Their Own Rail System, Water Treatment, and More | Episode 128

Airports are like small cities. Eric Vautier, CISO of all 3 Paris airports, looks at what an airport is and how thousands of airports are changing their cybersecurity because of NIS2 and the regulatory environment.

Waterfall team

Airport Cybersecurity Podcast episode 128

“…it goes back to 2016 when the French government published the first national regulation on cybersecurity for critical infrastructure…”

About Eric Vautier and Group ADP (Formerly Aéroports de Paris)

Eric Vautier completed his studies at the French Civil Aviation University in 1992 and joined Group ADP in 1996, where he played a significant role in the implementation of diverse airport systems and contributed to international projects in locations such as Dubai, Amman, Algiers, and Santiago of Chile. In 2008, Eric transitioned into the field of cybersecurity and presently holds the position of Group CISO at Groupe ADP, a global entity that operates 28 airports across the globe. Additionally, Eric serves as the Chairman of the Cybersecurity Task Force of ACI-Europe and has held the position of vice-chair of the Aviation-ISAC Board since 2022.

Group ADP, formerly known as Aéroports de Paris, is a French multinational company that owns and manages airports in and around Paris, including Charles de Gaulle, Orly, and Le Bourget airports. Established in 1945, the company has expanded its operations beyond France, managing airports and providing services worldwide. Group ADP is a leader in the aviation industry, known for its expertise in airport design, development, and management, contributing significantly to the global air transport sector. Its rebranding reflects its broader international ambitions and diverse portfolio in airport services and infrastructure.

Transcript of this podcast episode #128: 
Their Own Rail, Water Treatment, and More | Eps. 128

Please note: This transcript was auto-generated and then edited by a person. In the case of any inconsistencies, please refer to the recording as the source.

Nathaniel Nelson
Welcome listeners to the Industrial Security Podcast. My name is Nate Nelson. I’m here with Andrew Ginter, the Vice President of Industrial Security at Waterfall Security Solutions, who’s going to be introducing for us the subject and guest of our show today. Andrew, how’s it going?

Andrew Ginter
I’m very well. Thank you, Nate. Our guest today is Eric Vautier. He is the Group CISO, Chief Information and Security Officer, at Group ADP, which is Aéroports de Paris, the Paris airports, all three of them. And our topic is cybersecurity regulations, with a bit of a focus on, of course, NIS2, which is what everyone’s doing in Europe.

Nathaniel Nelson
Then without further ado, here’s you and Eric.

Andrew Ginter
Hello Eric, and welcome to the podcast. Before we get started, can you say a few words for our listeners about yourself and about the good work that you’re doing at ADP in Paris?

Eric Vautier
Hey, hi Andrew. So my name is Eric Vautier, I’m the group CISO for Group ADP. So mainly I’m an airport guy, I’ve done almost all my career in ADP. I started something like 15 years with airport and then I moved to cyber in 2008, and I started with that because I think it’s very important to know the job, to know the company you’re in, before doing cybersecurity. So I was lucky enough to start with airport IT and then move to cyber within the same company. And in a nutshell, ADP, this is the company operating the three airports around Paris. Paris, France, as you can guess from my accent, I guess. So we have CDG, which is international. This is the biggest airport in France and I think the third one right now in Europe, and something very important also is number 6 in Skytrax quality ratings worldwide. Second airport is Orly, which is mainly domestic and European, so second in France, and last is Le Bourget, which is famous for its air show, and maybe you don’t know it, but Le Bourget is the busiest business airport in Europe.

Andrew Ginter
Cool. Thanks for that background. You know, before we dive into cybersecurity, can we dig a little bit deeper? Can you talk about your airports? You know, can you talk about automation? I mean, cybersecurity is relevant, you know, when computers are automating physical processes. The automation that passengers see at airports is, you know, flight signage, they see ticketing, they see, you know, on their cell phone apps, they sometimes see baggage tracking. Is that it? What happens under the hood at an airport?

Eric Vautier
No, actually, this is kind of the tip of the iceberg. Of course, for us, this is very important for our passengers to have this seamless journey throughout our airports, used by modern technology and by IT.

Eric Vautier
But I think, yeah, the most critical part to make the airport efficient and/or professional is under the radar, kind of, and very easily you can compare an airport like CDG, for instance, to a city. Still taking the example of CDG, we have our own automatic train reaching every terminal. We have also a water treatment. Of course, you can imagine water on the ramp with pollutants etc. needs to be dealt with. And last thing, maybe people don’t know, we have our own power plant to make sure we have a constant electricity. And other than that, like in a city, you have car park management. We have logistics. We call them a baggage system or BHS, baggage handling systems, for the passenger bags of course, and this is a key issue for passengers, to have their bags delivered to the aircraft. And last point, maybe people don’t see it like that, but the ramp as a runway, for instance, is kind of similar to a road right now. In big airports, in major airports, you have these kind of traffic lights to allow planes to enter the runway. So really, all this automation is under the radar, or under the surface if I want to stick to the iceberg metaphor.

Andrew Ginter
There you go. If I could ask just a little bit more. I mean, you mentioned rail. I’ve visited, you know, a metro control center in Spain many years ago. Something like 20 operators sitting in the control center while the metro was running. Each of the operators has, you know, five or six of their own screens, their own keyboard and mouse. They have shared projection screens with sort of a rendering of the entire system and, you know, where the locomotives are and where the cars are. Is there a control center like that for the airport, or, you know, does every bit of the automation, like the baggage, have its own little control center somewhere?

Eric Vautier
Actually we have both. Of course, each system has its own team to make sure it runs smoothly. But going back, for instance, to the train, our train is only one line, of course, so very simple in comparison to a metro. BHS may be more tricky because, as you know, now BHS embeds X-rays and tomographs etc. So it’s kind of complicated logistic equipment. So as I mentioned, every system has its own control room. But of course, and I think your question is very relevant to modern airports, we need someone to get real-time information about all these processes, because at the end of the day, what the passenger wants is to be in the aircraft with his bags, with catering etc. So you need to interface, or to make sure to coordinate and synchronize, all these processes. So we have this trend in airports for some years now called APOC, so airport operational center, kind of a big control room for the airport with all the screens, as you mentioned in your metro example. So we are going in this direction for major airports.

Andrew Ginter
Interesting. You know, I wasn’t aware of trends in the industry, but let me ask you: you did not mention some systems that I kind of expected you to talk about at some point. You know, you did not mention the radar, the air traffic control, the, you know, the interface to what I assume is a nationwide air traffic control. You know, where does that fit?

Eric Vautier
Yeah, actually I think my answer will be valid for all Europe. You mentioned nationwide. Actually it’s European-wide. The air traffic control system, the name is Eurocontrol, which is a kind of inter-governmental, I don’t know if it’s such a right word, but trying to coordinate air traffic control all over Europe. But as you mentioned, for France it is dedicated to civil aviation, so DGAC. They are completely responsible for controlling the aircraft up to the docking point in the airport. The only interface we have with aircraft, kind of saying, is the runway, which is under the responsibility of ADP. But for the rest, talking to the pilots is dedicated to civil aviation.

Nathaniel Nelson
So Andrew, now that we’re getting started here, I recall it must have been years ago that we spoke with another expert specifically in airport security, right? Do you remember the name of the guest?

Andrew Ginter
I do. That was Mark Lindeke. He was the head of cyber defense at Munich airport. It was a long time ago. That was like episode 12, I believe. And yeah, you know, I dimly recall the episode. Mark was, I think most of the episode we talked about a new training program that, you know, he and Munich Airport were running for critical infrastructures back in 2019. As far as I know, they’re still running it. But what I remember from the episode, what struck me on the episode, was, you know, Mark used the same words that Eric is using here. He said, look, Andrew, you know, you’re thinking about airports the wrong way. Think of them as a small city. I remember him saying the word small city. Now, the rest of his description, I remember talking about escalators and security cameras and elevators. I remember coming away from the episode, you know, he said the word small city, but I remember thinking of, you know, what he described as a large building, because we talked a lot about building automation. But, you know, what Eric is talking about today really sounds like a smart city: their own rail system, their own power plant, their own wastewater treatment, their own water distribution system, their own power distribution system. It really sounds like a smart city. Everything is automated and everything’s going to become more automated because of course everyone wants, you know, the experience of going to the airport to be more pleasant and be cheaper, and that’s what automation gives us. It makes everything cheaper.

Nathaniel Nelson
And then building off that to the theme of this episode, regulation seems like a pretty important or at least maybe ever present thing when you have such a structure as you’re describing, right?

Andrew Ginter
It does, and Eric’s going to get into this, but very briefly, there are differences between smart cities and airports, and there are enormous similarities. The differences to me are, in a sense, obvious. You know, you have a huge physical security focus and, of course, you know, regulations in airports. You have security lines, you have X-ray machines. And I assume, you know, there are regulations for all this. You don’t tend to see, you know, regulations for X-ray machines in smart cities. But the similarities are obvious. You know, smart cities have all sorts of regulations either in place or coming into place for critical infrastructures. Airports are critical infrastructures and they’re small cities. So, yeah, we are seeing a lot of similarities there as well.

Andrew Ginter
So thanks for that introduction. I mean, our topic is regulation and eventually cybersecurity regulation and NIS2. But, you know, can we start with a big picture of regulation? What does the regulatory environment look like for an airport in France?

Eric Vautier
Yeah, actually, nowadays it’s quite a complex environment because we have so many different regulations coming from different origins. So we have first critical infrastructure regulation, so a national one, national regulation first, and then it became the NIS1 regulation, so we are still under these two in France. And on top of that we have also sectorial regulations, aviation ones of course here, and one dealing with physical security in airports, and the second one, of course, and it’s very important for our passengers, is safety regulation under the umbrella of ICAO, International Civil Aviation Organization. So this is for Europe, but I think it’s quite similar to the US, where you have different entities also regulating, like TSA, FAA and, I guess, CISA. And so this is it, actually, kind of multiple layers dealing with similar topics.

Andrew Ginter
So complexity. And, you know, our focus here is cybersecurity. You know, can you tell us a bit about sort of the big picture of cybersecurity in France and eventually, you know, how it starts applying to airports?

Eric Vautier
Yeah, it goes back to 2016 when the French government published the first national regulation on cybersecurity for critical infrastructure. It has been a three years’ work in discussion with the cybersecurity agency, and eventually in 2016 we had this first regulation asking critical infrastructure operators to fulfill quite a number of requirements. So it started there, but two years later we had kind of a similar regulation at the European level called NIS, Network and Information Security Directive. So now it’s NIS1, because we have this NIS2 on the horizon. And then later on we had to implement regulation around, as I mentioned before, sectorial, and the first one was physical security, under the responsibility of DG MOVE, part of EU of course. And next year, or the end of the year or next year, we will have regulation on safety published by EASA, which is a European agency for safety and aviation.

Andrew Ginter
Okay, and, you know, that all makes sense, but I’ve a couple of questions there. Let me start with ANSSI. You know, I saw the regulation come out in 2016. I was impressed. I mean, it’s two volumes, and to me it was surprisingly readable. You know, it is, I think, the most understandable regulation in the world for critical infrastructure cybersecurity. You know, I recommend our listeners look it up and read it.

You know, search for classification method and detailed measures, ANSSI. But let me ask you: when that came out, the regulation seemed, you know, in my read of the prologue to the regulation, it seemed to me to apply sort of once. You did an audit once when a new system was created. You know, it didn’t really apply retrospectively to existing systems. You know, I understand that NIS, you know, demanded that France, or that all member nations, create regulations that I thought were sort of ongoing, that sort of had a permanent effect rather than a one-time audit requirement. Can you talk about, you know, where did ANSSI start, and how did NIS change it, and is that, you know, still where it is today? You know, how did we get where we are today?

Eric Vautier
It’s a very long story, so I try to resume it at best. Yeah, so I agree with you about the clarity of this regulation. If I may pay a tribute to ANSSI there, I think it’s worth it, first as they didn’t publish this regulation without consulting different sectors. That’s the way we organize for critical infrastructure in France: we have something like 18 sectors, critical sectors, and within that, of course, depending on different ministries. And they started to discuss with us, so main operators like, for instance, in aviation, Air France, ATC, so DGAC, and ADP, for instance, because they had their own ideas but they wanted to make sure that these ideas were applicable in real life. So it took something like three years of discussion. Of course ANSSI had its own goal, and so they managed to publish this kind of joint result, if I may say so. Of course ninety-five percent is ANSSI and five percent maybe is due to conversation with operators. So it started like that, but I will slightly contradict you. It’s for each and every system.

Eric Vautier
And we had at the time three years for old systems to comply with our regulation, which is very extensive, as you mentioned, and encourage also people to read it. And it was also kind of the beginning of cybersecurity by design in regulation. So the new system you mentioned, you’re exactly right, they are supposed to be secured when they are implemented, operationally implemented, but we are to go back to the old systems and make them also compliant with all regulations. That’s the kickstart in France, if I may say so, and two years later we have this NIS directive, and honestly it was promoted and maybe a bit driven by France at the time at EU level, I guess, and maybe I’m wrong. But I guess because we already had in France this experience, or ANSSI had this experience, of creating the text. So if you look at it, NIS1 and the French regulation are very similar. And it was also very clever from ANSSI, if I may say so once again, because it means that for critical operators in France we were already compliant to NIS1 if we were compliant with the French regulation. That’s how it all started.

Andrew Ginter
So, you know, thanks for the history there. I am still confused. NIS, I thought, was a directive from the European Union to the member nations saying the member nations have to produce regulations. So the directive was not regulation by itself. ANSSI already had these regulations that mandated an audit at the beginning of life for a new system. But I thought the NIS directive said the regulation has to be sort of more than one audit. I kind of missed how did this, you know, is there more to ANSSI? Is there another document that people like me should be looking at, saying, oh, here’s sort of the current world of NIS in addition to the original ANSSI?

Eric Vautier
Yeah, good question. Maybe I was too quick or not precise enough. Yeah, you’re right, a directive in the European sense means that every member state has to transpose it into its own regulation. So what ANSSI did, very easily, they said, okay, we already have our own regulation and it fits to the requirement of the directive, so they kind of transposed it. So you have, you’re right, a specific text which is a NIS directive transposition in French regulation, which is, I would say, almost exactly, because maybe some words are different, but almost exactly the regulation we already had in place in France for critical infrastructure. So there it’s really perfectly aligned, if I may say so.

Andrew Ginter
Thanks for that. Let me ask you: you mentioned earlier cybersecurity rules for safety systems, cybersecurity rules for physical security systems. So, you know, NIS was sort of history by now and NIS2 is coming. You’ve got safety. You’ve got physical security. Can you talk a bit more about sort of the modern regulatory environment and what you’re facing today?

Eric Vautier
Yeah, actually it’s quite similar. We still have the same players in place, and I think we can stick to the European level because it’s valid for France. And we will still have these three origins of texts. So I mentioned EASA for safety, I mentioned DG MOVE for security, and NIS2 is under DG CONNECT, which is kind of the IT ministry for Europe, and so this last one is for each and every sector of the economy. And the two other ones are really dedicated to aviation. So the difficulty for us is that these texts don’t really align and they have some different requirements, of course depending on the topic. Of course we have a large share of commonalities, kind of actual cybersecurity, but we have slightly different requirements. For instance on safety, they’re applying the safety regulation for, I would say, everyday safety regulations, and for instance when you investigate an accident, an aviation accident, you need to keep track of something like five or more, even more, data on the equipment.

So they just transposed it to cybersecurity and said if you have a cyber incident, you need to keep five years of records, and I’m sure your listeners now find this very important, maybe too much. Maybe we think something similar. But so you see that they didn’t try to understand what would be the implications of saying, yeah, just give us five years of records and things like that. And risk analysis is slightly different depending on the regulation. So same thing: how do we conduct a risk analysis for EASA, for DG CONNECT? And so that’s really the tricky part of it, making sure we don’t duplicate our work just to prove something we do once. And so, especially airports, we have been advocating for this during the rulemaking task of this regulation, saying you need to align, you need to kind of overlap your regulation and don’t do specifics in your own track.

Andrew Ginter
So Nate, Eric did not say the word, but the word I hear used in lots of other contexts, you know, talking about this issue, is harmonization. Owners and operators are talking about it, government authorities are talking about it, manufacturers of, you know, automation and security equipment are talking about it. And it’s, you know, we’re seeing more and more cybersecurity regulations. I mean, 10, 15 years ago, there was almost nothing. There was NERC-CIP, you know, there was CFATS, which, you know, was chemical facility anti-terrorism in North America, had, you know, like three paragraphs on cybersecurity. It was almost nothing. Today, there’s NERC-CIP, there’s NIS2, there’s the original NIS, every country has some kind of critical infrastructure cybersecurity. And often in different regimes, you know, for airport safety, for, you know, the safety of water treatment systems, every sort of authority has their own cybersecurity standard. And so everyone is saying, look, if I have to do a cyber risk assessment for six different agencies according to six different rules, do you know how much effort that is to cross all those T’s and dot all those I’s? Can’t you guys sort of harmonize? Can’t you normalize these things? So I only need to do one cyber risk assessment to sort of one uber global set of rules?

And be done with it? And it’s not just risk assessments, you know, there’s risk assessments, there’s audits. You know, different authorities coming in, every two months a different authority drops in on you to do an audit. At the end of the year, you know, you repeat. It just costs too much. Incident reports: lots of different authorities are requiring incident reports. If you’ve got a multinational that operates critical infrastructure in multiple countries or in multiple continents, and there’s a cyber incident at this owner and operator somewhere, how many different authorities do they have to report it to? How many different formats do those reports have to take? How many different kinds of detail do those reports have to supply?

Andrew Ginter
Manufacturers, it’s not just owners and operators, manufacturers are complaining about the same thing, saying, look, increasingly in different jurisdictions, they’re required to report vulnerabilities to different authorities, sometimes in confidence, sometimes in public, with different levels of information. Again, they’re saying, can we not all get on the same page, people? Do you have any idea how much paperwork burden you’re imposing on, you know, operators and manufacturers? And, you know, it’s not just Europe, it’s not just NIS2. I hear these issues arising in North America. I hear them all over the world. Any time that you have multiple authorities, any time that you have multinational corporations operating in lots of different jurisdictions, you have these harmonization problems. This is sort of a hot topic, hopefully for the next three, four years until it all gets sorted out, cross our fingers.

Andrew Ginter
So pulling it all together, you know, the big news in Europe is NIS2. It is again a directive to the member nations. And in my experience there is enormous, there is widespread interest in NIS2. You know, we’re talking airports here, but, you know, when I attend security events in Europe, when I interact with customers or prospective customers in Europe, everyone talks about NIS2. How big an impact has NIS2 been for the airport, because you’ve been sort of critical infrastructure from the beginning? How big has it been? How big will it be for the airport?

Eric Vautier
It depends on the side, actually. And yeah, you’re right, NIS2 is a very big thing in Europe right now because its coverage is much larger than the previous regulations. For instance, in France right now we have something like 250-300 critical infrastructure operators. With NIS2 the estimate, because today nobody can really say, but the estimate is 15,000 companies. So you see the difference between the two as far as coverage is concerned. This is the first change. Second change, also for the size of it or the width of it, is the number of sectors: they want to extend it to sectors that were not under previous regulations. So once again, more companies, more operators. And going back to your question specifically on airports, for ADP it won’t change anything, and I think for major airports throughout Europe it will be the same thing. But with NIS2, all airports, when you read the text, but we need to wait for official lists, but when you read the text you may guess that all airports, big or small, will be under NIS2, and it is a big issue, of course, for small airports that may not have the teams right now, may not have the cybersecurity in place exactly like major airports have. So I think this is really what’s the main concern for people in Europe, I would say, small companies more than big companies that are already doing a lot on cybersecurity.

Andrew Ginter
Okay, so, you know, it makes sense that, you know, in a nation that had ANSSI almost ten years ago, and, you know, like I said, it was very well done in my opinion, that the largest airports, you know, aren’t going to see much change. Are you going to see any change? I mean, it seems to me that, you know, the world has changed in the last ten years cybersecurity-wise. What kind of changes, you know, do you see coming, if any?

Eric Vautier
Yeah, I said big airports won’t see a difference internally, if I may add. But I think we will see a major difference on the outside, and when I say outside, I mean the supply chain. It was the main criticism we had at the time of NIS1, saying that all requirements were on the operator, and as you know, and especially airports, no one is really alone doing his job, and we have in airports quite a number of suppliers, IT/OT, whatever, and these suppliers were outside of the NIS1 directive. So this is something that changed, and it is very important, meaning that there will be these supply chain companies that will also have requirements, being kind of indirectly part of critical infrastructure. Just to give you an example: I mentioned previously cybersecurity and physical security. If you are a passenger, you have put your bags in X-rays, very easy to spot, and this X-ray right now is tomography plus a computer. So of course we have cybersecurity questions around it, and on NIS1 we could just ask questions, send questions to this manufacturer saying, please be gentle and add some cybersecurity. Now with NIS2 they fall under it, so they can’t say this is the airport’s problem, but it’s also their own problem now, and they would have to fulfill this requirement too.

Andrew Ginter
Okay, so coming back to something you said a moment ago. You know, 15000 entities, lots of smaller airports. The smallest entities don’t have a lot of money to spend on cybersecurity. You know, the smallest nations don’t have a lot of money to spend, you know, defining regulations, much less enforcing them on smaller entities. Does NIS2 address that? I mean, if there’s going to be that many entities and that many people, you know, getting paid to do cybersecurity, on the one hand that’s a lot of money. On the other hand, saying, you know, we don’t have the money, it costs too much, doesn’t make the threat go away. How do you balance security and cost in NIS2?

Eric Vautier
Yeah, good question. I think there has been a lot of discussion around this topic, and for instance, the association of European airports has been advocating for kind of an exemption for very small airports. But actually small airports don’t have a lot of IT/OT, and if they have, the consequence of a failure maybe not as important as in the big ones, where you have this optimization, as we mentioned before, thanks to IT and OT automation. But I think cybersecurity maybe is a proportional issue: depending on your size, you put a kind of proportional amount of money. For instance, if you want to secure a small system, you want to have so many equipment, cybersecurity equipment. We have something which is quite fitted to the size of the airport, and a bigger one, a bigger airport like ADP, will spend a lot of money because we have a lot of systems. But when you have smaller systems, and in a limited number, I guess this is kind of the same amount of money. You said security costs too much. I have a kind of saying, which is: maybe it costs, but lack of security may cost more, even more, if someone finds you and destroys or damages your system. So I think this is something which is, of course this is interpretation, but I think it’s something in NIS2, it’s, I think the right word, maybe, adequate level of cybersecurity, meaning that you need to assess your system, assess the cybersecurity risk on this system, and put the adequate measures or controls to reduce that risk. So of course it will change things for smaller companies that would have to hire people and put some equipment in place if they don’t have already, so didn’t do it already. But I think it’s not, of course it is, when you spend nothing, spending something is a big deal, but at the end of the day I don’t think this is such a big deal in comparison to the impacts and the consequence a lack of security may have.

Nathaniel Nelson
Andrew, if I could bring us back to small airports for a moment, there’s something timeless in, you know, small organizations not necessarily having all of the budget that large ones do to deal with cybersecurity, but of course, not having security and then having an incident ends up being much more expensive in the end. So what exactly are we proposing that small airports in this kind of situation do to keep up?

Andrew Ginter
Well, that’s a good question, and it’s a question that is confusing to a lot of practitioners. I think part of the answer is what Eric said, which is, look, the smaller airports tend to be automated less. They tend to have less automation. Therefore, they have less exposure on the OT side, you know, on the industrial side, to cybersecurity attacks. And so they need less security. So that’s a good thing. It means you don’t have to spend an ADP-size budget on cybersecurity for, you know, a small airport’s OT systems. But what it also means, it’s a question of economies. I mean, why do we deploy OT automation? Why do we deploy computers there at all? It’s to save money. And what we have to be careful of in small airports is, when we look at our existing automation, when we look at new automation opportunities, it’s important that we look not, you know, don’t just say, hey, I could spend a hundred thousand dollars and save a hundred and fifty thousand dollars over the course of three years, that’s a fifty thousand dollar benefit, here we go. You have to say, I could spend a hundred thousand dollars on a new system, new automation.

And how much more cybersecurity would I need? You’ve got to include the cost of securing your new automation. you can’t just you know If you’ve if you’ got something that is sort of automation that is is marginally beneficial, it’s going to save $50,000 over three years on a $100,000 investment. To me, that’s marginal. If you had a $100,000 investment that would save you $600,000 over three years, well, then you can afford to spend $100,000 of your savings on a proper cybersecurity system for that new piece of automation. But if your if your payback is marginal, we probably shouldn’t be deploying that automation. We need to be deploying automation where the payback is big enough to you know provide protection from the new risks that we’re introducing. This is you know this is the the thing that confuses a lot of a lot of practitioners and that that I think is going to become very crystal clear for small operators in the years ahead.

Andrew Ginter
So that makes sense. You know, we’re coming up on the end of our interview here. Let me ask you: we’ve been talking about sort of the history of cybersecurity in the aviation industry in France and in Europe. We’ve been talking about the present, which is NIS2. You folks at, you know, the Paris airports, you personally, have been working with authorities, with French and European authorities, on cybersecurity for a very long time now. Now, NIS2 is something that is sort of the current big news, but you’re talking to these authorities. Can you look into the future for us a little bit? What are you working on now? What are we going to see coming out in the next year, two or three?

Eric Vautier
And yeah, I can’t say, so I will guess, and I hope when we get back to this interview in three years’ time, maybe it will be still varied, I don’t know. But I think there are maybe some fields that are not recovered. This is.

Eric Vautier
Continuous improvement loops is these regulations, and for instance, right, NIS2 is generic to every sector, so they don’t go into details. I mentioned things we have in aviation, for instance, but once again, this is not detailed enough, I would say, or detailed for the operator. For instance, in airports I mentioned safety and security. So we are supposed to do our own work on this topic, but they don’t say exactly what we need to do to secure a safety system, for instance. So I guess with experience, with return of experience from operators and maybe some incidents, maybe as I start defining more precise regulations, like maybe they have in nuclear and maybe sometimes in rails or so. As far as I know, so maybe it will be kind of drilled down by sectors. So I don’t know, for instance, for pharmaceutical or food industry, I don’t know if that’s something specific that is not detailed enough in NIS2. Another topic, maybe especially for aviation, but maybe it’s similar to other sectors, is a notion of ecosystem. Right now there’s a regulation focused on operators, so ADP has to be compliant on its own. But of course ADP without an airline, without air traffic control, without aircraft manufacturers, we are useless. So this ecosystem as all needs to be secured, also by design. So we are at the very early stage right now. We are kind of sequencing: the airport does this, the airline does that, etc.

EASA, I mentioned before, tried to do that, to work as an ecosystem, and share the risk analysis, for instance, is in the text. But I think once again, this is only the early stage. And I think later we will need to reach that ecosystem cybersecurity by design. And last point, which is not much of a prediction because it’s already in place: we have a new text in Europe called the Cyber Resilience Act, which is defining what we should put in place to be resilient. I know this is a kind of gimmick right now, but meaning we are doing a lot in prevention with NIS2, and in case we have an incident, how do we react? This is resilience, to me more than business continuity. And so we have also this kind of new topic, I would say, as far as regulation is concerned, and I think we have also a lot of work to do to be able to recover as quickly as possible in case of a dramatic incident.

Andrew Ginter
So something that, you know, I’ve been thinking about, that occurs to me thinking about the interview so far: 15,000 entities. That’s a lot, you know, just in France. That’s a lot of entities to audit. If you audit every three years, that’s a lot of auditors. How’s that going to work?

Eric Vautier
Yeah, I think this is a good question, Andrew. Actually you should ask ANSSI about this. But for me, and once again this is my interpretation, I think it shows the way the regulators want to proceed now. Before NIS2, let’s say NIS1, and sorry for the technical terms, it was a kind of ex ante, this is Latin, sorry for that, where in France this is ex ante regulation, meaning that the regulators can come to you and say, prove you’ve done what’s in the regulations or requirements of the regulation. With the number of companies, as you mentioned, I think it will be ex post regulation, meaning that, and you’re right, ANSSI won’t be able to go to each and every company, but has put it like that. So we go after you if you have an incident, and you will have to prove that you implemented the regulation as best as you could. Of course, it’s cybersecurity. It’s not an exact topic. We still have space for interpretation. But I think if you are not able to prove you did your best, then you have a problem. And especially, something quite strange at the beginning, but the first articles of the regulation mention the responsibility of the top management, and one article says, I don’t know if it will be applied one day, that they can remove the CEO or the top management team if they prove unable to deliver cybersecurity.

So I’m pretty sure that for some operators could be the case, and if you have an incident, good luck with that, because I will come with the text and maybe use this article.

Andrew Ginter
So Nate, let me cover that ground again. I’m not quite sure this is what Eric said, but what I heard was an interesting idea, whether he meant it or not. What I heard was, look, there’s a problem of audits. I mean, that was the question I asked. Do the math. If there’s 15,000 organizations that need to be audited every three years, that’s 5,000 organizations a year. You know, if an audit takes, I don’t know, a week or 10 days on site and another week or 10 days of writing up after the fact, we’re talking, practically speaking, one audit per month per auditor. You know, if we have 5,000 person-months of audits to do every year, you’ve got to hire, you know, something like 600 auditors plus their managers and their infrastructure. We’re talking, you know, six or seven or 800 hires on the part of the regulator. That’s a lot of money. But what I heard was, look, in the past, the big fish, you know, sort of covered by the original NIS directive and the original ANSSI directives, the big fish, yeah, you want to do thorough audits on them because they’re big fish. They’re critical infrastructure. We care a lot about their cybersecurity. If you’ve got a lot of smaller airports and, you know, smaller entities that you need to audit, do you really need to do a really thorough audit on every one of them? Are they all equally important? And the answer may be no. You know, you can probably do a less thorough audit. You can burn through these organizations, these smaller entities, faster. So do that. Don’t hire quite as many people. But what happens if there’s an incident? After the fact, it makes sense that you’re going to do a deep dive on cybersecurity at the affected organization.

Andrew Ginter
You know, there may be consequences for the affected organization. It’s going to be a public process, is my guess. You can, you know, publish learnings and best practices to the entire industry, all other smaller players, when you have these incidents. So, you know, the concept that the regulator might say, we’re going to do a deep dive on a small entity when those entities are breached, that, you know, if I heard it right, I haven’t heard anyone else talk about that. That strikes me as an interesting approach and something that probably the regulator could sort of do on their own. It doesn’t have to be specified in the regulation. This can just be, you know, a practical way of dealing with it. So that’s something to think about. To me, that was an interesting takeaway.

Andrew Ginter
There’s a lot of ground that we covered here. What are the big takeaways, if you wanted to summarize what’s going on and sort of give people a lesson going forward? What should we learn from this space?

Eric Vautier
Yeah, I don’t know if I’m the best person to say so. I’m just a CISO in an operator, but things maybe that could be useful to your listeners. First is, regulation is not going away. So if you think you can’t avoid it because you’re too small, or maybe you’re in the right, within brackets, in the right sector, meaning not covered by regulation, forget about it. Actually, when you look at the regulation, it’s not rocket science, just asking you to do everyday cybersecurity, but make sure you do it, actually. And more importantly, I think, when you have regulation, and it is something I’ve observed in ADP for more than 10 years now, when you have a regulation you have the attention of your CEO or your top management. So for CISOs in the room, I think, use regulation wisely to get you budget and interest and raise awareness within your company. And maybe for CEOs, I don’t know if some are listening now, I think one important thing is cybersecurity is not a technical topic. Actually it’s a cultural one, and I mean culture in companies but also culture in everyday society. Everybody now has his own smartphone, I guess, and this is IT, so you need to understand what’s cybersecurity for your smartphone as well as cybersecurity for your OT system in your factory. And I think that’s, you know, nutshell, very high level, what NIS2 is trying to implement: do everyday cybersecurity, because it’s protecting your critical assets and helps you deliver the service you promise to deliver. So that’s maybe two things I want to address to people doing it.

And last topic is for suppliers. I mentioned the supply chain before, and I’ve only three words for them. It’s “cybersecurity by design,” please. With NIS1, as I mentioned, we have been fighting with some equipment manufacturers, saying this is our obligation now, so please help us reach that. Now with NIS2 it’s their obligation too. But once again, this is no longer an extra for an equipment. It needs to be secured by design, so pay attention to this regulation. You will help your customer and you will also help your company to be as competitive as needed. So that would be my three takeaways for NIS2.

Nathaniel Nelson
You know, Andrew, I feel like this happens sometimes, where we start an episode with a certain topic and then we just end up talking about NIS2 a lot.

Andrew Ginter
Yeah, NIS2 is a very big deal in Europe. But to be fair, regulation is increasing everywhere. In the USA for example, the TSA has issued a cybersecurity directive to airports as well, though for now the directive is confidential. I mean, I’m ASSUMING the directive is very similar to their rail and pipeline directives, but I don’t know that for sure. So regulations are increasing in a lot of places and, I mean, there’s a truism in the cybersecurity industry: never waste a crisis. Nobody wants a crisis. Nobody wants their OT systems to be breached and, you know, fires to start and people to be injured. Nobody wants any of that. But if you have a crisis, never waste the crisis. Use the crisis to spring money loose and solve the problem that you knew from the beginning needed to be solved.

Same thing with regulation. Nobody wants regulation. But if you have a regulation coming down on you, don’t waste the opportunity. Use the opportunity of the regulation coming down on you to spring some money loose. And yes, you know, do the paperwork to comply with regulation, and make the changes that you knew needed to be made in terms of technology, people, process. Solve the problem in addition to dealing with the regulation. And NIS2 is affecting tens of thousands of organizations all throughout Europe, enormous change in terms of societal expectations, enormous interest. So yeah, never waste a crisis, never waste a regulation.

Nathaniel Nelson
It makes sense to me. With that thought, thank you to Eric Vautier for speaking with us. And Andrew, as always, thank you for speaking with me.

Andrew Ginter
It’s always a pleasure. Thank you, Nate.

Nathaniel Nelson
This has been the Industrial Security Podcast from Waterfall. Thank you to everybody out there listening.
