Usbek & Rica is a French publication available in digital, print and event-based formats. Its mission is to “explore the near, distant and very long-term future”, enthusiastically and optimistically. open_resource magazine invited it to indulge in this forward-looking exercise.
The Verizon Risk Team1 2016 report looked into an attack against a wastewater treatment plant, in which data was stolen and the volumes of chemical additives in the water were altered. Fortunately, the damage was minimal and quickly brought under control. But this event demonstrates the scale of the risks incurred. And water is not the only sector at risk. All the critical infrastructures that are essential to life and to a nation’s economy, such as energy and transport, are exposed to cyberattacks. Not to mention connected objects. The generally accepted consensus is that they are massively exposed to attack.
An overview of the risks incurred today.
Illustration by Camille Jacquelot
Forecasts of the number of connected objects worldwide in the coming years vary from one study to another. 12 billion in 2018 according to Gartner, an expert in information technologies, and 28 billion by 2020 according to the International Data Corporation consultancy firm, with a worldwide population of more than 7.5 billion. In addition to our computers, smartphones and tablets, our waste bins, vehicles and houses are getting equipped with sensors connected to the network and communicate with one another. The 2017 International Cybersecurity Forum gave pride of place to the Internet of Things (IoT), which is the victim of more and more security breaches, including the hijacking of electric cars, central servers or even connected light bulbs. Problems that affect the protection of our privacy and the security of the systems, industrial and otherwise, around us.
For Adrien Facon, Special Projects Manager at Secure-IC, which specialises in the security of onboard systems: “The IoT offers an unprecedented attack surface, with an ever rising number of targets and interconnections, which is why the IoT is also known as the Internet of Targets/Threats. Adapting our protection strategies represents an essentially scientific and technological challenge, but also a challenge in terms of change management, in particular in our production processes.”
Awareness of the risks
Attention is shifting higher up the chain, to the protection of components, further the simple installation of firewalls and anti-virus software. Security by design offers the means of taking harmful events into consideration right from the first stages of the design cycle and, when instances of vulnerability are detected, of asking questions about the impact, the probability of occurrence and the measures that need to be taken.
“Objects do not only need to be protected when they are working,” insists Cédric Lévy-Bencheton, an independent expert in security (Cetome). “Measures must be taken at every stage of the production process.” These security imperatives are all too often ignored because of the strategically decisive time-to-market factor, which demands that products reach the market and are available for sale more and more quickly. This is the reason why the European Union Agency for Network and Information Security (ENISA) is currently working on the definition of basic rules adapted to different sectors. “It is also up to customers and consumers to demand security and the manufacturers will have to adapt to the demand.”
Collaboration between the public and private sectors
Cybersecurity is no longer a matter of concern for Information Technology (IT) only, but also for every IT function that can have an impact on the physical world. And this is where regulation comes in. Faced with this crucial issue, France set the example by creating the French National Cybersecurity Agency (ANSSI) in 2009 in an effort to combat cyber-risks. The creation of the agency was quickly followed by the introduction of a national strategy in 2011. The 2013 military programming law sets forth the basic rules to be obeyed by 200 operators of vital importance (OIV), defined in terms of defence and security for their economic and societal impact.
In February 2017, the UN Security Council adopted its first resolution on the protection of critical infrastructures against terrorist attacks. This unprecedented text, unanimously adopted by the members of the organisation, lists banks, telecommunications, emergency services, transport and energy and water supplies as “essential components of modern life”. Consequently, States must take “preparatory measures” for intervention in the event of an attack, by creating or strengthening partnerships between the private and public sectors in order to “pool their information and their experience” through “common training” and “communications and emergency alert networks”.
No cybersecurity without cyber-resilience
The number of points of entry requiring protection against attack have proliferated, from the central systems used to manage resources, to driverless vehicles and electronic data files. Enterprises must now consider the creation of a Security Operations Centre (SOC) and the taking of appropriate measures as a priority. “The first operational step towards cybersecurity consists of detecting and interpreting events,” points out Adrien Facon. “Managing disruptive events must enable certain systems to guarantee the continuity of service and operations, for both vital or simply financial reasons.”
Since 2012, ANSSI has been recommending “defence in depth”, or protecting the critical parts of a system by stacking up layers of varied forms of defence. Whenever an assailant overcomes one obstacle, he is faced with another layer of security. According to the manifesto published by Symantec, a leading American software publisher, this means “creating an inhospitable environment that is more difficult and less profitable to break into”. The goal no longer consists of reacting to the fire and taking stock of the damage after the storm has passed, but of being proactive.
The “threat landscape” continues to become more diversified and this former security architecture is not always sufficient. For vital operators, restarting the systems is fundamentally important. This is known as cyber-resilience. As Adrien Facon explains, cyber-resilience “guarantees continuity of service, even when attacks are in progress and can be established through various technical strategies, such as the methods used to isolate the threat, or adaptive methods that detect in real time and correct the infected task on the fly.”
In the energy sector, the nuclear industry is an exception, with duplicated equipment and communications processes, an independent cable network and backup generators. Should these “sensitive” infrastructures be viewed as an example?
“Duplicating all the equipment on a railway line, for example, would be too expensive in terms of investments and maintenance. It is better to identify the priority measures and to concentrate on them,” claims Cédric Lévy-Bencheton. But the expert in cybersecurity also believes that shying away from the “all-digital” and keeping a share of analogue technology is not realistic either.
As Adrien Facon states, “the technology itself must become a factor of trust. Our electronic systems must not remain complicit in the attacks, but become the operator’s ally.”
1 – The risk analysis team of the American telecommunications operator Verizon
This article was published in the fifth issue of open_resource magazine: “The resource management in the digital age”
optimising rainwater management in Singapore27.08.2018
forests in the city05.07.2018