Energy production must be protected from cyber threats – a NATO exercise increased understanding of the challenges

Petri Puhakainen

Energy systems and green electricity production are critical functions for society, and subject to new, significant cyber threats. VTT was strongly involved in a Nordic NATO exercise, where companies related to electricity production jointly looked for ways to protect themselves from possible threats.

Energy production plays a crucial role in the functioning of societies, and the energy system is therefore a key target in hybrid warfare. Renewable energy production is particularly vulnerable to attacks, and its cyber security faces growing challenges. At the same time, the regulation of the industry is increasing in Europe, and requires critical infrastructure operators to carefully prepare for threats.

The joint NATO Nordic Pine 2023 exercise, organized in Finland and Sweden in September, focused on the cyber security of green energy production. Companies producing critical services were brought together to practice for cyber threats and hostile information campaigns. For NATO, one of the aims was to find common, cross-border development targets.

– The focus of the exercise was green energy production, and our example case was related to wind power. The participants secured an imaginary operating environment, which was subjected to various threats, attacks and hostile acts at an accelerating pace, describes Petri Puhakainen, VTT's Cybersecurity Lead.

Realistic scenarios required solutions

29 Finnish and Swedish companies and organizations of different sizes, related to the production of electrical energy, participated in the exercise. The participants included security personnel, power plant managers and cyber security management, among others. For some companies, preparing for cyber threats is already an everyday activity, while for others the exercise was an eye-opener.

The training groups evaluated together the meaning of the threats to the imaginary environment and how to react to them. The scenarios were realistic, but did not limit thinking too much.

– When people get together to think about how to solve a problem, they usually learn something. This exercise increased the participants' understanding of possible risks and attacks, and how to act in those situations. For example, communication, creating a situational picture and notifying the authorities sparked a lot of discussion, says Puhakainen.

The companies shared information on best practices, and identified areas for improvement in their operating methods. At the same time, they gained insight on what kind of cyber security expertise will be needed in the future and how it should be organized, for example.

– Cyber ​​security exercises are an essential part of companies' cyber security risk management. They help companies identify, prevent and respond to cyber threats, which is critical for ensuring business continuity and maintaining customers’ trust. From Fortum's point of view, cyber exercises always promote cooperation with other companies and authorities in the energy sector. Joint exercises and sharing experiences help to create a broader information security ecosystem and improve the cyber defense of the entire energy sector, says Jarmo Huhta, Cyber ​​Security Manager at Fortum.

VTT’s role strong – expertise on the industry and cyber security is a must

VTT planned the situation and events on the first day of the two-day exercise, while the second day's exercise was planned by the Swedish research institute RISE. VTT facilitated both exercises in Finland, recruited participants and evaluated the exercises for NATO.

– During the planning phase, we were able to make use of our understanding of the industry's challenges and our strong expertise in cyber security. We need to know what cyber threats mean in wind energy production and what kind of industry-specific challenges exist. In addition, we must understand how a potential attacker views the world and what countermeasures are needed, Puhakainen says.

VTT has a strong background in solving cyber security challenges in several different sectors, such as the energy industry, intelligence, national defense and telecommunications. The solutions of VTT's multidisciplinary research team have been applied to both ensuring the safety of consumer products and protecting critical infrastructure as well as challenging operational needs. In addition, VTT helps its customers and partners to find new commercial opportunities in the cyber security sector.

Petri Puhakainen
Petri Puhakainen
Our vision beyond 2030

A safe society is a wonderful thing. It should be treasured and strengthened so that known and unknown threats both in the real and virtual worlds do not jeopardise it.