Cyber threat analysis of people and organizational processes in critical submarine infrastructure

This thesis investigates cyber threats targeting critical submarine infrastructure (CSI). The study focuses on people and organizational processes of operators of submarine telecommunications cables, power cables, and gas pipelines critical to Europe’s energy transmission and data communication. The...


Bibliographic details
Main author: Julkunen, Petro
Other authors: Informaatioteknologian tiedekunta, Faculty of Information Technology, Jyväskylän yliopisto, University of Jyväskylä
Material type: Master's thesis (pro gradu)
Language: eng
Published: 2025
Subjects:
Links: https://jyx.jyu.fi/handle/123456789/103167
description This thesis investigates cyber threats targeting critical submarine infrastructure (CSI). The study focuses on people and organizational processes of operators of submarine telecommunications cables, power cables, and gas pipelines critical to Europe’s energy transmission and data communication. The thesis outlines the cyber threat landscape, identifies vulnerabilities associated with people and processes, and estimates potential impacts. The methodology is a qualitative cyber threat analysis based on targeted literature review and expert consultations. The thesis utilizes frameworks from ENISA, NIST, and the MITRE ATT&CK Matrix to structure the classification of threats and vulnerabilities. Cyberattack scenarios are developed to illustrate how threat actors may exploit the identified vulnerabilities in people and organizational processes—such as insufficient training, poor cybersecurity policies, and insider threats—to compromise the submarine infrastructure. The thesis found that the CSI may be susceptible to cyberattacks due to gaps in organizational cybersecurity. Potential key vulnerabilities include limited cybersecurity skills, lack of awareness, insufficient investment, fragmented policies, and inadequate monitoring. Additional concerns arise from private ownership and multinational supply chains. These conditions may complicate coordinated protection and risk management efforts across jurisdictions. The thesis emphasizes the requirement for improved cybersecurity awareness, harmonized policy implementation, increased investment in training, and enhanced protection strategies, some of which have been recently implemented at the regulatory level in the EU but need to be brought to the organizational level. Addressing vulnerabilities associated with people is essential for ensuring the resilience and operational security of the systems that enable global communications and energy transmission.
This master's thesis examines cyber threats arising from people and organizational processes that target critical underwater infrastructure. The study covers submarine telecommunications cables, power cables, and gas pipelines, which are widely used to enable Europe's energy flows and data transmission. The work analyzes cyber threats, vulnerabilities, and impacts relating to infrastructure operators and their operational processes. The research method was a qualitative threat analysis based on a literature review and expert discussions. The work uses the ENISA, NIST, and MITRE ATT&CK frameworks to classify cyber threats and vulnerabilities. Cyber threats were modeled through scenarios that illustrate how threat actors could exploit organization-level shortcomings, such as insufficient competence, deficient cybersecurity practices and resources, and insider attacks, to damage or spy on submarine infrastructure. The thesis showed that critical underwater infrastructure is vulnerable to attacks due to, among other things, gaps in personnel's understanding of cybersecurity. Vulnerabilities are increased by, among other things, private ownership, dependencies on supply chains, and limited monitoring capacity. The study emphasizes the importance of cybersecurity awareness and unified processes in organizations, as well as the importance of a common European protection strategy. Managing vulnerabilities related to people is important for ensuring the resilience and operational reliability of the systems that enable global communications and energy transmission.
first_indexed 2025-06-06T20:00:59Z
format Pro gradu
free_online_boolean 1
dc.contributor.advisor Lehto, Martti
dc.contributor.author Julkunen, Petro
dc.date.accessioned 2025-06-06T08:38:02Z
dc.date.available 2025-06-06T08:38:02Z
dc.date.issued 2025
dc.identifier.uri https://jyx.jyu.fi/handle/123456789/103167
dc.identifier.urn URN:NBN:fi:jyu-202506064973
dc.format.extent 77
dc.format.mimetype application/pdf
dc.format.content fulltext
dc.language.iso eng
dc.type master thesis
dc.type.publication masterThesis
dc.type.coar http://purl.org/coar/resource_type/c_bdcc
dc.subject.discipline Master's Degree Programme in Cyber Security
dc.rights CC BY 4.0
dc.rights.url https://creativecommons.org/licenses/by/4.0/
dc.rights.copyright © The Author(s)
dc.rights.accesslevel openAccess
dc.description.accessibilityfeature unknown accessibility
id jyx.123456789_103167
language eng
last_indexed 2025-06-06T20:00:59Z
main_date 2025-01-01T00:00:00Z
main_date_str 2025
online_boolean 1
online_urls_str_mv {"url":"https:\/\/jyx.jyu.fi\/bitstreams\/0969de36-9abb-4eae-a9e8-f7b3e4bf145a\/download","text":"URN:NBN:fi:jyu-202506064973.pdf","source":"jyx","mediaType":"application\/pdf"}
publishDate 2025
record_format qdc
source_str_mv jyx
topic Kyberturvallisuuden maisteriohjelma Master's Degree Programme in Cyber Security
url https://jyx.jyu.fi/handle/123456789/103167 http://www.urn.fi/URN:NBN:fi:jyu-202506064973