The National Emergency Supply Agency, Finnish Communications Regulatory Authority (FICORA) and a group of energy companies have jointly launched the KYBER-ENE project, to improve cyber-caution as digitalisation changes the world.
A high level of cyber caution is required in the production and distribution of energy, as these are critical infrastructure. Although Finnish energy companies have traditionally been well prepared, there is still a need for development, particularly now that digitalisation is changing the world.
Fingrid's Security Manager Jyrki Pennanen points out that cyber threats have become increasingly serious in the energy sector. For example, a group of advanced hackers attacked power plants in Ukraine in 2015 and 2016, leaving over 250,000 people without electricity.
– On the other hand, the latest threats include the harnessing of access control systems to extract cyber currencies, which is incredible in itself, he says.
As digitalisation advances, companies are introducing new IoT devices, which is increasing security risks. For example, Pennanen points out that Fingrid has begun piloting IoT-based microphones, which listen to components and detect faults on the basis of their sounds, in a certain substation.
–This is an excellent project in itself, which serves our business, but it creates a new dimension in security, says Pennanen.
As a transmission system operator, Fingrid is well prepared for cyber threats, with five persons working in the area of information security. Many small energy operators, on the other hand, have only one person combatting cyberthreats, as well as performing the company's other IT tasks.
– That is why KYBER-ENE involves seeking good cybersecurity for companies of all levels, in addition to the research, he sums up.
Taking collaboration to a new level
For Business Continuity Manager Kalle Luukkainen, the main objective of the project is to raise awareness of and develop expertise on the cyber threats facing the energy sector. The project was begun by organising confidential cyber-security workshops for energy companies.
– What's new is that energy players have become so actively involved in promoting cyber safety, supported by the National Emergency Supply Agency and the National Cyber Security Centre Finland, Luukkainen says.
He explains that these workshops have focused on the development of competencies, mapping the cybersecurity situation within the production network, and securing remote connections for users and during emergencies.
– Although the project is still at an early stage, it has been progressing well. The right things have been done in the workshops, and those involved have been very active. Cooperation with companies is not new, but it has now risen to a new level of activity.
He points out that, because the project is short, it is only intended to launch cooperation and its continuation is being planned.
– Preparation for cyber threats should be viewed as a kind of continuum, i.e. we need to maintain the good cooperation we have achieved.
The bar must be kept high
One of KYBER-ENE's sources of background information is a situational snapshot of the Finnish energy sector's readiness to counter cyber threats, which was created in 2015 by the Power Supply Pool of the National Emergency Supply Organisation.
According to Petri Nieminen, Senior Advisor, Power Systems at the National Emergency Supply Agency, the report shows that much remains to be done in both large and small companies.
– All companies should now raise the bar. It was once enough if the firewall was okay, but firewalls don't hold anything back anymore. As part of critical infrastructure, the energy sector is an ideal target for attacks, and we need to prepare for the threats together, he says.
Although two years have elapsed since the report, Nieminen explains that cyber threats have become more serious since then and cyber security has become increasingly important.
– Although no major national security problems have occurred in Finland, we should consider whether an attack like that on Ukraine would be possible here.
He regards mutual peer support among companies as important to combating the cyber threat.
– Consultants and the authorities can certainly provide companies with support, but the message really gets through if another company is doing the talking.
New cyber-threat management model
Pasi Ahonen, Coordinator of the KYBERENE project and a Principal Scientist at VTT, explains that a cyber threat management model was developed in the workshops, which should be duplicated in regional workshops and could be introduced more widely.
– It would be important for the energy sector to create a model for the systematic and rapid development of cybersecurity in the private sector. Good progress was made in developing cyber security at the Kuopio and Mikkeli workshops in particular, because the executives were motivated.
Incidents such as the attack on Ukraine were discussed in the workshops, where we pondered whether the same could happen in Finland. In this way, the participants were given a tangible demonstration of exactly how energy companies can be attacked.
According to Ahonen, preparedness for cyber attacks is about more than just IT resources.
– A large number of IT staff is not sufficient to improve the level of preparedness; the key issue is integrating preparedness in all activities. The entire organisation must understand cyber-safe practices.
KYBER-ENE is part of the National Emergency Supply Agency's KYBER 2020 programme
The KYBER-ENE project involves improving the cybersecurity of critical infrastructure in society. The aim is to improve preparedness among energy companies. VTT is coordinating the project, whose first phase began in November 2017 and ended in April 2018.
The project steering group include energy companies such as Fingrid, Kuopion Energia, Suur-Savon Sähkö, Helen and Neste. In addition, the National Emergency Supply Agency and National Cyber Security Centre are on the project steering group.
The KYBER 2020 programme was preceded by the KYBER-TEO project, in which VTT and industry players developed and tested services that ensure industrial cybersecurity.
