Gilles Berthelot, CISO at the Audit and Risk Department in SNCF, France’s national state-owned railway company, confronts major challenges in cybersecurity in the railway sector. He agreed to an exclusive interview with us about his role, the changes in the industry and its digital transformation as well as the cyber risks he must tackle.
What do you consider the role and tasks of a CISO to be in the context of industrial activity?
The industrial world of control engineers went digital alongside information management systems and created a “sort of endemic information system”, often with confidential or proprietary technology. This characteristic was for a long time the only natural protection for these systems against rampant contamination from the threats of the IP world.
The search for cost reduction led to the standardization of these systems and the use of tried and tested technologies, often IP. Furthermore, industrial teams, even though they had expertise in ensuring operations, were not necessarily up to par with the cyber protection of systems.
As long as these worlds remained isolated, the risks were few and far between, but opening these information systems up to remote management and maintenance in IP tore these technical barriers down. We also introduced standard risks into systems that are sometimes critical.
It seems natural then that CISOs, who covered the perimeters of information management systems, would broaden their tasks to the cyber protection of the digital industrial world.
There are generally 2 challenges to overcome:
- Integrating information systems security (ISS) into new industrial projects from the beginning in the design stage by integrating cyber requirements (security by design), including major industrial partners.
- Back protection of existing systems in production that have poor or inadequate cyber protection. This is a major challenge for systems that are often hard to modify or do not always have the basic features needed. In this case, the only possibility that remains is an “isolation room”.
How has Industry 4.0 materialized in your company?
Industry 4.0 represents the first part of the challenge: the conception of security by design… the only sustainable option.
‘We don’t see shipyards releasing boats into the sea with holes in their hulls that would require their sailors to repair them out on the open sea’, I tend to say. However, more often than not this is what designers of IT systems do. It’s very irresponsible!
In SNCF, we design our industrial systems with the awareness that the “rising IS dependence” of our profession is full-scale. What’s left is to apply it overall to operations.
This requires long-term efforts:
- To educate people in these new approaches;
- To adapt ISS processes and methods to the industrial world;
- To adapt cyberdefense technology to the specific nature of industrial production.
The challenges of Industry 4.0 and the IIoT are numerous. What do you consider to be the inherent risks?
It is certain that smart industry is closely tied to the IoT. Sensors and automatic reactions to detected incidents are what we are aiming for in order to become more efficient.
Therefore, we must be sure of our IoT choices: cybersecurity of equipment is primordial because it is the key to trustworthiness, which is an essential value in our profession.
Once the smart sensors have been installed and deployed, we cannot go back and improve the flaws in the design of ISS. It’s too late and incompatible with the dissemination model of these technologies.
How do you think CISOs can guide this movement and how does the latter differ from conventional industrial systems?
With conventional industrial systems we are often dealing with closed production installations: factories, data centers, workshops, etc.
With connected objects, we’re dealing with territorial dissemination which brings with it energy problems, problems with network speed, limited calculation capacity, etc. These problems clearly put limits on ISS.
How has the digital transformation of factories, as well as its challenges and impact on industrial information systems, changed the role of CISOs?
The world of control engineers was not prepared for this standard digital invasion and must reinforce its cyber skills.
Resources are as scarce as industrial systems and processes are specific and complex. The knowledge of experts must be combined with cyber knowledge by educating people working in industries or by integrating cyber experts into the industrial world. This act of combining is sometimes delicate and may take time to develop but it is essential.
What material, financial and organizational resources do you have to reinforce the security of industrial systems? How do you think the responsibilities of CISOs over industrial networks and the IoT will evolve?
SNCF decided to appoint delegated CISOs to industrial systems (rolling stock and infrastructure systems) and provides the proper resources, dedicated and adapted ISS governance and a repository of reference material from the industrial world.
SNCF’s ISSP already takes the industrial perimeter into consideration.
Do you think it is necessary to improve control over your industrial networks?
Gaps do exist, even if only between the disproportionate life cycles of industrial devices (20 to 40 years) and the life cycles of the IS controlling said devices (5 to 10 years).
Have you implemented a SOC (Security Operation Center) or do you have plans to implement one? If yes, what is your strategic and technical approach to implementing one as efficiently as possible?
An industrial SOC is in the process of being deployed. It will operate in synergy with the SOC for information management and both will be consolidated to offer an overall view of security operations while respecting the individual nature of each environment.
What about industrial networks? Are they included in your project? If not, why?
Industrial networks are undergoing major changes with the invasion of the IP world. The strict separation of platforms and flows is non-negotiable. A gateway must link the two worlds but must be strictly limited and adhere to ISS certification by ANSSI-approved providers (ANSSI: the French National Cybersecurity Agency) before being deployed.