Foreword

Cybersecurity is one of the major concerns of our time. The risk of cyber-attacks accompanies the development of digital systems and their networking, particularly through the Internet. These risks concern all types of installations, and attacks can be carried out by isolated actors – “hackers” who, depending on their ethics (provided they have any) will be qualified as “white, grey or black hats” – but they can also be the work of international criminal organizations, or even State services acting at offensive or counteroffensive level.

The motivations for these attacks are very diverse: the desire to disrupt, harm or even destroy, theft of information, threats, intimidation, blackmail, revenge, extortion, demonstration of force, etc. There are now countless examples of this, and industrial systems, small or large, which were long thought to be protected because of their specific characteristics and their isolation from the outside world (the famous air gap), are no longer immune to threats of very different shapes and sizes.

The consequences of successful attacks can be serious because in the industrial world, the aim will of course be to protect the information system and the data it contains, but the primary objective is to prevent serious disruptions in controlled processes. These disruptions can lead to untenable production stoppages for manufacturers, regardless of their size, and generate damage to the environment, property and people, with consequences that can be major. It is easy to imagine disaster scenarios that could affect sensitive installations in the fields of energy production, water treatment, transport and more generally major infrastructure.

The industry therefore faces a real problem that it can no longer ignore and it is the duty of each manager to assess the risks to which the installation for which he/she is responsible is exposed, and to take appropriate protective measures. However, industrial managers remain perplexed about the measures to be taken and the organization to be put in place. If they are willing to acknowledge the reality of risk, they often have difficulty perceiving its origin and magnitude, and admitting its possible consequences.

Yet, for a long time, the industry has been accustomed to dealing with functional safety and the risks of component failure and operator manipulation errors that can affect essential functionality. The understanding of these risks has given rise to international standards: IEC 61508 on the functional safety of electrical/electronic/programmable electronic systems, and IEC 61511 specific to the processing industries sector, itself based on the ISA-84 standard developed by the ISA (International Society of Automation). These problems can be addressed probabilistically from experimental and experiential data, as the threats are unintentional.

In the case of cybersecurity, we know that there are threats, which will come from the outside, perhaps also from the inside, but in what form, with what magnitude and with what probability? In the case of threats of intentional actions, this is a purely subjective area of assessment that can lead to an overestimation, resulting in a level of protection that will be detrimental to the company’s competitiveness, or an underestimation that will pose an intolerable risk to the company.

In addition, attack techniques are evolving and improving. From the simple viruses of the 1990s, detectable by their signature, we have moved on to malicious software, which are complex computer constructions capable of communicating with the outside world, capable of growing and becoming more widespread, and capable of taking remote control of installations. Some attacks are targeted, as were the attacks on Ukrainian power grids in late 2015 and 2016, while others are broad spectrum, such as the Wannacrypt and NotPetya attacks, which have caused serious disruptions on many industrial installations, including in France.

Companies can be held to ransom by ransomware, which has become common practice; they can also be unwitting accomplices in distributed denial-of-service attacks, because connected objects – especially those that are permanently connected to the Internet but insufficiently protected, such as surveillance cameras, printers and boxes – can be enrolled in botnets and manipulated remotely to participate in massive attacks.

The development of the industrial Internet of Things will greatly expand attack surfaces by networking a considerable number of diverse devices that will be impossible to monitor individually, and whose origin, development conditions and way of storing and exchanging information we will have to be wary of.

People working in the industrial world are often confused about how to approach the problem, but the normative and regulatory context forces them not to remain inactive. In France, ANSSI was charged by the Military Programming Act of December 18, 2013 and the decrees of March 27, 2015, with ensuring the security of vital operators’ information systems. More recently, the European Network and Information Security (NIS) directive, transposed into French law by the law of February 26, 2018 and the decree of May 23, 2018, introduced obligations for all operators of essential services.

It is likely that insurers will also exert increasing pressure for all companies to take appropriate protective measures.

Jean-Marie Flaus’ book is therefore timely and meets an essential need. It is an extremely valuable tool to better understand cybersecurity issues and solutions. Jean-Marie Flaus is a professor at the University of Grenoble Alpes. He is also a teacher-researcher and head of the Department of Management and Control of Production Systems at the G-SCOP Laboratory, Science for Design, Optimization and Production. The laboratory G-SCOP is a multidisciplinary laboratory created in Grenoble in 2007 by the CNRS, Grenoble-INP and the University of Grenoble Alpes, in order to meet the scientific challenges posed by changes to the industrial sector. Cybersecurity is clearly one of them.

The author addresses it in his book with both a teacher’s and a practitioner’s eye. His approach is deliberately didactic and aims to provide a detailed understanding of the nature and extent of the threats facing the industry. Its purpose is not to alarm unnecessarily, but to provide the keys to an assessment that is as objective as possible of the risks involved, which will be collated with those that a functional safety analysis may have revealed in order to identify the industrial risks involved as completely and as homogeneously as possible.

But Jean-Marie Flaus is also a practitioner, leading in particular the work of the “Cybersecurity of industrial installations and the Internet of Things” group within the Institute for Risk Management (IMdR). Once the overview of threats and vulnerabilities has been established, the author outlines the approach to be followed to address them based, in particular, on the normative standards that can be used. The fabric of standards is often considered complex and abstruse but, without getting lost in their mysteries, Jean-Marie Flaus explains its philosophy and approach, focusing on the two most important ones: the ISO 27000 series of standards and the IEC 62443 series. This last set of standards is the result of a long process of work undertaken within the ISA99 committee of the ISA more than 10 years ago and now in the process of being completed. The IEC 62443 standard is the only normative text specifically dedicated to industrial control systems; it has a double merit:

  • on the one hand, it segregates the obligations to be met throughout the lifecycle of a control system according to the role played: product developer or manufacturer, integration service provider, operator, maintenance service provider;
  • on the other hand, it provides the link and synthesis between the technical and organizational measures necessary to achieve a given level of security following a risk analysis.

As Jean-Marie Flaus explains very well, organizational and technical aspects must go hand in hand. There is no point in installing firewalls if the way they are operated and programmed is not defined. Conversely, “policies & procedures”, as sophisticated as they may be, are of no interest if they are not technically supported.

The reader will find in the book a description of the traditional and most advanced protection techniques, but also a statement of the rules and method to be followed to build an information security management system adapted to the case of each industrial installation. For such a system to be complete, it is necessary to think in terms of “protection” but also to act at the level of “prevention” and “early detection” of intrusions, in particular abnormal traffic suggesting that an attack is in preparation. It is also necessary, because the hypothesis of a successful attack cannot be ruled out, to consider how to contain it, through appropriate defense in depth, and to restore the normal functioning of the system, starting with essential services.

Jean-Marie Flaus makes a clear and precise presentation of all this, without ever falling into abstraction, and also dealing with a simplified approach to risk management, when the stakes are low and do not justify overly sophisticated analyses.

It is a book from which certain chapters can be extracted for a thorough reading; it is also a book that can be read in its entirety, without boredom and where much is learned. It is certainly a book that will become a reference work that each manufacturer must have at least consulted and kept nearby, and that will be extremely valuable to all cybersecurity professionals to better understand the issues and solutions.

Jean-Pierre HAUET

President of ISA-France

Voting member of the ISA99 committee
