16/07/2025

Reading time: 4min

KK

Konsta Karttunen

ICT design protects factories from cyber threats

ICT

Cybersecurity affects almost all industrial plants, as the processes require the reliable operation of control and safety automation systems. ICT design is increasingly needed in industry.

State actors and cyberattacks

The OT systems of industrial plants are thought to be more secure than IT systems from potential threats, such as malware or malicious actors. This is partly true: not many people have the necessary expertise to disrupt industrial intelligent control systems (ICS). In most cases, the malicious actor is unable to perceive the system to which they have gained access.

However, the risks have increased. Although many system intruders are confused in an OT environment, the harassment may be caused by a state actor for whom costs or expertise are not a problem. In addition, the mere act of “breaking places” can have serious consequences for industrial activities. The operating environment is completely different from five years ago.

The change is largely due to Russia’s invasion of Ukraine, but technology is also developing. OT systems increasingly use the same components as the IT systems of office machines. In addition, few processes can be controlled without data from production: industrial automation and ICT systems are increasingly intertwined. Cybersecurity has become an issue that should be taken into account in process risk assessments.

There are differences in cybersecurity between IT and OT systems

The handling of cyber risks threatening IT and OT systems is different. To put it bluntly, while an IT department can grab a laptop with a virus under its arm and “clean” it, cleaning OT systems is not as straightforward. Industrial ICT systems are tied to the factory’s operations. If the process does not run, production will stop or the product will come out in the wrong condition.

Different situations pose different risks to industrial processes. The handling of many OT problems can be postponed to a maintenance break in a year’s time with relative safety, if the deviation management processes are in order. ICT and cyber threats must be able to be dealt with according to their severity. This is not possible if the risks are not known.

The scale of the risks increases if the cyber threat affects the factory’s security automation. This requires interaction between the IT department and the plant’s process security, and we consultants also combine functional and cyber security expertise.

The NIS2 directive highlights the change in the security situation

The change in the security environment is reflected in legislation. The war in Europe has made states pay attention to the protection of critical infrastructure. The NIS2 Directive also requires industry to protect its operations from cyber threats, and cybersecurity risk assessments are required as part of the chemical permitting and risk assessments of boiler plants.

Industry needs more and more ICT planning and information security risk management. The worst of the consequences are not the extra costs or the slowing down of processes. Unauthorized activity in an OT environment may pose a risk of explosion and endanger human life.

The risks may also be reflected in the industrial plant’s business operations and customer relationships. For example, the partners of an actor such as NATO are expected to have identified and assessed cybersecurity risks.

Cyber threats can be mitigated without expensive hardware purchases

Cyber threats can be mitigated without significant investments in equipment. At first, it is enough that it is not the easiest target. Cybersecurity can be tackled at the administrative level. Once the risks have been mapped, it is easier to target control measures. Cybersecurity can be increased gradually.

  1. Find out the cybersecurity requirements of the authorities in your industry. For example, the NIS2 Directive requires operators covered by the legislation to register.
  2. Assess the current situation with a gap analysis, for example. It helps to identify what kind of skills and measures are needed.
  3. Invest in dialogue. Effective protection requires the coordination of IT and OT systems and an understanding of the entire operating environment.

At Sweco, we combine cybersecurity expertise with solid industrial process design expertise.

Follow our blogs during the autumn to get to grips with the different perspectives of cybersecurity! There will be issues such as functional security, physical security, and the design of a physical telecommunications network.

Konsta Karttunen, Cyber Security Architect, konsta.karttunen@sweco.fi

Contact Us!

  • This field is for validation purposes and should be left unchanged.