Reevaluating Cybersecurity Needs for Industrial Information Systems: Less Emphasis on Attack Plausibility
When assessing the cybersecurity requirements of your industrial IT systems, it is advised to place less weight on the criterion “likelihood of attacks.” While the French National Agency for Cybersecurity (ANSSI) does not explicitly state this, it has recently updated its methodology for classifying these systems accordingly.
The original classification framework, in use for over a decade, primarily followed a straightforward model:
- The functionalities and connectivity of a system determine its exposure level.
- This exposure, combined with the attacker’s profile and personnel access rights, influences the perceived likelihood of an attack.
- The likelihood, when combined with the potential impact severity, leads to a system classification.
Historically, three levels of functionality were defined:
- Minimal systems: Control-command type (sensors/actuators, remote I/O, PLCs, control stations, embedded systems, analyzers), excluding programming consoles.
- Complex systems: SCADA type (supervision stations, local historical servers, local databases).
- Highly complex systems: Systems with programming consoles or engineering stations connected continuously, those linked to manufacturing control systems, or those containing centralized historical databases.
Similarly, five levels of connectivity were characterized:
- Isolated system
- Connected to an operational management system (with no operations permitted from outside)
- Using wireless technology
- Distributed, where sites communicate via private infrastructure or facilitate operations from external sites or management networks
- Distributed with public infrastructure (such as telecommunications networks)
Personnel access levels were classified into four categories:
- Authorized, entitled, and regulated
- Authorized and entitled
- Authorized
- Unauthorized
Impacts were evaluated across three domains: human, environmental, and macroeconomic, each rated on a scale from 1 to 5 (“Insignificant”, “Minor”, “Moderate”, “Major”, “Catastrophic”).
Addressing the “Likelihood Loop” Issue
The updated classification method moves away from emphasizing the “insignificant” impact level and incorporates economic impacts on the industrial facility owner. Most notably, it significantly reduces reliance on the likelihood criterion.
The agency explains that with the previous methodology, systems were often classified as critical. This was partly due to the “likelihood loop” phenomenon. Essentially, as an industrial system incorporated cybersecurity measures, the assessed likelihood of attack would decrease, which paradoxically lowered its classification and, with it, the required measures, creating a feedback loop. To circumvent this, analysts would artificially hold the likelihood at a constant level, regardless of actual security improvements. That workaround, however, ignored the evolving context. A stable classification is preferable for systems whose functions do not change, so that security measures are defined appropriately and remain consistent over time.
Moreover, the agency highlights that likelihood can be “too variable over time,” detracting from the classification’s effectiveness in establishing long-term security frameworks.
The EBIOS RM Framework… with Specific Adaptations
Moving forward, the integration of likelihood assessments is confined to the final stage of the process, specifically through the strategic scenarios outlined in the EBIOS Risk Management methodology. The updated classification approach heavily draws from EBIOS RM in various aspects but distinguishes itself by, among other things, providing a more detailed inventory of business values and segmenting the operational landscape into distinct zones.
Impact severity on each zone is estimated based on their criticality—considering criteria such as availability and integrity—and by identifying the most feared events. This results in four security levels: low, moderate, high, or catastrophic impact.
The security class assigned to a zone depends on the maximum impact of the most severe feared event. It is possible, in addition to likelihood considerations, to elevate the security classification for a zone—particularly in scenarios involving geographically dispersed facilities, where a simultaneous event affecting multiple sites can have significant consequences. Similarly, zones that cannot be adequately isolated at the recommended levels might also be upgraded in classification.
Impact level scale used in the risk assessment study, representing the severity of potential consequences of targeted events.
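To make the contrast concrete, the following is an added example (not ANSSI's tables or tooling) that models a zone with its feared events and computes its class two ways: a toy version of the previous method, in which likelihood drops with each added security measure and so drags the class down, and the updated rule, in which the class is the impact of the most severe feared event, optionally upgraded for dispersed or non-isolable zones. The numeric encodings, the one-level upgrade step and the sample zone are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum

# Four impact levels of the updated method (from the article)
class Impact(IntEnum):
    LOW = 1
    MODERATE = 2
    HIGH = 3
    CATASTROPHIC = 4

@dataclass
class FearedEvent:
    name: str
    criterion: str      # "availability" or "integrity"
    impact: Impact

@dataclass
class Zone:
    name: str
    feared_events: list
    geographically_dispersed: bool = False
    isolable_at_recommended_level: bool = True

def old_class(zone: Zone, security_measures: int) -> int:
    """Toy model of the previous method (assumed encoding): likelihood falls one
    notch per security measure, class = bucketed likelihood x worst impact."""
    worst = max(e.impact for e in zone.feared_events)
    likelihood = max(1, 4 - security_measures)   # the quantity that feeds the loop
    score = likelihood * worst
    return 3 if score >= 9 else 2 if score >= 4 else 1

def new_class(zone: Zone) -> Impact:
    """Updated method: class = impact of the most severe feared event, independent
    of likelihood; upgraded one level (assumed step) if the zone is geographically
    dispersed or cannot be isolated at the recommended level."""
    base = max(e.impact for e in zone.feared_events)
    if zone.geographically_dispersed or not zone.isolable_at_recommended_level:
        return Impact(min(base + 1, Impact.CATASTROPHIC))
    return base

def classification_drift(zone: Zone, measures_added: int) -> list:
    """Old-method class after 0..measures_added security measures (the loop)."""
    return [old_class(zone, m) for m in range(measures_added + 1)]

# Constructed sample: a supervision (SCADA-type) zone with two feared events
PLANT_ZONE = Zone("supervision", [
    FearedEvent("loss of supervision", "availability", Impact.HIGH),
    FearedEvent("falsified setpoints", "integrity", Impact.CATASTROPHIC),
])

if __name__ == "__main__":
    print("old method as measures are added:", classification_drift(PLANT_ZONE, 3))
    print("updated method:", new_class(PLANT_ZONE).name)
```

Running it shows the old class sliding from 3 to 2 as measures are added while the updated class stays at CATASTROPHIC, which is the stability the agency is after.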