Materials for securing critical infrastructure

This page contains a set of public tools, documents and checklists created in various projects for use in the energy industry and other critical infrastructure sectors to improve information security and data protection.

Automaatio

Projects

The KYBER‐ENE project, developing cyber security in the energy sector, was implemented in cooperation with various central operators in the field (External link), the National Cyber Security Centre Finland of the Finnish Transport and Communications Agency Traficom, the National Emergency Supply Agency (External link) and VTT Technical Research Centre of Finland (External link). The objective was to create concrete business-oriented solutions for the needs of businesses in the energy sector. The KYBER‐ENE project was part of the National Emergency Supply Agency programme Kyber2020, which aimed at developing cyber security. It was also part of cooperation between economic life, administration and research in the field of cyber security in critical infrastructure. The commitment of companies in the energy sector was key to the success of the KYBER‐ENE project. The active guidance and peer support from businesses in particular facilitated the creation of practical solutions to help companies.

Other projects funded by the National Emergency Supply Agency, Tekes and/or Business Finland (such as KYBER-VESI (External link)KYBER-TEO (External link), COREQ-VE, COREQ-ACT and TITAN) have also improved the information security of companies critical for emergency supply that use automation systems. The COREQ-VE project, for example, funded by the National Emergency Supply Agency, developed a list of information security and data protection requirements for sourcing automation systems. The use of the list requires some effort by the sourcing organisation and the list is not intended to be automatically attached to each call for tenders as is.

The ‘Kybermittari’ project developed by the National Cyber Security Centre Finland worked on a tool to help business management and organisations take better control of cyber risks and secure the continuation of their operations. Kybermittari tools and instructions can be found on the National Cyber Security Centre Finland website.

The ‘Automaation tietoturva - Verkottumisen riskit ja niiden hallinta’ (External link) (Information security in automation – networking risks and their management) publication by the Finnish Society of Automation contains instructions for all sectors using automation systems. A sequel to the publication (External link) will be published in 2021.

Other material shared on this page may be utilised for improving the information security and data protection of organisations, procurement planning and the assessment and selection of cooperation partners.

Good practices, but no official guidelines

The lists of information security and data protection requirements shared on this page reflect the views on good practices of cyber and information security experts protecting critical infrastructure, but they are not official guidelines or recommendations. The KYBER-ENE project, for example, worked hard to provide examples of how the official requirements concerning information security and data protection objectives for data systems and devices especially in the energy sector could be met.

Versions and editions

National Cyber Security Centre Finland maintains a list of publicly available documents on this website.

If you operate as part of critical infrastructure in the energy sector and want to learn more about the KYBER-ENE documents that are not publicly available, you may request the documents from National Cyber Security Centre Finland or the National Emergency Supply Agency. Similarly, the guides and tools (External link) implemented in the KYBER-VESI (External link) project are available to the members of the Finnish Water Utilities Association (FIWA) in the association’s extranet  (External link)and through the National Emergency Supply Agency.

The IoT procurement instructions produced in the KYBER-ENE2 project and the COREQ-VE documents, for example, are especially useful for reviewing and selecting requirements with experts. Terms and conditions permitting, the various instructions may also be refined to suit your organisation or sector. The results of the COREQ-VE industrial automation information security project by the National Emergency Supply Agency, for example, were utilised in the Cyber Health project in the social welfare and healthcare sector.

It may be sensible to send the requirements taken from the English version to the seller of the product you are about to purchase, because many products are sold by international companies who find processing calls for tender in Finnish challenging and susceptible to mistakes. This page contains the IoT purchasing checklists generated in the KYBER-ENE2 project in Finnish and English.

Use freely – under a few conditions

Please verify document licences and terms of use directly from the publisher if you have any questions!

The public documents generated by the KYBER-ENE project are intended to be freely shared and adapted. They can also be utilised by commercial operators and authorities. The following terms apply:

Kybermittari is intended to be used freely by companies, associations and public operators. It can also be utilised by commercial operators or authorities. The following terms apply:

The online version of Teollisuusautomaation tietoturva - verkottumisen riskit ja niiden hallinta (External link) (Industrial automation information security – Networking risks and their management) by the Finnish Society of Automation from 2010 contains the following condition:

  • © Suomen Automaatioseura ry. Use and copying of the online edition of the publication is allowed.

COMMENTS, PROPOSITIONS AND REQUESTS CONCERNING THE DOCUMENTS

Contact us: kyberturvallisuuskeskus@traficom.fi

TLP:WHITE INSTRUCTIONS, LISTS OF REQUIREMENTS AND OTHER MATERIAL