Industrial systems are now more interconnected than ever, leaving many threats looming over critical infrastructures, increasingly exposed to bugs and hacking.
The Verizon Risk Team (1) 2016 report looked into an attack against a wastewater treatment plant, in which data was stolen and the volumes of chemical additives in the water were altered. Fortunately, the damage was minimal and quickly brought under control. But this event demonstrates the scale of the risks incurred. And water is not the only sector at risk. All the critical infrastructures that are essential to life and to a nation’s economy, such as energy and transport, are exposed to cyberattacks. Not to mention connected objects. The generally accepted consensus is that they are massively exposed to attack.
An overview of the risks incurred today
Forecasts of the number of connected objects worldwide in the coming years vary from one study to another: 12 billion in 2018 according to Gartner, an expert in information technologies, and 28 billion by 2020 according to the International Data Corporation consultancy firm, for a worldwide population of more than 7.5 billion. In addition to our computers, smartphones and tablets, our waste bins, vehicles and houses are being equipped with sensors that are connected to the network and communicate with one another. The 2017 International Cybersecurity Forum gave pride of place to the Internet of Things (IoT), which is the victim of more and more security breaches, including the hijacking of electric cars, central servers or even connected light bulbs. These problems affect the protection of our privacy and the security of the systems, industrial and otherwise, around us.
For Adrien Facon, Special Projects Manager at Secure-IC, which specialises in the security of onboard systems: “The IoT offers an unprecedented attack surface, with an ever rising number of targets and interconnections, which is why the IoT is also known as the Internet of Targets/Threats. Adapting our protection strategies represents an essentially scientific and technological challenge, but also a challenge in terms of change management, in particular in our production processes.”
Awareness of the risks
Attention is shifting higher up the chain, to the protection of components, beyond the simple installation of firewalls and anti-virus software. Security by design offers the means of taking harmful events into consideration right from the first stages of the design cycle and, when instances of vulnerability are detected, of asking questions about the impact, the probability of occurrence and the measures that need to be taken.
“Objects do not only need to be protected when they are working,” insists Cédric Lévy-Bencheton, an independent expert in security (Cetome). “Measures must be taken at every stage of the production process.” These security imperatives are all too often ignored because of the strategically decisive time-to-market factor, which demands that products reach the market and are available for sale more and more quickly. This is the reason why the European Union Agency for Network and Information Security (ENISA) is currently working on the definition of basic rules adapted to different sectors. “It is also up to customers and consumers to demand security and the manufacturers will have to adapt to the demand.”
A collaboration between the public and private sectors
Cybersecurity therefore no longer concerns only information technology (IT), but also all the computing functions that can have an impact in the physical world. This is where regulation comes into play. Faced with this crucial issue, France stands as a model, with the creation of the Agence nationale de la sécurité des systèmes d’information (ANSSI) in 2009 to combat cyber-risks, closely followed by the introduction of a national strategy in 2011. The Military Programming Law (Loi de Programmation Militaire, 2013), for its part, established the basic rules to be followed by 200 operators of vital importance (OIV), defined from the standpoint of defence and security, for their economic or societal impact.
In February 2017, the UN Security Council adopted its first resolution on the protection of critical infrastructures against terrorist attacks. This unprecedented text, passed unanimously by the organisation’s members, lists banking, telecommunications, emergency services, transport, and energy and water supply as “essential components of modern life”. States must therefore take “preparedness measures” to respond in the event of attacks, by creating or strengthening partnerships between the private and public sectors to “share their information and experience” through “joint training” and “communication and emergency alert networks”.
No cybersecurity without cyber-resilience
The number of points of entry requiring protection against attack has proliferated, from the central systems used to manage resources, to driverless vehicles and electronic data files. Enterprises must now consider the creation of a Security Operations Centre (SOC) and the taking of appropriate measures as a priority. “The first operational step towards cybersecurity consists of detecting and interpreting events,” points out Adrien Facon. “Managing disruptive events must enable certain systems to guarantee the continuity of service and operations, for both vital or simply financial reasons.”
Since 2012, ANSSI has been recommending “defence in depth”, or protecting the critical parts of a system by stacking up layers of varied forms of defence. Whenever an assailant overcomes one obstacle, he is faced with another layer of security. According to the manifesto published by Symantec, a leading American software publisher, this means “creating an inhospitable environment that is more difficult and less profitable to break into”. The goal no longer consists of reacting to the fire and taking stock of the damage after the storm has passed, but of being proactive.
The “threat landscape” continues to become more diversified and this former security architecture is not always sufficient. For vital operators, restarting the systems is fundamentally important. This is known as cyber-resilience. As Adrien Facon explains, cyber-resilience “guarantees continuity of service, even when attacks are in progress and can be established through various technical strategies, such as the methods used to isolate the threat, or adaptive methods that detect in real time and correct the infected task on the fly.”
In the energy sector, the nuclear industry is an exception, with duplicated equipment and communications processes, an independent cable network and backup generators. Should these “sensitive” infrastructures be viewed as an example?
“Duplicating all the equipment on a railway line, for example, would be too expensive in terms of investments and maintenance. It is better to identify the priority measures and to concentrate on them,” claims Cédric Lévy-Bencheton. But the expert in cybersecurity also believes that shying away from the “all-digital” and keeping a share of analogue technology is not realistic either.
As Adrien Facon states, “the technology itself must become a factor of trust. Our electronic systems must not remain complicit in the attacks, but become the operator’s ally.”
(1) The risk analysis team of the American telecommunications operator Verizon.
Usbek & Rica is a French publication available in digital, print and event-based formats. Its mission is to “explore the near, distant and very long-term future”, enthusiastically and optimistically. open_resource magazine invited it to indulge in this forward-looking exercise.