“Cybersecurity too often serves as an alibi to slow down the digitalization of industry”


While it is inevitable and essential, the digital transformation of companies raises fears about cybersecurity. However, the real danger is not necessarily where we expect it, and excessive security can prove counterproductive. Worse: cybersecurity is sometimes used as an excuse to abandon projects deemed too dangerous. That, at least, is the view of Jean-Philippe Lorinquer, partner at OSS Ventures. He gave us some ideas for controlling cyber risk better without locking everything down!

Jean-Philippe Lorinquer is a partner at OSS Ventures (credit OSS Ventures)

OSS Ventures is a start-up studio founded in 2019 by Renan Devillières. Its mission is to support French industry in a technological, environmental, social and societal transition.

OSS Ventures also has a desire to evangelize the industrial world on digital and cybersecurity issues.

Engineering techniques: In your opinion, at what level is the cyber risk located?

Jean-Philippe Lorinquer: Unfortunately, the real risk is not where we think it is. Manufacturers sometimes tell me that SaaS solutions are dangerous, and I tell them: “Show me examples of successful cyberattacks on Microsoft or Amazon data centers.” Conversely, I have many examples of industrial companies that have suffered serious hacks where the entry point was the mailbox or the HR software, not SaaS products.

There are also the many USB keys in circulation in companies or inserted into machines by maintenance technicians for equipment updates.

And there is also a whole range of low-tech risks, in particular CEO fraud, which is becoming more and more sophisticated thanks to deepfakes (imitation of image and voice), all of it done with off-the-shelf tools!

But I have an even more striking anecdote: some time ago, we worked on a cyber start-up project. We decided to carry out penetration tests¹ (pen tests) by sending a hacker into a factory, equipped with the access rights of a trainee and an email address. The results were frightening: at 12 p.m. he was able to turn off the lights in the factory, at 6 p.m. he had reached the group’s Active Directory (LDAP), and at 8 p.m. he was able to shut down all of the group’s production equipment. Barely twelve hours can therefore be enough to bring an industrial group to its knees.

Where does this lack of control of cyber risk come from?

It is a fact: there is risk, it is enormous, it is not controlled, and the causes are multiple, the first being the lack of access to cybersecurity talent. These profiles prefer to earn a lot of money in highly remunerative sectors rather than go to factories that do not treat cybersecurity as a priority and therefore pay less well.

What would you say to industrialists who are tempted to lock everything down for security reasons?

Locking everything down for security is not a solution, for two reasons. On the one hand, factories are an engineer’s world, and it is in the DNA of engineers to stubbornly seek to solve problems. If we prevent them from solving these problems by closing off access, they will certainly look for ways around the obstacles. This phenomenon generates what is called “shadow IT”, the practice of using systems and software not authorized by the company’s IT security managers.

I have personally observed, in large international automotive groups, servers purchased under the name of PLCs. The goal? To create an internal mini-network to connect equipment and resolve technical problems. Shadow IT can therefore go very far!

On the other hand, it is totally aberrant, in a world where digital technology makes it possible to increase company performance or develop new products, to “return to the stone age” of IT in the hope of surviving. Because it is indeed a question of survival: if everything is locked down, there is nothing left to attack, but in a few years, without digital, there is simply no more business.

Businesses are used to managing risks. Why is it different with cyber?

Companies do indeed have strong expertise in their operational risks (chemical, safety, environmental, etc.). This knowledge has the advantage of being widely shared within organizations, unlike cyber risk. In general, cyber is entrusted to a single person, the CIO or the CISO, often with “life or death” power over projects. Unfortunately, there have been some abuses, leaving the field with the feeling that cyber risk is sometimes a pretext for abandoning projects, for lack of will.

But this feeling among operational staff also comes, in part, from a lack of communication and understanding of the risks on the ground, because engineers cannot simply be left to do whatever they want either.

We must therefore develop a cyber culture within companies!

There is indeed a general lack of awareness of cyber risk, and therefore of training. It is essential that cybersecurity becomes everyone’s business. Just as quality is not the exclusive domain of the Quality Director, cybersecurity issues do not concern only the CIO or the CISO!

Some organizations have also decided to place cybersecurity under the responsibility of the plant manager. Since even states, hospitals and public services get hacked, there is obviously no obligation of results, only an obligation of means. Placing this accountability as close as possible to the field is what allows progress to be made.

In cybersecurity there is an adage that says “the problem is often between the keyboard and the chair”. To err is human, so the problem is systemic. We know that the risk exists and that sooner or later there will be an attack. But to “bring down” a factory, a combination of causes is required; the important thing is to do everything possible to protect yourself as well as you can and avoid the worst.

How to ensure security without locking?

Just as excess quality is synonymous with additional cost, too much security is not proof of risk control, quite the contrary. The important thing is to protect at the right level. For example, an individual being able to send messages on the company’s internal network is annoying, but not necessarily serious if he or she does not have access to sensitive information.

There is a strategy to adopt, which we call “the onion strategy”. It consists of securing the core strongly while protecting the outer layers less. Conversely, wanting to secure the entire system in the same way risks leading to unbearable rigidity for field teams.

Finally, it is important to remember that it is not possible to secure an organization without effort, or without human and budgetary resources. Companies must also focus on change management. For a large project to succeed, 25% of the budget should be devoted to this support (training, communication, etc.). This is rarely the case, and companies very often regret it.


¹ A security exercise in which a cybersecurity expert attempts to find and exploit vulnerabilities in a computer system.

Cover image credit: rawpixel.com
