Cybersecurity flaws make French industry vulnerable

The French indus­tri­al sec­tor has long been isol­ated from the world of inform­a­tion tech­no­logy. From traffic light reg­u­la­tion to auto­mated lug­gage sort­ing to the coordin­a­tion of assembly robots on an assembly line, these oper­a­tion­al tech­no­lo­gies have long been developed away from the digit­al revolu­tion. As such, today the inter­con­nectiv­ity between machines, net­works and sys­tems makes this indus­tri­al fab­ric vul­ner­able to con­stantly increas­ing cyber-attacks. But not all sec­tors are cor­rectly protected. 

The latest data from the French Gen­er­al Dir­ect­or­ate of Enter­prises (DGE) are clear: the cyber threats weigh­ing on the fab­ric of French industry have nev­er been so great. A trend con­firmed by a Check Point Research study, which notes a 26% increase in com­puter attacks in 2022 alone. Com­pan­ies such as Lead­er, a spe­cial­ist in tem­por­ary employ­ment and recruit­ment, have been the tar­get of cyber-attacks. And some parts of the industry have long under­stood the value of imple­ment­ing state-of-the-art cyber security. 

“The defence sec­tor was the quick­est to look at this dimen­sion of cyber­se­cur­ity, a field that was very quickly renamed cyber­de­fence,” says Jean-Luc Gibernon, cyber­se­cur­ity dir­ect­or at Sopra Steria and admin­is­trat­or of the Cyber Cam­pus. “Today, if we talk about defence, we think of land battles with tanks, for example. We also think of nav­al com­bat with ships or frig­ates. There is also air com­bat with air­craft. But today there is now a fourth depart­ment: cyberspace.”

Since 2010, under the impetus of the then Min­is­ter of Defence Jean-Yves Le Dri­an, cyber­de­fence has become an integ­ral part of mil­it­ary oper­a­tions. Guil­laume Poupard, former Dir­ect­or of Anssi, the French Nation­al Agency for Inform­a­tion Sys­tems Secur­ity con­firms: “When you talk about secur­ity with people from the arms industry, they already have the vocab­u­lary and know what it is basic­ally about. Con­versely, there are oth­er play­ers in heavy industry, such as the gas or chem­ic­al indus­tries, where, his­tor­ic­ally, the ques­tion of secur­ity was essen­tially lim­ited to the phys­ic­al integ­rity of indus­tri­al sites. I am cari­ca­tur­ing a little, but all that was needed was three rounds of barbed wire around the sites to be pro­tec­ted and that was the end of the mat­ter, so to speak.”

The cul­ture of peri­met­er secur­ity has been turned upside down by the digit­al transition.

This cul­ture of peri­met­er secur­ity has been turned upside down by the digit­al trans­ition, lead­ing to an increas­ing fra­gil­ity of these devices in the face of inter­con­nectiv­ity needs. Accord­ing to Jean-Luc Gibernon, this rep­res­ents a real philo­soph­ic­al break in the very approach to secur­ity: “Even today, digit­al tech­no­logy con­tin­ues to pro­gress, but the ques­tion of cyber­se­cur­ity always comes later. We are going to put digit­al tech­no­logy into indus­tri­al sys­tems or urb­an spaces, for example, but the secur­ity of the devices always comes as an after­thought. The good news is that cyber­se­cur­ity does not slow down the digit­al trans­ition. On the oth­er hand, it is also good news for cyber-attack­ers, because there are vul­ner­ab­il­it­ies, they can take advant­age of.”

The first threat, prob­ably the most dan­ger­ous and insi­di­ous, is of state ori­gin, with the aim of spy­ing on and destabil­ising stra­tegic indus­tries such as arms, space, phar­ma­ceut­ic­als, etc. “Sens­it­ive data from high-tech indus­tries are obvi­ously the most prized by high-level attack­ers,” con­firms Guil­laume Poupard. “We are in the world of intel­li­gence and espi­on­age. There are no real friends or enemies, and every­one is sus­pi­cious of every­one else. These very real attacks are not widely pub­li­cised, because it all remains discreet.”

The second type of threat is crim­in­al in ori­gin. Less dis­creet, their object­ive is gen­er­ally to extort funds with the threat of block­ing the tar­get’s activ­ity and hav­ing very strong eco­nom­ic con­sequences for the com­pany. Phish­ing, iden­tity theft, mal­ware, Tro­jan horses, spam, and oth­er attacks have become com­mon­place. For the attack­ers, the type of com­pany tar­geted does not mat­ter as long as their inform­a­tion sys­tem is faulty. As for ransom­ware, soft­ware that encrypts files on the com­puter sys­tem of the future vic­tim, it rep­res­ents a very import­ant threat for companies. 

“In prac­tice, ransom­ware aims to dis­rupt the prop­er func­tion­ing of the tar­get via its inform­a­tion sys­tem, its web­site or even its pro­duc­tion tool. This is when the ransom demand comes in,” explains Jean-Luc Gibernon. If the tar­get pays the ransom, the attack­er then allows them to recov­er the integ­rity of their sys­tem thanks to a decryp­tion key. “But in real­ity, there is no guar­an­tee that everything will work as before,” sighs Jean-Luc Gibernon. “Moreover, once the sys­tem is up and run­ning again, there is usu­ally a second black­mail based on the indus­tri­al data recovered by the attack­ers. The attack­ers threaten to dis­sem­in­ate these doc­u­ments, often con­fid­en­tial, on the Inter­net. They are crim­in­als, they have no laws or limits.”

Many would rather pay than face a massive data leak and a dam­aged brand image with cus­tom­ers, part­ners, and users. Although the num­ber of ransom­ware attacks has sta­bil­ised, accord­ing to the latest fig­ures from the Par­is pub­lic pro­sec­utor’s office, the level remains high and not all the attacks are revealed in broad day­light, as dis­cre­tion is essential.

Faced with cyber-attacks, the least vul­ner­able are the major indus­tri­al play­ers. They have both the means to ensure their secur­ity and are already struc­tured in this sense with a depart­ment ded­ic­ated to IT, safety, and secur­ity. Gov­ernance is in place and can be adap­ted more eas­ily to new threats.

In addi­tion, the oblig­a­tion to imple­ment cyber­se­cur­ity by law, at nation­al or European level, means that most of the major play­ers can cope with it. “But if we look at smal­ler play­ers such as SMEs or ETIs, the situ­ation is more com­plex,” Guil­laume Poupard points out. “They are much less struc­tured in terms of digit­al gov­ernance, and they can become more inter­est­ing tar­gets, either for crim­in­als or for spies. This fra­gil­ity leads to anoth­er scen­ario that has already been observed on sev­er­al occa­sions, that of attack­ers tar­get­ing a large indus­tri­al group by tar­get­ing one of its ser­vice pro­viders. This is a kind of indir­ect raid that is very fash­ion­able and is called a « value chain attack ». As the secur­ity of large groups has been strengthened, hack­ers are tak­ing advant­age of the weak­nesses of sub­con­tract­ors to carry out these indir­ect attacks and reach their inform­a­tion systems.”

The cost of cyber­crime world­wide in 2021 was some­where around $1 tril­lion. This is colossal. 

While cyber attack­ers are becom­ing more numer­ous and more pro­fes­sion­al, “it is dif­fi­cult to meas­ure cyber­crime pre­cisely. But the order of mag­nitude of the cost of cyber­crime world­wide in 2021 is $1 tril­lion. This is colossal. The fig­ure is rising and affects all sec­tors,” ana­lyses Jean-Luc Gibernon. While there is no such thing as 100% effect­ive secur­ity, industry pro­fes­sion­als now know how to make inform­a­tion sys­tems suf­fi­ciently com­plex to attack to push cyber­crim­in­als to give up and move on to anoth­er tar­get. This is a situ­ation that should push the major indus­tri­al­ists to take a lead­ing role in con­vin­cing sub­con­tract­ors to apply their secur­ity standards. 

“In the nuc­le­ar industry, for example, whatever the sec­tor, there are myri­ads of sub­con­tract­ors with whom the risks are shared. All the play­ers must be made safe. This is what we call secur­ing the sup­ply chain, the value chain,” explains Jean-Luc Gibernon. “But there is still a lot of work to do.” In this new world, it is no longer a ques­tion of secur­ing an isol­ated play­er, but an entire eco­sys­tem. “And this will not come from the bot­tom up, i.e. from sub­con­tract­ing SMEs. It must come from the top.” By integ­rat­ing more and more inter­con­nectiv­ity, indus­tries are now facing the same threats as com­pan­ies. And although the aware­ness of the play­ers is real, it is not yet complete.

Jean Zeid