The role of cybersecurity in the preparedness of critical infrastructure

Digita’s nationwide radio and TV networks, which company maintains and operates, along with other services, are part of Finland’s critical infrastructure. From the beginning, TV and especially radio broadcasts have played an important role not only in societal communication but also in direct emergency communication, such as in serious accidents causing public danger. Even today, citizens’ access to information is ultimately ensured through the FM radio network in the event of a society’s crisis situation. For these reasons, preparedness has been and continues to be a significant part of Digita’s operational planning.

The Evolution of Preparedness: From Physical Infrastructure to Information Security

Previously, preparedness scenarios focused more on protecting physical infrastructure and recovering from problems that affected it. Spare parts management and restoring services by alternative means were the foundation of preparedness. The widespread adoption of automated data processing and the development of information technology have, at least since the advent of the internet, elevated information security to one of the most central areas of preparedness.

The New Era of Information Security: From Threats to Preparedness

Networked services of companies have opened routes for hostile actors to infiltrate a company’s network services and information along with business opportunities. A company or organization can become a target of state-sponsored or purely criminal actors at any time. Various bots, now assisted by artificial intelligence, opportunistically scan for security vulnerabilities in devices online continuously. State actors, if they choose, have the ability to allocate endless resources to search for security vulnerabilities in their targets. Therefore, in terms of information security, emergency conditions are always present, and thus preparedness and information security must be part of an organization’s normal daily business processes.

Cloud Service Integration and Information Security Management

Previously, cloud services offered from the cloud, such as SaaS and PaaS, were considered problematic for preparedness due to physical servers often being located outside Finland’s borders, and the use of cloud services was restricted and even categorically prohibited for services critical to society. Fortunately, the mindset regarding cloud services has changed or is changing. Finland is also increasingly clearly part of the West and Europe, where cloud servers are generally located. However, when planning the use of cloud services, it is necessary to ensure that the company can deliver its services despite long-lasting communication disruptions. Cloud service providers have the opportunity to continuously focus on the design, implementation, and monitoring of information security solutions, many times over compared to an individual company. However, the information security of cloud services is not automatic, and it is the company’s responsibility to choose reliable partners and the right services and to ensure secure configuration.

Business services and related technical solutions must be designed from the outset with information security risks in mind. Organizations must approach information security problems from the perspectives of people, processes, and technologies. An information security management system provides a good framework for managing and governing all this, and ready-made processes for managing information security risks and controls and for continuous improvement. In addition, the possibility of certification facilitates inter-company operations by providing proof of the certified company’s reliability and demonstrating that the company recognizes information security risks and works determinedly to develop information security. The most common information security management model in Europe is ISO 27001, which is also used by Digita.

The Multidimensionality of Information Security: From Technology to Culture

However, information security management is not only about technology or processes but also about culture. One of the biggest, if not the biggest, reasons leading to an information security breach is the successful phishing of an individual’s credentials. It is important that all employees act in accordance with information security practices and guidelines and participate regularly in information security training.

Regulation of information security is also seen as a central part of modern information security. Communication networks and service providers have been regulated for years by requirements defining the quality and availability of the service, so the European Union’s new NIS2 directive does not in itself bring significant new requirements to the industry. In the future, the directive will also cover other critical actors in society, such as the energy, transport, banking, and healthcare sectors. The NIS2 directive is a significant step towards a more unified and effective information security management, which will strengthen the information security and preparedness of companies and society to respond to future threats.

Sami Salmela
The author is Digita’s CDO