In 2014, France’s National Agency for the Security of Information Systems, or ANSSI, issued two detailed cybersecurity guidance documents for Industrial Control Systems: Cybersecurity for Industrial Control Systems – Classification Method and Key Measures; and Cybersecurity for Industrial Control Systems – Detailed Measures. This guidance was and is still today seen as the most comprehensive, clear, and sophisticated industrial control system (ICS) security best practice in the world. In 2016 and 2017, on the tails of this important guidance, have come eleven sets of cybersecurity regulations for critical infrastructure – issued by the French Government’s military programming law (LPM) – to protect the Nation’s Operators of Vital Importance (OIVs) for various industrial sectors.
Other regulations were also issued to cover traditional IT and communications sectors considered critical infrastructure, such as Finance and Communications. The industrial sector regulations cover petroleum hydrocarbons, electric energy, natural gas, water management, health products, maritime and fluvial transport, aviation, ground transportation, food production, industrial manufacturing, and nuclear energy.
The LPM directives for these critical infrastructure sectors are very similar, each consisting of 20 rules, or topics, covering main principles of information system security from security policy to network segmentation, logs and incident reporting.
Industrial operators from these indicated sectors are now bound by French law to deploy protective and responsive cybersecurity programs. Though ANSSI has encouraged prescriptive and comprehensive ICS cybersecurity guidelines since 2014, the organization, as charged with enforcing these new LPM regulations, has left considerable discretion as to exactly how operators are to comply with the new cybersecurity directives for critical infrastructure. For operators, the pertinent question now is how to align security program choices with ANSSI auditor expectations to avoid audit failures or costly program revisions. For OIVs, this gap in discretion as to how to protect the most critical networks can be closed if the 2014 guidelines are used as a road map to design security programs to protect critical infrastructure environments.
2014 ANSSI guidelines
The 2014 ANSSI guidelines devote one entire document of the two-document standard to a classification of ICS networks. This classification, much like the NERC CIP classification, is based almost entirely on the impact to society of potentially-compromised networks, and to a small degree on how exposed those networks are through firewalls to less-secured networks. Class 1 networks are the least sensitive networks – all IT networks are by definition Class 1. Class 2 networks are important to society – the classification guidelines describe examples of a water treatment system for a city of one half million people and a large chemical plant near a population center, concluding they are Class 2 networks. Class 3 networks are very important to society – the guidelines describe examples of railway switching systems and the Safety Instrumented Systems (SIS) in that same Class 2 chemical plant as Class 3 networks.
Network segmentation is essential to industrial cyber security and is described clearly in the guidelines. Class 3 networks may use firewalls for internal segmentation, but are forbidden from using firewalls to connect to less-critical networks. Only hardware-enforced unidirectional gateways are permitted between network classes. Remote access from less-critical networks to more-critical networks is similarly forbidden. Class 2 networks may use firewalls to connect to less-critical networks, but a clear justification for such connectivity must be provided, and an explanation as to why such connectivity is safe. Unidirectional gateways are preferred for such communications, and remote access from Class 1 networks to Class 2 networks is strongly discouraged.
Strict removable media controls are similarly prescribed. On equipment where the use of such media is not essential, the guidelines state that removable media ports and drives should be removed or otherwise physically disabled. When removable media must bring suspect data into an important control system, those media must be scanned on a decontamination station for Class 2 networks, and run through a certified, secure data gateway for Class 3 networks.
Strong security simplifies compliance
Applying the 2014 guidance to the 2016-2017 regulations simplifies security programs and reduces their cost. For example, applying security updates can be very costly, and sometimes even dangerous, in critical infrastructure control system networks. Such updates must be tested extensively before deployment, to ensure that there are no unwanted consequences of changing the software that controls important physical processes. Unidirectionally-protected networks, coupled with strong removable media controls, dramatically reduce the opportunity for malware to enter a control network. Such protections can be used as a justification for applying security updates at long intervals, rather than as soon as approved security updates appear, thus dramatically reducing security update testing costs.
Furthermore, unidirectional replication of a file server from a Class 3 or Class 2 network to a Class 1 network dramatically reduces the need to use removable media, since at most sites, most cross-domain data transfers are from the more-important to the less-critical network.
Unidirectional gateway technology simplifies many other rules as well. For example, rule #17 requires that:
…the Operator puts in place filtering mechanisms for data flow circulating in its Information Systems of Vital Importance (SIIVs) in order to block the circulation of useless data flows which may facilitate cyber attacks. The Operator must 1) define data flow filter rules, 2) filter the data flows entering and exiting the SIIV and the data flows between sub-systems such that their interconnections permit only strictly necessary data flows, 3) establish and keep current a list of filtering rules mentioning all the new or deleted rules for the last month.
The most sophisticated unidirectional gateway products support deep filtering of data flows. These technologies do not need to inspect packets and try to decode and intuit their meaning. Instead, unidirectional server replication technology means that the gateways have access to decoded data streams, including the names and values and often the meaning of each data element / tag / paint. Data elements or their values can be filtered or edited in transit.
Another third example of simplifying compliance is the use of a tamper-proof, unidirectional forensic repository for logs, events and other important forensic information, such as PLC configuration files. A tamper-proof repository protected by unidirectional gateway technology simplifies incident response when there is a security incident, because the contents of the repository can be compared to other log repositories to determine which repositories have been changed by attackers. This leads investigators quickly to the records that attackers thought were the most incriminating.
A more detailed version of this article, exploring each of the twenty directives for each critical infrastructure standard is available here: ANSSI Issues Comprehensive Regulations to Protect Critical Infrastructure.