Think of oil rigs and gas pipelines, and you imagine big machines and constructions made of steel and concrete. The truth is that much of it is now controlled by sensors, robots and complex digital systems.

Last year it happened in the United States. The attack at Colonial Pipeline on May 7, 2021 cut off gas supplies to much of the United States East Coast. Having access to only one password, the hackers were able to block important documents, bankrupt the company and thus force a stoppage of the gas line. The attack came from DarkSide, a criminal group based in Russia. This time the motive was financial gain and they managed to get a ransom of five million dollars. At other times, states with geopolitical interests may be behind.

A few years ago, it was mainly individuals who were attacked, now it is more and more organizations, but also critical infrastructures such as gas pipelines, wind turbines or railways that are affected.

The digital battlefield has become central to modern warfare. Several major attacks by Russian hackers have hit banks and government institutions in Ukraine. A massive cyberattack on January 13 took down a number of websites and left messages warning Ukrainians to “be afraid and expect the worst”. Several similar attacks also followed in February and March.

Click here to subscribe to the Norsk debate newsletter

Norway more exposed

The war in Ukraine makes Norway’s position as Europe’s oil and gas supplier even more vulnerable. Norwegian oil and gas have acquired a completely different strategic importance for Norway and our allies in Europe. With the massive development of renewable energies, Norwegian gas is essential to push back Europe’s dependence on Russian gas. Russia, for its part, has every interest in maintaining its place in the European energy mix, to the detriment of renewables and to the detriment of Norwegian gas.

After Norway’s support and contribution of weapons to the war in Ukraine, we are on the list of “enemy countries” of Russia. On March 7, Russian authorities released a list of states that “carry out hostile actions against Russia, Russian businesses and Russian citizens.” The list is long and includes all EU countries, in addition to countries like the United States, Canada and Australia.

Overall, this makes a cyber attack on Norwegian targets more likely.

Here you can read more comments from Hilde Nagell

An official responsibility

When attacks become part of war or strike critical infrastructure, authorities have a special responsibility. The attack on the Colonial Pipeline also had political consequences. After the incident, President Biden announced a number of measures strengthen preparedness and increase authorities’ efforts to prevent cyberattacks.

It is doubtful that these measures alone can prevent new attacks like the one against the Colonial Pipeline, but they nevertheless represent a change of direction: Biden has made cyber defense an important issue for his administration.

The EU has also strengthened its cyber defence. In December, they launched an update of the digital defense strategy. In the European Commission’s proposal, for example, energy companies risk fines if they do not have sufficiently good security checks, lack guidelines or have no routines for verifying the security of their suppliers.

In addition, the EU is currently strengthening its preparedness in light of the war in Ukraine. Attacks on European targets have become more likely. Additional efforts are therefore being made to increase the security of “critical” companies, in particular energy and telecommunications infrastructure providers. Cooperation and exchange of intelligence information is an important part of this, and it is also on the table a proposal on the creation of a separate emergency fund for digital attacks.

Norway needs to increase its cyber readiness

The Norwegian Armed Forces and the National Security Agency (MSN) are already doing a lot to ensure digital readiness, but it is questionable whether efforts now need to be stepped up. Here are some measures that may be relevant:

• Modernize and strengthen security standards in the public sector, including the use of cloud services, two-factor identification and encryption.
• Better sharing of information between private sector companies and between the private sector and the authorities
• Using buying power to impose stricter security requirements on software vendors in the public sector
• Best Practices for Event Logging
• Strengthen the knowledge of the population on digital preparation

Read more about the Norwegian debate here

This week there is a budget conference at the Hotel Klekken. The government will decide on short-term and long-term crisis budgeting, including allocations for defense and security. Cybersecurity should take center stage in this discussion.