Topical questions and answers concerning critical infrastructure and preparedness

On Sunday, Gasgrid Finland Oy notified the authorities that a leak and a resulting malfunction had been detected in the Balticconnector gas pipeline between Finland and Estonia in the early hours of 8 October. The leak is located in the Finnish exclusive economic zone. Led by the National Bureau of Investigation, the Finnish authorities have initiated an investigation into the matter. From the perspective of security of supply, the situation is stable.

In addition, the Finnish authorities were notified about a malfunction in the data transmission cable between Finland and Estonia on Sunday. The damage to the data transmission cable does not affect the critical telecommunications connections in Finland, and they operate normally. The critical connections are secured by several different arrangements, and Finland has also prepared for damage to the submarine infrastructure with various security of supply measures.

Special attention has also been paid to protecting the critical infrastructure in connection with the change in the security environment. The authorities have intensified their mutual cooperation and exchange of information. Operators critical to security of supply have been instructed to review their own level of preparedness in the prevailing situation.

Which companies are critical to security of supply?

A company critical to security of supply produces or provides services that are central to the vital functions of society. A company may also be critical because it provides support services important to the operation of other critical services or functions, which also makes it a critical part of the supply chain.

Companies critical to security of supply are a part of a network that works together for the good of Finland’s operating capability and the security of supply necessitated by it, called the National Emergency Supply Organisation (NESO). It includes the National Emergency Supply Agency (NESA), the National Emergency Supply Council as well as companies critical to security of supply in different industries through the pool of their own industry. The NESO also engages in cooperation with regional actors, such as Regional State Administrative Agencies, municipalities, cities and several regional committees. The NESO network includes approximately 1,500 companies and communities.

How do security of supply operations help companies critical to security of supply prepare for risks?

In Finland, security of supply has been organised as a cooperation network, in connection with which industry-specific cooperation networks of companies called pools operate. The pools support the operative preparedness of the private sector by developing the security of supply and continuity management of their own industry. The activities include information exchange, training, exercises, reports, instructions and, if necessary, identified key measures. In addition, the pools advise companies and participate in forming the situational picture of security of supply for their own industry.

Why is NESA instructing companies critical to security of supply to raise their level of preparedness, and what does it mean?

NESA has instructed companies critical to security of supply to raise their level of preparedness with regard to critical infrastructure in particular due to the changed security situation. Raising the level of preparedness means a situation in which the company prepares better for various challenges that may affect the continuity of its business. Preparedness measures include, for instance, strengthening security practices, sharing situational awareness and close cooperation with the authorities. Various measures that help with ensuring the continuity of operations have been listed in the answer to the following question.

Companies are responsible for the risk management of their own activities, including continuity management and preparing for threats against it. The preparedness is mainly based on the companies’ own risk assessments. Some key companies in critical sectors also have a preparedness obligation based on legislation and minimum requirements on preparedness. These sectors include e.g. telecommunications, energy, water supply, healthcare and the financial sector. In that case, the supervisory authority of the sector monitors preparedness. NESA supports companies with continuity management and preparedness by means such as providing instructions and situational awareness as the security situation changes. Even if the company was not defined as a critical operator with regard to security of supply, it should still take care of the continuity and risk management of its own business.

What kind of preparedness measures should companies now take?

Companies should prepare to ensure the continuity of the operation of key critical services and infrastructure at a heightened level:

1. Check the access control, locks, monitoring and physical protection of physical sites and take any other measures required depending on the needs of the site
2. Check the protective measures and incident management practices of the cyber security and critical core functions of the business in particular
3. Ensure sufficient backup telecommunications connections for critical operations from the perspective of tolerance of disturbances
4. Ensure the energy supply of critical operations by means such as ensuring the availability of replacement energy sources and reviewing the ability of functions to tolerate interruptions in energy supply
5. Check the organisation’s preparedness and continuity management measures and plans
6. Encourage the personnel to stay alert and ensure that the employees receive up-to-date information
7. Keep the threshold of reporting observations to the authorities and the network low to obtain an overall situational picture and start possible support measures

What is critical infrastructure?

Critical infrastructure is defined as basic structures, services and related functions that are necessary to maintain the vital functions of society. From the perspective of security of supply, production and services that require fixed infrastructure and enable the vital functions of society and their continuation should also be considered as critical infrastructure. Most of the critical infrastructure is owned by the private sector.

Critical infrastructure includes both physical facilities and structures as well as digital functions and services. Energy production, transfer and distribution systems, information and communications systems, transport and logistics as well as water and waste management, among other things, are a part of critical infrastructure.

Who is responsible for protecting critical infrastructure?

Each critical organisation is responsible for protecting its own critical infrastructure. A company can outsource the implementation of critical infrastructure and the services related to maintaining it, in which case the required level of protection is agreed in an agreement between the companies. The responsibility cannot be outsourced. Some critical infrastructure also includes statutory obligations; the company maintaining the infrastructure in accordance with laws or regulations is responsible for implementing them. The company can purchase services for protection from companies in the field of security, for instance.

What should I do if critical infrastructure is targeted by influencing or incidents?

Observations of influencing or incidents involving critical infrastructure should be reported to the competent authorities via the following channels, and the threshold for reporting should be kept low:

• Cyber incidents: https://www.kyberturvallisuuskeskus.fi/en/report
• Criminal matters: https://poliisi.fi/en/report-a-crime; for the Åland Islands, instructions in Swedish can also be found at https://polisen.ax/brott/gor-en-brottsanmalan
• Finnish Security and Intelligence Service: https://turvaviesti.supo.fi/ota-yhteytta

It is also important to remember to contact the sector-specific supervisory authority, such as in the financial and energy sectors.

Where can I find up-to-date and reliable additional information on the situation?

The competent authorities will provide more information on the matter as it becomes available, so we recommend that you follow their press releases.

We also recommend following the media in Finland and always seeking the source of the information. We will keep updating this list of topical questions in which we answer the most frequently asked questions concerning security of supply.

NATURAL GAS

How has NESA prepared to ensure the availability of gas, if similar disturbances occur?

NESA carries out the official duties laid down in the EU Regulation concerning measures to safeguard the security of gas supply. NESA is tasked with ensuring that natural gas is available for the protected customers in all possible situations. In accordance with the Natural Gas Market Act, in addition to households, protected customers include small and medium-sized enterprises in the food industry as well as services related to healthcare, key social welfare matters, emergencies, security, education or public administration. NESA has drawn up plans and related tasks in case of exceptional situations.

NESA has October 27 declared an alert level concerning the security of gas supply in Finland as per the Regulation. The decision is based on a major gas import connection being unavailable for at least five months during the 2023/2024 winter season. At alert level, the gas market and the security of gas infrastructure in Finland are more closely monitored by the NESA and other authorities. The NESA can also give companies permission to tap into their compulsory stockpiles of gas. The Finnish gas market is actively monitored by Finland’s gas transmission system operator Gasgrid Finland.

For whose gas supply is NESA prepared to be responsible?

NESA is prepared to ensure gas supply to protected customers, namely households, healthcare and social welfare service providers, and small and medium-sized food businesses, for instance. Together with gas distribution companies and the authorities, NESA ensures that there are sufficient methods of ensuring gas supply.

How important is the Inkoo LNG terminal vessel from the perspective of security of supply?

The floating LNG terminal of Gasgrid Finland Oy that arrived in Finland in March 2022 strengthens the security of supply of gas. NESA was one of the actors ensuring that the commissioning of the terminal vessel went smoothly.

How important is gas for Finland’s security of supply compared to other energy sources?

The share of gas has been approximately 5% of the energy sources used in Finland. Major gas users include the chemical industry, the forest industry and energy production companies. Last year, the importance of gas decreased as its price increased steeply and imports from Russia ended. All of the gas usage in Finland can be covered via the Inkoo terminal. In addition, the energy companies in Finland are obliged to maintain compulsory stockpiles to replace gas.

How does the disruption of the natural gas pipeline affect the safeguarding of electricity production in Finland?

According to current information, recent events do not affect Fingrid’s previous estimate that electricity adequacy will be stable in the coming winter. According to Gasgrid Finland’s press release, the LNG terminal in Inkoo has the ability and capacity to deliver the gas Finland needs. For electricity adequacy, it is important that electricity production based on gas is available during peak periods of electricity consumption during the winter season. (Source: Fingrid website)

TELECOMMUNICATIONS

How important are submarine cables for international telecommunications in Finland?

The international connections of Finnish companies are based on high capacity connections via several submarine cables with route verification. There are several routes from Finland to Sweden, Germany and Estonia. The submarine connections are an extremely important part of the infrastructure of Finnish communications networks, and therefore there is already a long history of investing in preparedness for exceptional situations and protecting the connections. This is done as a part of the preparedness work in cooperation with telecommunications companies and various official parties.

Does the damage to the data transmission cable between Finland and Estonia have any impact on companies or consumers?

The critical telecommunications connections function normally, and they have been secured by several different arrangements. The broken cable has now been repaired. The damage did not have any impact on companies or consumers.

How is the continuity of telecommunications ensured?

The requirements on the protection of telecommunications connections are laid down in the Act on Electronic Communications Services. According to the Act, public communications networks and services must be planned, built and maintained in such a manner that they withstand normal, foreseeable climatic, mechanical, electromagnetic and other external interference. In addition, it must be possible to detect any defects and disruptions that significantly interrupt their functionality.

Traficom has specified the requirements of law by various means, including a regulation on securing communications networks and services and synchronising communications networks that sets requirements on matters such as protecting the submarine cable landing points and securing international connections.