Context and challenges
This client, a player in the nuclear sector, wanted to carry out a diagnostic of the logical safety of its nuclear power plants on all its tertiary sites in France:
- CTM/BMS information systems (Centralized Technical Management, Building Management System), from sensors to the supervision and remote control of technical installations such as air conditioning, lighting, meters, fire, blinds, etc.
- Information systems contributing to the physical protection (PP) of buildings, i.e. video surveillance, access control, intrusion detection, alarm signalling, means of communication, etc.
Several hundred sites (offices, training centres, R&D, tertiary buildings, engineering centres) are concerned by this global approach.
In this context, this client has entrusted Assystem with the establishment of a methodology for studying the security of its tertiary sites, from a cybersecurity perspective.
Assystem developed a methodology based on a risk-based approach, inspired by the ANSSI (French National Agency for the Security of Information Systems) methodologies for the classification of industrial systems and by EBIOS (Expression of Needs and Identification of Security Objectives), making it possible:
- To classify sites according to their security issues and risks
- To propose, for each class of site, a reference system of safety requirements related to CTM/BMS and PP systems, responding to the main risk scenarios identified for this class
- To establish a security action plan for each site, based on a reference system of security measures, to address the main risk scenarios.
Three pilot sites were studied during the mission for the development, testing and fine-tuning of this methodology, with the aim of future application to several hundred sites.
- Development of an effective classification tool and creation of a reference system of measures, taking into account the evaluation of the impacts related to the identified risks as well as the technical complexity of the industrial systems of CTM, BMS and Physical Protection listed on the client's sites.
- Assistance with safety diagnosis and bringing these systems into compliance with the expected level of requirements
- Good anticipation of the particularities of each installation and each system thanks to skills in cyber risk management coupled with historical know-how in control-command, industrial IT, BMS/Safety and cybersecurity of industrial systems.