Challenges for safety and security management of network companies due to increased use of ICT in the electric power supply sector

Abstract

The generation, transmission, and distribution of energy are among the most vital prerequisites for the functioning of modern societies (Antonsen et al., 2010). Today, information and communication technology (ICT) is used to monitor, control, and operate power generation plants and power distributionon within electric power supply systems (Patel and Sanyal, 2008). Process control systems, e.g., supervisory control and data acquisition systems (SCADA systems) and other ICT systems used within electric power supply systems, are vulnerable to a multitude of physical, electromagnetic, and logical threats, both natural and man-made (Rodal, 2001). The recent trends are toward more general purpose software solutions; and toward use of the Internet for communication related to operations and management of remote processes and production systems. This increases efficiency and cooperation, saves time, and reduces costs. However, this also makes formerly isolated ICT systems vulnerable to a set of threats and risks they have not been exposed to before (Line and Tøndel, 2012). Since the early 1990s, the energy sectors of Western societies have been through a process of institutional restructuring, where large state-owned monopolies have been divided into several independent organizations (Antonsen et al., 2010). Emergent control technologies, making intensive use of ICT, have been useful for dealing with the new situation of enlargement, open access, progressive integration of electricity markets, and intensification of cross-border trade. However, the full application of these technologies has demanded a new approach to system design and operation, and their integration within existing control infrastructures and practices has been a challenge (The GRID Consortium, 2007). With this background as a point of departure, the thesis examines several important elements of safety and security management systems which have been emphasized in previous research (Rasmussen, 1997; Hagen, Albrechtsen, and Hovden, 2008; Renn, 2014; Aven et al., 2004), i.e., government risk regulation, the use of technical standards for safety and security, risk perception among managers and employees, management commitment to safety and security, and awareness creation and training with regard to safety and security. The aim of the study is to follow up on previous research on challenges for safety and security management and to explore, describe, and discuss challenges for safety and security management of network (distribution/grid) companies within the electric power sector that arise due to the increased use of ICT to monitor, control, and operate electric power production and distribution. Thus, the main aim of the thesis is to answer the following question: What challenges for safety and security management of network companies within the electric power sector have arisen in light of the increased use of ICT to monitor, control, and operate electric power production and distribution? Specific research questions have been derived from the main aim, and these research questions are addressed in the four articles included in the thesis. The context for the study is the Norwegian electric power supply sector, and the research questions are answered by presenting results from a survey sent to 137 network (distribution/grid) companies in Norway, supplemented by results from interviews, observation studies, and document studies. The thesis focuses on companies involved in transmission and distribution of electricity, and not generation (production). The generation system in the Norwegian electric power supply consists of many power stations distributed over the whole country. The structure is thus relatively robust, and the dependence on individual plants is small (Fridheim, Hagen, and Henriksen, 2001). However, a failure in the electricity networks and the transmission and distribution of electricity to critical infrastructures and important societal functions, as well as to individual households, would have a huge impact on societal safety (and security). This thesis concentrates on organizational safety and security (risk) management within electric power supply network companies. However, network companies run critical national infrastructure, and the safety and security management of these companies can thus affect societal safety and security. Safety and security management of network companies is also affected by national regulations, and there is no longer a clear distinction between national regulations and safety and security management of network companies. Ideas about internal control and risk management have been increasingly commingled, and risk management and regulation are no longer seen as broadly contrasting methods of assuring safety and security (Power, 2007). The results of the study show that finding the best balance between the use of detailed, prescriptive regulation versus functional regulation (self-regulation/internal control) as principles for controlling risk and ensuring safety and security is a challenge for the safety and security management of the network companies. Next, the thesis finds that technical standards for management of ICT safety and security pose a challenge for the network companies. These standards have both strengths and weaknesses, and both use and non-use of these standards can lead to challenges for the safety and security management of the network companies. The study also suggests that users (both managers and employees) of ICT systems (including SCADA systems) within the electric power supply network companies perceive the risk of attacks on or malfunctions in these systems as low, which can present a challenge for the safety and security management of the companies. Furthermore, the study finds a statistically significant correlation between management commitment to ICT safety and security and implementation of awareness creation and training measures in the companies; however, the use of awareness creation and training measures for ICT safety and security varies quite a bit among the network companies. The lack of awareness of a danger might lead to weak vigilance by users and a greater potential for abuse, which can be a challenge for safety and security management. The thesis also highlights that one main factor ‒complexity ‒ influences all the different challenges studied. The theoretical framework for the thesis (i.e., the sociotechnical perspective and institutional organizational theory) has helped to contextualize the studied phenomena, highlight aspects and elements that are important to consider in relation to safety and security (or risk) management, and show that many different factors can lead to challenges for safety and security management at every level of the sociotechnical system. The thesis illustrates why it is important to consider human, technological, and organizational factors, as well as the dynamic interaction between these factors. It is especially important to consider cultural-cognitive factors and be aware of how these elements affect safety and security management. Institutional organizational theory contributes to illustrate that there is no clear distinction between organizations and their environments and that many socially constructed and institutionalized aspects can influence organizations and create important challenges. Regulative (regulations), normative (technical standards), and cultural-cognitive (sensemaking, risk perception, commitment, and awareness) processes are connected in complex and changing mixtures, and these processes shape organizational structures and activities. The use of institutional organizational theory also sheds light on the important fact that many issues related to safety and security seem to be taken for granted.