Strengthening industrial cybersecurity
In all sectors, the challenge of cybersecurity intensifies as connectivity increases. This is also true in the industrial field.
For several years, industrial systems have been targeted by attacks that fall into two main categories.
Those from major institutional or state actors, targeting networks in critical industries - on the model of STUXNET, malware used to target control systems of nuclear power plants.
Those from hackers, groups or individuals, using ransomware to block information systems pending payment of a ransom, with potentially catastrophic economic consequences and reputational risk.
Given the evolving geopolitical context, this challenge is paramount for Critical National Infrastructure (CNI) and for companies covered by the Network & Information Security Directive (NIS2) at the European level. CNIs like energy, nuclear, aeronautics, and utilities have historically benefited from a culture of computer security, further reinforced by regulatory obligations and close cooperation with nation states.
Much as we approach Digital Continuity globally - in terms of the identification, analysis, and prioritization of discontinuity points according to their potential impacts - it’s also essential to consider cybersecurity globally, pursuing deeper analysis in order to secure, intercept, and discourage.
To be effective, some simple points must be understood by industrial companies and the organizations that support them:
1. Before implementing a defensive system, it’s first necessary to know what you want to defend. This involves precise physical and functional inventories of all assets to be protected, in order to categorize the criticality levels of systems.
2. Just as we cannot eliminate all blockers to digital continuity, it’s probably impossible to protect everything, due to the sheer costs. As such, we must choose where to focus, through risk analyses, by studying the likelihood and potential impact, in order to construct an optimized roadmap of the protective measures to be implemented.
3. We then manage the deployment by:
Securing physical networks according to a principle of impermeability
Securing the machines themselves (e.g. disabling USB ports)
Managing access to systems
4. Implement real-time vigilance - with dedicated monitoring and an immediate response team.
5. This process must be followed for all new machines, systems, updates, etc. And it must have management sponsorship, so that it is not seen as an ‘IT project’.
Digital Continuity projects are good opportunities to revisit computer security, as cyber risk must be integrated ‘by design’ into the Digital Continuity process. As with Digital Continuity, cyber risk must include initiatives that concern the company culture - because risk often comes from humans. It must also concern the extended enterprise, the company’s ecosystem, and subcontractors.
The cyber challenge becomes more complex as connections multiply, sensors are added and links are created. This dimension must be taken into account from the outset of Digital Continuity projects by asking (and answering) a simple question: How will the actions and connections necessary to address this point of digital discontinuity impact cyber risk?
Author DIDIER APPELL, OT/IoT Cybersecurity Global - Offer Leader