Abstract
The potential for digital vulnerabilities causing breakdowns of functions critical to society is increasing, due to both growing complexity and emerging threats leading to unexpected events and disruptions. The oil and gas sector is one example of a critical sector where cybersecurity incidents may have negative consequences for both the safety of the personnel operating the facilities and societal safety, where the resilience with regard to cyber-threats needs to be strengthened.
This study explores how resilience engineering perspectives may contribute to strengthening cybersecurity for safety practices. The exploration is based on three research questions:
1. What are the needs and grounds for resilience engineering for managing cybersecurity in the oil and gas sector?
2. How may fundamental concepts for resilience engineering be applied in a cybersecurity for safety context?
3. How may adaptive capacities be developed within existing safety and cybersecurity practices?
The three research questions are addressed through four research papers. The study employs qualitative methods and adopts an abductive research approach. The primary source of data is interviews with personnel working with cybersecurity in information and operational technology systems in the oil and gas sector. The abductive preunderstanding has been the resilience ABC taxonomy, which presents three explanations regarding the achievement of cyber resilience. Theory A represents technical measures, Theory B represents practices associated with risk management, emergency preparedness, and business continuity, and Theory C represents practices associated with resilience engineering through the development of adaptive capacities. The pragmatic purpose of the simplified ABC taxonomy is to visualize key differences in the understanding of resilience as a concept, and to facilitate the introduction of resilience as an adaptive capacity (Theory C) into domains in which a risk-oriented (Theory B) understanding is likely to be more intuitively apprehended.
The main finding is that Theory C – adaptive capacities that enable a range of adaptive behavior to meet unforeseen challenges – may be based on robust Theory B processes, while being attentive to the risk of saturation of these processes. However, the practices associated with Theory C may also serve as the foundation for more robust and suitable Theory B processes. The practical contribution is the description of cybersecurity practices through the lens of resilience engineering that may offer insight into how the practices can be strengthened. The theoretical contribution is both the exploration of the combination of resilience perspectives (Theories B and C) and the exploration of the interconnection and overlap between safety and security.