What can be done to strengthen the security of industrial IoT?

Cyber-attacks, particularly those delivered via unauthorised remote access, are a growing threat for industrial facilities in which IoT is increasingly prevalent. This is an issue that Paris Aéroport, whose industrial information systems have been secured by Actemium in partnership with Axians using the WALLIX solution, has been taking very seriously for around 10 years.

Paris Airport has been working for a decade to increase the security of its information systems.

According to a report produced by cyber security firm Barracuda, 94% of industrial organisations have experienced a “security incident” in the last 12 months. These attacks take the form of distributed denial-of-service (DDoS), unauthorised remote access to networks, compromised supply chains, data theft, ransomware, and so on.

Cyber security incidents, especially IIoT (Industrial Internet of Things) breaches, often have impacts beyond monetary losses that lead to significant downtime. Indeed, 87% of organisations that have experienced an incident were impacted for more than one day.

The vast majority of industrial companies now agree on the need to invest more in IIoT and OT (Operational Technology^*) security. Some 96% of business leaders note that their organisation needs to increase investment in industrial security, and 72% of organisations reported that they had already implemented or were in the process of implementing IIoT/OT security projects.

A step-by-step approach

How to go about all this has yet to be established. “Of course investment is important, but the maturity of stakeholders within the business regarding these issues and of the assets themselves is a crucial factor,” says Pierre Vidard. According to the project manager of Actemium Maisons-Laffitte, the VINCI Energies brand that specialises in industrial processes, a step-by-step approach should be adopted.

“Depending on the specific characteristics of each business, the first step to take is to partition assets using the ‘principle of least privilege’. Next, you need to manage the obsolescence of your hardware and the related software programmes which may not always be configured to the latest cyber security standards.”

“The third step involves properly understanding the habits and behaviours of users so as to introduce good practices, minimising the impact on their daily work. Lastly, due to growth in home working and remote maintenance, it’s vital to secure operations through VPNs or better still ‘bastion**’–style solutions.”

Better connection traceability

Paris Aéroport, which is working to strengthen the security of its industrial information systems with the support of Actemium – responsible for the maintenance of the systems – has already been taking this initiative for around 10 years.

“The maturity of stakeholders within the business and of the assets themselves is a crucial factor.”

“In 2020, we specifically wanted to address the new remote maintenance requirements by better controlling the channels used and data streams delivered in remote operations. We aimed to do this through better connection traceability, thereby avoiding any breach of protocol,” explains Sébastien Hélaouet, industrial systems security and administration manager at Groupe ADP.

Actemium advised the airport operator to adopt the WALLIX solution. A publisher of cyber security software and European specialist in access and digital identity security, WALLIX has developed a solution of the same name that offers unified privilege management.

Building on WALLIX’s partnership with the VINCI Energies ICT brand Axians, Actemium initiated the deployment of three bastions within Groupe ADP, one of which has been operational since 2021. “This solution, which provides a centralised way of defining access rights to secure connections, offers the advantage of featuring an access administration interface that includes session monitoring,” says Pierre Vidard.

This gives the company full control over the use of its information systems, whether by external stakeholders – in particular those involved in maintenance, or by its own employees, an increasing number of whom work from home.

Awareness-building, a key step

The Actemium project manager highlights another aspect, too often neglected, which is the importance of the human dimension in the success of this kind of solution. “With any IT change, but perhaps even more so with bastion solutions, building awareness and providing information for users plays a key part. If people don’t buy into the solution, then it won’t work. At least not properly.”

In the case of Paris Aéroport, while an additional connection step has been set up through WALLIX to supplement the existing VPN, the ability to access all machines without having to mention the IP address of each device, as in the past, was seen as a real benefit. “Furthermore, this type of secure solution is particularly reassuring for stakeholders, whether external or internal,” concludes Pierre Vidard.

^* Operational Technology: use of hardware and software to control industrial equipment.

^** Bastions are a way of managing and supplying a single point of access to specific and sensitive parts of an information system.

14/12/2022