Cybersecurity for critical industrial systems

In Europe, about a dozen sectors of activity are considered critical to the economy and to national security[1]. The IT systems deployed in these sectors therefore need to meet very stringent standards of performance, reliability, availability and maintainability. Cybersecurity solutions put in place to protect them — to anticipate threats, handle security breaches and assure compliance with security policies and regulations — need to accommodate all of these factors and mitigate their impact on an operator’s critical processes and workflow.

As an active member of the ANSSI[2] working group on security for industrial systems, Thales provided an update on the latest situation at the recent SANS European ICS Security Summit[3].

What the law says

France’s 2014-2019 defence spending plan obliges essential operators (12 sectors, 250 companies) to:

implement qualified systems (Security Operation Centres) to detect any events that could affect the security of their information systems;

immediately alert the authorities in the event of an incident affecting the operation or security of their information systems (detected using ANSSI-approved “sovereign probes”);

allow checks to be carried out on their information systems by ANSSI-approved service providers to gauge the level of security and compliance with security guidelines.

In the event of a major incident, they must follow the instructions given by the authorities, for example if required to disconnect from the Internet.

The same type of regulations — some of them more stringent than others — have been adopted in the United States, the United Kingdom and Germany, as well as by the European Commission, which is currently looking at how to set up a European certification scheme for industrial control systems (ICS)[1].

Classing criticality levels

Exposure to risk varies according to the sector of activity and the architecture of the industrial systems in place. Put simply, the more distributed and complex the activity, and the more industrial facilities and systems there are, the higher the risk.

Each ICS can therefore be classed according to risk, from 1 (low) to 3 (critical), and different measures apply to each class of risk:

IT best practice guidelines (ANSSI, CPNI/SANS) for class 1;

proof that adequate safeguards have been established for class 2 (significant risk);

compliance checked by a government agency or approved body for class 3 facilities exposed to the highest level of risk.

Use cases

In a plant handling the water supply of an urban area with 500,000 inhabitants, the remotely managed ICS is geographically distributed over several sites (reservoirs, booster stations, pumps). Remote sites communicate with the central site via dedicated lines. The ICS is composed of numerous remote management devices (RTU) and supervisory control (SCADA) workstations. Technicians can connect to the system from their remote location if problems occur. The risk is significant (class 2).

On a household appliance assembly line for a company that operates essentially within national borders, the ICS is limited to a single site. It includes a manufacturing execution system (MES) and permanently connected engineering stations. Technicians and operators use tablets and wireless scanners to scan bar codes. The risk is low (class 1).

At a production plant for toxic chemicals covered by the Seveso Directive, the ICS has centralised historians, engineering stations and programming consoles that are permanently connected. The industrial networks are connected to the site’s management information system (MIS). Wireless networks are not yet deployed. The risk is significant (class 2) or high (class 3).

In a railway transport network, a computerised railway switch-control system allows management of track assignments and remote control of switches and signalling devices. The risk is high (class 3).

The Thales value proposition

Thales is the European leader in cybersecurity, offering a comprehensive, long-term approach that helps essential operators implement the security policies they need to protect their most critical information systems.

As well as complying with all current regulations and standards, Thales solutions and services are certified by a growing number of official bodies. In France, for example, Thales is certified by ANSSI, the national agency for information system security, as a PASSI audit services provider, a PDIS security incident detection provider and a PRIS security incident response provider.

Further reading:

Thales enhances its cybersecurity solutions for essential operators

Thales gains ANSSI approval as IT security auditor

[1] Transport, energy, nuclear industry, water, chemicals, food, health, finance, telecommunications, space, and research.

[2] Agence Nationale de la Sécurité des Systèmes d’Information, France’s national agency for information system security

[3] Organised by the SANS Institute on 27-28 September in Amsterdam.

View source version on Thales Group: https://www.thalesgroup.com/en/market-specific/critical-information-systems-and-cybersecurity/news/cybersecurity-critical