– Incomplete understanding of assessment – E24

Authorities have yet to make plans to bring Europe’s largest hydropower producer under the relatively new safety law.

• copy Link
• copy Link
• Share on Facebook
• Share on Facebook
• Share via Email
• Share via Email

Hydropower accounts for about 95% of electricity Energy production in Norway. At the same time, Statkraft is Europe’s largest producer of renewable energy such as hydropower, solar and wind power.

– When Statkraft was assessed by the authorities as not being significant enough to be subject to the Security Act, I did not fully understand this assessment.

That’s according to Cathrine Lagerberg, a threat analyst and founder of security firm Crown Defense.

– From a threat and preparedness perspective, I only know that Statkraft plays an important and critical role in maintaining energy supplies to Norwegian and European homes and businesses, she said.

– Because when Statkraft stops working, most of Norway stops working.

But Jo Henrik Jarstø, an adviser to the Energy Ministry, wrote in an email to E24 that there is no concrete work yet to get more companies involved in the safety bill.

He added that work on the Security Act is ongoing and the ministry regularly evaluates and analyses the work.

The Act has been open since 2019 Consider enterprises, objects and infrastructure with essential state functions as worthy of protection.

Each ministry must designate and outline these operations within its area of ​​responsibility.

‘Weakening national security’

In February 2023, the National Audit Office criticized the coordination and promotion responsibilities of the Ministry of Justice and Emergency Preparedness.

It took time, “but the Ministry of Petroleum and Energy has finally started to assess which companies in the industry should be subject to the security law,” it said in a statement. The reportand directly further:

“The Ministry of Justice and Emergency Preparedness believes that slow work could undermine national security because the values ​​that need to be protected have not yet been identified and adequately protected.”

National Audit Office Respected Among other things, the Ministry has made greater contributions to ensure that all ministries make adequate progress in their work under the new security law.

The Ministry of Justice wrote in an email that it had held several ministerial meetings on the implementation of the security law. In addition, the National Security Agency has implemented its own guidelines for ministries.

– It’s also important to clarify that it’s not necessarily a mistake or a flaw for companies to be exempt from the SECURE Act, press officer Camilla Fosse writes in JD.

– It does not automatically mean that it is not important or that objects and infrastructure are not adequately protected, as there may also be security requirements in individual sectoral regulations.

– Planning is more important

Catherine Lagerberg of the Royal Defence Service took into account that the authorities have a good database.

– But given today’s threat landscape and relatively clear threat trends from other partner countries, I think it’s interesting to ask the following question: why do Norwegian authorities consider Statkraft not important enough.

She pointed out that some U.S. intelligence agencies, Cybersecurity Company Microsoft warns of various types of cyber operations targeting the renewable energy industry and critical infrastructure such as wind, solar, nuclear, hydro and biofuels.

– Lagerberg said that whether we are talking about targeted Russian cyber operations or more long-term and pre-targeted Chinese destructive viruses, I think it is more important to plan ahead than what has already happened.

‘And then Norway stopped working’

Kjetil Lund, Director General, Norwegian Water and Energy Directorate (NVE) E24 in early June Norway’s electricity system deserves better protection.

“If the electricity system stops working, Norway stops working,” Lund said.

NVE is responsible for leading the nation’s electricity supply preparedness and overseeing the operations of the electricity industry and compliance with the Safety Act.

In June, the Agency hosted a seminar on the electricity industry and safety law. Participants included Glitre Energi Nett, Elvia and Statkraft.

– We participated in a seminar on this issue organized by NVE. As an industry player, we want to participate constructively in the discussion on this issue, says Tore Morten Wetterhus, Managing Director of Glitre Nett.

They own the grids in Agder, Buskerud and Hadeland.

– This is a timely discussion as security threats have intensified. “There are advantages and disadvantages to complying with the Security Act and we see NVE’s invitation to discuss this as an advantage,” he said.

Statkraft spokesman Lars Magnus Günther pointed out that no Norwegian power producers are currently subject to the Safety Act.

– Safety is ensured through the Energy Act, the Backup Power Supply Ordinance, the Dam Safety Ordinance, etc., and is followed up by NVE. Günther said that we are in constant contact with NVE and the Ministry of Energy on safety and preparedness issues.

– Therefore, this must be considered with the above authorities.

normal

KraftCERT, the power industry’s own security company, wrote in June Threat Assessment Businesses in this sector could be vulnerable to attacks with operationally disruptive effects.

At the same time, KraftCERT wrote that Chinese-backed actors likely have significant capabilities and willingness to “avoid detection” in their cyber operations.

– They mention “Volt Typhoon,” which threat analyst Cathrine Lagerberg noted should be able to pre-position harmful viruses that can lie dormant for years without being detected and then be activated to perform various destructive operations on critical infrastructure.

She argues that we are now facing a new normal, which will be characterized by varying degrees of dissatisfaction and threats from different risk states for a long time to come.

– Although there have been no reports of corresponding Chinese state-sponsored cyberattacks that U.S. authorities have warned about, this threat to critical infrastructure has such serious consequences that I believe the threat trend should be given greater weight in threat assessments.

– As a threat analyst, I share Kjetil Lund’s belief that Statkraft has too much public information. Lagerberg said that if Statkraft had been subject to the Security Act, this vulnerability, among many others, would have likely been assessed and eliminated.

The Energy Department’s Justo stressed that work related to the SECURE Act is ongoing and not something that just started recently. He wrote that it has been happening since the law took effect.

– What evaluations, if any, have been conducted on Statkraft?

– Evaluation and analysis information related to the Security Act is exempt from public disclosure and in many cases is confidential. In addition, the power supply is well protected through strict and comprehensive industry regulations.

besides KBO, the independent emergency organization of the power industry.