Building the invisible safeguards of urban flow

KONE’s Chief Information Security Officer, Petteri Rantanen, talks about the shifting landscape of cybersecurity in smart cities. How do cyber threats relate to elevators and buildings, what are the future challenges in industry, and what is it like to bring two decades of expertise to a whole new sector?

KONE’s Chief Information Security Officer Petteri Rantanen sees cybersecurity as a strategic imperative for future success.

When people think of cybersecurity and elevators, they often imagine the worst-case scenario. Petteri Rantanen, can elevators be hacked?

Within five minutes of hearing the words “elevator” and “smart cities”, everybody asks that. They want to know if this means somebody can just drop the elevator. To be blunt, everything that is connected to digital networks can be hacked. But even if you could hack a digital component, elevators have physical controls that stop them falling like in the movies. And there are of course plenty of digital safeguards – from multiple layers of security controls to network segmentation – to ensure the safety of the elevator in every aspect.

What are the most common cybersecurity threats right now?

Cybersecurity means protecting devices, networks, and data from digital attacks.

Various industries are embracing IoT technologies, such as smart cameras and home automation, for improved efficiency and cost savings. These innovations also bring security risks that we're still navigating as societies. For example, IoT and Operational Technology (OT) environments, like devices used in factories, are vulnerable to cyber risks.

We're used to facing thousands of cybersecurity cases every year – it's part of our daily work to keep our IT environment secure. This is what many big companies are now dealing with on a day-to-day basis. So, we always need to make sure the IT landscape is in good shape. Phishing and malware, like viruses and ransomware, continue to be significant threats in every industry.

Our dependency on third-party vendors for software and hardware also introduces supply chain-related threats. In recent years, these threats have increased significantly, and that’s why we expect our partners to meet a certain level of security. We monitor this through contracts and assurance activities.

From the perspective of a citizen, one of the trends we are seeing across the cyber landscape is attacks on end user devices like laptops or phones, or data attacks that compromise accounts. It’s about “personal cyber hygiene” in a sense, and it is necessary for everyone to form good habits to protect themselves in the digital world.

Protecting Operational Technology (OT) from cybersecurity risks is important because OT devices and systems control critical infrastructure and industrial processes.

You’ve worked over 20 years in security – including key roles at NOKIA and the Mastercard Foundation. How does your experience in these industries compare to your current role at KONE?

In industries like finance and telecommunications, customers are more aware of what they need, and that drives innovation. I think all companies have understood the importance of protecting personal and customer data, but protecting IoT and OT devices and environments is often not treated with the same understanding. If we’re honest, most residents in a block of flats are not giving much thought to the security of their elevator; they just expect that it is there.

It’s a bit of a dilemma for many companies balancing customers’ current needs with features that take care of future security. Customers dealing with critical infrastructure like metros or airports are getting more tech and cyber savvy, but in my view they could do it even faster. Evolving regulation is also ensuring that many industry sectors get more and more educated on cyber topics. Companies that recognize cybersecurity as a strategic imperative for future success and proactively embrace changing regulation can also better tap into the opportunities.

What drew you to work at KONE?

I think it’s quite unique what KONE is doing from the geographical and public industrial perspectives. For me, it is especially appealing to contribute to cybersecurity around smart cities, people flow, IoT and OT. And of course, KONE has a long history and great heritage as a strong Finnish brand.

The sense of values resonates with me – not just the words on paper, but the way people explain things openly and transparently and follow up.

What are the keys to top-notch cybersecurity in a global company such as KONE?

Firstly, there’s the internal focus. At KONE, it means that we make sure that the security of the systems, tools and processes has been built in from the ground up, and we meet the standards and regulations of the industry.

Secondly, there are the products and services – and that’s mainly geared around our Technology and Innovation unit and R&D work. Are there any vulnerabilities? Being able to respond and address these is important for us and for our customers.

At KONE, cybersecurity is a collective mindset and a crucial part of the company’s digital transformation journey.

Thirdly, we are working to ensure our whole supply chain is resilient, robust and performing as it should to get the end product to the customer.

Lastly, it’s the people – how we communicate, share information and train our people. A major challenge here is also securing capability and competence. There are 2.5 million vacancies in cybersecurity worldwide. That’s a lot of demand in a young domain and we are looking forward to expanding our expertise and diversity.

How does KONE’s organizational culture contribute to building effective cybersecurity practices?

It’s not just one team that’s responsible for cybersecurity, it’s all of us. Many companies might see people as the biggest vulnerability, but I see people as the upside, and our best line of defense in many ways.

It starts with the fundamentals. If your work has value, you want to protect it and safeguard it. I do think that all our employees have that mindset that the work they are doing is truly important, not just within KONE but in broader society as well.

In an ever-evolving digital landscape, how do you envision KONE’s role in securing the cities of the future?

Our goal is to be a digital leader in cybersecurity, and a thought leader in the industry. Living and breathing cybersecurity will be a long journey and it’s going to take time. But we are already actively piloting, deploying and monitoring different approaches that could benefit the whole industry.

As an optimist, I do think that with the help of AI and technology we can address some of the basic aspects of cybersecurity really well. We can achieve better threat detection, analytics, automation – all with extreme efficiency and a fast pace.

From my perspective, the best kind of cybersecurity is invisible and effortless, working in the background so you don't have to worry about it. If we can make cybersecurity easy for citizens and integrate it in the flow of their daily lives – then we’re doing it well.

Good cybersecurity is a sign of being responsible and trustworthy, so I think that the more proactive we are on this topic the better things will be all round.

Quick cybersecurity glossary

Phishing: A deceptive attempt to trick an individual into giving sensitive information by pretending to be a trustworthy entity, often via email.
Malware: Malicious computer software designed to damage, disrupt, or gain unauthorized access to computer systems.
Ransomware: A form of malware that locks users out of their files or devices and demands a payment to restore access.
IoT: Internet of Things – the network of interconnected devices (such as smart home appliances, wearable devices, industrial sensors) that communicate and exchange data over the internet.
Vulnerability: A weakness or flaw in a system, network, or application that could be exploited by attackers.
OT: Operational Technology is the hardware and software used to monitor and control physical devices, processes, and infrastructure in industries like manufacturing and transportation.