The impact of NIS 2 on the Swedish energy sector : A qualitative interview study about the greatest changes and challenges faced when implementing NIS 2

Linderoth, William

January 2024

Society is becoming increasingly digitalized and interconnected. This includes the infrastructure and systems that help operate society’s functions. One of the most integral services in our societyis the distribution of power and electricity. Power distribution is confined within the energy sector and is one of several sectors deemed essential for society by the EU. The EU is therefore actively trying to increase the level of cybersecurity within these sectors. The NIS-directive was tried in 2016 but failed to meet expectations. Trying again, the EU released the NIS 2 directive which comes into power at the start of the next year. This study aims to get an early look at the impacts NIS 2 is having on the Swedish energy sector. The aim of the study is being pursued using a qualitative approach where experiences and perceptions from security professionals are being gathered through semi-structured interviews. In total, 10 informants from different energy companies were interviewed, and their views have been analyzed and presented as the result of this work. The results found that the biggest organizational change when implementing NIS 2 seems to bean increased focus and involvement from management in information security questions. And the biggest challenge seems to be ensuring supply chain compliance towards NIS 2. Additionally, it seems like small organizations are lacking the resources necessary to address the new requirements under NIS 2. It is concluded that NIS 2 is having a positive impact on information security work in the Swedish energy sector. Organizations are allocating more resources towards information security management and the level of security seems to be increasing. While NIS 2 seems to be positively received, organizations working with NIS 2 are facing several previously known hurdles of information security management work.

NIS 2

information security

energy sector

Information Systems, Social aspects

Förändringar vid införande av cybersäkerhetsdirektiv hos kommuner : En kvalitativ kartläggning över vilka förändringar som kan uppstå i svenska kommuner till följd av EU-direktiv för cybersäkerhet / Changes when implementing cybersecurity directives in municipalities : A qualitative survey of the changes that may occur in Swedish municipalities as a result of EU cybersecurity directives

Ström, Sandra, Plyhr, Matilda

January 2024

The purpose of this study is to investigate changes in municipalities that occur when the NIS and NIS 2 directives are introduced. The changes refer to internal and external changes that municipalities experience. Furthermore, an increased threat of cyber attacks as well as a lack of cyber security is the basis for conducting the survey. A research gap has been identified regarding municipalities' work with EU directives for cyber security, which the study intends to contribute to. The study's empirical data consists of six semi-structured interviews with various Swedish municipalities, where the result is the identified changes that the municipalities state. In a thematic analysis, the following themes are presented: IT focus, IT systems, competence development and cooperation, employment, clarity, conflict of interest, prerequisites for the NIS 2 directive and meaningfulness. The study uses Bolman and Deal's (2021) framework Four frame model, which forms the structure for the results and the analysis and strengthens the study by contributing with a comprehensive theory for possible changes. The study contributes with insight into the changes that municipalities may face upon the introduction of the NIS 2 directive, as well as what changes municipalities have experienced upon the introduction of the NIS directive. / Denna studie har till syfte att undersöka förändringar hos kommuner som uppstår vid införandet av NIS- och NIS 2-direktivet. Förändringarna avser interna och externa förändringar som kommuner upplever. Vidare ligger ett ökat hot om cyberattacker samt en bristande cybersäkerhet till grund för undersökningens genomförande. Ett forskningsgap har identifierats kring kommuners arbete med EU-direktiv för cybersäkerhet, vilket studien ämnar bidra till. Studiens empiri utgörs av sex stycken semistrukturerade intervjuer med olika svenska kummuner, där resultatet utgörs av de identifierade förändringar som kommunerna uppger. I en tematisk analys presenteras följande teman: IT-fokus, IT-system, kompetensutveckling och samarbete, anställning, tydlighet, intressekonflikter, förutsättningar för NIS 2-direktivet samt meningsfullhet. I studien tillämpas även Bolman och Deals (2021) ramverk Four frame model, vilken utgör strukturen för resultatet och analysen samt stärker studien genom att bidra med en heltäckande teori för möjliga förändringar. Studien ämnar bidra med insikt i de förändringar som kommuner kan ställas inför vid införandet av NIS 2-direktivet, samt vilka förändringar kommuner har upplevt vid införandet av NIS-direktivet.

NIS directive

NIS 2 directive

Municipality

Cyber security

Information security

IT security

EU directive

Change

NIS-direktivet

NIS 2-direktivet

Kommun

Cybersäkerhet

Informationssäkerhet

IT-säkerhet

EU-direktiv

Förändring

Information Systems

Hur arbetar IT-leverantörer med att skydda deras kommunikationsvägar? / How do IT-suppliers protect their communication paths?

Jonsson, Rasmus

January 2024

Kommunikationsvägar i business-to-business-kommunikation (B2B-kommunikation), så som e-post och telefoni, är idag utsatta för ett ökande hot från cyberattacker. Tidigare forskning har visat att många vanliga kommunikationsvägar är sårbara för hot, inklusive social manipulation och ransomware.  Studien undersökte hur IT-leverantörer arbetar för att säkerställa att deras B2Bkommunikationsvägar är säkrade, vilka sårbarheter de ser i sin befintliga miljö och vilka metoder de använder för att förhindra attacker. För att besvara frågorna genomfördes en kvalitativ fallstudie med en IT-leverantör. Semi-strukturerade intervjuer genomfördes för att ta reda på respondenternas åsikter och erfarenheter i relation till kommunikationsvägarna. Totalt 19 frågor inom olika kategorier ställdes till respondenterna.  Resultaten och analysen av intervjuerna indikerar att e-post och telefoni är de primära kommunikationssätten hos den IT-leverantör som deltog i fallstudien. Det skiljer sig också åt hur olika avdelningar föredrar att kommunicera. Resultaten visar även en oro över den växande hotbilden inom IT-sektorn. Som en följd är respondenterna medvetna om relevanta cyberattacker, så som ransomware eller andra attacker som involverar social manipulation. Respondenterna delar också hur de arbetar för att skydda sina kommunikationsvägar, samt identifierar områden för förbättring i en nära framtid. Slutligen kräver lagar och regler att IT-leverantören förbättrar och stärker sin IT-säkerhet, med framträdande exempel som GDPR och NIS-2-direktiven. / Communication paths in business-to-business communication (B2B-communication), such as email and telephony, are today exposed by an increasing threat of cyber attacks. Previous research has demonstrated that many common communication paths are vulnerable to threats, including social engineering and ransomware.  The study examined how IT-suppliers work to ensure that their B2B-communication paths are secured, what vulnerabilities in their existing environment do they see and what mitigation techniques they are using to prevent attacks. To answer the questions a qualitative case study was conducted with an IT-supplier. Semi-structured interviews were conducted to find out the respondents’ opinions and experiences in relation to the communication paths. A total of 19 questions across various categories were posed to the respondents.  The results and analysis of the interviews indicate that email and telephony are the primary modes of communication at the IT-supplier involved in the case study. It also differs in how different departments prefer to communicate. The results also indicate a concern about the growing threat landscape in the IT sector. As a result, the respondents are aware of relevant cyber attacks, such as ransomware or other attacks involving social engineering. The respondents also share how they work to protect their communication paths, as well as identify areas for improvement in the near future. Finally, laws and regulations requiere the IT-supplier to enhance and improve their IT-security, with prominent examples being GDPR and the NIS-2 directives.

Communication paths

email

telephony

phishing

social engineering

NIS-2

GDPR

Kommunikationsvägar

e-post

telefoni

nätfiske

social manipulation

NIS-2

GDPR

Information Systems, Social aspects