Proceedings of the
35th European Safety and Reliability Conference (ESREL2025) and
the 33rd Society for Risk Analysis Europe Conference (SRA-E 2025)
15 – 19 June 2025, Stavanger, Norway
Cybersecurity Barriers and Performance Requirements
SINTEF Digital, Trondheim, Norway.
ABSTRACT
The cybersecurity barrier management project aims to develop new knowledge and guidance to secure industrial control and safety systems against cyberattacks. With several threat actors targeting the petroleum sector, the number of publicly known cyberattacks is increasing, revealing a larger threat landscape. At the same time, extensive digitalisation of the sector has led to increased vulnerability. Cyberattacks against control and safety systems in the petroleum industry can cause physical damage to facilities, harm personnel, and affect security of gas supply to Europe. Barrier management systems have been introduced for traditional safety against accidental events, but to a lesser extent against intentional events such as cyberattacks. In this paper, we focus on the identification of cybersecurity barriers, and the development of corresponding cybersecurity barrier requirements, i.e., how well the barriers should perform. The main research approach is iterative empirical research where the research and exploration are carried out in several iterations in close interaction with industry partners, advisors, experts and professional forums. A literature survey has been performed and considerations about the distinction between cybersecurity barriers and non-barriers have been made. The main result described in this paper is a nine-step methodology for identification of cybersecurity barriers and establishment of performance requirements for the barriers. This includes a definition of cybersecurity barriers. However, a definition is not sufficient in itself to distinguish between cybersecurity measures that are considered cybersecurity barriers versus those that are considered non-barriers; expert insights in cybersecurity measures are a prerequisite for the identification of cybersecurity barriers and the establishment of performance requirements.
Keywords: Barriers, Barrier management, Cybersecurity barriers, Barrier requirements, Security measures, Oil and gas industry.
