23 Nov 2016 ANSSI Reinforces Highest Standard of ICS Cybersecurity
This past month we have witnessed another win in the world of ICS security standards, coming from France’s preeminent information systems security standards body. The French are known for being the best in the world at many things; it would be silly to even list the obvious. But what is not as obvious to many people is that they are also world class at protecting their national critical infrastructure from cyber crime. First, the National Agency for the Security of Information Systems (ANSSI) has recently issued directives enforced by military law (Loi de la programmation militaire) to protect “Operators of Vital Importance”, or critical infrastructure operators, in various industries including water utilities, food manufacturing, healthcare, electric energy, natural gas, petrol hydrocarbons, and transportation – ground, maritime and aviation. Second, it has also published a comprehensive study depicting how to protect industrial operations from cyber crime.
The directives require critical infrastructure operators to partition and protect their industrial network perimeters to prevent cyber attacks. As we all know, there are always certain networks within an organization that are more important than others for preserving the safety and reliability of physical, industrial operations. The ANSSI directives offer a classification system for networks that operators must implement, classes 1 through 3, whereby class 3 (C3) networks are the most important networks and must be protected with the strictest of security measures. These directives require all operators to classify and declare their ICS networks to ANSSI, to partition these networks appropriately through approved security methods, to implement intrusion detection mechanisms and report any attack to the agency, as well as to preserve the integrity of proprietary logs.
The agency takes these measures very seriously. In an effort to reinforce both these directives and its strongest existing ICS security recommendations, ANSSI issued this month a fictional use case describing the cyber strategy and operation of a through-way tunnel as an example for critical infrastructure operators. This document provides a step-by-step, exhaustive case study of how to secure industrial control systems with multiple vendors, multiple classifications and functions, risk and threat scenarios, vulnerabilities and possible targeted attacks from a cyber security perspective.
The Tunnel Use Case is divided into two documents: Classification and Measures. The “Measures” document includes the specific technological recommendations on how to properly secure a C3 network. Unidirectional technology is featured throughout in conjunction with C3 industrial information networks. The key to securing the partitioning of these networks is to restrict the flow of information to one direction – with one-way data flow technology – such that no messaging or attack can penetrate the network perimeter. According to ANSSI’s strongest recommendations, the direct interconnection of a C3 industrial network with a management network must not be protected with logical partitioning (firewalls and software-based security); rather, it must be protected by the strongest of technologies available – unidirectional gateway technology.
Bringing your organization to the highest echelons of cyber security standards does NOT necessarily mean that the technological solutions required need to add layers of unnecessary complexity to the organization. Waterfall Security Solutions’ product suite based on patented unidirectional gateway technology can assist organizations which must comply with standards such as the ones recently published by ANSSI, as well as any organization that seeks best-in-class ICS cyber security.
She has over 10 years of experience as a strategic consultant for tier 1 global consulting firms across multiple industries in four countries.