The French industrial sector has long been isolated from the world of information technology. From traffic light regulation to automated luggage sorting to the coordination of assembly robots on an assembly line, these operational technologies have long been developed away from the digital revolution. As such, today the interconnectivity between machines, networks and systems makes this industrial fabric vulnerable to constantly increasing cyber-attacks. But not all sectors are correctly protected.
The latest data from the French General Directorate of Enterprises (DGE) are clear: the cyber threats weighing on the fabric of French industry have never been so great. A trend confirmed by a Check Point Research study, which notes a 26% increase in computer attacks in 2022 alone. Companies such as Leader, a specialist in temporary employment and recruitment, have been the target of cyber-attacks. And some parts of the industry have long understood the value of implementing state-of-the-art cyber security.
“The defence sector was the quickest to look at this dimension of cybersecurity, a field that was very quickly renamed cyberdefence,” says Jean-Luc Gibernon, cybersecurity director at Sopra Steria and administrator of the Cyber Campus. “Today, if we talk about defence, we think of land battles with tanks, for example. We also think of naval combat with ships or frigates. There is also air combat with aircraft. But today there is now a fourth department: cyberspace.”
Security: a new paradigm
Since 2010, under the impetus of the then Minister of Defence Jean-Yves Le Drian, cyberdefence has become an integral part of military operations. Guillaume Poupard, former Director of Anssi, the French National Agency for Information Systems Security confirms: “When you talk about security with people from the arms industry, they already have the vocabulary and know what it is basically about. Conversely, there are other players in heavy industry, such as the gas or chemical industries, where, historically, the question of security was essentially limited to the physical integrity of industrial sites. I am caricaturing a little, but all that was needed was three rounds of barbed wire around the sites to be protected and that was the end of the matter, so to speak.”
The culture of perimeter security has been turned upside down by the digital transition.
This culture of perimeter security has been turned upside down by the digital transition, leading to an increasing fragility of these devices in the face of interconnectivity needs. According to Jean-Luc Gibernon, this represents a real philosophical break in the very approach to security: “Even today, digital technology continues to progress, but the question of cybersecurity always comes later. We are going to put digital technology into industrial systems or urban spaces, for example, but the security of the devices always comes as an afterthought. The good news is that cybersecurity does not slow down the digital transition. On the other hand, it is also good news for cyber-attackers, because there are vulnerabilities, they can take advantage of.”
State threat and criminal threat
The first threat, probably the most dangerous and insidious, is of state origin, with the aim of spying on and destabilising strategic industries such as arms, space, pharmaceuticals, etc. “Sensitive data from high-tech industries are obviously the most prized by high-level attackers,” confirms Guillaume Poupard. “We are in the world of intelligence and espionage. There are no real friends or enemies, and everyone is suspicious of everyone else. These very real attacks are not widely publicised, because it all remains discreet.”
The second type of threat is criminal in origin. Less discreet, their objective is generally to extort funds with the threat of blocking the target’s activity and having very strong economic consequences for the company. Phishing, identity theft, malware, Trojan horses, spam, and other attacks have become commonplace. For the attackers, the type of company targeted does not matter as long as their information system is faulty. As for ransomware, software that encrypts files on the computer system of the future victim, it represents a very important threat for companies.
“In practice, ransomware aims to disrupt the proper functioning of the target via its information system, its website or even its production tool. This is when the ransom demand comes in,” explains Jean-Luc Gibernon. If the target pays the ransom, the attacker then allows them to recover the integrity of their system thanks to a decryption key. “But in reality, there is no guarantee that everything will work as before,” sighs Jean-Luc Gibernon. “Moreover, once the system is up and running again, there is usually a second blackmail based on the industrial data recovered by the attackers. The attackers threaten to disseminate these documents, often confidential, on the Internet. They are criminals, they have no laws or limits.”
Many would rather pay than face a massive data leak and a damaged brand image with customers, partners, and users. Although the number of ransomware attacks has stabilised, according to the latest figures from the Paris public prosecutor’s office, the level remains high and not all the attacks are revealed in broad daylight, as discretion is essential.
Cyber-attacks: which targets?
Faced with cyber-attacks, the least vulnerable are the major industrial players. They have both the means to ensure their security and are already structured in this sense with a department dedicated to IT, safety, and security. Governance is in place and can be adapted more easily to new threats.
In addition, the obligation to implement cybersecurity by law, at national or European level, means that most of the major players can cope with it. “But if we look at smaller players such as SMEs or ETIs, the situation is more complex,” Guillaume Poupard points out. “They are much less structured in terms of digital governance, and they can become more interesting targets, either for criminals or for spies. This fragility leads to another scenario that has already been observed on several occasions, that of attackers targeting a large industrial group by targeting one of its service providers. This is a kind of indirect raid that is very fashionable and is called a « value chain attack ». As the security of large groups has been strengthened, hackers are taking advantage of the weaknesses of subcontractors to carry out these indirect attacks and reach their information systems.”
The cost of cybercrime worldwide in 2021 was somewhere around $1 trillion. This is colossal.
While cyber attackers are becoming more numerous and more professional, “it is difficult to measure cybercrime precisely. But the order of magnitude of the cost of cybercrime worldwide in 2021 is $1 trillion. This is colossal. The figure is rising and affects all sectors,” analyses Jean-Luc Gibernon. While there is no such thing as 100% effective security, industry professionals now know how to make information systems sufficiently complex to attack to push cybercriminals to give up and move on to another target. This is a situation that should push the major industrialists to take a leading role in convincing subcontractors to apply their security standards.
“In the nuclear industry, for example, whatever the sector, there are myriads of subcontractors with whom the risks are shared. All the players must be made safe. This is what we call securing the supply chain, the value chain,” explains Jean-Luc Gibernon. “But there is still a lot of work to do.” In this new world, it is no longer a question of securing an isolated player, but an entire ecosystem. “And this will not come from the bottom up, i.e. from subcontracting SMEs. It must come from the top.” By integrating more and more interconnectivity, industries are now facing the same threats as companies. And although the awareness of the players is real, it is not yet complete.
