With their increasing exposure to digital risks, our public transport authority and transport system operator clients have become aware of the importance of protecting themselves from cyberattacks, but do not always know how to approach the issue.
Cybersecurity is defined as all the technical and non-technical protective measures that enable an information system to withstand events liable to compromise the availability, integrity or confidentiality of the data it stores, processes or transfers, or the associated proofs (identity, authenticity, traceability). Already back in 2008, the White Paper on defence and national security had established that cybersecurity had become a major issue. Since then, cyberattacks have tended to intensify. Organised groups, but also governments, directly contribute to this development by deliberately or inadvertently disseminating tools which can then be studied, modified, reused and combined.
While cybersecurity is often reduced to its technical component, it is crucial to understand it as a global approach which does not rest purely on technical measures but in equal measure on organisational ones: awareness, training, procedures, organisation and policies. It should also be emphasised that cybersecurity is not just about applying restrictive conditions to everyone without discrimination. It is a considered approach which, according to the issues at stake, helps to strike the right balance between protection and restriction. It should also be borne in mind that absolute security does not exist, and firms should therefore prepare carefully for the consequences of a successful attack. Several main principles should guide any approach to cybersecurity, including the following:
- Security by design: this aims to ensure that, from the very first stages of working on a new project, cybersecurity already lies at the centre of concerns.
- Defence in Depth (DiD): the implementation of multiple layers of security controls so that attackers, depending on their determination and resources, are either deterred outright or slowed in their progress towards the most critical zones.
- Cyber resilience: the ability of an organisation to minimise the impact of an attack on its business. This requires a form of business organisation that enables it to ensure continuity and return to nominal operations following an attack.
Industry: a sector sensitive to cyber threats.
Industrial systems are exposed to these risks, even when they are not connected to the Internet. The computer worm Stuxnet, which first appeared in 2010, succeeded in destroying a large number of centrifuges in an Iranian uranium enrichment facility, despite the fact that this site's IT network was physically isolated from the rest of the world. This attack is tangible proof that our worst fears about the security of sensitive installations can become reality. We could also mention damaged pumps in wastewater treatment stations in the United States in 2011, electricity blackouts in Ukraine in 2015 and 2016, or pipeline operation shutdowns in the USA in 2018: there is no shortage of examples.
Industrial systems are therefore just as affected by cybersecurity issues as other information systems, and possibly more so. In fact, industry has adopted digital technology at the same pace as technological development, without a global vision, sometimes with insufficient technical expertise in information technology, connecting heterogeneous systems together with the priority placed on productivity, efficiency and safety, but rarely on security. It is therefore the role of the top management of these firms to fully come to terms with these issues and adopt proactive policies to reinforce the security of industrial systems by allocating the necessary material, financial, organisational and human resources to it.
To help industry players unfamiliar with cybersecurity methodology and techniques (which are more widespread in the traditional IT and banking sectors), standardisation bodies have focused their attention on the specificities of industrial cybersecurity. Their work led to the publication, starting in 2009, of the first volumes in a series of reference technical documents: IEC 62443. Some parts of this standard are still being drafted, but its main concepts are now well established (security policy, threats, risks, safety measures, maturity, security zones, security levels, etc.) and act as foundations for the approaches led by each specific job discipline. Also worth noting is the simplification work conducted by ANSSI (the French national agency for cybersecurity and cyber defence), which has published dedicated guides offering easy access to the analysis and definition of the main necessary measures.