This appendix presents the measures proposed by the ANSSI guides (ANSSI 2013a; ANSSI 2013b). They are defined according to the class of the system (Chapter 6).
Recommendations are prefixed with an R and directives with a letter D.
Table A4.1. Recommendations and guidelines for system knowledge
Roles and responsibilities | C1 | R1 – A cybersecurity chain of responsibility must be put in place. It should cover all systems. R2 – Responsibilities for cybersecurity should be clearly defined for each of the stakeholders regardless of the aspect concerned (development, integration, operation, maintenance, etc.). |
C2 | D3 – R1 is mandatory. D4 – R2 is mandatory. |
|
C3 | D5 – The identity and contact details of the person in charge of the cybersecurity chain of custody must be communicated to the cyber defense authority. D6 – The limits of liability must be reviewed periodically, at least once a year. |
|
Mapping | C1 | R7 – Build a map:
|
C2 | D8 – Build a map:
|
|
C3 | D10 – R9 is mandatory. | |
Risk analysis | C1 | R11 – Carry out a risk analysis for cybersecurity, however brief. |
C2 | D12 – Carry out a risk analysis for cybersecurity according to a method chosen by the responsible entity. | |
C3 | D13 – In addition to class 2, updating is required once a year. R14 – Require the analysis to be carried out by a certified service provider. |
|
Backup management | C1 | R15 – Set up a backup plan to allow recovery in the event of an incident. R16 – Save the configurations before and after any modification, including when they have been made “hot”. R17 – If possible, regularly test the backup process, possibly on a limited but representative subset. The data concerned are all the data needed to restore the system after a disaster: programs, configurations, firmware, process parameters, data useful for traceability, etc. |
C2 | D18 – C1’s recommendations are mandatory. | |
C3 | No additional requirements. | |
Documentation management | C1 | In the documentation describing the system (functional analyses, list of variables, various plans, etc.), some documents may be sensitive. R19 – The sensitivity level of the documentation should be defined and appear on the documents that must be processed accordingly. R20 – All design, configuration and operational documents should be considered sensitive. R21 – Store documents in an IS with an appropriate level of sensitivity. |
C2 | R22 – Ensure integrity and confidentiality. R23 – Review the documentation at regular intervals. |
|
C3 | D24 – R19, R21 and R22 are mandatory. |
Participant management | C1 | R25 – Implement stakeholder management procedures (creation/destruction of computer accounts, local access, mobile terminal management, sensitive document management). R26 – Implement a competency management process to ensure that stakeholders have the appropriate competencies. |
C2 | D27 – Class 1 recommendations become mandatory. | |
C3 | D28 – As class 2, plus periodic review at least once a year. | |
Awareness and training of participants | C1 | R29 – Workers should be empowered and trained in cybersecurity. R30 – If possible, set up a charter of good conduct to be signed by all stakeholders. |
C2 | D31 – Class 1 recommendations become mandatory. | |
C3 | D32 – Mandatory cybersecurity training before intervention. R33 – Training provided by a certified service provider. R34 – Provide training at the same time as site safety and security training. |
|
Intervention management | C1 | R35 – If possible, set up an intervention management procedure to identify:
R36 – Identify and update the hardware and software used for interventions. R37 – Have the intervention authorization validated by the responsible entity. R38 – Audit the process once a year to verify compliance with the procedure. |
C2 | D39 – Class 1 recommendations become mandatory. R40 – If the intervener brings his own tools, in exceptional cases, provide a procedure to verify the level of safety of these tools. |
|
C3 | D41 – As class 2, but the use of special tools brought by the intervener is prohibited. |
Table A4.3. Recommendations and guidelines for lifecycle management
Inclusion in specifications | C1 | R42 – Integrate the requirements identified during the specification phases. R43 – Define a contact point in charge of liaising with the responsible entity’s chain of responsibility, ensuring compliance with the policy, communicating differences. R44 – Include the expected documents in the specifications: risk analysis, functional analysis, organic analysis, operation and maintenance file, mapping. R45 – Plan cyber security tests during the acceptance phase (follow recommendation R71). |
C2 | D46 – C1’s recommendations are mandatory. Add to the specifications: D47 – A confidentiality clause. R48 – If possible, a regular clause for revising the risk analysis. R49 – Describe in the specification documents the technical, human and organizational means to trace them and be able to verify the level of cybersecurity. R50 – The contractor must have a security insurance plan describing all measures that meet the requested cybersecurity requirements. R51 – The contractor uses a secure development environment. R52 – The contract includes a clause allowing contractors and suppliers to be audited. |
|
C3 | D53 – C2’s recommendations are mandatory. R54 – Add a clause requiring the provision of hardware and software labeled for cybersecurity. R55 – Require software developers to demonstrate that their development processes, employ state-of-the-art engineering methods, quality control processes and validation techniques to reduce software failures and vulnerabilities. R56 – Labeling the contractor. |
|
Integrations in the specification phases | C1 | R57 – Take into account all the technical measures presented below. For example, the necessity:
R59 – Take into account physical security when defining the location of equipment. R60 – Require in the specifications that operations not essential to the operation of the industrial system be performed on another information system. |
C2 | D61 – C1’s recommendations are mandatory. R62 – Integrate into the design of tools and mechanisms to manage security and facilitate requirements such as:
|
|
C3 | D63 – The recommendations of C2 are mandatory. | |
Integration in the design phases | C1 | R64 – During design, limit interfaces and system complexity to a minimum in order to limit the introduction of vulnerabilities during implementation. Integrate cybersecurity features of equipment (authentication mechanisms, segregation of rights, etc.) into the equipment selection process. R66 – Define roles for integrated stakeholders in the management of computer account rights with a policy of least privilege. |
C2 | D67 – C1’s recommendations are mandatory. | |
C3 | No additional requirements. | |
Cybersecurity audits and tests | C1 | R68 – Set up regular audits, which may be internal. R69 – The audit must be followed by an action plan validated and monitored by the responsible entity. |
C2 | D70 – C1’s recommendations are mandatory. R71 – The audit program must contain:
|
|
C3 | D73 – The elements suggested for the audit in class C2 are mandatory. D74 – Conduct audits at least once a year. |
|
Transfer in operation | C1 | R75 – Before commissioning:
|
C2 | D76 – Obligation for the entities responsible to approve the system. | |
C3 | D77 – Obligation to have the system approved by an external organization. Prior authorization for commissioning is required | |
Change management | C1 | R78 – For PLC programs, SCADA applications and equipment configurations, use tools to quickly check the differences between the current version and the version to be installed, and ensure that only the necessary and requested changes have been applied. R79 – Track changes. |
C2 | D80 – C1’s recommendations are mandatory. R81 – For PLC programs, SCADA applications, set up a process to check the running program versions against a reference version. R82 – Evaluate changes in a test environment. |
|
C3 | D83 – R78 is mandatory + have the impacts validated by the responsible entity before going into production. D84 – C2’s recommendations are mandatory. |
|
Monitoring process | C1 | R85 – Implementation of a process to monitor threats and vulnerabilities. |
C2 | D86 – R85 is mandatory. R87 – Contractualize the distribution, by suppliers, of vulnerability bulletins for all hardware and software equipment used. R88 – Set up a monitoring process on the evolution of protection techniques (can be based on open sources available such as the ANSSI website). |
|
C3 | D89 – C2’s recommendations are mandatory. D90 – Set up a monitoring process on the evolution of attack techniques. In case of significant changes, repeat the risk analysis. |
|
Obsolescence management | C1 | R91 – Include clauses in contracts relating to the management of obsolescence of equipment and software (with support end date). Indeed, for software or equipment that is not maintained, vulnerabilities are not fixed. R92 – Include a replacement plan for obsolete equipment and applications. |
C2 | D93 – C1’s recommendations are mandatory. | |
C3 | No additional requirements. |
Table A4.4. Recommendations and guidelines for physical security
Access to premises | C1 | R94 – Provide a physical access control policy, including:
R95 – Access to the premises must be logged and auditable. |
C2 | D96 – C1’s recommendations are mandatory. R97 – The control mechanisms must be robust (ref1). R98 – Put the accesses under video protection. R99 – Restrict access to equipment to authorized persons only. |
|
C3 | D100 – C2’s recommendations are mandatory. D101 – Implement an intrusion detection system for vital areas, especially those not occupied 24 h a day. |
|
Access to equipment and wiring | C1 | R102 – Install the servers in rooms with access control. R103 – Install station CPUs, PLCs and network equipment in locked cabinets. R104 – Do not leave industrial network access sockets in areas open to the public. |
C2 | D105 – C1’s recommendations are mandatory. D106 – Do not leave industrial network access sockets in unattended areas. R107 – Protect the physical integrity of the cables. R108 – Close the plugs dedicated to maintenance and define a procedure for removing the plug including prior authorization. R109 – Set up an opening detector with alarm for cabinets of sensitive equipment or visual control means, and define a procedure for opening including prior authorization. |
|
C3 | D110 – C2’s recommendations are mandatory. |
A disaster recovery or business continuity plan ensures the recovery or continuity of service following a disaster, regardless of its origin. With regard to cybersecurity, it is based on risk analysis, which has made it possible to identify impacts and threats.
Table A4.5. Recommendations and guidelines for incident response
Recovery or business continuity plan | C1 | R111 – Set up a backup plan for sensitive data, so that the system can be rebuilt afterwards. R112 – Consider cybersecurity in recovery and business continuity plans. |
C2 | R113 – Test the plan at least once a year. | |
C3 | D114 – The recommendations of C1 and C2 are mandatory. | |
Degraded modes | C1 | R115 – Plan to include in the intervention procedures an emergency mode to be able to intervene quickly in case of need, without significantly degrading the level of cybersecurity, in particular not to affect the traceability of the interventions. R116 – Integrate degraded modes for stopping allowing them to:
|
C2 | No additional requirements. | |
C3 | D117 – C1’s recommendations are mandatory. | |
Crisis management | C1 | R118 – Implement a crisis management process to determine:
R119 – Include in the crisis management plan a procedure to manage incidents at the right level of responsibility and decide accordingly:
R120 – Include in the crisis management plan a postincident analysis phase to determine the origin of the incident. |
C2 | R121 – Test the plan at least once a year. | |
C3 | D122 – The recommendations of C1 and C2 are mandatory. |
These technical measures potentially involve:
The authentication of a user in a computer system requires the definition of an account, often associating a name (identifier) and a password (authentication). Other identification modes exist.
Accounts can be associated with an operating system (Windows, Linux, etc.), an application or equipment that uses a dedicated system.
Accounts have different levels of privileges, offering more or fewer possibilities to users. Administrators are often distinguished from simple users.
Table A4.6. Recommendations and guidelines for authentication
Account management | C1 | R123 – Identify each user in a unique way. R124 – Protect all accounts with important privileges such as administrator accounts with an authentication mechanism. Separate user and administrator accounts. R125 – Avoid generic accounts, especially those with significant privileges; if impossible to avoid, limit them to very specific and documented uses. R126 – Define roles, documented and implemented so that users’ privileges correspond exactly to their needs. R127 – Perform an audit of events related to the use of accounts. R128 – Delete or deactivate the accounts of former users. |
C2 | D129, R123, R124 and R125 are mandatory. Do not use default or generic accounts unless there are strong operational constraints. Do not use generic accounts with high privileges. Separate high privilege accounts (admin) and user accounts. D130, R126 are mandatory with validation by the user’s line manager. D131, R128 are mandatory and complete D27 (stakeholder management procedure). R132 – Conduct an annual review of user accounts to verify the above obligations, with particular attention to administrative accounts. R133 – Configure read-only access for first-level maintenance tasks. R134 – If account management is centralized, audit the configuration of the centralized directory regularly and at least once a year. |
|
C3 | D135 – R127, R132 and R134 are mandatory. | |
Authentication management n | C1 | R136 – Only make the various components (hardware and software) accessible after authentication with ID and password. R136 – Passwords must be robust, and default passwords must be changed. R137 – Prefer an inhibition delay to blocking in case of authentication failure. R138 – Protect passwords in integrity and confidentiality if transmitted over the network. R139 – If software authentication is not possible due to operational constraints, define and document palliative measures, such as:
An example of such a case is a SCADA joint account. R140 – Keep password files, ensuring integrity and availability. R141 – Define a secure procedure to reset passwords in case of loss. |
C2 | D142 – C1’s recommendations are mandatory. R143 – Use strong authentication (smart card, one time password, etc.) for workstations and servers. Do the same for field equipment (PLCs, remote e/s, etc.) that allow it. R144 – If R143 cannot be applied, reinforce the password policy (keep password history, check its quality, force renewal). R145 – Log authentication failures and successful authentications of privilege accounts. |
|
C3 | D146, R136, R144 and R145 are mandatory. D147, R143 are mandatory for all exposed equipment (workstations, laptops, engineering stations, programming consoles, firewalls, VPN, etc.) |
The partitioning of industrial information systems is a key measure to improve security. It is very well developed in the IEC 62443 standard (Chapter 7).
System partitioning | C1 | R148 – Cut the system into functional areas or coherent technical areas and partition them. R149 – Implement a filtering policy between zones. R150 – For non-IP flows, filter on source and destination identifiers. It will also be possible to filter on the type of protocol allowed. R151 – As far as possible, achieve physical partitioning between the functional areas of the industrial system. R152 – Perform a logical partitioning during a physical separation by VLAN, for example. R153 – Separate the equipment administration network from other networks (switches, gateways, routers, firewalls, etc.), at a minimum logically. R154 – Keep the administration workstations only for this purpose and do not connect them to the Internet or a management network. |
C2 | D155, R148 to R151 are mandatory. D156, R153 and R154 are mandatory. If it is not possible to carry out a partitioning because the equipment does not allow it, study possible countermeasures and assess the level of residual risk. R157 – If possible, make the flows unidirectional between class C1 and C2 systems. A firewall can be used. R158 – Separate the equipment administration network from other networks (physically, at least logically, using VPN tunnels using qualified products). |
|
C3 | D159 – Make unidirectional flows between C3 and non-C3 systems. Unidirectionality is physically ensured by a data diode. R160 – Use a labeled diode. D161 – Physically separate class 3 systems from lower class systems. It is forbidden to use a logical partitioning. |
|
Interconnection of the management information system (considered by default of class C1) | C1 | R162 – Protect the interconnection with a firewall device. R163 – Limit flows to the strict minimum. R164 – Implement a flow filtering policy as above. |
C2 | D165 – C1’s recommendations are mandatory. R166 – Make the flows unidirectional between the C2 system and the management system. A firewall can be used. |
|
C3 | D167 – Make unidirectional flows between C3 class systems and the management system. Unidirectionality is physically ensured by a data diode. R168 – Use an organism-certified diode. |
|
Internet access and remote sites | C1 | R169 – Limit Internet access. In particular, supervisory positions and equipment should not have access to them. R170 – Limit Internet access to the system. R171 – Use an IPSec VPN interconnection between remote sites for confidentiality, integrity and authenticity. R172 – Set up a firewall at the interconnection gateways. R173 – Configure the gateways in a secure way. |
C2 | D174, R169, R170, R171 and R172 are mandatory. R175 – Use labeled gateways. |
|
C3 | D176 – Prohibit interconnections between the C3 system and the public network. | |
Remote access for nomadic workstations | C1 | R177 – When remote management, remote maintenance or remote diagnosis operations are required, the following rules should be applied:
R178 – In the case of a modem connection, use a callback system. R179 – Use labeled connection equipment. |
C2 | D180 – Use a solution with:
R181 – Use a detection probe at the gateway to analyze incoming and outgoing traffic. |
|
C3 | D182 – Remote maintenance prohibited (if necessary, integrate remote equipment into the C3 system and apply C3 level rules). D183 – Remote diagnosis possible with the following measures:
|
|
Distributed industrial systems | C1 | R184 – Use secure protocols that protect confidentiality, integrity and authenticity for flows through unprotected networks. R185 – Use VPN labeled gateways at the ends of the links. R186 – Position the equipment behind a firewall allowing only the strictly necessary flows to pass through. In particular, traffic external to the VPN should be blocked. R187 – If necessary, avoid the Internet and use leased lines. |
C2 | D188, R185 and R186 are mandatory. R189 – Use a detection probe at the gateway to analyze incoming and outgoing traffic. | |
C3 | D190 – Prohibit links on public networks. D191 – R189 is mandatory. |
|
Wireless communication | C1 | R192 – Limit the use of wireless technologies to what is strictly necessary. R193 – Sign or encrypt and sign flows according to usage. R194 – Use wireless access points with:
R195 – Maximize the partitioning of wireless communications by isolating wireless devices in a separate physical or logical network. R196 – If there is no centralized supervision of safety events, review them regularly. R197 – Reduce the range of emissions to a minimum. |
C2 | D198, R196 are mandatory. D199 – Regularly apply security patches to wireless network equipment. R200 – Use a detection probe at the connection of the access point with the rest of the network. |
|
C3 | D201, R200 are mandatory. D202 – Avoid the use of wireless links if possible. D203 – Prohibit the use of wireless links if critical availability is required. D204 – Monitor security events centrally. R205 – Use certified equipment. |
|
Protocol security | C1 | R206 – Disable unsecured protocols (http, telnet, ftp, etc.) in favor of secure protocols (https, ssh, sftp, etc.) to ensure integrity, confidentiality, authenticity and absence of replay of flows. |
C2 | R207 – If protocols cannot be secured for technical and operational reasons, if possible, implement compensatory measures such as:
|
|
C3 | D208, R206 and R207 are mandatory. | |
Hardening of configurations disabling unnecessary components | C1 | R209 – For equipment, deactivate:
|
C2 | D212, R209 are mandatory. | |
C3 | D213, R210 and R211 are mandatory. | |
Hardening of configurations: reinforcement of protection | C1 | R214 – Apply the recommendations for hardening operating systems1. R215 – Run applications only with the privileges necessary for their operation. |
C2 | D213, R215 are mandatory. R217 – Set up tools for in-depth workstation defense, set up a white list of applications on the equipment that have the right to run. R218 – For PLCs, when the equipment allows it, set up:
|
|
C3 | D219, R217 and R218 are mandatory. R220 – Use labeled tools. |
NOTE.– An antivirus is not always suitable for industrial systems:
In the following section, we distinguish between:
Hardening of configurations: integrity and authenticity | C1 | R221 – Integrate an integrity (checksum) and authenticity (signature) verification mechanism for software, updates and configuration files, such as:
|
C2 | D222, R221 are mandatory. R223 – Regularly check the integrity, authenticity of firmware, software and application programs (PLCs, SCADA, etc.). Ideally, once a day automatically. |
|
C3 | D224, D222 are reinforced: The supplier (OEM, developer, integrator, etc.) must sign the critical elements and the responsible entity must verify the signature upon receipt. D225, R223 are mandatory. |
|
Vulnerability management | C1 | R226 – Implement a vulnerability management process to:
R227 – Apply patches as a priority on the most exposed workstations (workstations, laptops, engineering stations, programming consoles, firewalls, VPN, etc.). |
C2 | D228 – Clearly identify uncorrected vulnerabilities, and then implement specific monitoring and palliative measures to reduce exposure due to these vulnerabilities. R229 – Have patches validated by suppliers before deployment. R230 – Conduct an effective verification of the application of security patches and possibly use it as a monitoring indicator. |
|
C3 | D231, R226, R227, R229 and R230 are mandatory R232 – Implement a test environment to ensure that patches do not cause regression. | |
Connection interfaces: removable media |
C1 | R233 – Define a policy for the use of removable media (USB key, floppy disk, hard disk, etc.) R234 – As far as possible, limit the use of removable media to the strict minimum. R235 – Use a decontamination station to analyze and decontaminate all removable devices before using them on the industrial system. R236 – Prohibit the connection of undecontaminated, removable devices. R237 – Provide stakeholders with removable media dedicated to industrial systems, and prohibit the use of these media for other uses and the use of other media. |
C2 | D238 – C1’s recommendations are mandatory. R239 – Disable removable media ports when their use is not necessary. If physical blocking is not possible, deactivate it logically. |
|
C3 | D240, R239 are mandatory. D241 – Set up an airlock to exchange data with the industrial system, located in a controlled area. Data exchange is a one-off action that must be governed by a procedure. R242 – Use a labeled airlock. |
|
Connection interfaces: network access points |
C1 | R243 – Clearly identify and identify access points. R244 – Disable unused access points (switches, hubs, patchbays, maintenance sockets on fieldbuses, etc.). |
C2 | D245 – C1’s recommendations are mandatory. D246 – In case of attempted connection and disconnection on network ports, report an alert and process it. |
|
C3 | D247 – Allow network access points to be accessible only in controlled premises. | |
Connection interfaces: mobile equipment |
C1 | R248 – Prohibit the use of personal devices (computers, tablets, USB sticks, cameras, etc.). R249 – Set up guidelines for the use of mobile terminals and signage to remind the charter. R250 – Identify and validate the equipment authorized to connect to the systems. R251 – Implement a process for allocating mobile terminals in order to:
R252 – When the equipment contains sensitive data, encrypt its storage memory. |
C2 | D253, R248 to R252 are mandatory. R254 – Use equipment dedicated to the industrial system, including for external service providers. R255 – Do not allow this equipment to leave the site. |
|
C3 | D256, R251, R254 and R255 are mandatory. | |
Security of programming consoles and administration workstations |
C1 | R257 – Use engineering stations dedicated to engineering tasks, do not connect them to the Internet, install them in premises with access control, apply the hardening rules described above and switch them off when not in use. R258 – Use programming consoles dedicated to maintenance and operation activities, do not connect them to the Internet, do not connect them to systems other than the industrial system, apply the rules for mobile terminals and the rules for hardening configuration and strengthening protection, store them in a secure room, add a clear identifier (visual marking for example). R259 – Use administration workstations dedicated to the administration of infrastructure equipment, do not connect them to the Internet, install them in premises with access control, apply the hardening rules described above and switch them off when not in use. R260 – Do not install development tools on production machines. Only production environments (runtime) should be installed on SCADA servers and stations for example. R261 – If the above recommendation is difficult to implement, as in the case of the use of digital control-command systems (DCS), then compensatory solutions should be considered to isolate the system and reduce its attack surface. |
C2 | D262, R257 to R261 are mandatory. | |
C3 | R263 – Do not use administration stations for permanent system monitoring. | |
Secure development | C1 | R264 – Define rules of good programming practice, then apply them and check their implementation. For example, use the advanced options of some compilers or tools dedicated to checking good programming practices. |
C2 | R265 – Use a development environment dedicated to the industrial system. R266 – Implement and apply secure coding rules in addition to the good development practices mentioned above. R267 – Systematically use static analysis tools and robustness tests. R268 – Have code audits performed by external service providers. |
|
C3 | D269, R265, R266, R267 and R268 are mandatory. D270 – The security level of the development environment must be verified by audits. |
NOTE.– Installation of patches is a tricky operation, because it can jeopardize the proper functioning of the installation. This update should preferably be carried out as part of maintenance operations.
NOTE.– Some compilers, SCADA and PLC development workshops have many options for reporting additional warnings to the user. Often, these options are not enabled by default. They prevent many programming errors and bugs that can lead to vulnerabilities and should be used.
Event logs | C1 | R271 – Define an event management policy to:
R272 – Enable traceability functions for hardware and software that allow it, such as syslog, SNMPv3, Windows Event. R273 – Implement a centralized and secure event log management system that takes into account backup, confidentiality and integrity. R274 – Trace and record parameter changes for sensors and actuators, servo and control functions, etc. This can be done by some SCADA software. |
C2 | D275, R271, R272 and R273 are mandatory. R276 – Regularly analyze newspapers. |
|
C3 | D277, R276 are mandatory. R278 – Implement a SIEM solution centralizing event logs and allowing logs to be correlated to detect security incidents. The SIEM must be placed behind a diode to avoid being considered a class 3 device. |
|
Means of detection |
C1 | No additional requirements. |
C2 | R279 – Implement intrusion detection means on the periphery of the systems and on the points identified as critical, which include in particular:
R280 – Use labeled detection means. R281 – Centralize the events collected by the probes. R282 – Develop the process that describes the consideration of events reported by the probes. |
|
C3 | D283, R279, R281 and R282 are obligatory. |
Here is a non-exhaustive list of audit events to configure:
3.133.160.14