The digitalization of industry brings new kinds of cyber threats. At the same time, there is an alarming shortage of industrial cybersecurity experts. Cybersecurity expert Musa Jallow explains a problem that has been exacerbated by the changing security situation in Europe.
The increasing autonomy of industrial systems brings with it significant cybersecurity challenges. As systems operate more autonomously and the need for manual labor decreases, they are also exposed to new threats.
Musa Jallow, a cybersecurity expert working with Finland’s leading industrial operators at technology house Huld, sees the seriousness of the situation.
“Finland’s GDP and exports rely heavily on industry. If an attack cripples the factory and production lines grind down, the entire economy will be affected,” Jallow stresses.
As an example, he points to the Agco Group, which also includes the Finnish forest machine company Valtra. In 2022, the group was hit by a massive cyberattack, which reduced the company’s revenue by 13% while factories were at a standstill.
The same risks also apply to critical infrastructures such as energy production.
“If cybersecurity is neglected, hackers could stop our power generation, which would have huge consequences,” Jallow warns.
Enclosed spaces are no longer enough
Industry has long focused on physical security, with enclosed spaces seen as the most important protection. However, focusing solely on physical security blinds us to the new threats that digitalization brings.
According to Jallow, digitalization, increasing hardware complexity, and expanding supply chains create a challenging combination that exposes industry to cyber threats.
“Remote management, maintenance and cloud services have changed the field. For example, previously mechanical, pressure-removing valves have evolved into intelligent systems that automatically collect data, make decisions and adapt based on inputs,” he says.
When hundreds of valves around the world are connected to the cloud to collect data, a huge number of new attack surfaces are created.
“The number of IoT devices has exploded. According to Gartner, 4.9 billion devices were connected to the internet in 2015, and by 2020 the figure had risen to 25 billion. Industrial cybersecurity has not previously had to take such risks into account,” Jallow points out.
The situation is further complicated by long and complex supply chains.
“Even if a system or device is assembled in Finland, its key components, such as chips, often come from China, for example. These parts can take years to go into production,” Jallow describes.
Cybersecurity on the agenda in industry
Industrial safety thinking must evolve to meet the challenges of the digital age. Cybersecurity is a broad field that covers autonomous systems, digitalization, and increasing network connections. It also includes complex regulations such as the NIS2 Directive, the Cyber Resilience Act, and sector-specific regulations, for example for medical devices and the marine sector.
“No device can be made completely attack-proof. The most important thing is to show that the risks have been mapped, measures have been taken, and a continuous plan is in place. This way, the customer knows that you are prepared and have the ability to act if something unexpected happens,” says Jallow.
The lack of cybersecurity expertise is one of the biggest challenges facing industry. There are too few experts, and many companies still have room for improvement in understanding the basics.
“We are constantly in discussions with our customers about what cyber security means in practice in an industrial environment. The topic is new to many and requires a deeper understanding,” Jallow describes.
There is also currently a major shortage of industrial security experts in Finland and globally. There are not enough training programmes available that combine cybersecurity and industrial automation.
“We train information security experts and automation engineers, but not both together. This forces experts to study another area on top of existing expertise,” Jallow points out.
Jallow also emphasizes the importance of generating interest in industry.
“Industrial security has not yet received the attention it deserves, even though it is a critical pillar of the economy and society.”
Society as a whole is responsible
Industrial cybersecurity is much more than a challenge for individual companies – it is a critical part of national security. Jallow emphasizes that responsibility must be taken both by cybersecurity actors and by society.
“Industrial cybersecurity is crucial for Finland’s comprehensive security. If we do not understand the importance of competence in maintaining critical infrastructure, we are jeopardizing national security,” he stresses.
Ensuring security requires expertise and the ability to react quickly to changing requirements. The process begins with the identification of sector-specific requirements, after which the current situation is assessed, and a plan is drawn up to address the shortcomings.
However, for many organizations, this work is new, and the scale of the requirements may come as a surprise.
“Without a clear understanding of how to achieve harmonization, there is a risk of significant sanctions if, for example, the requirements of the NIS2 Directive or the CRA Regulation are not met in time,” Jallow points out.
In addition, schedules can be challenging. For simple products, the process can take up to six months, but for large, complex organizations, the work can take years.
Jallow underlines the importance of planning.
“Proactive work is essential. Being left at the last minute can jeopardize both the company’s operations and reputation.”