This is why resilience is the new security
The threat landscape has changed how Nordic companies handle security. In this chapter, we take a closer look at some of Norway’s most important companies, asking ourselves what would happen if public broadcaster NRK, the country’s largest bank DNB, or energy company Equinor were attacked today?
The global threat landscape has rarely been more complex. This has led to several changes in how some of Norway’s most important companies handle security and manage security incidents. A big part of this is about being adaptable to keep everything running smoothly, even during a crisis.
”Robustness and redundancy in infrastructure and systems have become necessary to protect against threats. So has the ability to withstand and recover from a serious incident,” says Rolv R. Hauge, Business Continuity Manager at Telenor Norway.
Like many others, Telenor has expanded its measures in recent years to ensure business continuity and the ability to quickly recover after an incident.
Hauge believes this evolution in security thinking has taken most companies on a journey.
”At first, it was all about protection. For a long time, having a firewall was considered sufficient security. Then came the gradual realisation that breaches still occur, and you need the ability to detect and manage incidents.”
”Today, most have shifted their focus to survival and recovery after an incident”.
That’s why resilience has been chosen as the main theme for this year’s edition of Nordic Digital Security.
Robustness and redundancy in infrastructure and systems have become necessary to protect against threats.
Resilience – from A to Z
Resilience is about an organisation’s ability to endure and recover from a major incident, whether it’s a cyber-attack or a natural disaster.
”In most organisations, critical inputs are essential for key processes. If these inputs become unavailable due to an incident, the first step is incident management, followed by recovery efforts. At the same time, we need to think about business continuity during the phase when critical inputs are missing”, explains Hauge.
These business continuity measures can take many forms, from backup solutions that provide almost fully functional processes and production to emergency solutions that ensure only the absolute minimum operations. Measures to maintain business continuity and enhance recovery capability often need balancing, referred to collectively as Business Continuity and Disaster Recovery (BC/DR).
Serious incidents often create a crisis for the organisation, requiring a specific form of leadership that ensures proper prioritisation and clear communication throughout the process. To strengthen the ability to recover, implement continuity measures, and manage crises, good planning, training, and testing against various scenarios are necessary.
This approach has also been central to the efforts of NRK, DNB, and Equinor in recent years. Like Telenor, these organisations cannot simply pause operations. If their systems go down, critical societal functions must still operate.
This is resilience
|
NRK: “Must be able to communicate, no matter what”
As media organisations are continually targeted by complex DDoS attacks from hostile actors, having concrete contingency plans and backup solutions has become critical. At Norwegian public broadcaster, NRK, plans are in place in case a crisis occurs at their HQ.
”The biggest difference between traditional security thinking and working with resilience is the level of complexity. Today, most organisations rely on many systems, and it’s not always easy to decide what to prioritise in a crisis,” says Øyvind Vasaasen, Head of Security at NRK.
NRK has always needed a backup solution in case TV or radio broadcasts suddenly go dark. Today, NRK’s role in ensuring crisis information for the public is also governed by the country’s Security Act.
”NRK must be able to convey messages from the authorities to the public, whether we’re at war or facing a cyber-attack. Continuity and resilience are things we work on constantly,” says Vasaasen.
Ten years ago, NRK established a continuity plan, including measures to keep publishing if the systems at their Oslo headquarters are hit. In recent years, the plan has been further strengthened to adapt to today’s threat landscape and NRK’s production structure.
Even though technology has changed a lot, just having a PC isn’t enough to broadcast news to all of Norway. That’s why NRK must practise using alternative solutions.
”We regularly broadcast from our backup location because we need a ’warm’ solution. If the main location goes dark, the alternative site can continue news updates and broadcasts until the NRK system is back up and running,” Vasaasen explains.
NRK’s own threat assessment identifies several current threats, such as influence and disinformation, activism, uptime and publishing capability, weakened trust in content, misuse of the brand, data leaks, and information theft.
”Overall, the security situation for media houses is more challenging now than before. We face more DDoS attacks from actors trying to take us down, while fake news tests our editorial teams on a daily basis.”
NRK has an emergency plan to handle crises and a security management system inspired by ISO 27001.
”We have management documents at the organisational level, broken down into guidelines and procedures. When we work on security principles, our overarching document sets the framework for security work at NRK,” says Vasaasen. He adds, ”Different threats are often connected. Digital security also involves physical security, so procedures for who you let into the building are part of our digital resilience.”
Resilience is an ongoing focus for NRK, including better operational IT security and detecting potential digital attacks. In recent years, they’ve significantly strengthened their IT security environment.
”NRK’s emergency plan is based on the national crisis incident management (CIM) system. This system is separate from NRK and will function even if everything at NRK goes down. NRK has plans for various situations, down to detailed action cards,” Vasaasen explains.
Vasaasen believes the most crucial step they’ve taken to enhance preparedness is having concrete plans and using them regularly.
”Many often think they don’t need to use the crisis plan because they can handle the situation without it. However, it’s often shown that things could have been managed better with more systematic decision-making and actions. It’s a much more efficient way to work,” he emphasises.
Overall, the security situation for media houses is more challenging now than before.
DNB: “Redundancy at every level”
Despite a grim digital threat landscape characterised by ransomware and an aggressive Russia, the financial industry cannot revert to analog solutions. At DNB, a robust defense-in-depth strategy has led to a decrease in serious cyber-security incidents.
Norway’s largest bank, DNB, has also placed great emphasis on continuity planning and robustness in recent years. For them, digital solutions are non-negotiable.
”It’s no longer just about getting the IT system back up and running, but about how we can operate under such conditions,” says Anders Hardangen, Chief Security Officer at DNB.
In 2023, DNB handled 20,208 cyber-security incidents and managed eleven incidents with ”high potential for negative impact on DNB.” Both figures are lower than the previous year, primarily due to efforts to make the bank’s IT systems more resilient, according to Hardangen.
”Thanks to a robust defence-in-depth approach, we can stop more attacks at an earlier stage and mitigate their consequences. When we develop new products and services today, we think about redundancy throughout the entire process. The same goes for how we interact with customers.”
In the financial industry, uptime and the ability to deliver digital services have been crucial for decades. However, recent developments in the risk landscape have led to changes at DNB as well.
”The many ransomware attacks have shown that anyone can be hit, and the business and customer consequences can be enormous. Russia’s aggression is another factor that has underscored the importance of having good continuity plans and alternative solutions,” says Hardangen.
”There are many important things in daily operations, so in a crisis, you have to prioritise. For the capabilities we prioritise, we need to be resilient and have good alternatives that work even under suboptimal conditions.”
In recent years, DNB has renewed its entire business continuity framework, adopting an international standard that defines the most critical services and functions within the organisation.
”This involves setting up a structured process with impact analysis, risk assessments, establishing continuity plans, and testing them. This is challenging in a large digital ecosystem, and much of it is about prioritising the most important things first and ensuring they are adequately covered.”
For a financial institution like DNB, digital solutions are essential. Thus, DNB focuses on finding digital solutions that meet their security needs.
”We can’t go back 50 years to cash and bank branches on every corner. The global financial market moves too fast for that today. Even in extreme situations like in Ukraine, maintaining digital financial services became the only solution because it was too dangerous to transport cash.”
”As a society, we are completely dependent on information and on having power and telecom infrastructure as the foundation. As a financial institution, we depend on digital services functioning – even in an emergency situation,” says Hardangen.
For a financial institution like DNB, digital solutions are essential. Thus, DNB focuses on finding digital solutions that meet their security needs.
Equinor: “It’s not enough to just endure the crisis”
Changes in the geopolitical landscape and an increased focus on the renewable market are among the reasons Equinor is now making changes to its emergency preparedness organisation. The company is now taking a more holistic view of security challenges.
Another company that must deliver during emergencies is Equinor. Norway’s largest energy company has faced some of the most severe security incidents in Norwegian business, such as the hostage crisis at In Amenas in Algeria in 2013.
With a broad international presence and operations that sometimes carry high potential risks, preparedness and crisis management are integral to most of the company’s activities. Changes in the geopolitical landscape, the adoption of the Security Act in Norway, and the company’s shift towards the renewable market have also driven changes in their security and preparedness efforts.
”To adapt, we have made several adjustments to our emergency organisation. We have also developed and practised new scenarios that reflect the current geopolitical situation,” says Asbjørn Ringstad, Director of Emergency Preparedness at Equinor. Equinor’s role as a supplier of energy to Europe brings responsibilities beyond Norway’s borders.
”A lot of it is about being able to endure crises longer than we are used to. Additionally, we conduct exercises and coordinate across the private and public sectors,” Ringstad explains.
Equinor takes a holistic approach to security and emergency preparedness.
”Simply put, it’s the recognition that everything is interconnected. To handle and learn from incidents effectively, we must understand why and how they occur. This requires close collaboration and open communication between different specialist areas,” says Ringstad.
That is why Equinor has structured itself so that leaders with different responsibilities — cyber-security, physical security, personnel security, emergency preparedness, and business continuity — are part of the same leadership team, ensuring comprehensive risk understanding.
”Today, many external threats affect our operations. These are often closely tied to the geopolitical situation, over which we have little control but must still prepare for the consequences,” Ringstad states.
Building robustness and resilience has been central in recent years, especially concerning the cyber threat landscape.
”This approach is now integrated into our overall preparedness work. Our complex operations make it challenging to quickly find alternative solutions to maintain operations unless we are trained and prepared.”
”For us, it is crucial to do this work in advance, to practise, and to be conscious of priorities in collaboration with our partners. This creates the robustness we seek and makes the unpredictable more predictable in a crisis situation,” says Ringstad.
Ultimately, having a strong organisational culture is most important, according to Ringstad.
”We have a strong culture when it comes to exercises and training. This commitment is found at all leadership levels. Our CEO practises his role in the emergency organisation four times a year. This culture is, and always will be, the cornerstone of everything we do,” concludes Ringstad.
Building robustness and resilience has been central in recent years, especially concerning the cyber threat landscape.