At DTU Wind, cybersecurity has become a daily concern, not only to avoid classic hacker attacks that can paralyze the department's IT systems, but also to prevent technology and data from falling into the hands of competitors or being misused for military purposes. Such attacks can have consequences far beyond DTU Wind and threaten both national security and the global competitiveness of Danish industry. That is why the department has enrolled all employees in targeted training.
"The mandatory training will ensure that all employees, not just technicians, have basic cybersecurity understanding,” says Kenneth Thomsen, Head of Division at Wind Turbine Design, one of four divisions at DTU Wind. He has been involved in introducing awareness training for the department's 450 employees.
Obvious target for both espionage and misuse
DTU Wind works closely with industry, especially within wind energy, handling critical and commercially sensitive data from prototype turbines which are being used to improve the design, performance, and safety of future products.
Kenneth Thomsen emphasizes that this industry collaboration relies on DTU Wind being able to protect this data:
“Our customers’ data is the lifeblood of their development, and if it falls into the wrong hands, it can negatively impact customers’ competitiveness and lead to a loss of trade secrets.”
Of particular concern is the risk that technology could be misused for military purposes or transferred to competing companies abroad.
“If industry can’t trust us to look after their data, the collaboration we enjoy will cease. So increased cyber and information security is not just a technical necessity. It’s a prerequisite for trust and our continued collaboration with industry,” says Kenneth Thomsen.
Eight out of ten have completed
The training takes place via the CyberPilot platform. Before the summer holidays, each employee had to complete four modules lasting approx. five minutes each with questions about the threat landscape, how to recognize phishing, and how to protect passwords.
In his managerial capacity, Kenneth Thomsen has access to a dashboard showing who has completed the training:
“As of early August, about 80 per cent of the employees have completed the programme, which is quite impressive, as many employees had already started going off on holiday when the programme was rolled out.”
At the same time, he is aware that 20 per cent of employees have yet to complete the course, and he and the management team are dedicated to following up and motivating them, for example by praising all those who have completed the training course at staff meetings.
“Cybersecurity is a shared responsibility, and even employees without direct access to data can pose a risk, for example by clicking on a dangerous link or using weak passwords.”
Part of DTU’s overall cybersecurity strategy
The initiative at DTU Wind is part of a broader effort at DTU, where cybersecurity is a high priority across the various departments and central functions. The awareness training at DTU Wind has been developed in dialogue with DTU’s IT-support, and reflects the University’s ambition to create a secure digital workplace where all employees, regardless of role, contribute to protecting data and knowledge.
Anders Fosgerau, Head of Cyber and Information Security at IT Service at DTU, emphasizes the importance of the joint effort:
“Cybersecurity is not just a technical issue - it’s just as much about behaviour and culture. That’s why we are focusing on awareness and training across DTU, and we see DTU Wind’s commitment as a very good example of how DTU departments can take responsibility and lead the way.”
Closed data systems
DTU Wind’s other initiatives aimed at improving data security include the closed data systems that are completely disconnected from DTU’s other networks and from which employees are unable to extract data. The systems are developed together with DTU’s IT-support, IT Service, and are used in connection with projects involving Vestas and Siemens Gamesa, among others, where data security is crucial.
The department is also working to ensure that all the processes for accessing, processing, and deleting data comply with international security standards.
“It’s about being able to show and document who has had access to data, how rights are granted, and how we ensure that data is not shared unintentionally. And this is all part of our work to become compliant with the ISO 27000 standards,” says Kenneth Thomsen.
With these initiatives, DTU Wind is showing its employees and partners that the department takes its role in protecting critical data and cooperating with industry seriously, and that security is up to scratch when world-leading wind technology is developed and tested at DTU.
