Protecting your business: Navigating cybersecurity challenges in the industrial sector
Author: Terhi Hietamäki
Estimated reading time: 6 minutes
As industrial companies become more interconnected, the complexity of the cyber threat landscape grows. Geopolitical uncertainties, intricate supply chains, and rapid technological advancements have created a highly unpredictable risk environment. How can companies effectively address these evolving cybersecurity challenges?
Cybercriminals are increasingly leveraging emerging technologies to launch more sophisticated attacks, while regulatory requirements worldwide are becoming stricter – yet often fragmented – adding to the compliance burden. For instance, the new NIS2 Directive, also known as the Cybersecurity Directive, establishes measures aimed at achieving a high common level of cybersecurity across European Union member states.
Further complicating these challenges is the ongoing cybersecurity skills gap, making it increasingly difficult for organizations to manage risks effectively.

To explore how industrial companies can strengthen their cyber resilience, we spoke with Harri Koivunen, Senior Specialist at the Finnish Transport and Communications Agency Traficom (NCSC-FI).
What are the biggest cybersecurity challenges for industrial companies?
The challenges companies face depend on their size, business environment, and cybersecurity maturity. However, many risks can be mitigated by addressing basic security measures, many of which are mandated by regulations. This includes the ability to detect and respond to attacks, recover from incidents, and continuously improve security measures.
At its core, the most critical step for any organization is understanding its environment, identifying its most valuable assets, and ensuring they are protected from key cyber threats.
What challenges arise when implementing new technologies in an industrial environment?
The adoption of new technologies, such as artificial intelligence (AI), should be carefully managed and controlled. Security must be a priority from the outset rather than being added as an afterthought – this principle is known as security by design.
One critical aspect is data classification. It is crucial to define what data AI can access and how that access is controlled. If AI is granted admin-level privileges, it could gain access to all company data, potentially exposing sensitive information to unauthorized users.
Additionally, organizations must invest in employee training – not just in how to use the technology effectively, but also in how to respond to security incidents. Also, there must be clear reporting channels for employees to flag irregularities.
What are the most significant opportunities of artificial intelligence from a cybersecurity perspective?
AI has been used in cybersecurity for over 20 years, significantly enhancing threat detection and prevention. However, its application remains challenging, requiring deep expertise in both AI and cybersecurity. Nevertheless, AI offers significant business benefits, making it essential to explore its potential. Its use, however, must be guided by best practices and established guidelines.
Do you see cybersecurity playing a role in companies’ competitiveness beyond preventing damage?
Many perceive cybersecurity as a hurdle, but it provides significant advantages, such as enhancing reputation and building customer trust. Today, the question is no longer if an incident will happen, but how an organization responds when it does. Therefore, it is crucial to understand cybersecurity’s impact on customer operations. Companies must take responsibility by minimizing disruptions and ensuring clear contractual agreements that define each party’s role and obligations.
What should business leaders do to ensure that the cybersecurity strategy aligns with the company’s overall strategy?
Business leaders must set clear objectives, and based on these, a cybersecurity action plan can be developed to support the organization’s strategic goals. Therefore, the business leader, who is responsible for the company’s performance, must understand the significance of cybersecurity for their specific business. For instance, if the business handles confidential information, the goal might be to ensure secure information exchange with customers, preventing any data breaches.
Company management should remember that responsibility cannot be outsourced, even if IT handles the technical side or services are purchased externally. Ultimately, the management is responsible for the company’s risks and must oversee, implement, and uphold the cybersecurity risk management model.
What tools and approaches do you recommend for ensuring effective risk management?
Effective risk management requires a consistent approach across the organization. Cybersecurity risks should be managed using the same model as other operational risks, though assessing their impact can be more challenging due to limited understanding of the company’s digital environment. Without a clear grasp of the company’s critical assets, as well as the software and data involved in key processes, identifying potential cyber risks becomes difficult.
A solid risk management plan is essential, one that includes identifying and analyzing risks and threats – keeping in mind that threats and risks are not the same. Accepting certain risks can be an effective approach, depending on the company’s risk tolerance.
What is the significance of international frameworks, such as ISO 27001, for industrial companies?
Organizations should utilize established standards, frameworks, and best practices, as they provide structure, facilitate communication, and can offer a competitive edge. The National Cyber Security Centre Finland has compiled a list of widely recognized frameworks, but we do not advocate for any single standard, as many of them share similar principles. It is advisable to consider potential country- and industry-specific nuances.
What is your view on the requirements of the NIS2 Directive?
One aspect I particularly appreciate about the NIS2 Directive is its emphasis on a risk-based approach, recognizing that there is no one-size-fits-all solution. Organizations are required to assess risks specific to their operations, taking into account the unique characteristics and threats within their industry. Additionally, they must continuously monitor the evolving risk landscape and adapt their strategies accordingly.
How should an organization be trained?
First and foremost, general training is essential to ensure that everyone in the organization is aware of standard procedures and understands basic information about current threats. With AI, highly convincing phishing attacks can be created, making continuous training vital for all employees.
Additionally, specialists who are responsible, for instance, for managing access to sensitive information require targeted training. Cybersecurity is a challenging environment due to its constantly evolving nature, and professionals need to stay updated on both the technical side and emerging global trends. When considering the specific skills needed for an industrial company, it is often more effective to train production staff to become cybersecurity experts rather than hiring externally.
How can companies manage their supply chains to keep risks under control?
One common challenge is unclear accountability – understanding who is responsible for what and defining the full scope of services. To mitigate this, companies must ensure that contractual terms are clearly defined, understood, and enforced throughout the entire service lifecycle.
Each party in the supply chain must proactively manage risks related to its operations and ensure the security of communication networks and systems. The NIS2 Directive also highlights the increasing threat of supply chain attacks, reinforcing the need for robust cybersecurity measures. However, while regulations establish a minimum baseline, many companies require stronger protections to safeguard their operations.
A critical yet often overlooked step is identifying key suppliers and customers within the supply chain and implementing tailored risk management strategies. This proactive approach helps ensure business continuity in an evolving threat landscape.