
true, then why many companies are not implementing any security measures into their
ICS systems.
 Lack of government regulations to oblige companies to implement ICS security in
their organizations. Subsequently leading senior managements to totally neglect this
subject and not supporting funding it. Thus, there is not motive to study this subject.

58
  Lack of OT expertise to study this subject and to justify the need of protection to the
ICS systems in the companies.

6.3 Conclusions & Recommendations

In summary, this research paper provided a detailed study on the effects of implementing ICS
security to organizations particularly oil and gas organizational performance. The ICS
represents the core and the backbone of any systems in energy and industrial sectors
(Venkatachary, 2017). The cost of not implementing ICS security is significant as per the
numbers presented in this research. The cost could reach to hundreds of million dollars
(Heather, 2018). Apart from the cost of the reputation of the company, there is a cost of
losing the market rivalry. Indeed, senior management awareness of the problem will support
in funding the implementation of ICS security. In fact, it is the senior management
accountability to demonstrate the “due of care” (Al Neaimi, 2015). Whether there is a
government regulation or not, the cost of losing the business is considerably high. It is
therefore critical for the businesses to realize what their duties, responsibilities are and they
need to comply with it.

I strongly recommend designating an independent trusted government agency to monitor and

study ICS cyber security incidents, produce regular reports and provide statistics in this
regard. This agency should share the available data to the government as well as the private
sector.

It is recommended that organizations take more initiatives to improve values and culture
related to ICS security among the workforce. This will possibly keep Organizations more
prepared to secure their ICS infrastructure and services and to combat cyberattacks (Hasan,
2021). A continuous cultural training and awareness plans need to be in place to elevate staff
perception of information and cyber security. Lack of awareness of information security has
the extreme risk to the effectiveness of cyber security in many organizations. Followed by
absence of cyber regulation, funding and the fast changing of technologies (Al Neaimi,
2015).

59
A team from automation professionals and IT experts should be formed to facilitate the
understanding of the differences between the IT and OT and to support the implementation
requirements of the ICS security.

A framework for ICS security is proposed in this research, which I feel it represents a
comprehensive approach for companies to follow.
The ADRI model is an appropriate tool, which can support in assessing the current ICS
security approaches. It helps in developing a road map to the future approach with regular
monitoring and deployment. A quantitative evaluation scheme is developed in this study
specifically for ICS security to assess and evaluate the requirements of ICS security.

AT the end, the cyber security challenge remains a worldwide concern that needs an
extensive collaboration from all stakeholders internationally.

6.4 Research Difficulties

This research was accomplished during a hard time due to the COVID-19 disease pandemic
where people’s lives were at real risk. Strict rules were implemented during the pandemics,
which make visiting sites and meeting people much difficult to collect information.
Another difficulty is that companies are not willing to provide their financial losses occurred
by cyberattack. This made the data collection harder to be obtained.
Additional issue was the unexpected “Shaheen” cyclone that hit the country cutting the
electric power and the internet services in many locations and caused a massive destruction in
some areas. This has delayed the process in getting the information on time.

6.5 Future Recommendation

Future recommendations to enhance the research of ICS security effectiveness to oil and gas
organizational performance, I would suggest the following. Firstly, support the findings of
this research by conducting interviews with ICS security experts, senior management team
and IT security experts. This will help the research to be more comprehensive to obtain more
in-depth understanding of ICS security effectiveness. Secondly, develop a survey
questionnaire to understand the employee’s issues, thoughts and gap in the subject of ICS
security. This helps to understand the mind-set of the employees who are dealing with ICS

60
systems.This will also help in understanding the team gaps and developing the team
competencies in ICS security.

References
ACSC, 2020. Australian Cyber security Centre ACSC Annual Cyber Threat Report July 2019
to June 2020.

Al Neaimi, A., Ranginya, T. and Lutaaya, P., 2015. A framework for effectiveness of cyber
security defenses, a case of the United Arab Emirates (UAE). International Journal of Cyber-
Security and Digital Forensics, 4(1), pp.290-301.

Brangetto, P. and Aubyn, M.K.S., 2015. Economic aspects of national cyber security
strategies. Brangetto P., Aubyn MK-S. Economic Aspects of National Cyber security
Strategies: project report. Annex, 1(9-16), p.86.

Byres, E. and Lowe, J., 2004, October. The myths and facts behind cyber security risks for
industrial control systems. In Proceedings of the VDE Kongress (Vol. 116, pp. 213-218).

Creswell, J.W. and Creswell, J.D., 2017. Research design: Qualitative, quantitative, and
mixed methods approaches. Sage publications.

Eduard Kovacs, 2019.Some ICS Security Incidents Resulted in Injury, Loss of Life: Survey.

Eduard Kovacs, 2021. Over 600 ICS Vulnerabilities Disclosed in First Half of 2021: Report.

Edwards, B., Hofmeyr, S. and Forrest, S., 2016. Hype and heavy tails: A closer look at data
breaches. Journal of Cyber security, 2(1), pp.3-14.

Dwight Anderson, 2014. Protect Critical Infrastructure Systems with Whitelisting.

61
Garneau, C.J., Erbacher, R.F., Etoty, R.E. and Hutchinson, S.E., 2016. Results and lessons
learned from a user study of display effectiveness with experienced cyber security network
analysts. In The {LASER} Workshop: Learning from Authoritative Security Experiment
Results ({LASER} 2016) (pp. 33-42).

Gutta, R.R., 2019. Managing security objectives for effective organizational performance
information security management (Doctoral dissertation, Walden University).

Hasan, S., Ali, M., Kurnia, S. and Thurasamy, R., 2021. Evaluating the cyber security
readiness of organizations and its influence on performance. Journal of Information Security
and Applications, 58, p.102726.

Heather MacKenzie, 2018. Why Business Leaders Need to Focus on Industrial Cyber
security. Nozomi Networks.

Hemsley, K.E. and Fisher, E., 2018. History of industrial control system cyber incidents (No.
INL/CON-18-44411-Rev002). Idaho National Lab.(INL), Idaho Falls, ID (United States).

Hieb, J., Graham, J. and Patel, S., 2007, March. Security enhancements for distributed control
systems. In International Conference on Critical Infrastructure Protection (pp. 133-146).
Springer, Boston, MA.

Ismail, W.B.W., Widyarto, S., Ahmad, R.A.T.R. and Abd Ghani, K., 2017, September. A
generic framework for information security policy development. In 2017 4th International
Conference on Electrical Engineering, Computer Science and Informatics (EECSI) (pp. 1-6).
IEEE.

James Shires and Joyce Hakmeh, 2020, March. Is the GCC Cyber Resilient?

Jim Toepper, 2013. Industrial Networking Security Best Practices.

Kaspersky Lab, 2017. The State of Industrial Cyber security. Global report

Kaspersky Lab, 2021. Threat landscape for industrial automation systems

62
Kaspersky, 2021. DarkChronicles: the consequences of the Colonial Pipeline attack

Kevin Collier, 2021.Meat supplier JBS paid ransomware hackers $11 million. CNBC.

Lamba, A., 2018. Protecting ‘Cyber security & Resiliency’of Nation’s Critical Infrastructure–
Energy, Oil & Gas. International Journal of Current Research, 10, pp.76865-76876.

Lee, S., Choi, D., Park, C. and Kim, S., 2008, November. An efficient key management
scheme for secure SCADA communication. In Proceedings of world academy of science,
engineering and technology (Vol. 35).

Malik, S.I., 2016, December. Enhancing practice and achievement in introductory

programming using an ADRI editor. In 2016 IEEE International Conference on Teaching,
Assessment, and Learning for Engineering (TALE) (pp. 32-39). IEEE.

Menlo Park, 2017. Global Ransomware Damage Costs Predicted To Hit $11.5 Billion By
2019

Mark Bristow, 2021. A SANS 2021 Survey: OT/ICS Cyber security

Nishioka, Y., SUZUMORI, K., KANDA, T. and WAKIMOTO, S., 2008. A new pneumatic
control system using multiplex pneumatic transmission. In Proceedings of the JFPS
International Symposium on Fluid Power (Vol. 2008, No. 7-2, pp. 439-442). The Japan Fluid
Power System Society.

Ravichandran, T., Lertwongsatien, C. and Lertwongsatien, C., 2005. Effect of information

systems resources and capabilities on firm performance: A resource-based
perspective. Journal of management information systems, 21(4), pp.237-276.

Razvi, S., Trevor-Roper, S., Goodliffe, T., Al-Habsi, F. and Al-Rawahi, A., 2012, February.
Evolution of OAAA strategic planning: using ADRI as an analytical tool to review its
activities and strategic planning. In Proceedings of Seventh Annual International Conference

63
on Strategic Planning for Quality Assurance and Accreditation of Universities and
Educational Arab Institutions

Richard C.. Dorf and Bishop, R.H., 2008. Modern control systems. Pearson Prentice Hall.

Robert Botezatu, 2016.Cyber security for SCADA and DCS systems A summary of the
current situation and Key points to consider.
Segovia, V.R. and Theorin, A., 2012. History of Control History of PLC and DCS.
University of Lund.

Stouffer, K., Falco, J. and Scarfone, K., 2011. Guide to industrial control systems (ICS)
security. NIST special publication, 800(82), pp.16-16.

T. Angevaare, L. Dodge, J. Krebbers and B. Weltevrede, 2003. Data Acquisition and Control
Architecture (DACA) for Smart Fields. SHELL publication, EP 2003-5547, pp.26

Venkatachary, S.K., Prasad, J. and Samikannu, R., 2017. Economic impacts of cyber security
in energy sector: A review. International Journal of Energy Economics and Policy, 7(5),
pp.250-262.

William Turton, Michael Riley and Jennifer Jacobs, May 2021. Colonial Pipeline Paid
Hackers Nearly $5 Million in Ransom, Bloomberg.

Zak Ali, 2021. Global Industrial Cyber security Market to Reach $22.3 Billion by 2026

64
Appendix

A. Ethical Checklist Review Ethics

The research includes data gathered from various statistics, international standards, guidelines
reports around the world, and the ethical review checklist is provided below for this research.
Yes No

Are the dignity, rights, safety and well-being of participant considered?  ☐

Is the researcher suitable? Does he has the necessary skills?  ☐
Are there any obvious gaps, ambiguities or uncertainties in how the
research will be carried out?
☐ 
Are relevant supporting documents included? (e.g. information sheets,
consent forms, interview schedules, questionnaires)
 ☐
Is the researcher likely to uncover any issues unrelated to the research?
(e.g. illegal activity, illness or disease, etc.)
☐ 
Does the research involve participants who are particularly vulnerable?
(e.g. refugees, prisoners, victims of violence)
☐ 
Will the study involve discussion of sensitive topics (e.g. sexual
activity, drug use)
☐ 
Will the study involve prolonged or repetitive testing?
☐ 
Could the research cause stress, physical or psychological harm to
anyone, or environmental damage?
☐ 

65
 Do the research need to be brake any of Covid19 government rules.
☐ 
Table 6: Ethical Checklist Review

B. Timeline of the Dissertation Research

The research started from the month of June 2021 until September 2021. A Gantt chart was
developed to support in achieving the project in the estimated target as shown below:

Table 7: Research Gantt chart

C. Survey Questions
Industrial Control systems (ICS) are control systems that monitor, control and safeguard
critical infrastructure such as oil and gas plants. Examples of ICS systems are DCS, IPS
and SCADA.
This questionnaire is meant for any person who works on ICS systems.

Position:
Country:
Years of Experience:

66
 1. How often do you use DCS/IPS/ SCADA systems?
Very often
Sometimes
Not often
I do not use them at all
Other….
2. For which purpose do you use DCS/IPS/SCADA?
For troubleshooting
For daily operation
For monitoring only
For configuration
I do not use them
Others….

3. The DCS/IPS/SCADA users and passwords are shared with the team:
Yes
No
Not shared with everyone
I do not know
Others…

4. The team uses common user and password for the DCS/IPS/SCADA system:
Yes
No
I do not know
Others

5. The documents of the control system (like DCS or SCADA) are widely distributed
even in live link, SharePoint or public drives?
Yes
No
I do not know
Others…

67
 6. In your organization, do you have an ICS (DCS/IPS/SCADA) security policy,
procedure or guideline?
Yes, we have
No, we do not have
Maybe
I do not know
Others….

7. Have you attended Industrial Control System (ICS) cyber security training?
Yes
No
Not required for me
Not interested
Other….

8. What is your knowledge of Industrial Control System (ICS) cyber security?

I have no idea about ICS cyber security
Awareness level
Knowledge
Skill
Expert
Others ….

9. Who is responsible for installing and maintaining security software (e.g. Antivirus in
DCS/IPS)?
Maintenance team
Vendor
IT Person
I do not know

10. Which version of Windows is installed on the DCS workstations or servers?

Windows 10
Windows 7
Windows XP
68
 Mixture of operating systems
I don’t know
Other …

11. Do you have anti-virus software installed your control system (e.g. DCS or SCADA)?
Yes
No
Do not know

12. How often do you update your antivirus software in the control system in your
organization?
It is done automatically
At least once a week
At least once a month
Occasionally
Never
I do not know
During vendor visit
Others….

13. The system vendor is directly connected to the control system via modem:
Yes
No
In some locations
I do not know
Others….

14. Do you think that ICS security is effective for the organizational performance?
Yes
No
Maybe
I do not know
Other….

69
 15. Have you ever heard about any cyber incident occurred in any oi and gas industry in
your country or worldwide?
Yes
No
I do not know
Other
16. Can you mention any ICS security standards?
I do not know
I know the following standards….

Totally Totally
Suitable Moderate Unsuitable Validity
Questions Suitable Unsuitable
(4) (3) (2) (%)
(5) (1)
Question 1 1 1 1 80%
Question 2 2 1 87%
Question 3 3 100%
Question 4 2 1 93%
Question 5 1 2 87%
Question 6 3 100%
Question 7 3 100%
Question 8 2 1 93%
Question 9 2 1 73%
Question 10 1 2 67%
Question 11 3 100%
Question 12 2 1 93%
Question 13 3 100%
Question 14 3 100%
Question 15 3 100%
Question 16 3 100%
92%

D. Survey Validation

Table 8: Survey Validation

70
71