Security developments challenge the energy sector – regulations spur preparedness

Article
Antti Arasto,
Petri Puhakainen

The energy sector is currently experiencing an exceptionally interesting time. Finland is part of a global transition in which fossil fuels are being replaced by electricity. Electricity is taking over from oil, gas, and coal, not only driven by emission reduction targets but also by cost competitiveness. Given the critical nature of the energy sector, safety and fault tolerance are top priorities, now influenced by new technologies, increasing regulation, quantum threats, and the resilience of digital networks.


  • The energy sector needs to balance electricity production and consumption due to limited storage options and increasing reliance on renewable sources, necessitating smarter, more flexible transmission systems managed by digital means.
  • The sector faces stringent regulations like the NIS2 Directive and Cyber Resilience Act, emphasising the need for strengthened cybersecurity and compliance from company management, with serious consequences for security failures.
  • Quantum threats pose significant future risks, with very few organisations prepared for these changes, although quantum-resistant encryption methods exist and should be implemented proactively.
  • The development of robust internal data networks is crucial, with examples like Telia building redundancy into their networks and using technologies like edge computing to ensure uninterrupted service, which highlights the importance of ongoing investment and testing in network security.

This summary is written by AI and checked by a human.

Electricity production and consumption need to be balanced and grow hand in hand. As electricity is hard to store and storage options are limited, production and consumption must be balanced almost in real time. This makes the electricity-based energy infrastructure more vulnerable than before, especially if new challenges are not taken into account during its design.

"The green transition is no longer just a dream – it’s a full reality. As primary energy increasingly comes from variable wind and solar sources, more flexible transmission and production systems are required. Meanwhile, digitalisation is taking centre stage: in these fast-paced environments, intelligent systems, not humans, will manage control," explains Antti Arasto, Vice President of Energy at VTT. 

Digitalisation ushers in new regulations

In an increasingly digitalised world, the energy sector stands out as one of the most critical industries. Accordingly, it is also subject to extensive regulation aimed at enhancing digital resilience and protecting both citizens and businesses.

Petri Puhakainen, Cyber Security Lead at VTT, has explored the changing regulatory landscape:

"The NIS2 Directive, which came into force in 2023, seeks to harmonise member states’ baseline level of cybersecurity and applies broadly to businesses. The President of Finland ratified the implementing legislation on 8 April 2025. With only a brief transition period remaining, many organizations now face their last opportunity to comply," Puhakainen emphasises.

"Company management teams and boards have undeniable responsibility for cybersecurity for the first time in history. Deficiencies in security measures can lead to serious consequences, such as interruptions of business operations. Therefore, proactive measures and solid cooperation are more important than ever."

Network-connected devices are also regulated, as they may pose unpredictable security risks. Under the Cyber Resilience Act (CRA), no new digital product, whether a processor, operating system, telecommunications device, or Bluetooth headset, may enter the EU market unless its cybersecurity has been assessed to the required standard and it supports updates.

This still raises open questions:

"For example, if a device receives continuous updates, does it also need to be tested continuously? When is a documentation review sufficient, and when is technical testing required? And above all – who is responsible for the testing?" Puhakainen ponders. 

Preparation for quantum threats is weak

It is estimated that quantum computers will be able to crack current public key encryption methods within 10–15 years. Hostile states and their cybercriminal associates are already storing encrypted communications, waiting for the moment when the data can be unlocked.

Quantum development may leap forward unexpectedly, which further illustrates the importance of foresight and preparedness. This is particularly relevant for operators within critical fields, such as energy sector organisations.

"We conducted a joint investigation with Digipooli to assess how companies critical to Finland’s security of supply have prepared for the quantum threat. Only three per cent had implemented strategies for replacing vulnerable encryption methods, which is very worrying. There are already quantum-resistant encryption algorithms available. No one yet possesses a quantum computer capable of breaking current encryption, but it’s only a matter of time before that changes," Puhakainen explains.

Standardised quantum-resistant public key encryption algorithms already exist. Organisations should promptly map which vulnerable encryption solutions they have in use so that their replacement can be initiated in a controlled manner. 

Building internal resilience in data networks

Fluctuations in energy production and consumption, together with shorter timescales, require automation and digitalisation, namely data networks. Finland's geopolitical location as a neighbour to a country at war necessitates vigilant oversight of national networks.

Submarine cable breaks and GPS jamming are commonly reported threats in the news. The resilience of network traffic is ensured by duplicating security measures.

"The locations of submarine cables are generally public knowledge, so they cannot be entirely relied upon. We have various backup links, the locations of which are, of course, confidential," says Tero Maaniemi, Network and Infra Lead Architect at Telia.

Telia is also building its transmission network with regional redundancy and a ring topology so that a fault or maintenance outage in one segment won’t compromise overall network functionality. 

Energy sector operators have a keen interest in edge computing and private networks

One way to ensure the continuity of multiple critical digital services is to deploy a dedicated private network in which latency-minimizing edge computing runs smoothly, free of congestion and coverage issues.

"For example, we have built a private network in the Kittilä mine to remotely operate autonomous mining machines," Maaniemi explains.

In some situations, satellite-based coverage extension can become invaluable.

"We have implemented mobile connectivity solutions for the Norwegian Defence Forces, which include satellite connections, a portable base station, and a battery, enabling connections to work even in the most remote areas," he adds.

VTT's Antti Arasto notes that significant investment is being made in network testing, with collaboration spanning government agencies, industry players, and academic researchers:

"Among other initiatives, VTT maintains a pilot environment to test network security and simulate a variety of threat scenarios. One promising technology is line differential protection, which can instantly detect faults in the power grid and enable immediate intervention." 

Antti Arasto and Petri Puhakainen from VTT, as well as Tero Maaniemi from Telia, spoke at VTT's event "Security in the Energy Sector in the Future: 5G, Quantum Encryption, and Cybersecurity" in early April. 
