by Maria Bartnes Line and Nils Brede Moe
Recent attacks and threat reports show that industrial control organizations are attractive targets for attacks. Emerging threats create the need for a well-established capacity for responding to unwanted incidents. Such a capacity is influenced by organizational, human, and technological factors. A response team needs to include personnel from different functional areas in the organization in order to perform effective and efficient incident response. Such a cross-functional team needs to be self-managing and develop a shared understanding of the team’s knowledge.
We conducted a case study involving ten Distribution System Operators (DSOs) in the electric power industry in Norway. As they control parts of critical infrastructures, they need to be well prepared for responding to information security incidents, since the consequences of such incidents might be significant for society. Our aim was to identify current incident management practices and to pinpoint ways to improve them. We interviewed representatives from three different roles in the DSOs:
- IT manager
- IT security manager
- Manager of control room/power automation systems.
In addition, we observed preparedness exercises for IT security incidents as performed by three of the DSOs.
Current practices for incident management
We identified three main factors affecting current practices for incident management: risk perception, organizational structure, and resources. We found that, in light of current threats, the detection mechanisms in use will not be capable of detecting all incidents. As long as no major incidents are experienced, the perceived risk is unlikely to increase significantly, so there will be little incentive to improve the current detection mechanisms. The risk perception is further affected by: (i) the size of the organization, and (ii) whether IT operations are outsourced. Organizations that outsource their IT operations tend to place a great deal of confidence in their supplier and put less effort into planning and preparatory activities compared with those that do not outsource. Size matters, too: small organizations have a lower risk perception than large organizations, owing to the belief that they are not attractive targets for attacks, as well as to their ability to operate the power grid without available control systems.
Figure 1: A team evaluating the preparedness exercise.
In addition to organizational and technical factors, human factors have been found to be important for incident management. Different personnel (e.g. business managers and technical personnel) have different perspectives and priorities when it comes to information security. In addition, there is a gap between how IT staff and control system staff understand information security. This finding is in agreement with Jaatun et al. [1], who studied incident response practices in the oil and gas industry. All perspectives need to be represented in the team handling a crisis. Therefore, an organization needs to rely on cross-functional teams. Relying on cross-functional teams will ensure a holistic view during the incident response process.
Incident response is a highly collaborative activity and requires the cooperation of individuals drawn from various functional areas, with different perspectives, to make the best possible decisions [2]. To create good cross-functional response teams, it is important to acknowledge that the team members might have conflicting goals. Different functional areas within an organization possess complementary goals that are derived from a set of general, organization-wide goals. Consequently, in order for one functional area to achieve its goals, another functional area may be required to sacrifice, or at least compromise, its primary goals. Therefore, the cross-functional team needs superordinate goals. Superordinate goals will have a positive and significant direct effect on cross-functional cooperation. The team further needs to be able to update its initial superordinate goals if the initial conditions change during the incident response process.
Not only does the cross-functional team need participants from various functional areas within the organization, it also needs participation from, or communication with, suppliers. The organizations in our study assumed that collaboration with suppliers functioned well, but acknowledged that this should be given more attention, as common plans were rare and collaborative exercises were not performed.
In addition to a cross-functional team having the right competence, the team members need a shared understanding of who knows what, which is needed to solve a task such as a crisis effectively [3]. Exercises provide a means for growing a shared understanding of the team's knowledge. The organization needs to perform exercises for a broad variety of incidents. Different incidents will require different configurations of the cross-functional team. Frequent training is important because these teams exist only when an incident occurs.
Training for responding to information security incidents is currently given low priority. Evaluations after training sessions and minor incidents are not performed. Learning to learn would enable the organizations to take advantage of training sessions and evaluations, and thereby improve their incident response practices.
The project was carried out at NTNU, in close cooperation with SINTEF and the Norwegian Smart Grid Centre. The project period was 2011-2015.
[1] M. G. Jaatun et al.: "A framework for incident response management in the petroleum industry", International Journal of Critical Infrastructure Protection, vol. 2, pp. 26–37, 2009.
[2] M. B. Line, N. B. Moe: "Understanding Collaborative Challenges in IT Security Preparedness Exercises", International Conference on ICT Systems Security and Privacy Protection (IFIP SEC) 2015, Hamburg, Germany.
[3] K. Lewis and B. Herndon: "Transactive Memory Systems: Current Issues and Future Research Directions", Organization Science, vol. 22, no. 5, pp. 1254–1265, Sep. 2011. [online], available: http://dx.doi.org/10.1287/orsc.1110.0647