Fortum operates critical infrastructure across Nordic energy markets: nuclear plants, hydropower dams, wind farms, district heating networks, and power trading desks serving 2+ million customers across 13 countries. The company generates electricity (99% from nuclear or renewables), manages variable and flexible generation assets, trades in electricity markets, and operates district heating/cooling systems - all infrastructure that underpins regional grid stability and industrial operations.
The technical surface area is substantial. Nuclear facilities present their own threat model. Hydropower and wind require real-time generation forecasting and grid balancing. District heating networks operate as distributed infrastructure with customer touchpoints. Power trading systems interface with volatile electricity markets across multiple regions. Smart energy solutions extend to 2+ million customer endpoints. Each domain carries different attack surfaces: SCADA and industrial control systems in generation, market data feeds and trading platforms, customer-facing applications, billing and metering infrastructure.
Fortum operates across Finland, Sweden, Norway, and Poland with approximately 4,500 professionals. The organization manages both legacy critical infrastructure and modern digital-first customer platforms. Grid operators, traders, and energy engineers work alongside software teams building consumer-facing products. That operational complexity - mixing decades-old power plants with modern smart grid integrations - creates the security perimeter: legacy industrial systems, modern cloud infrastructure, third-party integrations, and cross-border data flows all within the same organizational boundary.
The company has committed to net-zero emissions by 2040 with Science Based Targets initiative validation. That decarbonization mandate drives technology choices and infrastructure upgrades, which in turn shape the security roadmap: new systems, system replacements, vendor integrations, and grid modernization all happening concurrently with the need to defend legacy critical infrastructure.