The Importance of Cybersecurity Governance Model in Operational Technology Environments


  • Jussi Simola University of Jyväskylä
  • Arttu Takala University of Jyväskylä
  • Riku Lehkonen University of Jyväskylä
  • Tapio Frantti University of Jyväskylä
  • Reijo Savola University of Jyväskylä



Governance model, Cybersecurity strategy, Supply chain management, Continuity management


There is a common will to unify regulation in the Western world regarding overall security, including cybersecurity. European cyber security regulations aim to create a foundation and guidelines for international standards in various industries and the operation of critical infrastructure. Protected critical infrastructure is a common goal for Western allies. Allies of NATO and EU member states mainly support the anti-aggression policy in Europe. The unstable situation in the world forces states to find solutions that represent the thoughts of the allies.  Defending common values is crucial when the purpose is to protect critical infrastructure and vital functions in societies. The research will demonstrate the industrial needs of IT/OT-related cybersecurity governance. The study analyzes EU-level cybersecurity requirements and how those requirements affect standardization regarding cybersecurity governance in the operational technology environment. There will be four primary governance levels: Political, Strategical, Operational and Tactical. Many criminal state-linked operators do not care about international agreements or contracts. Some rogue states have even taken to inciting violations of international agreements. We cannot trust the loose contracts between states anymore. The research will find the main challenges concerning the cybersecurity governance of the industrial organizations that use operational technology-related technology in their daily businesses. We have seen that Information and Operational Technology are based on something other than similar threats and risk basements. Operational Technology-related threats threaten the cyber-physical ecosystem where anomalies affect the physical world, so operational functions of equipment, devices, sensors, components, and production lines are interrupted. As a result, continuity management and supply chain management are compromised. The study's primary purpose is to describe the cybersecurity governance elements of the OT environment for enhancing situational awareness. Standardizing the cybersecurity level among industrial stakeholders requires EU member states to have a national cybersecurity strategy that follows main EU-level guidelines.  Despite the EU member states' implementation level of the regulation, the EU-level cybersecurity requirements obligate companies to take steps to solve future cybersecurity challenges.

Author Biographies

Jussi Simola, University of Jyväskylä

PhD Jussi Simola is a postdoctoral researcher at the University of Jyväskylä, and his current research focuses on developing the cybersecurity governance model of operational technology for industry stakeholders. He has worked as a cybersecurity specialist at Laurea University of Applied Sciences and participated in developing a common early warning system for EU member countries.

Arttu Takala, University of Jyväskylä

Arttu Takala is a D.Sc. student who holds the degree MSc. from the Faculty of Information Technology, University of Jyväskylä, as well as a BSc. in Information Technology, Jyväskylä University of Applied Science. He is a certified IT teacher, competent to teach at all levels of education. At the University of Jyväskylä, Arttu has worked as a cybersecurity teacher/researcher since 2017 and is currently working as a project researcher. Previously, Arttu has worked, among other firms, Nokia and Tieto, with software development. His research interest is in technical cyber security.

Riku Lehkonen, University of Jyväskylä

Riku Lehkonen is currently a Research Assistant at the University of Finland, working on the CSG project. He holds a Bachelor’s Degree in Information Technology and is in the process of completing his Master’s Degree in Information Technology. He has a special interest and experience in internal network security-oriented detection, with a focus on detecting backdoor and covert channel communication.

Tapio Frantti, University of Jyväskylä

Tapio Frantti holds degrees of MSc, LicTech and Dr. Tech. from the Department of Automation and Information Technology, University of Oulu. He is also an Adjunct Professor in the University of Oulu. Currently, he works as a cybersecurity professor at the University of Jyväskylä. He also works in FRE company doing security, communication and control engineering consultation. He has been on the field about 30 years and he has published +100 scientific and technical papers in journals, magazines, books and international conferences. He has also authored several patents.

Reijo Savola, University of Jyväskylä

Mr. Reijo Savola is currently working as a Project Manager in cybersecurity, at the University of Jyväskylä, Faculty of Information Technology, Finland. He has experience in cyber security systems engineering, risk analysis and risk-driven methods, software engineering, telecommunications, and digital signal processing. Earlier, he has worked as Principal Scientist, cybersecurity at VTT Technical Research Centre of Finland. He received the degree of M.Sc. in Electrical Engineering from the University of Oulu, Finland, 1992, and the degree of Licentiate of Technology in Computer Science from the Tampere University of Technology, Finland, 1995. In addition to research experience, he has seven years of industrial experience in telecommunications sector, having worked as a software engineering and digital signal processing projects for Elektrobit Group Plc. in Oulu, Finland and in Redmond, WA, United States. Mr. Savola acts as the Chairman of the Finnish Mirror Group for ISO/IEC JTC1/SC27 standardization (Information security,
cybersecurity and privacy protection) and CEO of the Northern European Cybersecurity Cluster (NECC).