Critical infrastructure: complex yet vital compliance

Protecting critical infrastructure: what do the regulations say? | Stormshield

Cyberattacks targeting critical infrastructure entail extremely high risks. Hence the complexity of the legislation needed to combat them. Faced with the challenges of securing such infrastructure, no one can afford to skimp when it comes to understanding and complying with this legal framework.

“Critical infrastructure” plays a central role in the way our societies work.

Behind this expression, we find abbreviations such as OIV (Organisme d’Importance Vitale - Organisation of vital importance) for France or OES (Operator of Essential Services) for Europe, but this isn’t all. More generally, the expression refers to all public and private infrastructure, the continuous operation of which is vital to the satisfactory operation of the State or of society.

Stéphane Prévost, Stormshield Product Marketing Manager, explains that: “It generally refers to organisations operating in the telecommunications, transport, energy or health sectors. Any organisation for which an interruption of their services following a breakdown of the IT infrastructure would have dramatic consequences”.

Prime targets for cyber-attackers

Ensuring the satisfactory operation of these structures is therefore vital to the day-to-day running of our societies and the security of our people. However, this means that such infrastructure becomes a prime target for terrorist acts or acts of sabotage perpetrated through cyberattacks. It was after the 11 September 2001 terror attacks that people began giving thought to this notion of critical infrastructure in France.

To avoid such attacks occurring via their IT systems, the managers of critical infrastructure must strive for maximum security, as specified in a jungle of different directives, versions and regulatory texts both at a national and European level.

The legislation is particularly dense and not always very clear

As Stéphane Prévost explains, the critical nature of this infrastructure has led to the member states of the European Union adopting laws, regulations and directives to ensure that this infrastructure can resist cyberattacks. “Although we may be unable to prevent cyberattacks, we need to do everything possible to successfully block them or at least to restore the affected services as quickly as possible”.

In France, organisations operating in the health sector for example are subject to at least four European directives or regulations (such as the GDPR, the NIS or the PCI-DSS), to two French laws or directives (the Public Health Code and interministerial instruction number 901) and potentially to two standards (Common Criteria and ISO27000). And that’s before we even get to the good practices guides. This framework naturally includes recommended solutions, such as the “decree concerning the health sector of the French Military Planning Law (MPL) which makes it compulsory to use cybersecurity solutions recommended by the French state”, adds Stéphane Prévost.

Adopting the right habits: qualification, compliance and protection

These good habits in the cybersecurity field first and foremost include choosing products approved by the ANSSI (National Cybersecurity Agency of France). An approved solution is compliant with the regulatory framework and offers added peace of mind as it has been tested to very demanding levels.

“The challenge is to deploy the cybersecurity solution while at the same time taking full account of the business processes and the various constraints specific to this infrastructure, such as availability or continuity of service for example”, adds Houari Rachedi, Stormshield Project Manager.

This sometimes means trialling even a minor update in a test environment to avoid the risk of modifying the ecosystem for the workstation or network or affecting a business-critical product. “We try to anticipate in as far as this is possible, by notifying the product managers of these constraints to ensure that they are taken into account right from the design stage. Our consultants then get involved, supporting our clients through the deployment and configuration stages”, he continues.

Fortunately, critical infrastructure is today managed by teams who are increasingly competent when it comes to guaranteeing the security of their IT systems. A good first step towards ensuring compliance is to choose solutions recommended and/or approved by the ANSSI. However, support from specialists can also come in handy to help you get the most from solutions implemented in a restricted environment.

To help you find your way through the maze of security solutions and its sometimes complex vocabulary (certified or qualified products, etc.), Stormshield proposes a handy overview to help you see things more clearly.

It’s not always easy to get to grips with the legislation in your particular business area as it can be very dense and complex, whether at a national or European level. What if we offered you a guide introducing the subject in a manner specific to your own area of activity?

About the author

Julien Paffumi
Product Management Leader, Stormshield

Julien Paffumi made his first foray into Arkoon’s R&D as a quality engineer. He then directly trained administrators and acquired broad knowledge of their needs – an invaluable experience for his next role as Product Manager of Arkoon Fast360 firewalls, and then of the Stormshield Management Center centralised administration console. Eager to share what he has learned, Julien now works in continuous improvement for Product Management at Stormshield as a Product Management Leader. This cross-cutting role also feeds his never-ending curiosity thanks to its broader approach to Stormshield solutions.