01 Dec Pan-European Cybersecurity Campaign – Report on the 1st Webinar, 23.11.2021
Protection of Industrial Systems and the IoT
On November 23, 2021, the ECA launched the first Webinar of its Cybersecurity Campaign series as a step toward creating a space of trust for the cybersecurity community in Europe, a space where CISOs and suppliers can have a high-level exchange without any “intent to sell”.
Over 80 attendees took part in the discussion on Tuesday evening.
Our six speakers Eleonore Nantas (Thalès), Roland Atoui (RedAlertLabs), Hervé Bury (Framatome), Nicolas Cote (Tehtris), Vincent Nicaise (Stormshield) and Gweltas Radenac (Wisekey) had a good time while keeping the discussion high-end and answering many questions from the crowd.
Their contributions reflected their expertise and were insightful on the following topics: What are the priorities when securing industrial OT and IIoT systems? How can a large industrial company make sure its IIoT is totally secure? Are security retrofits possible? How do plant-level staff implement security measures? Are European users and providers ready to scale up their business? And finally: When will we have common standards and certification rules across the EU?
This Webinar was a demonstration of the maturity of the European industry, in a domain of high importance as a transition to industry 4.0 is planned. Such maturity can be seen as a lever for European strategic autonomy.
The discussion started with a reference to the challenges of industrial systems: in many cases they rely on equipment with a long lifecycle, and in a number of plants the equipment was installed before cybersecurity was a consideration at all. As the transition to Industry 4.0 unfolds, remote access from or to meters and sensors becomes a general feature, which puts stress on security solutions.
All speakers advocated a security-by-design approach, applied as early as possible (ideally by the prototype stage), since the later it is introduced, the more compromised and difficult it becomes. This should be backed up by a security-by-default approach. Raising awareness in your team comes first; only then does executing the technical part (see the main recommendations below) become feasible. Running maturity assessments and testing on a regular basis are necessary to keep security at a high level over time. Overall, a willingness to provide consistent effort is central.
Another important issue is knowing your supply chain. In the industrial world, many pieces of connected equipment come from third parties. Therefore, reviewing and checking their origins and certifications is of paramount importance.
As the OT network was designed 20-30 years ago, it was not designed with security in mind. Hence, network segmentation should also be considered to reduce both the attack surface and the damage an intrusion can cause. One way to do this is to sort equipment into zones, grouping together equipment that requires the same level of security. Our speakers advised encapsulating communication in VPNs and using security protocols adapted to user profiles. As a last resort, hardening workstations raises security when the equipment itself can be secured no further.
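The zone-based segmentation the speakers describe can be made concrete as a conduit table: each asset belongs to a zone, and only explicitly listed zone-to-zone flows are allowed, some of them only inside a VPN. The following Python script is an added illustration, not material from the webinar or from any of the speakers' companies; the zone names, asset inventory, ports and sample flows are all constructed for the example.

```python
"""Zone-based segmentation policy check (added illustration, not from the webinar).

Assets are grouped into zones by the security level they require; a conduit
table states which zone-to-zone flows are allowed, on which ports, and whether
the flow must be VPN-encapsulated. Observed flows (a constructed sample, not
real plant traffic) are then audited against that table.
"""
from dataclasses import dataclass

# Constructed asset inventory: host name -> zone (hypothetical names)
INVENTORY = {
    "plc-01": "field",
    "sensor-07": "field",
    "scada-hmi": "control",
    "historian": "dmz",
    "engineering-ws": "enterprise",
    "vendor-jump": "dmz",
}


@dataclass(frozen=True)
class Conduit:
    ports: frozenset          # TCP ports permitted on this conduit
    vpn_required: bool        # flow must be wrapped in a VPN tunnel


# Conduit table: (source zone, destination zone) -> allowed traffic.
# Anything not listed here is denied by default.
CONDUITS = {
    ("control", "field"): Conduit(frozenset({502}), False),    # Modbus/TCP from HMI to PLCs
    ("control", "dmz"): Conduit(frozenset({443}), False),      # HMI pushes data to historian
    ("enterprise", "dmz"): Conduit(frozenset({443}), True),    # office reads historian over VPN
    ("dmz", "control"): Conduit(frozenset({22}), True),        # jump host reaches HMI, VPN-wrapped SSH only
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    over_vpn: bool


def check_flow(flow, inventory=INVENTORY, conduits=CONDUITS):
    """Return None if the flow is permitted by the conduit table, else a reason string."""
    src_zone = inventory.get(flow.src)
    dst_zone = inventory.get(flow.dst)
    if src_zone is None or dst_zone is None:
        return "unknown asset"                 # inventory gap: device not under management
    if src_zone == dst_zone:
        return None                            # intra-zone traffic allowed in this simple model
    conduit = conduits.get((src_zone, dst_zone))
    if conduit is None:
        return f"no conduit {src_zone}->{dst_zone}"
    if flow.port not in conduit.ports:
        return f"port {flow.port} not allowed on {src_zone}->{dst_zone}"
    if conduit.vpn_required and not flow.over_vpn:
        return f"{src_zone}->{dst_zone} must be VPN-encapsulated"
    return None


def audit(flows, **kw):
    """Return a list of (flow, reason) for every flow that violates the policy."""
    return [(f, r) for f in flows for r in [check_flow(f, **kw)] if r]


# Constructed sample of observed flows
SAMPLE_FLOWS = [
    Flow("scada-hmi", "plc-01", 502, False),          # allowed conduit and port
    Flow("engineering-ws", "plc-01", 502, False),     # office host straight to a PLC: no conduit
    Flow("engineering-ws", "historian", 443, False),  # right conduit, but VPN missing
    Flow("vendor-jump", "scada-hmi", 22, True),       # allowed, VPN-wrapped SSH
    Flow("unknown-box", "plc-01", 502, False),        # not in inventory
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.port}: {reason}")
```

Running the script lists the three violating flows. The "unknown asset" branch is the tie-in to the supply-chain point: a device that is not in the inventory cannot be placed in a zone, so its traffic is flagged rather than silently permitted.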
Looking at “real life”, a specific issue was mentioned: ownership! Responsibility for cybersecurity solutions needs to be clearly articulated between those who carry it (CISO and COO; not the same game as in classical information systems). Moreover, you need close relations with “fieldworkers”, embedding teams and having contact points in remote regions to ensure everybody is on the same page. Easy access to equipment at risk is not always a given, so workers need to be autonomous in their ability to react to threats. There needs to be good coordination between local reaction points and the HQ team.
Another point of attention was retrofit. Is a retrofit possible? The answer came in a decisive manner: it's not only possible, but a necessity. You need to update and add new features frequently to restore security functions in assets that were not designed at the time to cover a certain threat level. Threats are evolving faster than the refurbishment process, so retrofits are a common requirement. They are complex and difficult, and there are usually two ways to do them: 1. identify the security functions to be implemented and deploy them one by one over time in separate projects; or 2. design a cybersecurity core model, deploy it in a test location and, after approval, roll it out to all sites.
As one of the ECA's core goals is to create European champions, we had to ask: are European cybersecurity suppliers and users ready for a pan-European scale-up? The answer was optimistic: companies are growing more and more mature, and so is the ecosystem. Regulations are keeping up with this process, and standardization organizations are working hard to pave the way to success.
You missed out? Download the Replay here.