The effect of awareness raising activities in ICS security


  • Ann-Sofie Stenerus
  • Camilla Trane

Publish date: 2017-06-12

Report number: FOI-R--4433--SE

Pages: 64

Written in: Swedish


  • industrial control systems
  • ICS
  • IT security
  • course effects
  • standards


Through its ICS security programme, the Swedish Civil Contingencies Agency (MSB) is working actively to create greater national capacity in the prevention and management of IT-related threats to ICS. In its guidance document, MSB recommends that training and exercises focused on IT incidents affecting ICS be held regularly. MSB also finances courses in the area of ICS security, held at NCS3, to which critical operators are offered the opportunity to send their personnel. The question is what effect training and exercises in ICS have in practice. Previous participants in the MSB-financed NCS3 courses describe several examples of how their participation has led to improved security within their respective organisations. Even though most of the effects described are on an individual level, such as increased awareness or behavioural changes related to ICS security, a few of the respondents also describe how participation led to concrete changes on an organisational level, such as increased separation of control systems from other organisational systems. Awareness-raising measures as a method of increasing security in ICS are a common recommendation in standards and guidance documents like the one MSB publishes. Research within the area confirms that the participation of personnel in awareness-raising measures in general leads to improvements in the operations of organisations. Specifically within the area of ICS, however, there is a lack of research on how awareness-raising measures affect organisations. Recommendations about awareness-raising measures could therefore generally be understood as being based on experience, on what has proven functional and useful in practice.