Norway’s next chapter in cyber defence is not about connecting more systems; it is about hardening the ones that already run the country. That shift is visible in three converging tracks: (1) research‑driven security led by the Norwegian Centre for Cybersecurity in Critical Sectors (NORCICS, an SFI at NTNU/SINTEF); (2) policy and funding levers that force resilience into energy, health, transport and finance; and (3) operational wake‑up calls from recent OT (operational technology) intrusions, most notably the April 7, 2025 dam incident at Lake Risevatnet. Together they mark a new phase: moving from general awareness to sector‑by‑sector reinforcement and demonstrators that prove resilience at the process layer.
The dam that changed the conversation
On an ordinary spring day in 2025, a remote‑access screen at a small dam in Bremanger was quietly hijacked; a discharge valve was set to 100% for roughly four hours. No downstream disaster followed, but only because hydrological conditions were forgiving. Evidence later included a three‑minute Telegram video watermarked by a pro‑Russian group; investigators pointed to weak, internet‑exposed credentials as the intrusion vector. Whether you read the technical post‑mortems or later attribution write‑ups, the pattern is consistent: process‑level control was achieved from outside the perimeter, long before any IT‑layer detection raised the alarm. For OT defenders, this was the “Level 0” nightmare made real.
The incident also reframed the policy debate. Norway’s long‑standing National Cyber Security Strategy stresses shared responsibility across public and private operators; the NCSC (NSM/NorCERT) already runs 24/7 national incident response with deep forensics and a cross‑sector sensor network. But the dam event underlined the need to push detection and verification down into the physical process, not merely the network stack.
NORCICS
Founded as an eight‑year Centre for Research‑based Innovation, NORCICS is designed to make Norway “the most securely digitalized country in the world.” The centre’s portfolio reads like a to‑do list for critical infrastructure: modelling distributed subversion attacks in cyber‑physical systems; digital‑twin security; human factors in Industry 4.0; 5G‑enabled IoT defences; secure smart‑districts; and demonstrators in electricity grids, remote medical services, and industrial sites. The partnership spans utilities, heavy industry, hospitals, police, and Norwegian champions such as Equinor, Hydro, Yara, Siemens, and grid operators, ensuring that research outcomes are validated in realistic environments.
What’s new in 2026 is less the vision than the operational tempo. NORCICS has moved beyond concept papers to sector‑specific demonstrators that intentionally target IT/OT convergence weak points, including identity and remote access, 5G backhaul hardening, and digital‑twin attack rehearsal. This aligns with NCSC’s plain‑spoken guidance: assume compromise is possible and instrument for response, including forensics and reverse engineering, across OT, not just IT.
Regulation and money
Policy is catching up with the threat. The Research Council of Norway has announced a 2026 call specifically for societal security and emergency preparedness, covering crises that threaten fundamental functions and infrastructure, a clear umbrella for critical‑infrastructure cyber resilience projects. Budgets in the hundreds of millions of NOK and multi‑year durations encourage serious consortia (industry + public + research) and full‑stack pilots rather than paper compliance.
At the European level, NIS2 obligations are now reshaping the Norwegian market via the EEA track. While Norway is not an EU member, the government has been preparing transposition, signalling amendments to national law, staged timelines (with adoption planned in 2026 and registration windows thereafter), and a significantly expanded scope of regulated entities. The NCC‑NO (NSM + Research Council) was stood up to connect Norwegian actors with Horizon Europe/DIGITAL funding and the European Cybersecurity Competence Centre. The net effect: more entities in energy, water, health, transport, finance, and digital services will need risk management, incident reporting, and oversight approaching EU norms.
For organizations wondering “how much this will really change,” industry trackers and law‑firm briefs tell a consistent story: across the EU/EEA, NIS2 broadens scope, tightens oversight, and harmonizes ‘significant incident’ thresholds and risk‑management measures. Norwegian operators should expect earlier registration deadlines, board‑level accountability, and auditable technical measures (e.g., identity, patching, monitoring, supply‑chain controls).
The toughest tests
The energy system remains Norway’s most consequential cyber target. A joint SINTEF–NTNU report presented during Arendalsuka 2025 bluntly framed energy as “the nervous system of society” and called for preparedness upgrades, integrated multi‑vector energy systems (electricity + heat + gas + hydrogen) for restoration, and tighter allied cooperation to secure supply chains. While not a cyber policy per se, the recommendations have cyber‑physical resilience at their core: engineer for rapid recovery across interdependent networks.
Water infrastructure, too often overshadowed by power, was forcibly elevated by the Risevatnet case. Technical analyses argue for out‑of‑band, process‑layer verification (e.g., independent sensors to confirm valve states) to counter “manipulation of control” and “manipulation of view,” two attack classes that can render HMI screens reassuring while the physical process is being subverted. Regulators (NVE) and NSM/NCSC were pulled into the Bremanger response; the lesson is that dams and utilities must treat remote access and credential hygiene as safety‑critical disciplines, not IT chores.
The human and organizational side
One of the quieter strengths of Norway’s approach is its candid treatment of the human layer. NORCICS includes explicit work on organizational behaviour during cyber incidents and training in OT contexts, a thread that draws on post‑incident lessons from Norwegian industry, including the widely studied Hydro attack. The thrust: barrier management and workplace innovation matter as much as firewalls when process safety and business continuity are at stake.
The NCSC complements this by operating as a national exchange hub: 24/7 response, a cross‑sector sensor fabric, and participation in FIRST/EGC communities so Norwegian incidents feed into (and benefit from) international intelligence. That federated posture matters in a threat environment where geopolitics and cyber operations are increasingly synchronized, a point hammered home by recent global risk reports.
2026 patterns
Multiple independent threat reports converge on the same themes: AI‑accelerated intrusion workflows, fragmented but prolific ransomware/extortion crews, and a sustained focus on edge devices and unmonitored appliances as initial footholds. For critical infrastructure, that last point is decisive: routers, gateways, VPNs, and OT vendor links become the path of least resistance, then lateral movement crosses from IT into OT. Norwegian operators can assume the playbook used at Risevatnet, credential weakness + internet exposure, remains popular because it still works.
Closer to home, the Tibber breach (2024) served as another reminder that energy‑adjacent platforms are attractive targets; while that case centred on customer data (German store customers), the public narrative reinforced that energy digitalization expands the attack surface beyond generation and grid.
Follow the money and you’ll see what 2027–2028 will look like. The Research Council’s preparedness call (deadline 20 May 2026) is tailor‑made for cross‑sector coalitions: municipalities + grid operators + water authorities + hospital trusts + vendors + research groups.
Expect proposals that combine:
- Process‑layer monitoring pilots in water utilities (independent sensors, physics‑based anomaly detection) tied to NCSC incident workflows.
- Electricity grid demonstrators that stress‑test identity, remote access, and 5G backhaul under simulated attacks using digital twins.
- Healthcare OT projects focused on remote care delivery and medical IoT segmentation.
- Supply‑chain risk programs that audit vendors’ secure‑by‑design claims against NIS2‑aligned controls and incident reporting.
The NCC‑NO will continue to funnel Norwegian teams into Horizon Europe/DIGITAL consortia, while NFEA’s 2026 OT‑cyber conference in Oslo suggests demand for hands‑on IDS, barrier management, and incident response in power grids is surging on the practitioner side.
Practical checklist for operators:
- Assume NIS2 applies (or will soon) and map your entity status, registration, and reporting obligations. If you provide essential services, or are a key supplier, you should plan for auditable controls and board‑level accountability.
- Eliminate internet‑exposed HMIs/VPNs without strong authentication, and put privileged access behind MFA + PAM with session recording. The dam incident was a password problem with process‑level consequences.
- Validate the physics: add out‑of‑band sensing for critical actuators/valves and compare reality to screen view to catch manipulation‑of‑view attacks.
- Segment IT/OT with monitoring at the conduits; deploy OT‑aware IDS (Zeek/Suricata‑class) and build internal playbooks for incident response in substations, plants, and wards, not just data centres.
- Routinely exercise restoration using digital twins, not just tabletop games. NORCICS is already working on digital‑twin security; bring your operations teams into those rehearsals.
- Exploit funding windows: build projects that span sectors (e.g., energy‑water‑municipality) and publish findings into Norway’s open research fabric to accelerate national learning.
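The "validate the physics" item above, and the out‑of‑band verification argued for in the water‑infrastructure discussion, can be reduced to a small cross‑check. This is an added example, not code from any operator, vendor or the analyses cited; the `Sample` fields, the thresholds and the trace are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

@dataclass
class Sample:
    t: int                    # seconds since start of trace
    hmi_pct: float            # valve opening as shown on the HMI
    oob_pct: Optional[float]  # opening from the independent sensor; None = no reading

def cross_check(samples: Iterable[Sample], tolerance_pct: float = 5.0,
                persist_s: int = 120, stale_s: int = 60) -> List[Tuple[int, str]]:
    """Return (time, kind) alerts; thresholds are illustrative assumptions."""
    alerts: List[Tuple[int, str]] = []
    mismatch_start = None  # when the current HMI/sensor disagreement began
    last_oob_t = None      # time of the last valid out-of-band reading
    raised = set()         # alert kinds currently active, to avoid repeats
    for s in samples:
        if last_oob_t is None:
            last_oob_t = s.t  # start the staleness clock at the first sample
        if s.oob_pct is None:
            # Losing the independent channel must fail loud, never silently "agree".
            if s.t - last_oob_t >= stale_s and "OOB_STALE" not in raised:
                alerts.append((s.t, "OOB_STALE"))
                raised.add("OOB_STALE")
            continue
        last_oob_t = s.t
        raised.discard("OOB_STALE")
        if abs(s.hmi_pct - s.oob_pct) > tolerance_pct:
            if mismatch_start is None:
                mismatch_start = s.t
            # Require persistence so normal valve travel time does not alert.
            if s.t - mismatch_start >= persist_s and "VIEW_MISMATCH" not in raised:
                alerts.append((s.t, "VIEW_MISMATCH"))
                raised.add("VIEW_MISMATCH")
        else:
            mismatch_start = None
            raised.discard("VIEW_MISMATCH")
    return alerts

# Constructed trace, 30 s polling: HMI keeps showing 20% while the independent
# sensor reads 100% from t=120, then the sensor channel goes silent at t=300.
TRACE = ([Sample(t, 20.0, 20.0) for t in range(0, 120, 30)]
         + [Sample(t, 20.0, 100.0) for t in range(120, 300, 30)]
         + [Sample(t, 20.0, None) for t in range(300, 390, 30)])

if __name__ == "__main__":
    for t, kind in cross_check(TRACE):
        print(f"t={t}s {kind}")
```

The comparison only has value if the independent reading reaches the comparator over a path that does not pass through the same PLC, HMI or remote‑access channel it is meant to verify.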
From maturity to mastery
Norway’s digitalization drive has long been a point of pride. But maturity brings exposure: the more essential services are intertwined with software and networks, the more a single weak credential can ripple into the physical world. The Risevatnet breach was a near‑miss and a gift—the kind that arrives with a watermark on Telegram. It catalysed a shift that Norway’s research community, regulators and operators were already moving toward: research‑based cyber resilience, regulatory teeth, and practical OT defences that respect the physics of dams, grids and hospitals.
If the NORCICS demonstrators, NIS2‑aligned obligations, and funded preparedness pilots deliver as designed, the next time a threat actor tries to “open the valve to 100%,” process‑layer instruments will contradict the HMI, OT‑IDS will light up the right console, NCSC will see the anomaly across sectors, and trained operators will execute restoration playbooks, without waiting four hours. That is what “most securely digitalized” will have to look like.
Sources & further reading
- NORCICS (SFI at NTNU/SINTEF): vision, partners, demonstrators. [ntnu.edu], [sintef.no]
- NCSC (NSM/NorCERT): national incident response, sensor network, FIRST/EGC membership. [nsm.no]
- Risevatnet/Bremanger dam incident (April 7, 2025): technical accounts and attribution overviews. [blog.senthorus.ch], [radiflow.com], [dailysecur…review.com]
- Policy & funding: Research Council call on societal security & preparedness (2026); NCC‑NO (NSM + RCN) and EU ECCC network; NIS2 implementation trackers and Norwegian guidance. [forskningsradet.no], [nsm.no], [ec.europa.eu], [ecs-org.eu], [copla.com]
- Energy resilience (SINTEF–NTNU report, 2025): recommendations for a robust energy system. [sintef.no]
- Threat landscape 2026: AI‑accelerated attacks, edge device exposure. [research.c…kpoint.com]
- Tibber breach (context for energy‑adjacent platforms): Norwegian media coverage. [nrk.no], [dinside.dagbladet.no]