
Cybersecurity flaws make French industry vulnerable

Jean-Luc Gibernon
cybersecurity director at Sopra Steria and administrator of the Cyber Campus
Guillaume Poupard
former director of Anssi, the French national agency for information systems security
Key takeaways
  • Cybersecurity is a hot topic: in 2022, there was an estimated 26% increase in computer attacks.
  • This is partly because the digital transition is not always immediately accompanied by appropriate cybersecurity.
  • There are two types of threat: the state threat, centred on espionage, and the criminal threat, centred on extortion.
  • Large industrial players are less vulnerable than SMEs or ETIs, as they have both a budget and a dedicated cybersecurity department.
  • In 2021, cybercrime cost an average of $1,000bn worldwide.

The French industrial sector has long been isolated from the world of information technology. From traffic light regulation to automated luggage sorting to the coordination of assembly robots on an assembly line, these operational technologies have long been developed away from the digital revolution. As such, today the interconnectivity between machines, networks and systems makes this industrial fabric vulnerable to constantly increasing cyber-attacks. But not all sectors are correctly protected.

The latest data from the French General Directorate of Enterprises (DGE) are clear: the cyber threats weighing on the fabric of French industry have never been so great. This trend is confirmed by a Check Point Research study, which notes a 26% increase in computer attacks in 2022 alone. Companies such as Leader, a specialist in temporary employment and recruitment, have been the target of cyber-attacks. And some parts of the industry have long understood the value of implementing state-of-the-art cybersecurity.

“The defence sector was the quickest to look at this dimension of cybersecurity, a field that was very quickly renamed cyberdefence,” says Jean-Luc Gibernon, cybersecurity director at Sopra Steria and administrator of the Cyber Campus. “Today, if we talk about defence, we think of land battles with tanks, for example. We also think of naval combat with ships or frigates. There is also air combat with aircraft. But today there is now a fourth department: cyberspace.”

Security: a new paradigm

Since 2010, under the impetus of the then Minister of Defence Jean-Yves Le Drian, cyberdefence has become an integral part of military operations. Guillaume Poupard, former Director of Anssi, the French National Agency for Information Systems Security, confirms: “When you talk about security with people from the arms industry, they already have the vocabulary and know what it is basically about. Conversely, there are other players in heavy industry, such as the gas or chemical industries, where, historically, the question of security was essentially limited to the physical integrity of industrial sites. I am caricaturing a little, but all that was needed was three rounds of barbed wire around the sites to be protected and that was the end of the matter, so to speak.”

This culture of perimeter security has been turned upside down by the digital transition, leading to an increasing fragility of these devices in the face of interconnectivity needs. According to Jean-Luc Gibernon, this represents a real philosophical break in the very approach to security: “Even today, digital technology continues to progress, but the question of cybersecurity always comes later. We are going to put digital technology into industrial systems or urban spaces, for example, but the security of the devices always comes as an afterthought. The good news is that cybersecurity does not slow down the digital transition. On the other hand, it is also good news for cyber-attackers, because there are vulnerabilities they can take advantage of.”

State threat and criminal threat

The first threat, probably the most dangerous and insidious, is of state origin, with the aim of spying on and destabilising strategic industries such as arms, space, pharmaceuticals, etc. “Sensitive data from high-tech industries are obviously the most prized by high-level attackers,” confirms Guillaume Poupard. “We are in the world of intelligence and espionage. There are no real friends or enemies, and everyone is suspicious of everyone else. These very real attacks are not widely publicised, because it all remains discreet.”

The second type of threat is criminal in origin. Less discreet, these attacks generally aim to extort funds by threatening to block the target’s activity, with very strong economic consequences for the company. Phishing, identity theft, malware, Trojan horses, spam, and other attacks have become commonplace. For the attackers, the type of company targeted does not matter as long as its information system is faulty. As for ransomware, software that encrypts files on the computer system of the future victim, it represents a very important threat for companies.

“In practice, ransomware aims to disrupt the proper functioning of the target via its information system, its website or even its production tool. This is when the ransom demand comes in,” explains Jean-Luc Gibernon. If the target pays the ransom, the attacker then allows them to recover the integrity of their system thanks to a decryption key. “But in reality, there is no guarantee that everything will work as before,” sighs Jean-Luc Gibernon. “Moreover, once the system is up and running again, there is usually a second blackmail based on the industrial data recovered by the attackers. The attackers threaten to disseminate these documents, often confidential, on the Internet. They are criminals, they have no laws or limits.”

Many would rather pay than face a massive data leak and a damaged brand image with customers, partners, and users. Although the number of ransomware attacks has stabilised, according to the latest figures from the Paris public prosecutor’s office, the level remains high and not all the attacks are revealed in broad daylight, as discretion is essential.

Cyber-attacks: which targets?

Faced with cyber-attacks, the least vulnerable are the major industrial players. They have the means to ensure their security and are already organised accordingly, with a department dedicated to IT, safety, and security. Governance is in place and can be adapted more easily to new threats.

In addition, the obligation to implement cybersecurity by law, at national or European level, means that most of the major players can cope with it. “But if we look at smaller players such as SMEs or ETIs, the situation is more complex,” Guillaume Poupard points out. “They are much less structured in terms of digital governance, and they can become more interesting targets, either for criminals or for spies. This fragility leads to another scenario that has already been observed on several occasions, that of attackers targeting a large industrial group by targeting one of its service providers. This is a kind of indirect raid that is very fashionable and is called a ‘value chain attack’. As the security of large groups has been strengthened, hackers are taking advantage of the weaknesses of subcontractors to carry out these indirect attacks and reach their information systems.”

While cyber attackers are becoming more numerous and more professional, “it is difficult to measure cybercrime precisely. But the order of magnitude of the cost of cybercrime worldwide in 2021 is $1 trillion. This is colossal. The figure is rising and affects all sectors,” analyses Jean-Luc Gibernon. While there is no such thing as 100% effective security, industry professionals now know how to make information systems complex enough to attack that cybercriminals give up and move on to another target. This is a situation that should push the major industrialists to take a leading role in convincing subcontractors to apply their security standards.

“In the nuclear industry, for example, whatever the sector, there are myriads of subcontractors with whom the risks are shared. All the players must be made safe. This is what we call securing the supply chain, the value chain,” explains Jean-Luc Gibernon. “But there is still a lot of work to do.” In this new world, it is no longer a question of securing an isolated player, but an entire ecosystem. “And this will not come from the bottom up, i.e. from subcontracting SMEs. It must come from the top.” By integrating more and more interconnectivity, industries are now facing the same threats as companies. And although the awareness of the players is real, it is not yet complete.

Jean Zeid
