Information and assessments on foreign, security and defence policy are provided by the NIS to support Norway’s civilian authorities.
Its Focus 2023 report analyses the status of and expected developments in thematic and geographical areas which the service considers particularly relevant for Norwegian security and national interests. Topics covered include Russia, China, international terrorism and conflict areas.
Combined with the National Threat Assessment 2023 from the PST, the NIS report describes national and international conditions which influence the threat picture.
The PST’s assessment concentrates on the intelligence threat, with particular emphasis on Russian and Chinese espionage. It also describes politically motivated violence – extremism and threats to people in authority.
Intelligence work can be pursued in a variety of ways, including network operations, recruitment of sources, and digital and physical sabotage.
Risk can be reduced
Risk assessments and safety measures must be updated in line with changes to the risk picture. The war in Ukraine has demonstrated that Norway must be prepared for a broad range of threats.
In its Risk 2023 report, the NSM calls attention to how the petroleum sector should reduce vulnerabilities to make the job of threat agents more difficult.
Cyber vulnerabilities exploited
Phishing attacks will still be the simplest and most widely used method for obtaining access to information about a person or an enterprise. The NSM is constantly seeing human, technological and organisational vulnerabilities being exploited to assist malicious cyber operations directed at a number of Norwegian enterprises.
Digital threat agents also exploit such vulnerabilities as weak passwords, outdated software and lack of two-factor authentication to secure unlawful access to ICT systems.
Such attacks are not always aimed directly at networks belonging to enterprises. Individuals and third-party services on which enterprises depend may be exploited because they are regarded as easier to attack than the actual targets.
Insider risk
The Norwegian security services are devoting much attention to insider risk, which can arise at any point in an insider’s period of employment. This means background checks or security declarations are not an adequate means of avoiding such risk. These issues are dealt with in more detail in the PSA’s report on managing insider risk (Håndtering av innsiderisiko - in Norwegian only).
Industry players can help improve the national picture
Good situation and threat pictures at sectoral and national levels depend on a functioning chain which extends from alertness by the individual through reporting systems at companies to filing reports with the authorities.
Routines at enterprises for internal notification, combined with a system for onward reporting to the PSA, the power sector’s computer emergency response team (KraftCERT), the PST or the NSM, make it easier for employees to report.
The PSA has entered into an agreement with KraftCERT, which discharges the operational role as the sectoral response team for the petroleum sector and receives reports of all cyber incidents in the industry.
What must be reported?
Suspected, attempted or successful security incidents, both digital and physical.
What must be notified to the PSA?
Section 29 of the management regulations specifies the requirements for notifying and reporting hazards and accidents. These also apply to cyber and security incidents. The notification/reporting form can be found at https://hendelser.ptil.no/?language=engelsk
How can other government agencies be notified?
Cyber incidents: cert@kraftcert.no
Activities and incidents which represent a security threat: varsel@nsm.no or the PST website at www.pst.no/tips-oss
It should be made clear whether the notification is a tip-off, accusation or request for assistance.
Advice and guidance
Get in touch with the business contacts in the relevant police district:
https://www.politiet.no/kontakt-politiet/naringslivskontakter/ (in Norwegian only)
Unclassified threat and risk assessments
The five ICS Cybersecurity Critical Controls