Where does the sector stand? 

The rise of Part-IS has been gradual. After the progressive entry into force of the texts in 2022 and 2023, 2025 was marked by the preparation of compliance files and the structuring of ISMS.

Since 22 February 2026, the implementing regulation has been fully applicable, meaning that new scopes are now covered — in particular, maintenance and repair activities through Part-145. Part-IS now applies across the entire operational chain, from design through to operations and support. 

Today, the organisations concerned by Part-IS have acknowledged the subject and submitted their ISMS. In this context of broad engagement, EASA has on its side adjusted the framework by clarifying and easing certain modalities through the update of the Part-IS AMC and GM. 

EASA provides for an 18-month development phase after the applicability date to reach a fully operational implementation. This progression can be read simply in three steps: a system that is first present and suitable (P+S), then operational (O), before reaching effective long-term functioning (E). 

EASA updates: What you need to know in practice

In late 2025, EASA updated the AMC and GM relating to Part-IS and consolidated these changes in a new version of the associated Easy Access Rules. 

In concrete terms, these changes introduce several significant easements: 

• Declared organisations no longer need prior approval of their ISMS.
  • As a reminder, approved organisations are subject to a formal approval process by the authority (EASA or national authority). They must obtain approval, have their ISMS manual approved, and submit certain modifications for prior validation — unlike declared organisations, which are supervised ex post by the authority. The list of declared organisations subject to Part-IS can be found here. 
• ISMS modifications, when covered by a defined internal procedure, no longer require formal sign-off from the authority: a notification is sufficient. 
• The role of the authority is refocused on supervision and audit, rather than on a systematic approval logic. 

However, expectations remain the same: the ISMS (SGSI in the regulatory sense) must be robust, consistent, traceable, and genuinely applied. The relief brought by the AMC and GM update is therefore administrative, not operational. 

On the ground, this resonates with the first OSAC feedback on ISMS: governance around the ISMS appears as a central point. Authorities are paying increased attention to the cybersecurity dimension that identified actors must demonstrate. Document quality is also scrutinised — not only in substance, but also in form (structure, consistency…). 

The five key challenges for scaling Part-IS across the sector 

Beyond these initial observations, we have seen during our support engagements that the implementation of Part-IS brings five recurring challenges for most organisations: governance & coordination, inventory validation, completion of risk analyses, training of managers and teams, HR constraints and personnel controls. 

The most time-consuming, however, remains the risk analysis — particularly for large multi-site organisations. This can no longer be purely centralised; it must be broken down locally, integrating the realities of each site, functional chains, and subcontractors. This holistic approach is demanding, but essential to demonstrate consistent application of Part-IS. 

A pragmatic approach to scaling up 

Faced with these challenges, the key lies in anticipating deployment. An effective ISMS relies on a solid common foundation, but also on concrete tools enabling local adaptation: templates, guides, risk analysis methods tailored to operational realities. 

The success of Part-IS depends on coordination between cybersecurity teams, business teams, and quality and compliance functions. Part-IS is not an additional layer: it is a cross-cutting framework that durably structures cyber risk management in the service of aviation safety. 

Conclusion 

In 2026, Part-IS enters its implementation phase. The consolidation of the AMC/GM sets a clear baseline and reduces the administrative burden compared to the first version. 

In addition, the late-2025 updates notably extended the scope of Part-IS.D.OR to ground handling service providers via Delegated Regulation (EU) 2025/22 amending (EU) 2022/1645, applicable from 27 March 2031. No immediate operational impact in 2026, but a useful signal to anticipate interface mapping — with no short-term urgency. 

Cet article Part-IS in 2026: from regulatory framework to operational reality est apparu en premier sur RiskInsight.

This guide directly follows the publication of the second version of ANSSI’s Industrial Systems Classification Method in March 2025, which we had already analyzed in a previous article. 

An update built on continuity: the same structure, the same underlying logic

Key differences between the first and second versions of the detailed measures guide 

In terms of structure, the 2025 guide remains very close to the 2014 version. It opens with a reminder of the constraints and weaknesses specific to industrial environments, followed by a clear separation between organizational and technical measures. The themes themselves will come as no surprise: governance, access control, network segmentation, remote access, backups, supervision, vulnerability management, cybersecurity integration throughout the system lifecycle, and incident preparedness. Continuity is clearly intentional. 

This stability has an advantage: organizations already aligned with the 2014 guide do not have to start from scratch. At the same time, it also highlights the fact that most of the “core topics” were already well identified more than a decade ago. The real question is therefore less “what is new?” than “what has become more actionable — and at what cost?”. 

On this point, the guide is explicit about its scope. It proposes a minimum baseline intended, among other things, to support security accreditation processes. However, it does not claim to replace IEC 62443, nor does it position itself as a certification framework. It simply reuses some of its principles and requirements, while clearly stating that the measures alone are not sufficient for the most critical systems. 

What has changed in concrete terms 

The most visible change is not the introduction of new topics, but a new way of expressing requirements. 

In 2014, the guide relied on a structuring distinction between recommendations (R) and directives (D), with a hardening mechanism depending on the cybersecurity class. In 2025, this grammar disappears. The guide now introduces a class based reading (C1 to C4) and several variants: 
– state of the art recommendations, 
– lower level alternatives, indicated by a “–”, 
– and reinforced complementary recommendations, indicated by a “+”. 

Typical structure of a recommendation 

A second major evolution is the explicit introduction of a fourth cybersecurity class and the strengthened alignment with IEC 62443, in line with the updated classification method. For each recommendation, a correspondence with an IEC 62443 requirement is indicated when it exists and referenced in a dedicated appendix. 

According to Appendix B, a large proportion of the 214 recommendations have a direct equivalent in the previous version. This confirms that the overhaul is primarily based on reorganization and reformulation rather than a fundamental shift in doctrine. After analyzing the 35 measures identified as having no direct equivalence, it appears that they are not necessarily new. They typically reflect: 

Categories of reasons for no direct equivalence, with illustrated examples 

Summary of recommendations with no direct equivalents in Annex B 

A more architecture-driven doctrine on interconnections and remote access 

Where the 2025 version truly changes the dynamic is in certain topics that are handled in a more structured way. In the first version, the doctrine on interconnections and remote access was already relatively prescriptive: it emphasized that remote management greatly increases the attack surface, set out operational rules, and even went as far as banning remote maintenance in class 3, using a logic of one-way (unidirectional) data flows. 

The modernization brought by the 2025 version makes the whole set more coherent and better structured: it moves from a reasoning mainly centered on components and means (firewalls, VLANs, data diodes, VPNs) to an interpretation in terms of security functions that must be combined and positioned according to the classes and the flow directions in Table 3. The rows of the latter correspond to the issuing class (“from”) and the columns to the receiving class (“to”); the icons indicate the security functions to implement in order to authorize the flow in that direction. For example, from class C1 to IT, only a system that can verify whether the data comes from an authorized source—Aut(IT)—is required. 

Summary of Table 3 – Section 4.2.1: all listed measures are associated with a data transfer unidirectionality function 

It should be noted, however, that the definition of Inno (OT) is not explicitly provided in the document. 

From framework to on-the-ground implementation 

The 2025 version of the Detailed Measures logically brings to a close the overhaul initiated with the publication of the second version of the classification method, and it strengthens compatibility with IEC 62443. In a context where the threat to industrial environments is now highly visible, this document comes at just the right time: it’s an opportunity to adjust your action plan—or even to launch a full 2030 roadmap. A guide that isn’t put into practice has never stopped an attacker! 

Among the priority workstreams that are regularly identified, we often see: 

• Revisit the IT mapping and the business’s dependencies on IT 
• Adapt the technical architecture by trading “new authorizations” for stronger authentication and better content control 
• Harden and centralize remote access, especially given the many suppliers present in industrial environments 
• Strengthen industrial environments or connect them to your SOC 

Cet article Industrial cybersecurity: the ANSSI “Detailed Measures” guide overhaul  est apparu en premier sur RiskInsight.

Quantum Threats: a new era for industrial cryptography 

Quantum computing represents a threat to traditional cryptographic algorithms which guarantee integrity, authenticity and confidentiality of communications, including those of OT systems and products. Even if “Q-Day” (the day quantum computers will break current cryptography) is still several years away, the risk is already present: threat actors can already use « Harvest Now, Decrypt Later » attacks by storing encrypted data today to decrypt them as soon as current cryptographic algorithms are broken. Another risk, just as critical, is already appearing: « Trust Now, Forge Later ». Digital signatures or certificates seen as reliable today could be falsified tomorrow, allowing transparent deployment of malwares or even compromising supply chains. Unlike progressive data breach, this attack triggers an immediate collapse of trust and integrity, with massive impacts on industrial environments and smart products. With the European roadmap, structuring 2026, 2030 and 2035, the question hinges on the sequencing of the transition. 

Within the industrial sector, where assets are used for multiple decades, this represents a major concern: OT environments and embedded products depend on critical cryptographic usage that will be directly impacted by the arrival of post-quantum algorithms. 

Key OT and product use cases include: 

• Secure administration of OT systems and products: guarantee the integrity and confidentiality of operations. 
• Digital signatures and firmware integrity: guarantee the reliability of software updates (secure boot, code signing, X.509…). 
• Secure remote access to industrial assets and products: protect VPN, SSH, RDP connections as well as other protocols from future attacks. 
• Data exchanges IT/OT: secure flows between information systems and industrial environments (TLS, MQTTS, HTTPS…). 
• Data confidentiality of industrial processes: preserve the confidentiality of sensitive data in transit or at rest. 
• Secure logging and event history: ensure the traceability and integrity of logs and historical data. 

PQC for OT & Products: Address the constraints while preserving crypto-agility 

OT & Products context: specific constraints 

OT systems and products were never conceived for crypto-agility. Numerous industrial protocols, for instance DNP3, Modbus or MQTT, are not encrypted as of today because OT architecture historically depends more on network isolation than on cryptography, thus there is no reason to think they will be encrypted tomorrow with post-quantum algorithms. 

Nevertheless, encrypted communications will undergo this cryptographic disruption. 

In a second step, multiple OT devices face significant hardware constraints (CPU, memory, storage capacity) and have a very long lifespan, often between 10 and 30 years. Those characteristics make updates difficult and expensive: secure remote update mechanisms are still rare, and firmware signing is not consistently implemented, which is in fact bad practice. 

Those constraints explain why OT environments cannot integrate new cryptographic primitives at the same speed as IT, and why PQC isn’t yet natively considered. 

Nevertheless, even if current products and OT systems aren’t conceived for post-quantum cryptography, the emergence of PQC standards, the evolution of regulatory obligations and the rise of risks linked to quantum computing make this transition essential in the medium term. 

Making crypto-agility operational for the industry and products 

The scoping of the PQC project for Products and OT can be broken down into four main components: 

1. Conduct the cryptographical inventory and prioritize critical assets  

Start the dialogue with your cryptographic platform providers (PKI, KMS, HSM) now, to anticipate the migration. 

2. Conceive and deploy crypto-agile architectures 

Rely exclusively on NIST-standardized algorithms (for instance: ML-KEM, ML-DSA, SLH-DSA) and prohibit any internal development or non-standard library for cryptographical components; prioritizing validated and proven solutions. 

Conceiving crypto-agile architecture implies accounting for the embedded aspect and its constraints (limited memory, PCBs, energy resources). The implementation of PQC algorithms on those systems remains uncertain. Nevertheless, optimized algorithms for embedded systems are starting to emerge and open the way to its realistic adoption. 

3. Progressively migrate through hybridization and iteration  

Transition towards post-quantum cryptography cannot be approached as a one-off project or a “one-shot” migration. It is an iterative process that must be managed and governed over time, by starting with hybridization of algorithms: this is explicitly recommended by ANSSI (France’s National Cybersecurity Agency) and the European Commission. 

Crypto-agility isn’t an option, but a necessity to ensure resilience and compliance for industrial environments and products from the quantum threat. This depends on a structured approach, driven by inventory, architecture, hybrid migration and governance.  

Operational feedback & concrete use cases: stakeholders at different stages 

Our field experience reveals a noteworthy maturity gap between two industrial organizations when dealing with post-quantum cryptography: 

1. Organizations with a rudimentary understanding 

•  Observation: In numerous industrial environments, PQC remains an abstract concept, often seen as distant or limited to experts.  
• Symptoms:  
  • Operational and business teams aren’t part of strategic deliberations on cryptography. 
  • Current roadmaps lack maturity and clarity; the underlying projects costs are often underestimated. Priority remains on service availability; quantum security is therefore deprioritized. 
  • HNDL & TNFL concepts are poorly understood, if not outright ignored.  
• Risks:  
  • Disruption of industrial production processes and data breaches: vulnerable communications between critical assets, based on outdated algorithms, expose sensitive data and can cause interruptions or major disturbances in industrial operations (loss of integrity of the data). 
  • Production downtime caused by abrupt migration: A forced transition towards post-quantum cryptography, without preparation nor crypto-agility, can lead to production interruptions, significant additional costs and severe impacts on operational continuity. 

2. Product suppliers: pioneers already undergoing industrialization 

• Observation: On the contrary, some product suppliers are already ahead (including automotive and smart objects). 
• Symptoms:  
  • PQC projects are prioritized over critical use cases: firmware and update signatures (OTA), device identity management, secure remote access, etc. 
  • Pilot projects are being launched on product lines or representative environments, with concrete feedback on performance, compatibility and robustness of hybrid solutions  
  • The process is being industrialized: Integration of PQC clauses in supplier contracts, automation of cryptographic inventory CBOM, team upskilling, and dedicated governance.

Conclusion & Roadmap: Take action to build a quantum-safe future 

Quantum threat is no longer a distant prospect: it already demands a significant transformation of industrial and product cybersecurity. 

1. Plan ahead to protect the future 

Demystify quantum concepts and incorporate them in your cybersecurity processes, including your products, your OT environments or your IT systems. Planning ahead is the key to preventing a major disruption. 

2. Make crypto-agility a strategic vision

Stop viewing it as merely a technical project, but as a pillar of your resilience and of your digital sovereignty. Build a clear roadmap, with milestones in the short, medium and long term. 

3. Rely on trusted partners 

The market is ready: experts and solutions exist to support you through the modernization and securing of your critical infrastructure. Don’t face complexity on your own.  

4. Industrialize the process

Move from pilot projects to broader rollout:  

• Implement a PQC strategy to map out, prioritize and pilot the migration of critical uses (include PQC clauses in contracts). 
• Start a transition program to modernize trust infrastructure components (PKI, CLM, HSM), automate the inventory and ensure the operational continuity. 
• Rely on peers’ feedback as well as feedback from sectors already engaged in PQC. 

Quantum risk is already there: weakened asymmetric encryption, leaving signatures and data exposed. 

As mentioned previously, we start from the observation that elements that aren’t encrypted today in OT environments are not meant to be encrypted tomorrow with post-quantum algorithms, because already existing measures ensure a risk level judged acceptable. 

In other words, PQC doesn’t aim to transform the entirety of OT, but to protect the uses that really rely on cryptographical components exposed to quantum risk. 

However, this observation doesn’t reduce the importance of planning. 

The two priorities remain as follows: 

• Migrate your assets before 2030 and act today to protect data confidentiality 
• Define your perimeter, build your roadmap, and above all, begin the migration process today. 

Cet article Post-Quantum Cryptography for products & OT: From trends to industrial reality est apparu en premier sur RiskInsight.

As cyber threats become more targeted, sophisticated and persistent—particularly against industrial systems and critical infrastructure—the ANSSI (French Cybersecurity Agency) has strengthened its cybersecurity framework by publishing a revamped version of its guide for the classification of industrial systems, originally released in 2012. 

This guide is intended for all stakeholders involved in industrial system security: operators, operators of vital importance (OIV), essential service operators (OES), integrators, and service providers responsible for aligning technical requirements with business imperatives. 

Its aim is to provide a methodology for determining the criticality of industrial systems, classifying them into one of four cybersecurity levels—minor, moderate, major or catastrophic—based on the maximum severity of potential impacts on: the population, the economy, and the environment. This classification helps identify the appropriate level of security needed and guides the implementation of cybersecurity measures. 

Figure 1: The 4 cybersecurity classes of the guide 

Why revisit the existing framework? 

The first edition of the classification guide, published in 2012, laid the foundation for a tiered security approach by introducing a three-class segmentation model based on risk (impact × likelihood). 

Figure 2: Key differences between the first and second versions of the guide 

While this initial version played a key role in fostering a culture of industrial cybersecurity in France—at a time when sector-specific references were still scarce—it encountered several limitations over time. 

Firstly, the integration of likelihood into the classification process led to a so-called “looping effect“, as described in the new guide. As security measures were implemented, the likelihood of an attack was considered to decrease, which in turn could lower the system’s classification level. This phenomenon compromised the stability of classification over time, making it difficult to maintain consistency between classification and actual protective measures. 

Moreover, the initial guide proposed only three classes, which resulted in systems being assigned to the highest one too often. There was also a lack of granularity in perimeter definition and limited alignment with international standards such as IEC 62443. 

The new version addresses these challenges by basing classification exclusively on impact, ensuring more stable classifications, consistent comparisons between zones, and better integration with structured risk analysis frameworks like EBIOS RM. This evolution also makes the approach more adaptable to the diversity and complexity of modern industrial systems. 

A methodology compatible with existing frameworks 

Figure 3: Classification methodology diagram from the new guide 

The new methodology is structured around three key activities: 

1. Definition of the technical perimeter 
2. Segmentation into coherent zones 
3. Classification of each zone based on the potential severity of impacts in case of compromise 

This approach enables organizations to assign each zone to one of the four cybersecurity classes according to the severity of potential impacts. It provides a rational and scalable understanding of security needs, with a focus on two key criteria: availability and integrity, which align with the core concerns of industrial environments. 

The guide does not replace risk analysis frameworks but is designed to integrate seamlessly with them. It was specifically built to feed into EBIOS RM workshops, providing a classification baseline that supports the identification of feared events and associated security measures. This structure eliminates the need to adapt or distort EBIOS RM to accommodate industrial contexts. 

The guide also draws on concepts from IEC 62443, such as zones, conduits, and security levels, helping align with international industrial cybersecurity best practices. 

This alignment is part of a broader push toward a structured deployment of cybersecurity. The guide provides a practical framework organized around key thematic areas, as illustrated below, to help effectively integrate cybersecurity into industrial environments. 

Figure 4: Key themes for deploying cybersecurity (Chapter 3.1 of the guide) 

What comes next: a detailed measures guide — bridging the gap between strategy and action 

Expected in the coming months, the detailed measures guide is the logical continuation of the classification methodology. It aims to equip industrial stakeholders with practical tools to move from theory to implementation, translating the cybersecurity classes into concrete operational requirements. 

Inspired by the 2012 guide, which already proposed a set of baseline measures for each class, this new version promises a more refined, up-to-date approach that reflects current threat landscapes and security practices. It will offer decision-makers and system owners a clear and actionable toolbox, detailing technical, organizational, and human measures adapted to the criticality level of each zone. 

Scheduled for publication in 2025, the guide will ensure continuity with risk analysis and compliance efforts already underway, while clarifying expectations regarding the concrete implementation of protective measures.  

Securing the present, anticipating the future 

Beyond its publication, the real challenge now lies in adopting the methodology and integrating it into the cybersecurity strategies for both existing and upcoming industrial systems. 

For existing systems, the new guide naturally fits into the security lifecycle recommended by ANSSI in its EBIOS RM guide. Impacts should be assessed on a case-by-case basis to determine whether modifying current architectures is worthwhile, weighing the cost of change, evolving business needs, and expected security benefits. Integration can occur:  

• During the strategic cycle, typically conducted periodically or following a major change, which offers an opportunity to revise perimeter definitions, update functional zones, and reassess system classifications using the new methodology; 
• Or during the operational cycle, focused on reviewing feared events, checking whether existing measures align with the defined cybersecurity classes, and adjusting protection strategies as needed. 

For new industrial projects, the new guide officially replaces the 2012 version and should be incorporated from the earliest design phases. It provides a framework for building a secure architecture aligned with business priorities, while also easing compliance with current and upcoming regulatory frameworks (NIS2, LPM, etc.) or contractual obligations. 

At Wavestone, we are integrating this guide into our industrial cybersecurity maturity evaluation framework and Cyber Benchmark methodology, alongside international standards such as IEC 62443 and NIST SP 800-82. All that remains is to wait for the operational measures guide to complete the picture!

Cet article Enhancing Industrial Cybersecurity: Changes Introduced by the New ANSSI Guide for Industrial Systems Classification est apparu en premier sur RiskInsight.

This innovation is due to increasing numbers of cybersecurity standards, regulations, and directives- such as NIS2 (Network and Information Systems Security Directive), the Cyber Resilience Act (CRA), and sector-specific regulations. This expanding regulatory framework reflects the need to secure critical infrastructures and technological products in the face of growing threats.  

This article explores the PART-IS regulation, its implication, scope, stakeholders involved, essential requirements, and steps involved in complying with it.  

What is PART-IS? Why is it essential?  

PART-IS was introduced to enhance aviation security by protecting critical information systems in aviation. Its main objective is to ensure that these systems, which include technologies such as avionics communications and air traffic management, are resilient in the face of cyber threats to guarantee the continuity and safety of aviation operations in a sector where any failure can have serious consequences. With the growing integration of digital technologies into aviation operations, from navigation systems to ground infrastructure, the sector’s vulnerability to cyber-attacks has increased considerably.  

By requiring aviation industry players to identify and assess the vulnerabilities of their systems, PART-IS is a proactive response to today’s challenges.  

Which systems are concerned?  

PART-IS applies to all digital systems used in civil aviation. This includes, for example: 

• On-board systems, such as Flight Management Systems (FMS)  
• Air Traffic Management (ATM) infrastructures  
• Predictive maintenance systems  

Due to the increasing interconnectivity between these systems, a vulnerability in one component can cause a chain reaction across the entire aviation ecosystem; jeopardising the safety of operations.  

Who are the stakeholders?  

The implementation of the PART-IS is based on collaboration between several stakeholders. The main players involved include: 

• Airline operators, who are responsible for the safety of on-board systems  
• Manufacturers, who must incorporate cybersecurity measures into the design of aircraft and equipment  
• Air navigation service providers, responsible for protecting traffic management systems  
• National authorities, whose role is to supervise and verify regulatory compliance  
• Ground service providers   

Part-IS will be mandatory from October 2025 for organisations approved by EASA under Delegated Regulation (EU) 2022/1645, i.e. production and design organisations. Maintenance organisations under Delegated Regulation (EU) 2023/203 will have to comply by February 2026.  

What are the PART-IS requirements?  

The PART-IS regulation imposes fundamental principles for guaranteeing the security of critical systems. The organisations concerned must adopt a rigorous approach to meet these requirements and ensure their compliance.  

Risk management (ISMS)  

This regulation is part of a proactive approach aimed at identifying, analysing, and mitigating the risks that could compromise the confidentiality, integrity, and availability of sensitive information. Based on a structured framework such as ISO/IEC 27001, the ISMS becomes a central tool for establishing robust security policies, deploying appropriate technical and organisational measures, and raising stakeholders’ awareness of cybersecurity issues.  

Risk management, a fundamental pillar of this approach, enables efforts to be prioritised on the basis of identified vulnerabilities, while ensuring continuous improvement through the PDCA (Plan-Do-Check-Act) cycle. Regulations require civil aviation operators and entities to have robust information security governance in line with best practice.   

Risk assessment  

Organisations must establish a structured methodology for identifying, analysing, and mitigating the cyber risks associated with their information systems. This includes carrying out vulnerability analyses, assessing the impact in the event of a compromise, and implementing appropriate controls.  

Continuous monitoring 

Real-time monitoring of systems is essential for detecting and responding rapidly to security incidents. This requires the use of advanced tools and the implementation of incident response protocols. All incidents must be reported quickly and accompanied by a clear response plan to limit their impact.  

Training and awareness  

Staff must be trained in cyber security best practice to reduce the risk of human error. Regular awareness programmes are essential to maintain a high level of vigilance.  

Audits and documentation  

Compliance with PART-IS is verified through regular audits conducted by EASA or national authorities. Organisations must also maintain full documentation covering safety policies, procedures implemented, and incidents encountered.  

What are the key stages in achieving compliance?   

Compliance with PART-IS offers a strategic opportunity for companies to strengthen the security of their critical systems and modernise their practices.  

With the compliance deadline set for October 2025 for at least part of the perimeter, is an appropriate time to start the compliance process.  

To achieve this, we are currently supporting our customers in 3 main areas:   

• Firstly, it is essential to precisely define the scope concerned, based on the scope of the approvals issued by the EASA, in order to effectively frame the efforts.   
• Next, drawing up an Information Security Management System (ISMS) will help structure the policies and processes required for proactive risk management.   
• Finally, carrying out the first risk analyses to identify vulnerabilities and draw up appropriate action plans.   

These steps lay the foundations for a solid, long-term information security strategy, which will then have to be nurtured and developed in the spirit of the continuous improvement process advocated by PART-IS. 

Cet article PART-IS: A pillar of cybersecurity in European aviation est apparu en premier sur RiskInsight.

The Current Perception of Cybersecurity in OT

In industrial environments, cybersecurity does not always have a positive image and is seen as a potential obstacle to business development. Cybersecurity teams are often criticised for defining rules but delegating their implementation without providing a solution or any help for the implementation of requested changes. For example, it is difficult to regularly change the passwords of dozens of generic industrial accounts, even though this rule is standard on a traditional IT perimeter. As a result, OT teams are often left alone to meet the criteria for security policy requirements.

Left alone, industrial operational teams develop “homemade” solutions designed with their very local point of view, at the scale of their site. These solutions are beyond the group’s control and are very specific (dependence on a local supplier, in-house solution designed for the site’s specific network architecture, etc.), and scalability capabilities are not evaluated. All these solutions are developed by expert and passionate teams who can question security practices and standards, but who rarely have in mind any strategic vision, even at the local scale, making the integration of their solutions at the scale of a group of industrial sites nearly impossible.

Short-term solutions… or even dangerous

In the long run, these local solutions have many disadvantages:

• They are not up to production standards and remain in the POC phase.
• They are poorly documented, which makes maintenance difficult.
• Scaling up to a group of industrial sites is nearly impossible in the long term.

As shown below, some of the “homemade” solutions encountered have even proven to be dangerous:

Real-life examples taken from the 2020-2023 industrial sites audits

Standardise cybersecurity integration in operations

Industrial companies stand out by their strong needs of availability and the substantial real-world implications of the operations. Consequently, investments in this sector must align with the magnitude of these challenges which require cybersecurity solutions of very large scale and complexity. IT, cybersecurity, and OT departments must cooperate throughout the development process to ensure that solutions are suitable for operations while meeting the group’s security standards. The goal is to industrialise the development of cybersecurity solutions for the OT perimeter, providing ready-to-use solutions ready to be deployed at scale.

The solution is the development of a catalogue of cybersecurity services in which services are selected and developed at the group level, in collaboration with all the players (Cyber, operations, IT) and integrating the management of the entire life cycle of the solution (maintenance, documentation, decommissioning, etc.). Thus, the cybersecurity department and the IT department can create, with the industrial department, a product management roadmap, with an industrialized process for the creation of solutions.

Designing an OT Cybersecurity Solution

The process of creating a solution must address several issues:

• Collect the needs of all stakeholders.
• Transcribing needs
• Ensuring Large-Scale Adoption by all industrial sites.

To ensure the efficiency of the process and the solutions, the development of the different solutions is necessarily long and can extend over a period of 2 to 3 years. Wanting to go faster means exposing oneself to poor coverage of operational needs, which could lead to the development of uncontrolled local solutions or poorly controlled and incomplete deployment.

Providing security solutions: a 6-step process

 Solution Factory Process

1.     Research & Development

The goal of the R&D phase is to find the best solution to meet all cybersecurity needs. Thus, in the event of an audit of the central office, compliance with security policies is guaranteed if the tool is used. During R&D, a few points are crucial:

• Assemble a project team with representatives from IT, cybersecurity as well as the operations, to guarantee the usefulness and usability of the solution.
• Define operational constraints at the right level (availability, resistance in a harsh environment, support, etc.) in order to control costs without compromising the usability of the product.
• Plan maintenance, update and release processes as early as R&D to avoid getting stuck with an imperfect or obsolete product.
• Plan the budget and business model of the product. In particular, who has to pay and what are the operating and investment costs. This helps prevent the project from getting stuck at the deployment step due to budget issues.

During the R&D phase, it is also interesting to start from what already exists. This makes it possible to identify talents or solutions that could be adapted at scale and across an OT perimeter. There are two possible approaches to finding solutions:

• Find solutions that OT teams use locally and scale them up.
• Search for cybersecurity solutions from the IT for IT catalogue and adapt them to the industrial world.

Two methods to take into account the existing situation

2.     Prototype

It is essential to think about the user experience and to take care of the image of the product from the prototype. The prototype is first and foremost a showcase that should facilitate the adoption of the product, but which can also damage its image if it is not practical and functional. When presenting the prototype, it is important to frame the use cases covered, and to have a functional and simple product. The first image of the prototype is the one that the operational staff will remember.

3.     Minimum Viable Product

The MVP phase has two main challenges: to test the product, and to bring together promoters. Communication around the MVP must be neat, and everything must be done to avoid failures. When testing, you should not only test the solution itself, but also all the support functions and the integration with the rest of the production environment.

Because the MVP can be a Single Point of Failure for production, it is also necessary to take into account the needs of high availability and set up bypass mechanisms in case of problems to reassure operational team and facilitate the integration. A MVP can severely damage a product’s reputation in the long run if it fails.

4.     Packaging

The packaging stage allows you to define all the prerequisites for the deployment of the product. It is necessary to define:

• Processes throughout the life cycle such as the management of deployment requests, defining the obligation or not to deploy, maintenance processes, update processes considering operational needs, etc.
• Define responsibilities, but considering that industrial sites must maintain a stronger independence than what is usually done on IT perimeters. There needs to be a clear definition of what is delegated to on-site managers in nominal mode and in the event of an emergency.
• The cost model, including long-term cost, must be clearly defined and compared to external solutions.
• Support should be considered as Support as a Service and all processes and tools should be set up and communicated.

5.     Preparing for maintenance

The last step before the actual deployment is the preparation for operational maintenance. For each product, a Solution Owner must be identified to manage the relationships between users, suppliers and – during the integration – the integrator. This person should be identified internally prior to deployment to ensure that maintenance is operational throughout the lifecycle without having to rely on an external.

Prior to deployment, there are three things that need to be taken care of to prepare for the product lifecycle and promote its widespread adoption:

6.     Deployment

During the deployment of the product, early adopters must be supported as much as possible to maximize the chances of adoption of the project by other sites. Financial incentives, such as discounts for early adopters, can also be put in place. Different scenarios of speed of adoption must be anticipated in order to be able to deploy quickly enough in case of great success, but without cost issues in case of adoption difficulties.

Conclusion

In an industrial environment, cybersecurity is still seen as too restrictive, an obstacle to productivity, and too prescriptive. IT departments set up security policies but do not provide solutions to comply with them, which leads to the development of poorly controlled local solutions. To control these risks, one solution is the development of an IT solution catalogue for OT. The development of these solutions is a lengthy process that can take several years, especially when several projects are launched in parallel. To maximize the chances of success, the operational needs must be considered from the R&D phase up until deployment. Integration with operational processes, support processes, and all budget issues must be considered. Finally, the final key to the success of the solution development process is communication. The image of the product must be carefully maintained and controlled to maximize adoption by industrial sites after the start of deployment.

Cet article IT for OT: What process to develop cybersecurity solutions adapted to industrial businesses? est apparu en premier sur RiskInsight.

The energy sector is made up of vital infrastructures and provides essential services for a country. The sector, shaped by increasing digitalization, is undoubtedly a prime target for cyber attackers with consequences that are liable to create shockwaves throughout the service industry as well as all major infrastructure. Taking electricity as an example, an outage spanning a few days would have grave consequences on transport, health and communication almost guaranteeing they cannot perform their core functions.

A sector undergoing transformation

The energy sector began its transition with the arrival of renewable energy. The shift in the sector is also due to innovative techniques and systems that have been integrated into the power grid to help manage the complex task of balancing energy levels, because it is vital that the energy pumped in and out of the grid at any one time always remain equal. This level of transformation leads to an increased need for flexibility to ensure security of both the power supply and the significant investments in the power grid. These are the objectives that have and will continue to drive concepts such as smart grids, to enable the control of energy consumption and optimization.

In response to these business evolutions (market shifts), the energy sector is undergoing a digital transformation that is disrupting the way energy is produced, processed, stored, transported, and consumed. Overall, information and communication technologies have helped optimize the supply chain. An example being the widespread deployment of industrial internet of things (IIOT) devices. The switch to these devices has led to an explosion in the volume of data in day to day activities. While energy companies must now use this data to be more agile in their decision making by effectively leveraging it, the large volumes of data expose the industry as a whole to a host of data based malicious actions, making cyber security a priority for the energy sector.

Here is a concrete example: remotely piloted, wind turbines and solar panels are by nature connected objects. They must be accessible remotely and therefore secure. However, these new projects do not systematically consider all cybersecurity constraints and related technical solutions (secure protocols, appropriate access technologies, etc.) from the design phase.

An increasingly targeted sector

Let’s look at the “history” of cybersecurity in relation to this sector: the discovery of Stuxnet in 2010 created a shock wave within the energy industry. This attack highlighted unknown vulnerabilities at the time.

In December 2016, some inhabitants of Kiev and its periphery were deprived of electricity for about 1 hour due to the disconnection of the substation of the Pivnichna electricity transmission power grid. The attack began as part of a massive phishing campaign in July of the same year, which exploited a vulnerability in Windows XP. The failure was caused by the remote switching of the circuit breakers to cut power.

Since then, cyber events have become recurring occurrences. Another example: renewable energies are new targets for cyber attackers. In 2019, in Utah in the United States, a wind and solar power system suffered connection losses with the company’s control center for 12 hours, causing power outages in surrounding homes. Cyber attackers had exploited a known vulnerability on unpatched firewalls causing a denial of service of equipment.

In 2021, the executives of Colonial Pipeline, which connects refineries across the United States, decided to block all their distribution operations following the spread of ransomware. The company said they paid $4.4 million in ransom for hackers to provide a computer tool to restore their business ^[1].

The energy sector is one of the most targeted sectors. According to the X-Force Threat Intelligence Index 2022 ^[2], the energy sector ranked as the fourth most affected sector in 2021, with 8.2% of all observed attacks, behind the manufacturing industry, the financial sector, and the professional services sector.

In 2021, ransomware was the most common type of attack against energy organizations with 25% of attacks. Oil and gas companies are particularly affected by this phenomenon. Remote Access Trojan (RAT), DDoS and Business Email Compromise (BEC) follow with 17% of attacks each.

While cyber-attacks are most often targeted for profit and espionage, the energy industry also deals with sabotage intentions, sometimes for geopolitical reasons. Some hacktivists can also pose a threat by attacking critical infrastructure. The recent ongoing major geopolitical destabilization events reinforce these risks.

The energy sector has critical infrastructure. In an increasingly interdependent world, any disruption, even initially limited to an entity or geographic area, can produce broader cascading effects as outlined below:

Impact Chain-Wavestone

To fight effectively against these new threats, the States and the European Union have adopted binding regulations to ensure a higher level of cybersecurity on the most critical facilities.

What role for regulation?

In France, the competent authority for cybersecurity is the Agence nationale de la sécurité des systèmes d’information (ANSSI). To respond to the increase in threats, the concept for the defence strategy has been based on the Military Programming Law (LPM) since 2013 in order to secure the Operators of Vital Importance (OIV). ANSSI mainly insists on procedures for the approval, control, and maintenance in security conditions of Vital Information Systems (SIIV).

At European level, the objective is also to protect sensitive organizations such as operators of essential services (OES) in the energy sector. The reference point for cybersecurity is currently the Network and Information System Security (NIS) directive. Its primary objectives are to increase cooperation between EU Member States, by facilitating the exchange of strategic and operational information, and to improve the cyber resilience of public and private entities in key sectors such as energy. When it comes to energy, ENISA wants to protect from large-scale threats with increasingly cross-border and interdependent power grid.

The complexity lies in the operational application of specific measures in industrial environments where equipment and means of production are expected to last several decades. Thus, modifying operational processes and/or equipment to incorporate additional cybersecurity is a concrete challenge. The impacts of this transition are significant both in financial and operational terms. This makes cooperation and sharing even more important for energy stakeholders to find pragmatic and adapted solutions: adapted network architecture, technical solutions compatible with the industrial world, vulnerability management processes and updates built with operational teams for example.

Conclusion

Considering the critical nature of the energy sector infrastructure, it is essential that business and cybersecurity actors in the energy sector communicate on good cybersecurity practices, learn from previous attacks, and contribute to changing the overall level of protection. It is in this context that the first forum dedicated to energy stakeholders «Cyber4Energy» will be held in Marseille on 30-31 March 2022. This event will be an opportunity for professionals to discuss cybersecurity challenges and dedicated solutions available to the sector.

Références :

[1] Etats-Unis : les oléoducs Colonial Pipeline ont versé une rançon de 4,4 millions de dollars à des hackeurs (lemonde.fr)

[2] X-Force Threat Intelligence Index 2022, IBM Security X-Force Threat Intelligence Index 2022 (ibm.com)

Cet article Energy sector: A cybersecurity obligation in the face of attacks to ensure the provision of essential services est apparu en premier sur RiskInsight.

Let us make a detour through a page of history, before plunging into the heart of our subject :

• In the 18th century, James Watt’s steam engine and coal mining changed the way of working. The use of hydraulic machines made the artisan workshops evolve into much more efficient factories: the 1st industrial revolution was in full swing.
• Then, the 2nd industrial revolution known for Taylorism and mass production is based on the use of electricity and oil. The long assembly lines, dear to Charlie Chaplin, replace the hydraulic and steam engines that are now obsolete.
• The development of new information technologies, from 1970 onwards, supporting operators in the most difficult tasks characterizes the 3rd industrial revolution. In particular, it allowed for increased robotization and production of larger batches.

This 4th industrial revolution marks the arrival of new technologies that are increasingly connected, leading to a high level of dependence on information technology.

Industry 4.0 brings together a set of technological advances and technical tools for optimising industrial processes.

Let’s take a concrete example of a use case:

A company needs to accelerate its production rate and to robotise part of its actions to save time. For example, screwing actions. It chooses to use a collaborative robot, also called a « cobot »^[1], capable of carrying out actions simultaneously or on the same workspace as an operator. The operator will be responsible for presenting the parts to be screwed to the cobot.

In addition to reducing turnaround time, the implementation of this binomial makes it possible to increase the quality of the finished product.

Industry 4.0 use cases increase the cyber risk to business processes. There are two reasons for this: the need for new interconnections of industrial systems with the outside world and the increased potential impact in the event of compromise..

What are the impacts for cybersecurity in this whole story? If we continue with this cobot, the screwing, initially done manually by an operator, is now made easier by the use of the cobot. The cobot has to be connected to receive orders and be updated.

• The manual operation is replaced by a computerised operation that is now exposed to a cyber attack

On a conventional robot, a “safety cage” is present to prevent intrusion by an operator during the operation of the machine tool. On a cobot, as there is collaboration with the operator, this protection does not exist. An impact in case of contact between the cobot’s screwdriver and the operator’s hand would be particularly serious for the operator !

• The introduction of new technologies can increase the severity of a cyber attack

This is not the only consequence of unsafe use of such technology :

• Changing a value in the cobot regarding the screwing torque can lead to a quality defect in case of incorrect tightening ;
• Greater importance of assisted operations means that in the event of a failure, the impact on production will be greater… which will quickly lead to a financial impact.

Let’s sum up a little simplistically :

The question now is how to deal with these risks, without blocking the legitimate demands of operational staff. Spoiler: no, refusing the project is not the solution!

The teams responsible for cybersecurity can anticipate the needs for the implementation of 4.0 technologies by drawing up adapted reflex sheets

From a technical point of view, we can group the advances linked to Industry 4.0 around a few major themes: augmented reality, connected objects, additive manufacturing, etc. Upstream of projects and with a few well-informed industry players around the table, it is possible to anticipate potential demands.

The objective for the cyber security team will then be to draw up a profile of typical use cases, deduce the potential risks and begin to identify appropriate security measures to respond to them. It is also an opportunity to propose “Industry 4.0” checklists to raise awareness upstream of projects.

Concretely, here is an example of a typical reflex card applied to our cobot seen previously :

By preparing upstream, cybersecurity teams are more relevant and effective when a new project is about to start.

Ready to embark on a “4.0” project? This is the ideal opportunity to support the industry in the transformation of its factory by offering adapted cyber security services.

The advantage of “Industry 4.0” projects lies in their ability to make in-depth changes to the foundations, sometimes a little dusty, of systems and networks already installed in the factory.

Does a conveyor project need to exchange information with the outside world? This is an opportunity to propose a secure file exchange server in your industrial DMZ (if you don’t have one, this is also a good time to think about it). Does an augmented reality system need a more stable wireless connection? This is the time to start thinking about strengthening the control of the devices that can be connected to it…

At the risk of repeating the obvious here, the ideal is to arrive upstream of the projects, through a constructive approach, rather than through a 100-page ISSP and guides to standards and technical rules that are not adapted to the cases of use presented.

For the risk analysis of an “Industry 4.0” project, the EBIOS RM risk analysis method facilitates exchanges by sharing strategic scenarios that can be understood by the business

Once discussions have begun on a concrete project, it is useful to carry out a risk analysis to support the discussions. Its depth and method will depend on the size and risks of the project.

This analysis will make it possible to refine the objectives we wish to protect, take a step back from the existing ecosystem and define the most convincing attack scenarios.

Here are some examples of frequently found scenarios :

• Logical sabotage for financial purposes (long version of the Ransomware scenario): A targeted or non-targeted attack, making equipment unavailable for financial gain.
• Stopping/Slowing down production: Targeted sabotage to gain a competitive advantage, revenge by ideology or just by defiance can be carried out by a malicious competitor, an avenger, a terrorist, an activist or even a thrill-seeking amateur. Also be careful not to forget the errors of manipulation !
• The alteration of the quality of the part produced: rather sophisticated and targeted sabotage impacting the quality of the products to discredit the company or simply create damage.

The conclusion of the risk analysis will make it possible to precisely define the cybersecurity measures to be put in place and the associated residual risks.

To move away from the “fortified castle” model, i.e. to focus on the isolation of its industrial IS and perimeter security, and to propose adapted security measures: finer detection, encryption, MCS … in a way, it’s time to move on to “4.0” measures

Our feedback shows that the definition of an action plan is a balancing act in these “4.0” projects. Indeed, by applying an overly restrictive safety model, based on IEC 62443-3-3 type zones and ducts, we run the risk of misunderstanding between the stakeholders. In fact, not all business solutions are compatible or mature, and many have not yet integrated the standards we would like to see applied.

So what to do? One way might be to propose appropriate security measures, “4.0” measures (for the industrial environment in any case) that have already proved their worth in other environments:

• To prevent a threat from spreading, one shall strengthen detection resources, especially the flows from and to industrial IS. This is the time to take advantage of this opportunity to dock with the Group SOC if it has not already done so.

• To ensure the integrity and traceability of transmitted/received data, encryption and authentication can be implemented. Do you already have a Group PKI? Why not think about extending it to industrial perimeters.

• It is also the right time to strengthen its OCM / SCM process. Is the solution connected with the outside? No more excuses for not installing an antivirus, updating it, installing security patches for your favourite OS, etc. This point should be anticipated prior to purchasing the solution, rather than once the product has already been installed!

• Finally the solution is critical for the business? A cyber-resilience component must be anticipated so that the solution can be quickly rebuilt and restarted in the event of an attack.

As we have just seen, there is no shortage of solutions, but they require adapted support from the cybersecurity teams and going beyond theoretical models. So, let’s take advantage of these “4.0” projects to make our industrial cyber security models evolve without a priori!

[1] https://commons.wikimedia.org/wiki/File:Cobot.jpg license CC : https://creativecommons.org/licenses/by-sa/4.0/deed.en

Cet article Industrial Cybersecurity in the Age of Industry 4.0 : how can we secure these new use cases and support business projects? est apparu en premier sur RiskInsight.

Industrial networks also called ‘OT’ (Operating Technology) or ‘Production Networks’ include: production networks in factories, test benches, research laboratories or embedded networks in technological products: trains, cars, planes, etc.

USB flash drives, the real swiss army knives of industrial it, are proving to be formidable vectors for cyber attacks

Particularly vulnerable industrial networks

Industrial systems have long service lifecycles lasting for several decades. These service lifecycles are much longer than those in traditional IT and often lead to problems of hardware or software degradation. These legacy systems are then no longer maintained by their suppliers as they stop publishing security updates for them. Maintaining their security is therefore complex or even impossible.

Even when updates are published, there are issues. For example, they require a maintenance window which can have an operational impact. In some cases, it may also be necessary to requalify the system or perform technical and functional testing before restarting.

In addition, system standardisation has become the norm. Windows or Linux operating systems are commonly found with fewer security patches and therefore may be more easily exploited by computer viruses.

The degradation of industrial systems, the difficulty of maintaining them in a secure state and their standardisation make them increasingly vulnerable to cyber threats. However, it is still necessary to access the industrial network to exploit these vulnerabilities, as they are historically less exposed….

These vulnerabilities are regularly exploited using removable media as a vector

Removable media is often used as a bridge between the internal office network or an external network and the industrial network. For example:

• USB storage devices can be used to deploy configurations or patches on disconnected systems. These configuration files or patches come from workstations that have an internet connection via the company network. These workstations are exposed to cyber threats, and as a result so are the USB storage devices, and through them, the disconnected systems.
• Many service providers operating on the industrial network use USB sticks to deliver configuration files, debugging tools and other software. The multitude of subcontractors means there are many data exchanges from uncontrolled networks to industrial networks, each potentially representing a threat vector that can be exploited.

These exchanges expose the industrial network to several types of threats:

• There are many viruses designed to exploit Windows vulnerabilities by spreading through removable media. One of the best-known ones is the Conficker virus, which exploits the automatic task launch mechanism of removable media and thus manages to automatically launch a virus or viral payload when the media is connected. Once a computer is infected, it can spread to other hosts through the network.
• The original intended use of storage devices can also be maliciously changed; this type of attack is called a “Bad USB”. Rubber Ducky is an example: it makes a USB key look like an input device such as a keyboard, and then launches commands when connected to a computer.
• When connected to a computer, USB killers, which look like ordinary USB sticks, store energy until they reach a high voltage, they then release this energy into the host computer to destroy its physical components.

However, the use of these removable media devices is difficult to circumvent

Removable media has several common uses such as data storage, backup, transfer or information sharing.

These different use cases have gradually emerged, often at the ingenuity of users without any real supervision from the IT department or the business. When we study these different scenarios, we can classify them into two categories:

• Those that can be easily removed by offering either a more secure alternative or an improved way of working. For example, with two industrial networks connected to each other, the implementation of a file sharing space on the network can replace a direct exchange by removable media.
• Those that could be eliminated with major investment or be very difficult to remove immediately. For example, using an isolated network to install a new computer whereby the deployment of a master image by USB can be difficult to replace.

It is difficult to do without removable media entirely, but their use remains problematic. Faced with these threats, solutions are beginning to emerge.

Multiple technical solutions exist but provide only a partial solution

A myriad of increasingly available technical solutions

There are different technical solutions for controlling the content or use of removable media. They can be categorised into several families of solutions:

• Decontamination terminals or boxes, using one or more antivirus databases, allow us to analyse the USB key content, and if necessary, (re)format or quarantine files if they are considered malicious. Several manufacturers offer this type of solution, including KUB, HOGO, Orange and SOTERIA.
• More complex ones can issue a certificate to the key after it has gone through the decontamination terminal. This certificate validates (to the host) that the key has been scanned. This requires that an agent is deployed on all workstations to enable certificate authentication. OPSWAT and FACTORY Systems are among the manufacturers. Previously mentioned KUB, also offers this more complex option on these boxes.
• Lastly, there is a solution to group the devices that are used as filters, effectively acting as security airlocks between the host and the removable media. This is a small piece of equipment, connected directly to the USB port of the host on one side, and to the USB key on the other side. Its operation is based on white-list filtering and/or blocking writing from the workstation to the removable media. SECLAB is an example of a manufacturer for this solution.

Since all solution offers have different characteristics, it is necessary to identify the one that best meets the security requirements and constraints of the user.

These technical solutions create additional steps and require time, which may hinder their adoption

Depending on the technical solution, the cleansing of removable media is a step that can be time-consuming.  For example, if the key contains lots of small files that must all be checked, the processing time will increase. This task is also highly dependent on the performance of the media being tested.

Additionally, a problem of sizing the terminal arises if the removable media is used to push several large updates (Microsoft for example) or even a complete WSUS database (Windows Server Update Services) between 2 networks (this can reach a 100GB of data). If this time is not controlled and limited, removable media users will stay clear of this technology.

Difficult access also discourages users. In the industrial sector, there are many constraints depending on where users are located. A change of area may require a change of protective equipment, clothing or special controls. Insufficient equipment could lead to the same accessibility problem.

It is necessary to place the right equipment where decontamination is taking place or is unavoidable (reception, security office), and to find the right compromise between the different implementation of solutions: e.g. a solution applied centrally (terminal) vs. distributed (box or filter).

These technical solutions often require maintenance in operational condition (MOC) and maintenance in safety condition (MSC) which must not be neglected

To properly function, the technical solutions must be maintained by updating them, updating their viral databases for when the solution integrates an anti-virus, updating the filtering rules, as well the certificate database for more complex systems. It is also useful to be able to issue reports and alerts when the tool permits.

For this purpose, the decontamination terminals require several types of access:

• antivirus updates on servers;
• internal operating system updates on servers;
• the supervision network for issuing reports and alerts;
• Sometimes to a dedicated server that will manage the certificate database and centralise administration.

These terminals can therefore be integrated into a more, or less complex architecture as required.

Decontamination terminals are equipped with an operating system and often standard applications, hence the importance of hardening their configurations so they themselves are not the victim of an attack.

It is necessary to conduct a study on the possible technical solutions by putting into perspective the reliability, utility, efficiency and cost of each option. Similarly, it is essential to review the governance of these facilities, which are at the crossroads between the management information system and the industrial information system. This should avoid problems of underestimating the implementation of these solutions and stop users turning away from the chosen solution.

The protection of industrial systems against USB-related threats requires a careful choice of technical solution and availability for users. Without this and without awareness of the cybersecurity issues, systems are exposed, and the impacts of an attack can be significant.

These tools must be the subject of a full project: from the consideration of use cases and change management

The use cases must be known to decide between the different solutions or even eliminate the use of the removable media

Before proposing a technical solution, the first question to ask yourself is why do we need to use the removable media? To answer this question, you must list all the different use cases.

In each case, it must be determined whether their use is appropriate and whether there is no more effective and/or safe alternative. Here are some examples of commonly encountered situations for which alternative solutions exist:

• If a USB key is used as storage for config. files, then a centralised solution or at least storage on suitable equipment can be used.
• In the case of media being used between two devices that are connected to a network, the implementation of an exchange server, for example using a secure protocol such as SFTP, can be considered.
• For maintenance teams working on connected systems that use removable media to update configuration files, an MFT (Managed File Transfer) exchange gateway with antivirus control can be used. This application ensures the safety of a file from an external source before making it available internally. A third-party solution would be able to make secure removable media available to staff or maintenance teams by only allowing editing of media from workstations.

In the remaining cases, an appropriate solution should be considered. The solution should be presented to users and its interest explained. For better adoption, it should have as little influence as possible on the pre-existing business process, and as a minimum, it should not lead to an excessive workload or time commitment.

In addition to being integrated with the business use case, the technical solution must meet the intended security objectives

2 selection criteria must be taken into account when deploying a removable media security solution: the business use case and the security objectives targeted.

The security objectives are often the same: check that a storage device is genuinely a storage device (i.e. not a “Bad USB”) and check that it does not contain a virus or viral payload. These 2 objectives are covered by most solutions on the market.

It is therefore the business use case that will influence the ergonomics of the chosen solution:

• A fixed monobloc terminal integrates well into the entrance of an area reserved for operations such as a laboratory or workshop. On the other hand, a tablet will be much more mobile and can be used in several situations.
• A certificate solution requiring an equipment agent on standard workstations without specific qualifications will not be difficult but can be problematic in qualified or already obsolete environments.
• Mobiles always need a way to control; a filter solution can be considered for this.

Once the type of solution has been chosen, the possibilities of integrating the solution into the existing ecosystem with proposed security measures will make it easier to select the most appropriate one.

The chosen solution must integrate administration and incident reporting functions while guaranteeing an appropriate level of security

The chosen tool must be easily manageable and have a centralised administration function if there is a significant number of facilities being planned. It is also necessary that the following elements of the solution can be updated: the operating system, the embedded applications, antivirus applications, and the signature databases.

These features mean that the solution will need a connection to the administration network and an external connection to retrieve these updates. These connections must be secure, and the update server systematically identified.

In addition, it is necessary to take precautions to ensure that the solution has been hardened and that only the useful functions are available, especially at the operating system level. It would be pointless if the key decontamination tool itself was the vector of key contamination!

Finally, it is preferable that the generated reports and event logs can be sent in a standard Syslog format, centralised and also analysed by an existing SIEM to detect and track any suspicious activities.

In conclusion, the implementation must be approved by the people who will actually use the terminal every day

There are many technical solutions that, by analysing and decontaminating these devices, can reduce exposure by removable media in industrial networks. There are 2 success factors for good implementation:

• A solution designed for business use cases with end users in mind; and
• A solution where administrative factors, the update process and security aspects have been considered upstream.

In addition to these, there is a 3^rd success factor: change management, which must ensure that the new tool is properly integrated into existing processes with appropriate communication to end users.

It is necessary to formalise a procedure in case there is a virus or any other abnormality. Detecting is ultimately only the first step towards an appropriate response.

Cet article Removable media decontamination tools – success factors for effective security gain and successful deployment est apparu en premier sur RiskInsight.