Managing cybersecurity risks in critical industry across the Nordics
Due to their location, the Nordics have very particular security threats they must manage – both physically and digitally. This creates a pressing need for advanced cybersecurity defenses across the public sector and critical industry.
In fact, within Sweden and Finland, the security of critical infrastructure is a matter for the state, which is actively involved in vetting and approving security personnel and protocols. Anyone managing critical infrastructure security needs must be a national citizen and cleared by the security services.
Despite its importance, the IT / OT security of critical infrastructure in the Nordics is, as in the rest of the world, 10 – 15 years behind maturity.
Securing the convergence of IT / OT
The fourth industrial revolution has forced two different domains together, a convergence that benefits industry and consumers but can also leave operations, sometimes critical operations, open to risk.
The OT environment was not designed to be connected. It is generally extremely expensive to build, complex to change and doesn’t run on the same operating systems that we use in a modern technology environment. Upgrading and adapting these systems is incredibly complex.
When the two environments converge, a potentially major cyber risk is introduced, and this must be managed. The Nordic region has seen these vulnerabilities exploited, both for common criminality and ransomware and in the context of cyber warfare, which threatens international stability and diplomacy.
Convergence is a great opportunity, but it comes with the cost of an increased risk that must be identified, managed, and controlled.
Cyber-insurance
One area where we’re likely to see an evolution is in cyber-insurance for critical industry. How can financial and civil risk be shared through insurance? Cyber-threats are now within the top five risks identified by insurers on their risk register.
Tailor-made insurance offers are made for manufacturers, using diligence reports and assessment lists to cover what they know, but it is likely that it will become harder and more costly to insure critical infrastructure.
As cyberthreats continue to rise, bringing risk to life, will insurers continue to support this industry?
A longer-term solution is for public and private enterprise to work together to accelerate the maturity of IT / OT security. They must work to protect each other’s interests on the understanding that hostile nations can and do use industry as a tool in their political campaigns. Given the very real threat seen in the Nordics, they could become a test bed for this teamwork and lead the way.
What does this mean for the Nordics?
There is real pressure on Finland and Sweden to have the right skills within their country. Consultants and security operations centers that are not physically located in these territories may not be used. There are exemptions, where required, but the workaround is that a non-national would have to work side-by-side with a national to perform their role, making them an extremely costly resource. This means constant effort across the public and private sector to upskill and re-skill their experts. Public funds must be invested in this area.
Norway, Iceland and Denmark are free to use consultants with global knowledge, which means a wider group of experts to choose from. But with a highly digitalized manufacturing and utilities sector, they are always at risk of disruption.