Paulina Waltila is helping to solve the climate crisis in her own way. Her job is to protect Statkraft against cyber attacks and help the company secure important assets and the production of renewable energy.

With a hacker on the team

"I'm a super nerd," says the 32-year-old IT Security Architect Lead in Statkraft.

Not everyone gets paid to hack, nor does Paulina risk getting arrested for her "malicious" hacking. Instead of demanding a ransom for hacked data files or deleting or downloading important, protected information from the servers, she tries to uncover weaknesses in Statkraft's data security and write reports that provide a basis for taking further action.

The purpose is to enable the company to close any security gaps, stay up-to-date on threat methods and be able to withstand real-world, malicious cyber attacks.

Because the threats are many and varied. In 2020, the National Security Authority (NSM) registered three times as many serious cyber incidents in Norway as in 2019. Attacks via e-mail are still among the biggest threats to companies, but attacks via text messages and social media are also on the rise.

Security architecture

Consider that term for a moment. According to Paulina Waltila, security architecture is about protecting people, data centres, power plants, important infrastructure, e-mail accounts and other things using various security mechanisms.

Although demanding and complicated, the task often boils down to one thing:

"We must always be at least one step ahead of those planning a cyber attack," she says.

One method Paulina and the team use to stay ahead is to "trick" their own employees.

"We’re actually allowed to hack our bosses," she says, with a coy smile. "So they can't be angry with us either. We report to them that 'x number of people got caught in the trap, while x number of people reported the incident'".

"It's cool that we're allowed to be a bit devious, too!"

Paulina and the security team regularly send phishing emails. They can also call employees and tell strange stories to lure them into traps, so-called social engineering.

"That feels unpleasant, because you don't want to deceive anyone. But it's better that we deceive people than let someone with malicious intent do it," she says, adding that everyone they attempt to deceive is anonymised in their reports. And while it is a bit of a shock for people to discover they've been duped, they appreciate the lesson it teaches them.

• Social engineering, sometimes also called social manipulation, is tricking someone into giving up access credentials or other confidential information. Social engineering is probably the most used method for hacking and obtaining information.

Major growth within data security

In Statkraft, a relatively small group that once ‘worked on security’ has now become a large specialist department with several working groups. Paulina Waltila leads one of the teams. And the department is getting bigger and bigger, which means even more people to work with.

"Cooperation is important for protection. People, systems, facilities – everything must work as a kind of orchestra to produce the best possible result."

She points out that cyber security has become the focus in many areas. The perception of cyber security is changing; it is being taken more seriously than before. This area of specialisation is an important part of the IT department, a fact which Pauline thinks must be pushed higher up the agenda in all boardrooms.

"It's been exciting to see how my department has grown in just a couple of years; continuous development is a major focus area for Statkraft. You don't just do your job and go home. Everyone is passionate about their work."

Paulina also has other places where she finds energy and motivation; when she is not hacking and testing, tricking the company and employees and teaching everyone about cyber security, she does aerial acrobatics – a “grown-up hobby" she took up a few years ago.

"In my profession, you spend much of your time bent over a computer, with a rounded back and tense shoulders. So I benefit a lot from heavy training involving my hands, feet and knees. I forget about everything else. When I'm hanging upside down from a rope using only my knee and spinning around and doing acrobatics in the air, I don't have time to solve the world's problems. Then my head clears, and I feel great afterwards!" she says, laughing, but then she turns serious again:

"We don't do cyber security just to protect Statkraft. We also protect the work being done to find climate solutions and develop a cleaner world. I think that's pretty cool."