Nätkraft Borås tackles cyber threats: ”It is important that we maintain operations”

Cyber attacks are increasing. Hacker groups have become more targeted and sophisticated. Being aware of what the threats are and what can be done to protect important information is a national concern. This has been established by the Swedish Civil Contingencies Agency (MSB).  

Critical organisations must have effective protection against data breaches 

It is particularly important that socially critical operations, such as electricity supply, have effective protection against data breaches, as they must be able to maintain their services even in the event of attempted intrusions and attacks. Nätkraft Borås has recognised this.  

Almost two years ago, the company, which manages, operates and develops the electricity and fibre network in the city of Borås, began mapping its processes to identify vulnerabilities. In September 2023, they became the first in the industry to have their information security management system certified according to the ISO 27001 standard. The certification shows that Nätkraft Borås works to manage information securely, protect customer data and minimise the risks of integrity and security threats.  

Since there have been incidents at other municipal companies, the City of Borås has decided that we should have a systematic approach to information security. In addition, our fibre network operations will soon be affected by a new EU directive linked to this issue, and our electricity network already has the requirement," says Lars Hedendahl, CEO of Nätkraft Borås, and continues:  

"There is also a competitive perspective. If we can be early and work with information security in a good way, we should be more attractive to our customers and thus also more competitive.  

Nätkraft Borås was certified by RISE, which a month earlier became the first in Sweden to receive accreditation for the certification of management systems in socially critical operations in electricity, gas and water supply.

Certification is proof of systematic working methods 

But what does it mean to be certified according to ISO 27001? Camilla Rosswill, audit manager for management systems at RISE, explains that certification to this standard is proof that an organisation has a systematic approach and procedures for maintaining information security.  

"The advantage of introducing a systematic management system and taking guidance from the standard is that it raises the organisation's awareness. The standard requires organisations to identify, assess and treat risks," says Camilla Rosswill.  

Lars Hedendahl:

"We cannot say that we are completely protected because we work according to ISO 27001. It's more about the fact that we have a process for handling different types of crisis situations, such as an intrusion, and in that situation we try to minimise the damage and make the best of the situation. "

The most important part is getting people on board

Part of the work to strengthen information security is to build solutions, physical and digital, that protect the information. For example, this can involve creating backup files that reduce the vulnerability to attacks where hackers lock data and demand a ransom, known as ransomware attacks. Another example is a strong password policy. However, perhaps the most important part of the work is getting people on board.  

"We who work here should know what to do when something happens. It's not just a few people who have been involved, but everyone to a greater or lesser extent. Of course, the easiest thing to do would be to have an information security officer who managed everything, but then you don't build resilience over time. If that person leaves, the systematisation and our protection disappears," explains Lars Hedendahl.  

The management system for information security helps Nätkraft Borås to maintain a stable delivery in all situations.

"Our fibre operations form the basis for a large part of communication in Borås, and no one can do without electricity today. Perhaps communication and electricity are the most critical aspects of society? Disruptions can have serious consequences. That is why it is so important that we maintain operations," says Lars Hedendahl.

Certification is audited and leads to continuous development 

The certification was a milestone for Nätkraft Borås – but the work has really only just begun.  

"A major advantage of being certified is the systematic review. We come and carry out an audit every year to check that the management system continues to fulfil the requirements, and the business itself must carry out internal audits. You can't sit back," says Camilla Rosswill.

"The world is changing. Tomorrow, new threats may have emerged. Therefore, we need to evaluate our methods and see if there is something better. This is a long-term endeavour," says Lars Hedendahl.