Abstract
The number of significant cyberattacks targeted by national state actors is growing in critical infrastructure. Companies rely on detecting and responding appropriately to such attacks by practicing and developing procedures for the cyber-incident response. This paper presents the findings from seven semi-structured interviews to identify distinct practices, challenges, and roles regarding cyber-incident response in the petroleum industry. The literature has previously addressed specific IT, security, or Operational Technology (OT) teams only, but has not considered the holistic view of cyber-incident response in industrial control systems between internal roles, and external actors, such as Security Operations Centers, Computer Security Incident Response Teams, emergency response teams, and on-site personnel. To address this, a novel framework for empirical inquiry consisting of document analysis, and workshops as preparation for interviews, were conducted. The stakeholder diagram displays the most relevant incident response roles and a list of current challenges extracted from the interviews. Future research should consider extending the sample, and include other, organizational and procedural factors.