Cybersecurity flaws make French industry vulnerable

The French indus­tri­al sec­tor has long been iso­lat­ed from the world of infor­ma­tion tech­nol­o­gy. From traf­fic light reg­u­la­tion to auto­mat­ed lug­gage sort­ing to the coor­di­na­tion of assem­bly robots on an assem­bly line, these oper­a­tional tech­nolo­gies have long been devel­oped away from the dig­i­tal rev­o­lu­tion. As such, today the inter­con­nec­tiv­i­ty between machines, net­works and sys­tems makes this indus­tri­al fab­ric vul­ner­a­ble to con­stant­ly increas­ing cyber-attacks. But not all sec­tors are cor­rect­ly protected. 

The lat­est data from the French Gen­er­al Direc­torate of Enter­pris­es (DGE) are clear: the cyber threats weigh­ing on the fab­ric of French indus­try have nev­er been so great. A trend con­firmed by a Check Point Research study, which notes a 26% increase in com­put­er attacks in 2022 alone. Com­pa­nies such as Leader, a spe­cial­ist in tem­po­rary employ­ment and recruit­ment, have been the tar­get of cyber-attacks. And some parts of the indus­try have long under­stood the val­ue of imple­ment­ing state-of-the-art cyber security. 

“The defence sec­tor was the quick­est to look at this dimen­sion of cyber­se­cu­ri­ty, a field that was very quick­ly renamed cyberde­fence,” says Jean-Luc Giber­non, cyber­se­cu­ri­ty direc­tor at Sopra Ste­ria and admin­is­tra­tor of the Cyber Cam­pus. “Today, if we talk about defence, we think of land bat­tles with tanks, for exam­ple. We also think of naval com­bat with ships or frigates. There is also air com­bat with air­craft. But today there is now a fourth depart­ment: cyberspace.”

Since 2010, under the impe­tus of the then Min­is­ter of Defence Jean-Yves Le Dri­an, cyberde­fence has become an inte­gral part of mil­i­tary oper­a­tions. Guil­laume Poupard, for­mer Direc­tor of Anssi, the French Nation­al Agency for Infor­ma­tion Sys­tems Secu­ri­ty con­firms: “When you talk about secu­ri­ty with peo­ple from the arms indus­try, they already have the vocab­u­lary and know what it is basi­cal­ly about. Con­verse­ly, there are oth­er play­ers in heavy indus­try, such as the gas or chem­i­cal indus­tries, where, his­tor­i­cal­ly, the ques­tion of secu­ri­ty was essen­tial­ly lim­it­ed to the phys­i­cal integri­ty of indus­tri­al sites. I am car­i­ca­tur­ing a lit­tle, but all that was need­ed was three rounds of barbed wire around the sites to be pro­tect­ed and that was the end of the mat­ter, so to speak.”

The cul­ture of perime­ter secu­ri­ty has been turned upside down by the dig­i­tal transition.

This cul­ture of perime­ter secu­ri­ty has been turned upside down by the dig­i­tal tran­si­tion, lead­ing to an increas­ing fragili­ty of these devices in the face of inter­con­nec­tiv­i­ty needs. Accord­ing to Jean-Luc Giber­non, this rep­re­sents a real philo­soph­i­cal break in the very approach to secu­ri­ty: “Even today, dig­i­tal tech­nol­o­gy con­tin­ues to progress, but the ques­tion of cyber­se­cu­ri­ty always comes lat­er. We are going to put dig­i­tal tech­nol­o­gy into indus­tri­al sys­tems or urban spaces, for exam­ple, but the secu­ri­ty of the devices always comes as an after­thought. The good news is that cyber­se­cu­ri­ty does not slow down the dig­i­tal tran­si­tion. On the oth­er hand, it is also good news for cyber-attack­ers, because there are vul­ner­a­bil­i­ties, they can take advan­tage of.”

The first threat, prob­a­bly the most dan­ger­ous and insid­i­ous, is of state ori­gin, with the aim of spy­ing on and desta­bil­is­ing strate­gic indus­tries such as arms, space, phar­ma­ceu­ti­cals, etc. “Sen­si­tive data from high-tech indus­tries are obvi­ous­ly the most prized by high-lev­el attack­ers,” con­firms Guil­laume Poupard. “We are in the world of intel­li­gence and espi­onage. There are no real friends or ene­mies, and every­one is sus­pi­cious of every­one else. These very real attacks are not wide­ly pub­li­cised, because it all remains discreet.”

The sec­ond type of threat is crim­i­nal in ori­gin. Less dis­creet, their objec­tive is gen­er­al­ly to extort funds with the threat of block­ing the tar­get’s activ­i­ty and hav­ing very strong eco­nom­ic con­se­quences for the com­pa­ny. Phish­ing, iden­ti­ty theft, mal­ware, Tro­jan hors­es, spam, and oth­er attacks have become com­mon­place. For the attack­ers, the type of com­pa­ny tar­get­ed does not mat­ter as long as their infor­ma­tion sys­tem is faulty. As for ran­somware, soft­ware that encrypts files on the com­put­er sys­tem of the future vic­tim, it rep­re­sents a very impor­tant threat for companies. 

“In prac­tice, ran­somware aims to dis­rupt the prop­er func­tion­ing of the tar­get via its infor­ma­tion sys­tem, its web­site or even its pro­duc­tion tool. This is when the ran­som demand comes in,” explains Jean-Luc Giber­non. If the tar­get pays the ran­som, the attack­er then allows them to recov­er the integri­ty of their sys­tem thanks to a decryp­tion key. “But in real­i­ty, there is no guar­an­tee that every­thing will work as before,” sighs Jean-Luc Giber­non. “More­over, once the sys­tem is up and run­ning again, there is usu­al­ly a sec­ond black­mail based on the indus­tri­al data recov­ered by the attack­ers. The attack­ers threat­en to dis­sem­i­nate these doc­u­ments, often con­fi­den­tial, on the Inter­net. They are crim­i­nals, they have no laws or limits.”

Many would rather pay than face a mas­sive data leak and a dam­aged brand image with cus­tomers, part­ners, and users. Although the num­ber of ran­somware attacks has sta­bilised, accord­ing to the lat­est fig­ures from the Paris pub­lic pros­e­cu­tor’s office, the lev­el remains high and not all the attacks are revealed in broad day­light, as dis­cre­tion is essential.

Faced with cyber-attacks, the least vul­ner­a­ble are the major indus­tri­al play­ers. They have both the means to ensure their secu­ri­ty and are already struc­tured in this sense with a depart­ment ded­i­cat­ed to IT, safe­ty, and secu­ri­ty. Gov­er­nance is in place and can be adapt­ed more eas­i­ly to new threats.

In addi­tion, the oblig­a­tion to imple­ment cyber­se­cu­ri­ty by law, at nation­al or Euro­pean lev­el, means that most of the major play­ers can cope with it. “But if we look at small­er play­ers such as SMEs or ETIs, the sit­u­a­tion is more com­plex,” Guil­laume Poupard points out. “They are much less struc­tured in terms of dig­i­tal gov­er­nance, and they can become more inter­est­ing tar­gets, either for crim­i­nals or for spies. This fragili­ty leads to anoth­er sce­nario that has already been observed on sev­er­al occa­sions, that of attack­ers tar­get­ing a large indus­tri­al group by tar­get­ing one of its ser­vice providers. This is a kind of indi­rect raid that is very fash­ion­able and is called a « val­ue chain attack ». As the secu­ri­ty of large groups has been strength­ened, hack­ers are tak­ing advan­tage of the weak­ness­es of sub­con­trac­tors to car­ry out these indi­rect attacks and reach their infor­ma­tion systems.”

The cost of cyber­crime world­wide in 2021 was some­where around $1 tril­lion. This is colossal. 

While cyber attack­ers are becom­ing more numer­ous and more pro­fes­sion­al, “it is dif­fi­cult to mea­sure cyber­crime pre­cise­ly. But the order of mag­ni­tude of the cost of cyber­crime world­wide in 2021 is $1 tril­lion. This is colos­sal. The fig­ure is ris­ing and affects all sec­tors,” analy­ses Jean-Luc Giber­non. While there is no such thing as 100% effec­tive secu­ri­ty, indus­try pro­fes­sion­als now know how to make infor­ma­tion sys­tems suf­fi­cient­ly com­plex to attack to push cyber­crim­i­nals to give up and move on to anoth­er tar­get. This is a sit­u­a­tion that should push the major indus­tri­al­ists to take a lead­ing role in con­vinc­ing sub­con­trac­tors to apply their secu­ri­ty standards. 

“In the nuclear indus­try, for exam­ple, what­ev­er the sec­tor, there are myr­i­ads of sub­con­trac­tors with whom the risks are shared. All the play­ers must be made safe. This is what we call secur­ing the sup­ply chain, the val­ue chain,” explains Jean-Luc Giber­non. “But there is still a lot of work to do.” In this new world, it is no longer a ques­tion of secur­ing an iso­lat­ed play­er, but an entire ecosys­tem. “And this will not come from the bot­tom up, i.e. from sub­con­tract­ing SMEs. It must come from the top.” By inte­grat­ing more and more inter­con­nec­tiv­i­ty, indus­tries are now fac­ing the same threats as com­pa­nies. And although the aware­ness of the play­ers is real, it is not yet complete.

Jean Zeid