Emergency preparedness and cybersecurity
Business strategy, business model and core values
Hafslund operates in an industry that is undergoing a major transition in terms of digital transformation and the development of new and modern technology. The Group’s core business, renewable energy production, must be able to exploit these changes with innovative technology and technological disruption. Hafslund will create added value from data by developing new smart and intelligent models, and models that provide better understanding of risk and market decisions. Hafslund’s data and information shall ensure that Hafslund has more insight and better solutions for more efficient management of production, consumption and storage of energy. Hafslund will exploit changes in the market with new technology and contribute towards creating a balance in the energy system by developing and making available distributed energy solutions that can act faster in existing and new markets.
The digital transformation and the rapid pace of change in the industry also make us an attractive target for criminal actors. Hafslund’s external risk and threat landscape therefore requires active and continuous preventive work with information security and physical security. This work shall provide protection for and reduce the risk of loss of life and health, impact on and loss of external environment, loss and failure of operational continuity, and loss of reputation, market share and financial profits. Hafslund will make continuous improvements in cybersecurity, information security and emergency preparedness which facilitate and ensure that the Group has a high level of innovation and competitiveness, while at the same time, Hafslund secures its production facilities and the power it supplies to society. Measures shall be initiated to reduce the risk of undesirable incidents, sabotage, damage and vandalism to an acceptable level of risk.

Impact, risks and opportunities
The world is currently experiencing a period of uncertainty and unpredictability. International conflicts and security policy situations are intensifying and require higher levels of preparedness and increased vigilance, both physically and digitally. At the same time, the cyber domain has reduced the need for having a physical presence and has facilitated advanced digital information and network operations.
Hafslund is part of an international market and is a market player with significant importance for power production at national level. The Group is reliant on stable and predictable supply and production chains and that these are protected from unwanted physical and digital attacks. The loss or failure of these could result in everything from minor operational disruptions to major impacts on the Group’s supply of power to society and obligations in international markets. Hafslund must protect and secure its production facilities, supply chains, personal data and services and systems against impacts that may cause operational interruptions, undesirable incidents, privacy breaches, and breaches of confidentiality, integrity and availability.
The table below summarises the Group’s significant risks and opportunities:
Risks | Opportunities |
---|---|
Loss of operational continuity, power generation and power supply | Innovation by utilising new and modern technology and new computer models |
Failure and loss of information, data and services due to cyber attacks or undesirable IT incidents | Greater competitiveness through better analytics and more insight into data |
Breach of privacy and personal data security | Digital adaptability to more quickly exploit changes in the power markets |
 | More effective and better work tools for Hafslund’s employees |
Policy/Guidelines
Hafslund is governed by strict laws and regulations that set high standards for the protection of information, services, systems, power stations and production facilities. Digital and physical security are a prerequisite for ensuring that there is trust in Hafslund’s ability to provide society with a continuous power supply and to preserve the trust of owners, partners, customers and employees. Everyone needs to be confident that Hafslund fulfils its statutory and regulatory obligations, and that the Group has established measures to ensure the protection of the confidentiality, integrity and availability of the Group’s information, services, systems and production facilities.
The Group’s executive management team has decided that the control and management of information security, privacy and physical security shall take place via a management system based on the ISO27K standard. This is an internationally recognised standard and a strategic decision for the Group.
The management system defines and describes Hafslund’s policy and security strategy and sets out the framework for how Hafslund shall achieve adopted security goals, comply with Hafslund’s statutory and regulatory obligations, and meet the requirements and expectations of owners, the Board, executive management, and other stakeholders. The management system must also ensure there is a holistic and structured approach to the work with physical security, information security and privacy, with a clear description of requirements and guidelines, methods, processes and measures for preventive protection of the company’s digital and physical assets.
The management system is based on a continuous process of improvement and quantification, and correction and adaptation in accordance with amendments to laws and regulations, the Group’s goals and strategies, and the external risk and threat landscape.
Actions
Hafslund takes physical security, cybersecurity and privacy seriously, and in 2023 implemented several projects, improvement initiatives and activities to address a more intensified threat and risk landscape.
In 2023, Hafslund further developed and continued implementation of the information security management system following previous changes in the Group. Work processes, procedures and technological measures were further developed and implemented in guidelines, processes, routines and technological solutions. This will collectively provide the Group with a well-functioning management tool that ensures an acceptable level of risk for Hafslund’s business activities. Control of implementation and compliance takes place through separate and independent audits and monitoring, security tests, security reviews, emergency preparedness exercises, and measuring of maturity.
Improvement work and activities are defined through a multi-year and quarterly roadmap. The most important and significant activities for 2023 are described below:
Security management
Improvement and further development of the Group’s management system/information security management system, and ensuring that the Group complies with statutory and regulatory amendments relating to information security, privacy and emergency preparedness.
Safety culture
Training, work that shapes attitudes and improving safety culture and understanding of risk in connection with digital and physical risks/threats, with the objective of reducing the risk of social manipulation, undesirable incidents and errors on the part of employees and contractors. The goal is to ensure that Hafslund’s personnel execute and maintain good practices for physical security, information security and privacy at all times.
Staffing and capacity
Further development of organisation and staffing for emergency preparedness and information security in accordance with changes in the Group. Conducting of impact analysis to achieve the Group’s defined ambition level of maturity for information security and privacy. Increased emergency preparedness and security as a result of a more intensified threat and risk landscape.
Technology
Further development of IT services and system portfolio to improve and optimise service delivery within the Group. Continual improvement and modernisation of technological security measures and security solutions in accordance with changes in the risk and threat landscape, and in accordance with recommendations from government authorities.
Privacy
Improvement of privacy and management of personal data to comply with requirements for processing, including safeguarding the rights of data subjects and ensuring lawful processing, as well as protecting personal data. This included the creation of a dedicated position to ensure compliance with the privacy regulations.
Emergency preparedness and emergency response exercises
Holding of emergency response and IT emergency response exercises in different areas and parts of the Group. IT emergency response personnel practised activating emergency response roles and the emergency response organisation in various emergency situations. This included conducting mobilisation exercises, theoretical table-top/discussion exercises, technical hands-on exercises and physical exercises.
Measuring, auditing and compliance
Conducting of several types of audits and controlling activities in order to ensure continuous improvement and compliance with external and internal requirements for security and emergency response. This included compliance with laws and regulations, requirements in the information security management system, as well as maturity analysis and benchmarking. In addition, the area of information security was audited by the Group’s internal audit function. The purpose of this was quality assurance and to ensure that the work on information security was consistent with the Group’s needs and expectations from owners, the Board and executive management.

Metrics and targets
This important topic and the associated management system constitute a process that focuses on continuous improvement and adaptation to the prevailing risk landscape. The following metrics and targets are defined for the topic:
Metrics and targets | Result 2023 | Result 2022 | Comment |
---|---|---|---|
No IT security incidents that were not dealt with | 0 | 0 | |
No IT security incidents with serious consequences | 0 | 2 | The extreme weather event “Hans” and the incident at Braskereidfoss were not considered IT security incidents |
Minimum 1 IT emergency response exercise held | 3 | 3 | |
No breach of privacy, including personal data security, which entails a high risk for Hafslund’s employees | 0 | - | New |
Indicator table
Security and preparedness
Secure IT-services and systems | Unit | 2023 | 2022 | Comment |
---|---|---|---|---|
Number of IT security incidents that were not dealt with | Number | 0 | 0 | |
Number of IT security incidents with serious consequences | Number | 0 | 2 | |
Number of IT emergency response exercises | Number | 3 | 3 | |
The number of breaches of privacy that may pose a high risk to our registered users | Number | 0 | - | New indicator |