Criteria for Realistic and Expedient Scenarios for Tabletop Exercises on Cyber Attacks Against Industrial Control Systems in the Petroleum Industry

Digitalization of the petroleum industry entails a greater interconnection between Information Technology (IT) and Industrial Automation and Control Systems (IACS), and has led to an increased attack surface. To mitigate the consequences of incidents and to ensure a safe operation, the industry uses preparedness exercises. Previously, these exercises have concerned safety-related incidents. Today, digitalization requires the industry to also exercise security incidents, especially incidents that are directed towards IACS. While the need for more detailed guidelines in the area of cyber security and IACS has been explicitly called for by the industry, few guidelines are currently available. We aimed to lessen this shortcoming by investigating descriptions of events to use in exercises, known as scenarios. This project investigated what characterizes a scenario to be realistic and expedient for preparedness exercises on cyber attacks against IACS in the petroleum industry, with a focus on tabletop exercises. Based on data collected through interviews, a list of criteria that characterize such scenarios was created. The list was validated and approved by respondents from two different operator companies. The results highlight the importance of basing the scenario on today’s threat landscape, making the scenarios plausible, and design the scenario such that it leads to a challenging tabletop exercise which also gives a sense of empowerment for the participants.