Thierry Trouvé, CEO of GRTgaz, describes the initiatives that the French gas transmission system operator is putting in place to protect its industrial systems (OT) from the main risks it faces, whether traditional or cyber.
Today, industrial systems make extensive use of information technologies, even though they were not designed to deal with the threats they introduce. How do you integrate these systems into your assessment of the security of the company’s information systems?
In the industrial sector, this is a key issue because we have a significant technical debt, with equipment of an older generation, which is therefore more vulnerable to cyber threats. This equipment consists of a centralised control system (our national dispatching system) and, in the field, compressor and interconnection stations, and metering points…
My answer to your question will certainly disappoint you, first because I cannot tell you everything, then because we have not found the miracle recipe that would allow us to entirely solve this problem with a limited investment.
However, we apply a number of principles, the most important of which is the strictest possible separation between the OT and IT. At the same time, we are also working on eliminating our technical debt. For example, we use risk assessment approaches to update the most sensitive operating systems or administration procedures. These are relatively classic recipes that we apply where the risks are greatest and, of course, within the specific framework of the Military Programming Law.
What other principles do you apply?
We practise defence in depth, based on compartmentalisation and access control, including privileges. We are also paying more and more attention to outsourcing, a battle that is just beginning. The SolarWinds attack is a perfect example of the need to ensure that a company’s subcontractors are at the same level of security as their client.
You have just mentioned the very strong seal between OT and IT. What technologies does your OT rely on?
The technologies we use are fairly standard: we have a SCADA (supervisory control and data acquisition) system that monitors and pilots our gas system and is hosted under our control. We also have dedicated networks. This part is completely sealed off from the IT.
What are the main types of threats you face?
The threats we face are those to which all companies are exposed today, and which make the headlines every week: financial crime, cyber-banditry, etc. But as the operator of a strategic national infrastructure, we are also potentially exposed to state threats. We are therefore, in theory, not spared from any type of threat.
How important are your resilience skills?
We give them a central place because, despite all our efforts, we tell ourselves that one day we might be directly affected by an attack. There is no such thing as zero risk. In the risk assessments we carry out, we strongly focus on our resilience capacity.
What will be the consequences, both digital and physical, of an attack? At what point will it prevent us from providing our service? How quickly will we be back up and running, even with a half-functional system? These are our priorities today.
Until a few years ago, we had the weakness of thinking that if we had enough perimeter security in place, we would be safe from the main threats. Today, this posture seems to me a little too optimistic. The question is no longer if we will fall, but when, and how we will overcome this while mitigating consequences.
How do you manage connected objects within your OT?
A distinction must be made between commercial connected objects—which have many security flaws—and industrial IoT—which we mainly use and for which we systematically implement security by design.
When we use more standard, off-the-shelf solutions, we make sure that they do not affect sensitive functions. We therefore ensure that the system remains separated or that the functions concerned are not vital.
How do you make your staff aware of safety issues, as we know that the human factor is very important in this area?
We provide our employees with e-learning modules; we organise events, demonstrations, webinars, the “cyber month”… We also run phishing exercises to see how employees react in a real situation, and then give them feedback if they take the bait. Out of our 3,000 employees, a few always fall for our tests.
We have tackled cybersecurity head-on: it is managed at ExCo level, and I am personally very interested and involved in this subject.
In addition, for some time now, we have started to carry out cyber crisis drills, which complement the traditional crisis exercises that every industrial company carries out regularly. These drills heavily involve the national crisis unit. It is very interesting because it gives a very concrete idea of cyber issues that were previously difficult for some to grasp.
In conclusion, what best practices would you recommend?
Security and cybersecurity approaches have many similarities. Some of the recipes that are valid for traditional security therefore also apply to the field of cybersecurity: involving the management team, carrying out drills, and performing what we call the security visit.
The security visit consists of a manager visiting an employee who is carrying out a particular operation. The manager observes the employee and then debriefs them on what they have seen, in a constructive and benevolent spirit. Since last year, we have added the topic of cybersecurity to our security visits. These are very instructive opportunities for dialogue and exchange that contribute to our continuous improvement in this area.