Securing critical infrastructure requires action from companies – and quickly
Companies play a key role in maintaining and securing the functionality of critical infrastructure. Security expert Jarno Anttalainen, who appeared on Fimpec’s “Kumppanit” podcast, emphasizes the need for companies to establish clear roles and substitute arrangements, develop realistic contingency plans, adopt a self-sufficiency mindset, and foster closer cooperation between companies and authorities.
Jarno Anttalainen ended his career as an officer in the Finnish Defence Forces in 2004 at the Jaeger Brigade in Sodankylä and transitioned to the corporate sector. He entered the energy industry about seven years ago, having served as the CEO of Viafin Gas Oy, Energy Director of Lahti Energia, and, starting in February 2025, as Contingency Manager at Gasgrid Oy. Anttalainen is also one of Fimpec Advisors.
From the Defence Forces, Anttalainen brought with him a strong interest in security matters. Early on, he noticed a certain naivety in companies regarding security, with an overly open approach to related issues.
“I realized that there was a lot of room for improvement in this regard, and that sparked my interest. After moving into the energy sector, the importance of this issue became even more pronounced and tangible, as I was responsible for maintaining infrastructure and ensuring its functionality. Over the years, I have discussed this matter extensively with various stakeholders and delved deeper into it,” he explains.
Much responsibility lies with companies
Russia’s invasion of Ukraine and its systematic destruction of energy infrastructure, cable disruptions in the Baltic Sea, and increasing break-ins at infrastructure sites have all brought this issue into public discussion. Listening to Anttalainen, one is convinced that this attention is not coming a moment too soon.
“Critical infrastructure consists of the fundamental structures and services essential for maintaining vital societal functions. It is often overlooked that most of these are privately owned, and because we have lived in peacetime, real contingency scenarios have not always been seriously considered. Instead, there has been a reliance on the assumption that authorities will step in when needed. However, companies must remember that, in all situations, they are responsible for ensuring they can fulfill their missions,” he states.
Anttalainen urges that security and preparedness issues become a key agenda item for every company.
“Threats affect all companies, not just those involved in infrastructure. Unfortunately, my observation is that although many companies have created risk management plans for ISO 9001 quality management systems, they have not truly engaged with the subject at the level they should.”
Is Finland really a model country for preparedness?
Finland is often portrayed in international news as a model country for preparedness. However, Anttalainen warns against a false sense of security. While Finland may appear as a forerunner from the outside, a deep dive into the details reveals much room for improvement. A useful starting point is to ask individuals if they are personally prepared.
“A good example is that I only created my power of attorney and will a few years ago, meaning I was not prepared, and this is very common. Similarly, in the workplace, it is essential to consider how things will be handled if an employee is absent for an extended period, such as six months. True responsibility means not just having a vacation substitute but ensuring that the replacement is trained to genuinely take over responsibilities.”
“When scaling this up to team and organizational levels, companies need to ask whether their risk management plans have been thoroughly tested and whether they have prepared for worst-case scenarios. I argue that, in most cases, they have not, and the current global situation is a wake-up call for us to address these issues seriously.”
Preparedness is key to protecting critical infrastructure
Anttalainen has especially considered the protection of energy infrastructure due to his work, but it is also one of the most crucial aspects of critical infrastructure. Disruptions in this sector can have widespread effects on society. The excessive openness he previously mentioned is a major concern in energy infrastructure.
“This is a significant risk factor in the energy sector. More attention needs to be paid to this in the future. Unfortunately, information that has already been published cannot be retracted, and it is not worth expending too much energy trying to conceal it. Instead, the focus should be on the future, carefully considering whether all new information should be made publicly available.”
There is much more that can be done. According to Anttalainen, preparedness must be properly established, and action must be taken quickly.
“Roles and substitute arrangements must be clearly defined. Additionally, there needs to be closer cooperation between companies, various authorities, the Defence Forces, and the police. Companies should have designated individuals, along with deputies, who actively maintain communication with authorities and ensure information flows appropriately.”
Another crucial aspect is reviewing risk and management plans. These should support strategic objectives by preparing for worst-case scenarios. They should also clearly outline the warning signals that indicate when the company should escalate its preparedness level.
“Bluntly put, companies should prepare for war rather than hide from it. The better we are prepared, and the more evident this is to potential adversaries, the less likely they are to engage in any form of disruption,” Anttalainen explains.
He emphasizes the importance of considering the entire supply chain in preparedness efforts. It is not enough for a company to simply secure the operation of a power plant. It must also consider how fuel will be delivered, how logistics will function if many drivers are called up for military service, and other similar factors.
From a broader perspective, Anttalainen stresses the importance of cooperation among companies within the same sector. Security-related information should be shared more effectively.
“Companies could have different levels of information exchange personnel who share their experiences with one another. This way, knowledge would spread, allowing other companies to refine and tailor it to their needs.”
Legal changes should not be the only focus, even though they are needed
Legislative reforms concerning the protection of critical infrastructure and resilience improvements are underway. However, Anttalainen believes companies should not wait for legal changes but should take necessary actions within the framework of current legislation. He particularly highlights the need for changes in the Conscription Act.
“Russia has demonstrated its ability to act quickly. If Finland were to start calling up large numbers of reservists, the minimum call-up period under the Conscription Act is three months. This is one area where changes could be made.”
“Similarly, the Conscription Act could be adjusted to include individuals who have not completed military service or are over the conscription age. They could be assigned to critical sites near their locations. This could be addressed swiftly to ensure soldiers can focus on military duties while critical sites are guarded by local protection units,” Anttalainen suggests.
Jarno Anttalainen was a guest on the Kumppanit podcast, hosted by Maiju Aaltonen and Panu Rahikka.
Listen to episode 20 of the Kumppanit podcast: Securing critical infrastructure
Please note that the podcast is available only in Finnish.
