The rapid digitalisation of recent years has opened new doors for cyber criminals. Borås Elnät works actively to find them.
"We now have a process for managing different types of crisis situations," says CEO Lars Hedendahl.
Cyber attacks are increasing. Hacker groups have become more targeted and sophisticated. Being aware of what the threats are and what can be done to protect important information is a national concern. This has been established by the Swedish Civil Contingencies Agency (MSB).
It is particularly important that socially critical operations, such as electricity supply, have effective protection against data breaches, as they must be able to maintain their services even in the event of attempted intrusions and attacks. Borås Elnät has recognised this.
Almost two years ago, the company, which manages, operates and develops the electricity and fibre network in the city of Borås, began mapping its processes to identify vulnerabilities. In September 2023, they became the first in the industry to have their information security management system certified according to the ISO 27001 standard. The certification shows that Borås Elnät works to manage information securely, protect customer data and minimise the risks of integrity and security threats.
"Since there have been incidents at other municipal companies, the City of Borås has decided that we should have a systematic approach to information security. In addition, our fibre network operations will soon be affected by a new EU directive linked to this issue, and our electricity network already has the requirement," says Lars Hedendahl, CEO of Borås Elnät, and continues:
"There is also a competitive perspective. If we can be early and work with information security in a good way, we should be more attractive to our customers and thus also more competitive."
Borås Elnät was certified by RISE, which a month earlier became the first in Sweden to receive accreditation for the certification of management systems in socially critical operations in electricity, gas and water supply.
But what does it mean to be certified according to ISO 27001? Camilla Rosswill, audit manager for management systems at RISE, explains that certification to this standard is proof that an organisation has a systematic approach and procedures for maintaining information security.
"The advantage of introducing a systematic management system and taking guidance from the standard is that it raises the organisation's awareness. The standard requires organisations to identify, assess and treat risks," says Camilla Rosswill.
"We cannot say that we are completely protected because we work according to ISO 27001. It's more about the fact that we have a process for handling different types of crisis situations, such as an intrusion, and in that situation we try to minimise the damage and make the best of the situation."
Part of the work to strengthen information security is to build solutions, physical and digital, that protect the information. For example, this can involve creating backup files that reduce the vulnerability to attacks where hackers lock data and demand a ransom, known as ransomware attacks. Another example is a strong password policy. However, perhaps the most important part of the work is getting people on board.
"We who work here should know what to do when something happens. It's not just a few people who have been involved, but everyone to a greater or lesser extent. Of course, the easiest thing to do would be to have an information security officer who managed everything, but then you don't build resilience over time. If that person leaves, the systematisation and our protection disappear," explains Lars Hedendahl.
The management system for information security helps Borås Elnät to maintain a stable delivery in all situations.
"Our fibre operations form the basis for a large part of communication in Borås, and no one can do without electricity today. Perhaps communication and electricity are the most critical aspects of society? Disruptions can have serious consequences. That is why it is so important that we maintain operations," says Lars Hedendahl.
The certification was a milestone for Borås Elnät – but the work has really only just begun.
"A major advantage of being certified is the systematic review. We come and carry out an audit every year to check that the management system continues to fulfil the requirements, and the business itself must carry out internal audits. You can't sit back," says Camilla Rosswill.
"The world is changing. Tomorrow, new threats may have emerged. Therefore, we need to evaluate our methods and see if there is something better. This is a long-term endeavour," says Lars Hedendahl.
The standard: ISO 27001 is a standard for managing information security through a documented and well-functioning management system with a focus on continuous improvement.
Certification: Organisations can undergo a certification process to prove their compliance with ISO 27001. An independent certification body conducts an audit to determine whether the organisation's information security management system meets the requirements of the standard.