Have you ever wondered if the buildings your organization owns or uses are proofed for cyber weather?
An enabler for almost any business is the built environment - a property, even several properties. But! As Antti Nyqvist from the Finnish National Emergency Supply Agency mentioned in a webinar in March 2022: “Neither the NIS2 directive (Network and Information Security Directive) nor the CER directive (Critical Entities Resilience Directive) considers the building and construction industry as a critical industry even though power and heat production, water supply and waste management unite in the built environment and are considered as highly critical industries.” This was a hot topic then and still is today, while Russian troops are invading Ukraine by force and destroying critical infrastructure. At the same time, we witness cyber attacks around the globe.
A property is where we live, spend our leisure time and work. Payment and search engine transactions run via properties. Our personal data under EU GDPR is stored on servers located in properties. Hospitals, schools and other important public and private services are run in or between properties. Even AI might live in a property. A factory or a power plant is indeed located in a real property. And a single building can contain a huge number of systems and solutions that may go unnoticed, yet the impact of this operational technology (OT) can be seen even from space. So, it’s time for an open discussion on the topic. Let’s incorporate cyber security into the built environment.
Digitalization of operational technology has evolved in the shadows and in strong-built silos. APIs are still something new (the level of maturity is usually “fake it till you make it”), as is identity and access management (IAM). You can find unused potential everywhere and link some of the discussions to fifteen years back, when ITIL was in its infancy. Many of the topics point to a lack of ability to manage and lead huge responsibilities that rest on too few specialists. There is an unfilled spot for OT-specialized leadership. There is a lot to learn and develop, and still a lot of hidden knowledge to spread. Unfortunately, it took a war to make cyber security a matter of daily life, as with any crisis-driven, inevitable innovation or change.
So, let's tear down the structures of strong-built silos and open the discussion to new perspectives. The discussion has already started and there is an urgent need for knowledge. The Cyber Weather reports by the Finnish National Cyber Security Centre don’t tell it all, but they should show the guidelines for our thoughts and missions. The next step is to roll up our sleeves, dive deep and start the hard work. We all have our role in ensuring a cyber secure society, because cyber security is or should be a natural part of the processes - not only part of the paper-flavored reporting responsibilities of a company’s risk management function.
Material related to the topic:
Groothuis, B., Maydell, E., Kaili, E., Andersen, R., Mariani, T., Tošenovský, E. & Matias, M. 2021. The NIS2 Directive: A high common level of cybersecurity in the EU. European Parliament. 16.12.2021. Linked 7.4.2022. PDF document.
European Commission. 2020. Proposal for a directive of the European Parliament and of the council on the resilience of critical entities. 16.12.2020. European Commission. Linked 7.4.2022. PDF document. https://ec.europa.eu/home-affairs/system/files/2020-12/15122020_proposal_directive_resilience_critical_entities_com-2020-829_en.pdf
European Commission Migration and Home Affairs. 2020. The Commission proposes a new directive to enhance the resilience of critical entities providing essential services in the EU. 16.12.2020. European Commission Migration and Home Affairs. Linked 7.4.2022. HTML document.
European Parliament. 2021. The NIS2 Directive: A high common level of cybersecurity in the EU. Think Tank European Parliament. 1.12.2021. Linked 7.4.2022. HTML document. https://www.europarl.europa.eu/thinktank/en/document/EPRS_BRI(2021)689333
Nyqvist, A. 2022. Huoltovarmuuden ja digitaalisen turvallisuuden vahvistaminen KIRA-alalla. 18.3.2022. KIINKO. Linked 7.4.2022. Video / webinar recording. https://studioannak.fi/kyberturvallisuus-kiinteistoalalla-tallenteet-katsottavissa/
TRAFICOM. 2022. Cyber Weather. 24.3.2022. Kyberturvallisuuskeskus. Linked 7.4.2022. HTML document.