Third-party risks in industrial control systems: A case study in the wind power sector

This is a Master's thesis from KTH/Skolan för industriell teknik och management (ITM)

Abstract: This report investigates third-party risk for SCADA systems, using Swedish wind power as an empirical case study. Supervisory Control and Data Acquisition (SCADA) systems are used in the wind power industry to monitor and control the operational process. The paper also proposed potential strategies for reducing third-party risks and exposures. Supply chain threats are becoming more common as attack strategies today. Most businesses rely on items and services made or provided by third-party companies that often are part of a lengthy and complex supply chain. The attacker's primary purpose is to infect programs and spread malware. However, little thought was given to safeguarding the SCADA networks from global supply chain penetration or internet-based attacks when the network was designed. As a result, SCADA systems are now vulnerable to risks they were not prepared to encounter, such as worms, viruses, and hackers. The Swedish wind power sector is essential to Sweden's goal of generating 100% renewable electricity by 2040. Threat actors are looking for susceptible server architecture, insecure network protocols, and dangerous coding techniques. To answer the research question, a qualitative research design was chosen as the suitable methodology. A literature review and nine semi-structured interviews were used to collect data from two Swedish power companies, a SCADA developer corporation, a SCADA researcher, a government agency's chief information security officer, and three cybersecurity professionals. The empirical findings from the interviews revealed that organizations have not seen cybersecurity as a crucial aspect of the business, let alone third-party risk from vendors. SCADA system developer suppliers are concerned not just with their own internal security considerations, but also with third-party risks, i.e., external elements that impact the organization's product and, consequently, its end consumers.
After all, SCADA system designers must incorporate security into their product development since their reputation is at stake if an attack occurs. In conclusion, future agreements between wind power owners and SCADA developers must require that the owners have completed a comprehensive third-party risk assessment. 
