Over the past decade, the risk of cyber-attacks has moved high on the agenda in most enterprises and organisations. Traditional risks from changing markets, shifting demographics, and new legislation generally happen slowly, so responsible management has the time and opportunity to react and manage the risk. However, cyber-attacks may happen overnight and target systems in unpredictable ways, potentially threatening the organisation’s very existence.

By Christian Damsgaard Jensen, Applied Mathematics & Computer Science, DTU (Technical University of Denmark)

Organized cyber-criminals have previously focused on private companies, such as the attack on Sony Pictures in 2014 or the NotPetya attack on Maersk in 2017. Still, they are now increasingly targeting public institutions and organisations, such as the ransomware in Baltimore in 2019 or the Conti group’s attack on HSE (Irish Health Services) in 2021. Since the outbreak of war in Ukraine, we have started to see attacks on critical infrastructure, such as the 2016 Christmas Ukraine power outage (the war in Ukraine began with the annexation of Crimea in 2014) and the Colonial Pipeline attack in 2021; critical infrastructure has previously been considered off-limits for cyber-criminals. District heating (DH) serves both private and public customers, ranging from individual homes and large housing estates to private companies and production facilities, and public buildings such as hospitals and prisons. DH must, therefore, be considered critical infrastructure, where the board, directors, and all the employees share a common responsibility to ensure continuity of service to all their customers. From a cybersecurity perspective, this means that DH will be subject to existing and emerging legislation that governs the online world: EU regulation, such as the Cybersecurity Act, NIS 2, the Cyber Resilience Act, and, of course, GDPR, but also national regulation from the country where the district heating utility operates.


As indicated above, we have recently come to realize that critical infrastructure is not simply a label to put on systems: the infrastructure really is critical to both individuals and society. If a DH company fails because of a ransomware attack, thousands of individual households may be without heat in the middle of the winter, and if the company’s customers include a hospital or a prison, people who cannot or should not be moved may be without heat. Moreover, commercial customers, such as factories that require high temperatures for their processes, will be unable to operate, and if district cooling is part of the services provided by the utility, cold storage facilities and data centers may fail to deliver their services, with serious knock-on effects for food security and cloud computing services. There is, therefore, an increasing focus from regulators and the public on the cybersecurity of critical infrastructure. The EU recently adopted the NIS 2 directive, which sets the baseline for cybersecurity risk management measures and reporting obligations across all sectors covered, including most critical infrastructure. NIS 2 is not an EU regulation, unlike GDPR, but it is a directive defining measures that each
