21 Feb 2018 "Is it a revolt? No, sire, it's a regulation"
Cybersecurity best practice according to ANSSI, France’s National Agency for the Security of Information Systems, points to unidirectional data flow solutions. Why? Because it’s the safest and most reliable way to segregate and protect your critical network from less trusted networks and cyber threats. The regulation is now reality, and we’re here to make sense of it all.
ANSSI's detailed cybersecurity guidance for Industrial Control Systems, issued in 2014, was and still is seen as the most comprehensive, clear, and sophisticated industrial control system (ICS) security best practice in the world: Cybersecurity for Industrial Control Systems – Classification Method and Key Measures; and Cybersecurity for Industrial Control Systems – Detailed Measures. In 2016 and 2017, building on this guidance, eleven sets of cybersecurity regulations for critical infrastructure were issued under the French Government's military programming law (LPM) to protect the Nation's Operators of Vital Importance (OIVs) across various industrial sectors.
Industrial operators in these sectors are now bound by French law to deploy protective and responsive cybersecurity programs. Though ANSSI has encouraged prescriptive and comprehensive ICS cybersecurity guidelines since 2014, the organization, charged with enforcing these new LPM regulations, has left considerable discretion as to exactly how operators are to comply with the new cybersecurity directives for critical infrastructure. For operators, the pertinent question now is how to align security program choices with ANSSI auditor expectations, to avoid audit failures or costly program revisions. For OIVs, this gap left by that discretion can be closed by using the 2014 guidelines as a road map when designing security programs to comply with the new regulations protecting critical infrastructure environments.
The 2014 ANSSI guidelines classify ICS networks from least to most sensitive and, much like the NERC CIP classification, the classification is based almost entirely on the impact to society of a potentially compromised network:
- Class 1 – the least sensitive networks, all IT networks by default are in class 3
- Class 2 – networks important to society
- Class 3 – networks that are very important to society; these are often the most critical networks within Class 2 networks
Network segmentation is essential to industrial cyber security and is described clearly in the guideline. Class 3 networks may use firewalls for internal segmentation, but are forbidden from using firewalls to connect to less-critical networks (Class 1 & 2). Only hardware-enforced unidirectional gateways are permitted between network classes.
Strong security simplifies compliance
Applying the 2014 guidance to the 2016-2017 regulations simplifies security programs and reduces their cost. For example, applying security updates can be very costly, and sometimes even dangerous, in critical infrastructure control system networks. Such updates must be tested extensively before deployment to ensure that there are no unwanted consequences of changing the software that controls important physical processes. Unidirectionally-protected networks, coupled with strong removable media controls, dramatically reduce the opportunity for malware to enter a control network. Such protections can be used as a justification for applying security updates at long intervals, dramatically reducing security update testing costs.
Furthermore, unidirectional replication of a file server from a Class 3 or Class 2 network to a Class 1 network dramatically reduces the need to use removable media, since at most sites, most cross-domain data transfers are from the more-important to the less-critical network.
The most sophisticated unidirectional gateway products support deep filtering of data flows. These technologies do not need to inspect packets and try to decode and intuit their meaning. Instead, because unidirectional server replication technology works on decoded data streams, the gateways have access to the names and values, and often the meaning, of each data element. Individual data elements or their values can be filtered or edited in transit.
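To make the filtering model concrete, here is an added illustration (not Waterfall's code, and not taken from the ANSSI guidance) of replication across a one-way link: the sending side works on decoded tag records, applies an allow-list and redaction policy, and numbers each frame; the receiving side verifies integrity and records gaps, because with no return path a lost frame can only be detected, never re-requested. The tag names, policy sets and sample stream are constructed for the example.

```python
import hashlib
import json

# Sender-side policy: only allow-listed tags cross the link; tags marked
# for redaction cross by name only, with the value blanked (both constructed).
ALLOWED_TAGS = {"pump1.flow", "pump1.status", "tank1.level"}
REDACTED_TAGS = {"pump1.status"}

def filter_record(rec):
    """Apply the content policy to one decoded data element.
    Returns the record to replicate, or None to drop it."""
    if rec["tag"] not in ALLOWED_TAGS:
        return None
    if rec["tag"] in REDACTED_TAGS:
        return {"tag": rec["tag"], "value": "<redacted>"}
    return {"tag": rec["tag"], "value": rec["value"]}

def tx_frames(records):
    """Sender side (more critical network): filter each decoded record,
    assign a sequence number and append an integrity digest."""
    seq = 0
    for rec in records:
        out = filter_record(rec)
        if out is None:
            continue
        body = json.dumps({"seq": seq, **out}, sort_keys=True)
        digest = hashlib.sha256(body.encode()).hexdigest()[:16]
        yield f"{body}|{digest}"
        seq += 1

def rx_frames(frames):
    """Receiver side (less critical network): verify each frame and track
    sequence gaps. There is no return path, so losses are logged, not retried."""
    expected = 0
    accepted, gaps, corrupt = [], [], 0
    for frame in frames:
        body, _, digest = frame.rpartition("|")
        if hashlib.sha256(body.encode()).hexdigest()[:16] != digest:
            corrupt += 1
            continue
        rec = json.loads(body)
        if rec["seq"] != expected:
            gaps.append((expected, rec["seq"]))
        expected = rec["seq"] + 1
        accepted.append(rec)
    return accepted, gaps, corrupt

SAMPLE = [  # constructed stream of decoded data elements from the control network
    {"tag": "pump1.flow", "value": 12.5},
    {"tag": "plc1.firmware_cmd", "value": "write"},  # not allow-listed: dropped
    {"tag": "pump1.status", "value": "RUNNING"},     # crosses with value redacted
    {"tag": "tank1.level", "value": 71.2},
]
```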
It’s time to put these regulations into practice
ANSSI directives could not be clearer: network segmentation is essential to industrial cyber security. The only question is how you choose to implement it. Waterfall's unidirectional security gateways have been deployed throughout the world since 2007, offering unparalleled value in industrial and critical network cyber security. Every element of our unidirectional security gateway solution suite is stronger than firewalls and hardware-enforced. Download our whitepaper to understand how Waterfall's solutions facilitate compliance with ANSSI's critical infrastructure directives: ANSSI Issues Comprehensive Regulations to Protect Critical Infrastructure.
About the author: Courtney Schneider has over 10 years of experience as a strategic consultant for tier 1 global consulting firms across multiple industries in four countries.