[FIC REPORT] ORANGE CYBERDEFENSE – Industrial security: when production 4.0 protects itself against cyberthreats

Speakers: Nicolas Arpagian, Director of Strategy and Public Affairs, and Olivier Ligneul, EDF Security Director

FIC Synopsis: “Harm to industrial control systems is particularly strategic as it generates economic consequences, and can also directly impact the environment and human life. These assets require specific approaches, based on a good understanding and knowledge of complex technological environments and industrial processes. With Olivier Ligneul, Director of Cybersecurity of EDF Group, we will discuss customer feedback concerning the implementation of operational cyber security measures in industries around the world, in order to ensure continuous, safe and secure operations”.

Industrial systems suffer from a lack of governance and poor IT hygiene. Based on its audits, Orange Cyberdefense presented a Top 10 of industrial vulnerabilities, including:

– Lack of intrusion detection or prevention capabilities
– No monitoring of system logs
– Unhardened operating systems
– Obsolete operating systems and software
– Poor or no account and rights management
– No software and system patch management

The intensification of cyber-attacks and the growth in data volumes increase companies' liability. Industrial safety depends on an industrial system that must keep producing and delivering. Orange Cyberdefense described a security model built on interconnected but separate systems, following an onion approach around a central core: the core is isolated and not directly accessible, and the further one moves outward from it, the more interconnected the systems become. IoT sensors are placed as close as possible to the machines and feed computations performed in data centres.

Basic principle: bring cybersecurity resources to the workstation, not the other way around.

Interconnections are therefore multiple and growing. Industrial IT has its own characteristics: it still lives with the myth of the air gap, it has a longer lifespan, and it relies on integrated, proprietary systems. IT skills are not always available on site, and historically there has been a lack of security by design. Plant 3.0 is deployed by sending production orders down to the shop floor and bringing information and dashboards back up, together with remote maintenance and mobility. Plant 4.0, which is now in operation, adds the Internet of Things, machine-to-machine communications, remote control, customised production (small series, 3D printing), augmented reality (virtual plant), cloud computing and big data.

The security of industrial systems rests on the ability to manage its own knowledge and digitalisation, and on having a number of actors who work together on the industrial process.
The lack of detection is a major problem: it leaves the plant blind to threats. It is necessary to be able to detect malicious elements that could damage the system and the industrial tool.
Example: the strengthening of the EDF CERT relies on ANSSI alerts and on exposure to potential vulnerabilities. The CERT then takes charge of finding patches and corrective measures. Update mechanisms must have sufficient integrity, and be capable of repairing the system, so that the update itself does not compromise it by design. In addition, it relies on detection and machine-learning skills around the elements that would make an attack detectable.

The essential steps: identification > protection > detection > reaction > anticipation

In an industrial complex there is an operational chain, and each actor guarantees the proper functioning of its link. With machines, the first difficulty is getting the information to flow up from them; it must then be collected and analysed.

Examples of supervision tools:
– Machine learning: brings material to the analyst, and also allows data to be mapped and normalised rather than merely collected.
– Multi-level architecture (as in military systems): information is passed up from level to level so that the central system is never directly exposed.
– Mechanisms that verify nominal operation.

These tools can react within the control of the systems. Upstream, therefore, action plans (crisis management) must be predefined and organised in circles: circle 0, the minimal circle, where the reaction is fast and automatic; then wider circles, the longer the crisis lasts and the more answers are expected. The larger circles are handled in a second step.
Regulations also apply, such as the NIS Directive, the LPM (the French military programming law) and the Protection of Scientific and Technical Heritage. These systems are confronted with cyber-related acts and regulations intended to protect information related to industrial assets.

Solutions?

• The problem is the large amount of data to be processed: should security be built in “by design” very early on?
• According to Guillaume Poupard, director of ANSSI, prevention should be done as far upstream as possible, while “keeping control” so that each party stays within its area of responsibility.
• In an industrial system, the more compartmentalised you are, the more control you lose, and vice versa. At the design stage, plan for equipment that does not yet exist. Have an effective global system, and supervise it reliably.
• Partition information so that attackers cannot access it.
• Find solutions that do not yet exist or have not yet been formalised as “best practices”.
• If we trust a fully automated information system, questions arise about the beginning of the chain and its ability to give the right orders.

Examples of attacks on an industrial chain
>> Demonstrated on Siemens S7-300 and Schneider M221 PLC starter kits

The attack vectors are multiple:
– An attack box connected to the STI and accessed remotely over Wi-Fi or 3G
– Propagation through a USB key
– Intrusion from the office LAN

Weaknesses exploited:
– Physical access to the industrial network
– Unsecured / unauthenticated protocols
– Inadequate GIS/IRS partitioning
– Accessible USB ports
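As an added illustration (not part of the report, nor Orange Cyberdefense's or EDF's tooling), the following Python applies the onion model to flow records: it flags traffic that skips a ring, such as the office LAN or an outside Wi-Fi/3G link reaching the PLC ring directly, or a non-allowlisted host reaching a PLC, and notes when this happens over S7comm (TCP/102, used by the S7-300) or Modbus/TCP (TCP/502, used by the M221), neither of which carries authentication. The subnets, the allowlist and the flow records are constructed.

```python
import ipaddress

# Constructed networks, one subnet per ring of the onion model
ZONES = {
    0: ipaddress.ip_network("10.0.0.0/24"),   # PLC core (S7-300, M221)
    1: ipaddress.ip_network("10.0.1.0/24"),   # supervision / engineering stations
    2: ipaddress.ip_network("10.10.0.0/16"),  # office LAN
}
OUTSIDE = 3  # anything else: Wi-Fi/3G gateways, remote maintenance, attack box

# TCP ports of PLC protocols that carry no authentication
UNAUTH_PLC_PORTS = {102: "S7comm", 502: "Modbus/TCP"}

# Constructed allowlist: the only supervision hosts permitted to talk to PLCs
ALLOWED_TO_PLC = {"10.0.1.10", "10.0.1.11"}

def zone_of(ip):
    """Return the ring number of an address (OUTSIDE if it matches no zone)."""
    addr = ipaddress.ip_address(ip)
    for ring, net in ZONES.items():
        if addr in net:
            return ring
    return OUTSIDE

def check_flow(src, dst, dport):
    """Return alert strings for one flow; an empty list means it respects the model."""
    alerts = []
    s, d = zone_of(src), zone_of(dst)
    if abs(s - d) > 1:  # only adjacent rings may communicate
        alerts.append(f"ring skip: zone {s} -> zone {d} ({src} -> {dst})")
    if d == 0 and src not in ALLOWED_TO_PLC:
        alerts.append(f"non-allowlisted host {src} -> PLC {dst}")
    if alerts and dport in UNAUTH_PLC_PORTS:
        alerts.append(f"over unauthenticated {UNAUTH_PLC_PORTS[dport]} ({dst}:{dport})")
    return alerts

def parse_flow(line):
    """Constructed flow-log format: '<src> <dst> <dport>'."""
    src, dst, dport = line.split()
    return src, dst, int(dport)

SAMPLE_FLOWS = [  # constructed flow log
    "10.0.1.10 10.0.0.5 102",     # engineering station -> S7-300: allowed
    "10.10.4.23 10.0.0.7 502",    # office LAN -> M221: intrusion from the office LAN
    "192.168.43.2 10.0.0.5 102",  # outside box over Wi-Fi/3G -> S7-300
    "10.0.1.50 10.0.0.5 102",     # unknown host in the supervision ring -> PLC
    "10.10.4.23 10.0.1.10 443",   # office -> supervision: adjacent rings, allowed
]

def scan(lines):
    """Map each flagged flow line to its alerts."""
    findings = {}
    for line in lines:
        alerts = check_flow(*parse_flow(line))
        if alerts:
            findings[line] = alerts
    return findings
```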