Critical infrastructure: complex yet vital compliance
Published on: 21 10 2019 | Modified on: 22 10 2019
Cyberattacks targeting critical infrastructure entail extremely high risks. Hence the complexity of the legislation needed to combat them. Faced with the challenges of securing such infrastructure, no one can afford to skimp when it comes to understanding and complying with this legal framework.
“Critical infrastructure” plays a central role in the way our societies work.
Behind this expression, we find abbreviations such as OIV (Organisme d’Importance Vitale - Organisation of vital importance) for France or OES (Operator of Essential Services) for Europe, but this isn’t all. More generally, the expression refers to all public and private infrastructure, the continuous operation of which is vital to the satisfactory operation of the State or of society.
Stéphane Prévost, Stormshield Product Marketing Manager, explains that: “It generally refers to organisations operating in the telecommunications, transport, energy or health sectors. Any organisation for which an interruption of their services following a breakdown of the IT infrastructure would have dramatic consequences”.
Prime targets for cyber-attackers
Ensuring the satisfactory operation of these structures is therefore vital to the day-to-day running of our societies and the security of our people. However, this means that such infrastructure becomes a prime target for terrorist acts or acts of sabotage perpetrated through cyberattacks. It was after the 11 September 2001 terror attacks that people began giving thought to this notion of critical infrastructure in France.
To avoid such attacks occurring via their IT systems, the managers of critical infrastructure must strive for maximum security, as specified in a jungle of different directives, versions and regulatory texts both at a national and European level.
The legislation is particularly dense and not always very clear
As Stéphane Prévost explains, the critical nature of this infrastructure has led to the member states of the European Union adopting laws, regulations and directives to ensure that this infrastructure can resist cyberattacks. “Although we may be unable to prevent cyberattacks, we need to do everything possible to successfully block them or at least to restore the affected services as quickly as possible”.
In France, organisations operating in the health sector for example are subject to at least four European directives or regulations (such as the GDPR, the NIS or the PCI-DSS), to two French laws or directives (the Public Health Code and interministerial instruction number 901) and potentially to two standards (Common Criteria and ISO27000). And that’s before we even get to the good practices guides. This framework naturally includes recommended solutions, such as the “decree concerning the health sector of the French Military Planning Law (MPL) which makes it compulsory to use cybersecurity solutions recommended by the French state”, adds Stéphane Prévost.
Adopting the right habits: qualification, compliance and protection
These good habits in the cybersecurity field first and foremost include choosing products approved by the ANSSI (National Cybersecurity Agency of France). An approved solution is compliant with the regulatory framework and offers added peace of mind as it has been tested to very demanding levels.
“The challenge is to deploy the cybersecurity solution while at the same time taking full account of the business processes and the various constraints specific to this infrastructure, such as availability or continuity of service for example”, adds Houari Rachedi, Stormshield Project Manager.
The challenge is to deploy the cybersecurity solution while at the same time taking full account of the business processes and the various constraints specific to this infrastructureHouari Rachedi, Stormshield Project Manager
This sometimes means trialling even a minor update in a test environment to avoid the risk of modifying the ecosystem for the workstation or network or affecting a business-critical product. “We try to anticipate in as far as this is possible, by notifying the product managers of these constraints to ensure that they are taken into account right from the design stage. Our consultants then get involved, supporting our clients through the deployment and configuration stages”, he continues.
Fortunately, critical infrastructure is today managed by teams who are increasingly competent when it comes to guaranteeing the security of their IT systems. A good first step towards ensuring compliance is to choose solutions recommended and/or approved by the ANSSI. However, support from specialists can also come in handy to help you get the most from solutions implemented in a restricted environment.