Kymen Vesi acquires a Chief Information Security Officer from Netum: “Our ranks are now uniform in information security matters”
The Outsourced Chief Information Security Officer (CISO) service has brought new expertise and created a culture of working together in the information security management of Kymen Vesi. Next, a new information security strategy will be implemented in the organisation, and the lessons learned from the cyber security exercise will be put into practice.
Kymen Vesi Oy produces and supplies clean water to residents and companies in the entire southern Kymenlaakso region, including Kotka, Pyhtää, Hamina, Vehkalahti and Anjalankoski. Therefore, it plays a critical role in terms of the security of supply. The increasingly digitalised operating environment of water services has made information security an even more critical issue. Timo Leppänen, who works as an electrical and automation engineer at Kymen Vesi, describes the different dimensions of information security.
- “Information security is essential not only for the production and distribution of clean water but also for the safe treatment of wastewater through automated solutions. Information security also plays an important role in customer data management. In recent years, especially questions related to the integrity and availability of information have surfaced,” Leppänen says.
In autumn 2021, Kymen Vesi decided to start working with Netum in information security matters and began to purchase the Outsourced Chief Information Security Officer service. Netum’s expert works one day a week as Kymen Vesi’s Information Security Officer, guiding the company towards better information security management.
- “In the past, we operated within our own departments and practically only dealt with department-specific issues. Thanks to Netum, our ranks are now more uniform. We seek solutions to information security issues together and create common operating models for everyone. This has definitely been the most significant benefit of the partnership,” Leppänen says.
Timo Leppänen, an electrical and automation engineer at Kymen Vesi
Kybermittari – Cybermeter as a basis for a new strategy
With the help of the Outsourced Chief Information Security Officer service, Kymen Vesi has implemented a wide range of measures to improve information security. The cooperation started with a current state analysis using the National Cyber Security Centre’s Kybermittari, which charted the company’s starting level of information security. The analysis was led by Marko Hämäläinen, Head of Cyber Security Consulting at Netum, and based on it, a new information security strategy was drawn up for Kymen Vesi.
- “With the help of Kybermittari, we were able to highlight the most important development targets in different areas and set concrete goals with which Kymen Vesi could improve its information security,” Hämäläinen says.
One key reform was the establishment of an information security team. The information security team, which consists of four experts from Kymen Vesi, meets weekly and is led by Netum’s Information Security Officer, who guides the achievement of the goals set out in the strategy.
- “The results are monitored annually with the help of Kybermittari. The last inspection was carried out in January 2023, which showed that significant progress had been made in almost all 11 areas,” Hämäläinen says.
A cyber exercise revealed the risks
One of the highlights of the cooperation was a cyber exercise held in autumn 2022. In the exercise, Kymen Vesi’s experts and management were given the task of solving three different cyber attack scenarios related to both systems critical to security of supply and entities containing personal data. The planning of the scenarios was guided by Netum, but the actual company- and system-specific expertise came from Kymen Vesi’s information security team. This ensured that the scenarios were realistic. Based on the planned scenarios, Netum designed a morning-long exercise with scripts and minute schedules. The exercise received a lot of praise.
- “The exercise was great, and I learned a lot from it. I have participated in and led similar exercises before, but this was definitely the best experience so far, partly because the scenarios were tailored to us. Netum showed that it is possible to build an exercise that really takes all aspects into account,” Leppänen says.
Tailoring cyber security exercises precisely to the customer’s operating environment makes Netum’s exercises particularly popular.
- “This way, the risk scenarios are as realistic as possible, and the training provides good tools for the future. The scenarios provide concrete information on how the existing practices in terms of technical capabilities, communications, situation management and maintaining a situational picture work,” says Hämäläinen.
Netum’s Senior Cyber Security Consultant Atte Karhu and Timo Leppänen
Agile changes
Currently, Netum’s Senior Cyber Security Consultant Atte Karhu operates as the Outsourced Chief Information Security Officer and is in charge of Kymen Vesi’s information security team. Strategy work has progressed systematically, and measures will be implemented when the organisation is ready for them. According to Karhu, Kymen Vesi is on a solid path towards better information security.
- “The most important change has already taken place, as Kymen Vesi is now systematically working to improve information security, and different units are cooperating. Operations are assessed based on risks, and both shortcomings and capabilities have been made visible,” Karhu says.
The Outsourced Chief Information Security Officer service has proven to be a flexible and cost-effective solution. Not every project requires a new assignment.
- “Large-scale reforms can be achieved within the Information Security Officer service framework. The communication is continuous, and a close partnership is formed with the customer. The implementation of measures according to the organisation’s receptivity is a definite strength of the service, as the work can always be targeted correctly according to the situation. This ensures that every hour worked is meaningful to the customer,” Karhu says.
Leppänen is also satisfied with the service.
- “An outside expert who has no previous ties to the company often sees the issues that need to be addressed more clearly. With this cooperation, we are no longer at such a risk of becoming too set in our ways,” Leppänen says.