Industrial Cybersecurity- A matter of risks

Issues Approach Solutions Projects Contact

Stakes

Industrial cybersecurity relates to industrial information systems. It includes all that involves studying the risks to which they are exposed, defining and implementing measures (technical and organisational) to reduce these risks to an acceptable residual level. Anticipating threats and vulnerabilities watch must ensure the lasting effectiveness of these measures in response to evolving threats and risks.

Industrial Automation and Control Systems (IACS) play a leading role in responding to the strategic challenges of complex industries and infrastructures. Under the influence of technological developments based on digitalization, artificial intelligence and IoT, IACS have undergone profound changes in recent decades. Hyperconnectivity and standardization of communication protocols open up immense possibilities. But they increase the exposure of equipment and systems to the cyber threats that are a daily reality. Increasingly numerous and complex attacks can indeed lead to operating losses, theft of technological information or alteration of sensitive data. In the worst case, the dreaded events can even lead to the destruction of the industrial facility or major industrial accidents.

In this context, the criticality of the functions performed by Industrial Information Systems leads to reassessing the design strategies of these systems’ architectures. The same applies to the choice of their components. The governance of engineering, operations and maintenance activities is also concerned for each stage of the Systems lifecycle.

National standards (LPM and ANSSI Guides), European (NIS Directive) and international (IEC 62 443 standard) provide answers to address the cyber issue of IACS. They combine approaches derived from information security standards (ISO 27 000 series) and reference systems specific to IACS such as IEC 61 511, which is related to functional safety. These different frameworks provide gradual responses based on risk analysis and defence in depth.

The sites physical protection is also to be taken into consideration and is part of a global security approach to be deployed in particular among OIVs (Operators of Vital Importance) and OSE (Essential Service Operators).

201 days to discover a cyber attack And another 70 days to overcome the damage done Source : Ponemon Institut

Our approach

Assystem integrates Industrial Automation and Control Systems in the areas of BMS, Safety/Physical Protection and Control systems for the Nuclear, Transport, Defence and Life Sciences sectors. We design and deliver systems that meet cybersecurity requirements. We advise our customers on the vulnerability status of their systems and on measures to improve their cyber-protection.

Our approach is based on risk assessment and extends to Maintenance in Operational Conditions (MOC) which is now inseparable from Maintenance in Security Conditions (MSC). In this way, the IACS will ensure their missions on a permanent basis by also providing a response to the sustainability issues that are central to these systems.

The objective is to preserve the functions of the concerned IACS: process management, safety functions, air conditioning of a building, protection of people or the environment, electrical distribution, etc.

Our offer is summarized in 3 parts developed according to the project context in positions of Assistance to the owner, Project management consultancy, design/development, or maintenance:

Assess the risks, specify the appropriate measures, validate the effectiveness of measures in place or monitor their implementation supported by other actors. This approach covers, for example, support for security accreditation (e.g. french LPM context), which consists, throughout a project, in ensuring that the systems developed are properly designed and documented but also that the activities for operating and maintaining them are leading to an acceptable level of residual risks.
Design / implementation of industrial systems (new projects or renovations) that must incorporate cybersecurity and in this case the consideration of cybersecurity is coupled with our “traditional” systems integration activities.
Maintenance / MOC of systems coupled to the MSC which helps to maintain the level of efficiency of the measures over time (monitoring, patch management, awareness, etc.).

Our assets

Historical expertise in OT fields

Dual Positioning of Engineer and Integrator/ Maintainer

Multiple-sector expertise

Independent from technology

Our solutions

Initial risk assessment

Mapping, Classification, Preliminary and Detailed Risk Analyses, Combined Approaches

Risk Treatment Plan

Specification of Technical and Organizational Measures, Cyber Roadmaps, Documentation

Monitoring the deployment of measures

Support for security accreditation (LPM), Audits, Residual risk characterisation

Secure IACS design and implementation (new projects and renovation)

PLC/DCS network architectures, secure SCADA, technical measures (filtration, authentication, encryption, detection, etc.) and organisational (training, O&M procedures, etc.)

IACS MOC and MSC

Maintenance in operational conditions, Sustainability engineering, Obsolescence and vulnerability monitoring, Patch management (CVSS databases), Stakeholder awareness, Risk reassessment, etc.