{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,8]],"date-time":"2025-12-08T22:15:06Z","timestamp":1765232106999,"version":"3.41.2"},"reference-count":42,"publisher":"Emerald","issue":"2","license":[{"start":{"date-parts":[[2012,6,1]],"date-time":"2012-06-01T00:00:00Z","timestamp":1338508800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2012,6,1]]},"abstract":"Purpose<\/jats:title>The purpose of this paper is to support the implementation of safety and security guidelines in the Norwegian oil and gas industry and verify the actual use of the guidelines by industry and authorities.<\/jats:p><\/jats:sec>Design\/methodology\/approach<\/jats:title>An action research approach was used, exploring organisational learning as described by Argyris and Schon and by Nonaka and Takeuchi as \u201cThe knowledge\u2010creating company.\u201d Interviews (analysis of interviews), workshops and reviews of guidelines and audits were performed in addition to \u201clearning workshops\u201d trying to create understanding and compliance related to the guidelines among industry and authorities.<\/jats:p><\/jats:sec>Findings<\/jats:title>The guideline OLF104 is used in the Norwegian oil and gas industry, by operators and by suppliers and checked through audits. However, the guideline should influence working procedures at operators more. The guideline seems to have improved resilience.<\/jats:p><\/jats:sec>Research limitations\/implications<\/jats:title>The impact of the guideline on safety and security should be more systematically assessed. It is suggested that improvement of experience and knowledge related to safety, security and resilience of distributed control systems could improve the guidelines.<\/jats:p><\/jats:sec>Social implications<\/jats:title>The paper shows that there is improved awareness, safety, security and resilience when process control systems are integrated with ICT systems.<\/jats:p><\/jats:sec>Originality\/value<\/jats:title>The contribution of the paper is the exploration of a broad\u2010based action\u2010based approach, involving key stakeholders in a structured manner, to improve practices and facilitate implementation of safety and security guidelines. The contribution is also an empirical documentation of the implementation of key issues of security and safety in guidelines between two different areas of competence, ICT and process control. The paper will be of interest to the key stakeholders: the industry, authorities and the media.<\/jats:p><\/jats:sec>","DOI":"10.1108\/09685221211235607","type":"journal-article","created":{"date-parts":[[2014,1,23]],"date-time":"2014-01-23T11:06:43Z","timestamp":1390475203000},"page":"71-87","source":"Crossref","is-referenced-by-count":9,"title":["Resilience at interfaces"],"prefix":"10.1108","volume":"20","author":[{"given":"Stig","family":"Ole Johnsen","sequence":"first","affiliation":[]}],"member":"140","reference":[{"key":"key2022031220270358100_b1","doi-asserted-by":"crossref","unstructured":"Aas, A.L., Johnsen, S.O. and Skramstad, T. (2009), \u201cCRIOP: a human factors verification and validation methodology that works in an industrial setting\u201d, Lecture Notes in Computer Science, Vol. 5775, pp. 243\u201056.","DOI":"10.1007\/978-3-642-04468-7_20"},{"key":"key2022031220270358100_b2","unstructured":"Argyris, C. and Sch\u00f6n, D.A. (1996), Organizational Learning II: Theory, Method and Practice, Addison\u2010Wesley, Reading, MA."},{"key":"key2022031220270358100_b3","doi-asserted-by":"crossref","unstructured":"Butler, B.S. and Gray, P.H. (2006), \u201cReliability, mindfulness and information systems\u201d, MIS Quarterly, Vol. 30 No. 2, pp. 211\u201024.","DOI":"10.2307\/25148728"},{"key":"key2022031220270358100_b4","doi-asserted-by":"crossref","unstructured":"Davison, R., Martinsons, M. and Kock, N. (2004), \u201cPrinciples of canonical action research\u201d, Information Systems Journal, Vol. 14 No. 1, pp. 65\u201086.","DOI":"10.1111\/j.1365-2575.2004.00162.x"},{"key":"key2022031220270358100_b5","unstructured":"DnD (2008), \u201cRosing ICT\u2010security award\u201d, available at: www.dataforeningen.no\/it\u2010sikkerhetsprisen.4796706\u2010160557.html (accessed October 10, 2010)."},{"key":"key2022031220270358100_b6","doi-asserted-by":"crossref","unstructured":"Firesmith, D.G. (2003), \u201cCommon concepts underlying safety, security, and survivability engineering\u201d, Technical Note CMU\/SEI\u20102003\u2010TN\u2010033, Carnegie Mellon University.","DOI":"10.21236\/ADA421683"},{"key":"key2022031220270358100_b7","unstructured":"Hauge, S., Johnsen, S.O. and Onshus, T. (2009), \u201cUavhengighet av sikkerhetssystemer\/functional independence of safety systems\u201d, SINTEF Report, available at: www.ptil.no\/nyheter\/ny\u2010rapport\u2010om\u2010sikkerhetssystemers\u2010uavhengighet\u2010article7292\u201024.html (accessed January 1, 2011)."},{"key":"key2022031220270358100_b8","unstructured":"Hollnagel, E., Woods, D. and Leveson, N. (2006), Resilience Engineering, Ashgate, Aldershot."},{"key":"key2022031220270358100_b9","doi-asserted-by":"crossref","unstructured":"Hopkins, A. (2011), \u201cRisk\u2010management and rule\u2010compliance: decision making in hazardous industries\u201d, Safety Science, Vol. 49, pp. 110\u201020.","DOI":"10.1016\/j.ssci.2010.07.014"},{"key":"key2022031220270358100_b10","unstructured":"IEC 61508 (2010), Functional Safety of Electrical\/Electronic\/Programmable Electronic Safety\u2010Related Systems."},{"key":"key2022031220270358100_b11","unstructured":"IEC 62443 (2008), Security for Industrial Process Measurement and Control \u2013 Network and System Security."},{"key":"key2022031220270358100_b12","doi-asserted-by":"crossref","unstructured":"Igure, V.M., Laughter, S.A. and Williams, R.D. (2006), \u201cSecurity issues in SCADA networks\u201d, Computers & Security, Vol. 25, pp. 498\u2010506.","DOI":"10.1016\/j.cose.2006.03.001"},{"key":"key2022031220270358100_b13","unstructured":"IsaSecure (2010), International Society for Automation, ISA Security Compliance Institute, Research Triangle Park, NC, available at: www.isasecure.org\/ (accessed January 1, 2011)."},{"key":"key2022031220270358100_b14","unstructured":"ISO 11064 (2000), \u201cErgonomic design of control centres\u201d."},{"key":"key2022031220270358100_b15","unstructured":"ISO\/IEC 27002 (2005), \u201cInformation technology \u2013 code of practice for information security management\u201d."},{"key":"key2022031220270358100_b17","doi-asserted-by":"crossref","unstructured":"Johnsen, S.O., Skramstad, T. and Hagen, J. (2009), \u201cEnhancing the safety, security and resilience of ICT and SCADA systems using action re\u2010search\u201d, in Palmer, C. and Shenoi, S. (Eds), Critical Infrastructure Protection, Vol. III, Springer, Berlin, pp. 113\u201023.","DOI":"10.1007\/978-3-642-04798-5_8"},{"key":"key2022031220270358100_b16","unstructured":"Johnsen, S.O., Bj\u00f8rkli, C., Steiro, T., Fartum, H., Haukenes, H., Ramberg, J. and Skriver, J. (2008), \u201cCRIOP \u2013 a scenario method for crisis intervention and operability analysis\u201d, SINTEF, available at: www.criop.sintef.no (accessed October 10, 2010)."},{"key":"key2022031220270358100_b18","doi-asserted-by":"crossref","unstructured":"Johnsen, S.O., Okstad, E., Aas, A.L. and Skramstad, T. (2010), \u201cProactive indicators of risk in remote operations of oil and gas fields\u201d, paper presented at SPE International Conference on Health, Safety and Environment in Oil and Gas Exploration and Production.","DOI":"10.2118\/126560-MS"},{"key":"key2022031220270358100_b19","unstructured":"Leveson, N. (1995), Safeware \u2013 System Safety, Addison\u2010Wesley, Aldershot."},{"key":"key2022031220270358100_b20","unstructured":"Luders, S. (2006), \u201cCERN tests reveal security flaws with industrial networked devices\u201d, The Industrial Ethernet Book, pp. 12\u201023, Issue 35, November, available at: www.iebmedia.com (accessed May 12, 2009)."},{"key":"key2022031220270358100_b21","doi-asserted-by":"crossref","unstructured":"Lund, J. and Aar\u00f8, L.E. (2004), \u201cAccident prevention \u2013 presentation of a model placing emphasis on human, structural and cultural factors\u201d, Safety Science, Vol. 42 No. 4, pp. 271\u2010324.","DOI":"10.1016\/S0925-7535(03)00045-6"},{"key":"key2022031220270358100_b22","unstructured":"McAfee (2011), Global Energy Cyber attacks \u2013 Night Dragon, available at: www.mcafee.com\/us\/res\u2010ources\/white\u2010papers\/wp\u2010global\u2010energy\u2010cyberattacks\u2010night\u2010dragon.pdf (accessed February 20)."},{"key":"key2022031220270358100_b23","unstructured":"NC (2011), The National Commission on the BP Deepwater Horizon Oil Spill and Offshore Drilling's Final Report, available at: www.oilspillcommission.gov (accessed February 1)."},{"key":"key2022031220270358100_b25","doi-asserted-by":"crossref","unstructured":"Nonaka, I. and Takeuchi, H. (1995), The Knowledge\u2010creating Company, Oxford University Press, New York, NY.","DOI":"10.1093\/oso\/9780195092691.001.0001"},{"key":"key2022031220270358100_b26","unstructured":"NTSB (2002), Pipeline Rupture and Subsequent Fire in Bellingham, Washington, June 10, 1999. Pipeline Accident Report NTSB\/PAR\u201002\/02, National Transportation Safety Board, Washington, DC."},{"key":"key2022031220270358100_b27","unstructured":"OLF104 (2006), \u201cInformation security baseline requirements for process control, safety and support ICT Systems\u201d, ISBR, By Ask, R, R\u00f8isli R., Johnsen S., Line M., Ueland A., Hovland B., Groteide L., Birkeland B., Steinbakk A., Hagelsteen E., Rong C. and Losnedahl T., available at: www.olf.no\/no\/Publikasjoner\/Retningslinjer\/Kronologisk\/ (accessed January 1, 2011)."},{"key":"key2022031220270358100_b28","doi-asserted-by":"crossref","unstructured":"Pietre\u2010Cambacedes, L. and Chaudet, C. (2010), \u201cThe SEMA referential framework: avoiding ambiguities in the terms \u2018security\u2019 and \u2018safety\u2019\u201d, International Journal of Critical Infrastructure Protection, Vol. 3, pp. 55\u201066.","DOI":"10.1016\/j.ijcip.2010.06.003"},{"key":"key2022031220270358100_b29","unstructured":"PSA (2010a), \u201cAudit of BP Norge's follow\u2010up of new work processes within drilling and well activities using information and communication technology (ICT)\u201d, PSA Journal 2010\/1112, available at: www.ptil.no\/news\/audit\u2010of\u2010bp\u2010s\u2010follow\u2010up\u2010of\u2010new\u2010work\u2010processes\u2010article7566\u201079.html (accessed January 1, 2011; November 9)."},{"key":"key2022031220270358100_b30","unstructured":"PSA (2010b), \u201cAudit of Norne\u201d, PSA Journal 2010\/93, available at: www.ptil.no\/nyheter\/tilsyn\u2010med\u2010beredskap\u2010norne\u2010fpso\u2010article6834\u201024.html (accessed January 1, 2011)."},{"key":"key2022031220270358100_b31","unstructured":"PSA (2010c), \u201cSafety system independence\u201d, available at: www.ptil.no\/news\/safety\u2010system\u2010independence\u2010in\u2010focus\u2010article7293\u201079.html?lang=en_US (accessed January 1, 2011)."},{"key":"key2022031220270358100_b32","doi-asserted-by":"crossref","unstructured":"Rasmussen, J. (1997), \u201cRisk management in a dynamic society: a modeling problem\u201d, Safety Science, Vol. 27 Nos 2\/3, pp. 183\u2010213.","DOI":"10.1016\/S0925-7535(97)00052-0"},{"key":"key2022031220270358100_b33","unstructured":"Renn, O. (2005), Risk Governance \u2013 Towards an Integrative Approach, White Paper No. 1, IRGC, Geneva."},{"key":"key2022031220270358100_b24","unstructured":"Robson, L.S., Shannon, H.S., Goldenhar, L.M. and Hale, A.R. (2001), Guide to Evaluating the Effectiveness of Strategies for Preventing Work Injuries, NIOSH, Cincinnati, OH."},{"key":"key2022031220270358100_b34","doi-asserted-by":"crossref","unstructured":"Smith, S., Jamieson, R. and Winchester, D. (2007), \u201cAn action research program to improve information systems security compliance across government agencies\u201d, Proceedings of the Fortieth Annual Hawaii International Conference on System Sciences, p. 99.","DOI":"10.1109\/HICSS.2007.58"},{"key":"key2022031220270358100_b35","doi-asserted-by":"crossref","unstructured":"Stouffer, K., Falco, J. and Kent, K. (2008), Guide to Supervisory Control and Data Acquisition and Industrial Control Systems Security, NIST Special Publication 800\u201082.","DOI":"10.6028\/NIST.SP.800-82e2008"},{"key":"key2022031220270358100_b36","doi-asserted-by":"crossref","unstructured":"Susman, G. and Evered, R. (1978), \u201cAn assessment of the scientific merits of action research\u201d, Administrative Science Quarterly, Vol. 23, pp. 582\u2010603.","DOI":"10.2307\/2392581"},{"key":"key2022031220270358100_b37","unstructured":"Symantec (2011), W32. Stuxnet Dossier, available at: www.symantec.com\/content\/en\/us\/enterprise\/media\/security_response\/whitepapers\/w32_stuxnet_dossier.pdf (accessed March 1)."},{"key":"key2022031220270358100_b38","unstructured":"Taleb, N.N. (2007), The Black Swan: The Impact of the Highly Improbable, Random, New York, NY."},{"key":"key2022031220270358100_b39","unstructured":"TR1658 (2009), \u201cStatoil governing document \u2018Technical Network and Security of Automation Systems\u2019\u201d."},{"key":"key2022031220270358100_b40","unstructured":"TU (2009), \u201cComputer incidents may halt oil and gas production\/Dataangrep kan stoppe Olje\u2010Norge\u201d, available at: www.tu.no\/it\/article193101.ece (accessed January 14)."},{"key":"key2022031220270358100_b41","doi-asserted-by":"crossref","unstructured":"van Eynde, D. and Bledsoe, J. (1990), \u201cThe changing practice of organizational development\u201d, Leadership & Organizational Development Journal, Vol. 11 No. 2, pp. 25\u201030.","DOI":"10.1108\/01437739010135529"},{"key":"key2022031220270358100_b42","unstructured":"Westrum, R. (2003), \u201cRemoving latent pathogens\u201d, paper presented at the Sixth International Australian Aviation Psychology Conference."}],"container-title":["Information Management & Computer Security"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/www.emeraldinsight.com\/doi\/full-xml\/10.1108\/09685221211235607","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/09685221211235607\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/09685221211235607\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T00:09:24Z","timestamp":1753402164000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/20\/2\/71-87\/179731"}},"subtitle":["Improvement of safety and security in distributed control systems by web of influence"],"short-title":[],"issued":{"date-parts":[[2012,6,1]]},"references-count":42,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2012,6,1]]}},"alternative-id":["10.1108\/09685221211235607"],"URL":"https:\/\/doi.org\/10.1108\/09685221211235607","relation":{},"ISSN":["0968-5227"],"issn-type":[{"type":"print","value":"0968-5227"}],"subject":[],"published":{"date-parts":[[2012,6,1]]}}}