Digitalization: Opportunities and New Risks

Digitalization offers enormous opportunities for efficiency, but it also introduces new risks. When OT systems (Operational Technology) are connected to the internet, vulnerability to attacks increases—attacks that threaten not only data, but also lives, health, and critical societal functions.

As a member of the Confederation of Norwegian Enterprise’s Security Council (NSR), we hosted a webinar today focusing on the threat landscape for OT in Norway. Below are our key takeaways.

An Escalating Threat Landscape

The Norwegian Police Security Service’s (PST) annual threat assessment shows a clear shift: from a “low probability” of sabotage against Norwegian critical infrastructure in 2023, to “elevated” in 2024, and “likely” by 2025.

At the same time, cybercrime has become the world’s third-largest economy. A professional, commercial “Cybercrime-as-a-Service” industry has emerged, offering services such as extortion, data theft, and espionage.

Criminals follow the money, and willingness to pay is highest where the consequences of downtime are severe, such as in manufacturing and energy supply. Internationally, there is a clear trend toward an increasing number of attacks targeting OT systems. One example is the car manufacturer Jaguar, which was forced to halt production for over a month, resulting in lost production of 1,000 vehicles per day.

We also see a significant rise in hacktivism, often linked to geopolitical conflicts. Following the outbreak of war in the Middle East, several attempted attacks have been observed where hackers exploit internet-exposed equipment and simple system vulnerabilities.

When OT Becomes the Target

Traditionally, OT systems have been “air-gapped,” meaning physically isolated from the internet. This strategy is becoming increasingly difficult to maintain. Digitalization and remote access enable data to flow between IT and OT, suppliers connect remotely for maintenance, and system owners often have limited visibility into what is happening within their environments.

The incident at the Bremanger hydropower plant is one such example: hackers managed to open valves that remained open for several hours before the attack was detected and handled.

Legal Requirements and Increasing Expectations

Norway has now enacted the Digital Security Act, which came into force on October 1 this year. The legislation is based on the EU’s NIS Directive from 2016 and imposes requirements on organizations within sectors such as energy, transport, healthcare, water supply, and finance.

In addition, the NIS2 Directive expands the scope to include important private sectors such as food production and the chemical industry.

In short: societal expectations are tightening, and it is wise to begin the work early.

Typical Challenges in OT Environments

OT systems are often complex and outdated. They typically feature:

  • High availability requirements – systems cannot be taken offline without serious consequences
  • Long lifecycles – many systems are 10–20+ years old and were built before OT cybersecurity became a concern
  • Dependence on vendors for operation, maintenance, and upgrades
  • Limited visibility into internal processes, often perceived as “black boxes”

In addition, we see organizational challenges where IT and OT are managed by different teams with different routines and cultures. This creates grey areas where no one takes full responsibility for security.

Best Practice: Build Security on OT’s Terms

Many cybersecurity frameworks are designed for IT and must be adapted for OT environments. The international IEC 62443 standard is specifically tailored for OT and, when combined with the Norwegian National Security Authority’s (NSM) fundamental principles, provides a strong foundation.

The four core principles from NSM are also relevant for OT:

  • Identify and map – gain an overview of OT assets and communication patterns
  • Protect and sustain – build a secure architecture that separates critical and non-critical systems and controls data flows between zones
  • Detect – establish monitoring and alerting systems adapted to each facility
  • Respond and recover – integrate operational and security functions for effective incident response

New Systems and Retrofitting Existing Facilities

New investments provide a prime opportunity to define clear security requirements. By applying principles from IEC 62443, systems can be structured using zone and conduit models, security levels can be defined, and requirements can be imposed on suppliers already during the tender process.

For existing facilities, the work should begin with mapping:

  • What equipment and communication exist?
  • Which vulnerabilities are most critical?
  • What can be attacked, and what are the consequences?

The outcome of this assessment should be documented in a security roadmap that includes both quick wins and measures aligned with long-term objectives.
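The mapping questions above can be turned into a repeatable check: compare the communication actually observed on the network with the zones and conduits that have been defined. The following is an added example, not part of the original article or of any Secure-NOK tooling; the zone names, subnets, conduits and flows are constructed for illustration.

```python
import ipaddress

# Constructed sample inventory: zones, conduits and flows are illustrative only.
ZONES = {
    "enterprise_it": ipaddress.ip_network("10.10.0.0/16"),
    "ot_dmz": ipaddress.ip_network("10.20.0.0/24"),
    "control": ipaddress.ip_network("10.30.0.0/24"),
}
# Approved conduits as (source zone, destination zone, destination port).
CONDUITS = {
    ("enterprise_it", "ot_dmz", 443),  # IT users reading the historian web view
    ("ot_dmz", "control", 4840),       # OPC UA collection from the DMZ
}
# Observed flows (src ip, dst ip, dst port), e.g. from passive network monitoring.
OBSERVED_FLOWS = [
    ("10.10.4.12", "10.20.0.5", 443),   # matches an approved conduit
    ("10.20.0.5", "10.30.0.11", 4840),  # matches an approved conduit
    ("10.10.4.12", "10.30.0.11", 502),  # IT workstation speaking Modbus/TCP to a PLC
    ("203.0.113.7", "10.30.0.20", 80),  # address outside the inventory reaching an HMI
    ("10.20.0.5", "10.10.4.12", 445),   # DMZ host initiating SMB back into IT
    ("10.30.0.11", "10.30.0.12", 502),  # traffic inside the control zone
]

def zone_of(ip):
    """Return the zone an address belongs to, or 'external' if it is unmapped."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"

def review_flows(flows):
    """List cross-zone flows that no approved conduit covers."""
    findings = []
    for src, dst, port in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone == dst_zone and src_zone != "external":
            continue  # intra-zone traffic is outside the conduit model
        if (src_zone, dst_zone, port) in CONDUITS:
            continue
        # Unmapped peers or anything reaching the control zone rank highest.
        high = "external" in (src_zone, dst_zone) or dst_zone == "control"
        findings.append({"src": src, "dst": dst, "port": port,
                         "from": src_zone, "to": dst_zone,
                         "severity": "high" if high else "medium"})
    return findings

if __name__ == "__main__":
    for f in review_flows(OBSERVED_FLOWS):
        print(f)
```

Each finding is a candidate entry for the security roadmap: either the flow is legitimate and needs a documented conduit, or it should be blocked.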

Situational Awareness Is Key

No security measure is effective if you cannot see what is happening. Real-time monitoring of OT systems enables organizations to detect and respond to incidents before they lead to physical consequences.

OT security is no longer just about technical barriers—it is about understanding the interplay between operations, technology, and people. With increasing digitalization, stricter regulations, and a more complex threat landscape, Norwegian organizations must take OT security seriously.

Nina Hesby Tvedt
Chief Strategy & Operations Officer
13.02.2026