Cybersecurity: 600 sensitive infrastructure operators facing specific obligations

Cybersecurity affects us all. Every company, large and small, in every sector is a potential target. But in some cases, sensitive infrastructure operators for example, a cyberattack can have huge repercussions on an entire country. Operators of Vital Importance (OVIs) and Operators of Essential Services (OESs) need to have a specific security policy in place to tackle these threats, with nearly 600 such operators in France alone.

What are operations of vital importance?

Operations are considered to be of vital importance if they contribute toward producing and distributing goods or services that are essential to the exercise of the state’s authority, the functioning of the economy, or the maintenance of national defense or security. These operations are, by their very nature, difficult to substitute or replace.

Services indispensable to the nation’s survival

There are 12 designated sectors of vital importance, grouped into 4 categories:

• Human : Food supply / Water supply /Health
• State : Civil / Judicial / Military /
• Economic : Energy / Finance / Transport
• Technological : Electronic, audiovisual, and IT communications / Industry / Space and research

What are essential services?

Essential services are defined in the EU Network and Information System Security (NIS) Directive. A service must meet 3 criteria to be defined as essential:

• The service is essential to maintain critical societal or economic activities.
• The service relies on networks and information systems.
• An incident affecting these networks and systems would significantly disrupt the ability to provide the service.

Prime target for hackers

These operators are prime targets for hackers, not just because of the impact a cyberattack would have on the organization, but far beyond that. There is no shortage of examples of recent attacks on OVIs and OSEs. The maritime sector, for example, fell victim to multiple attacks in 2018, with ransomware hitting three ports across the world: Long Beach Port in China, Barcelona in Spain, and San Diego in the United States.

The health sector is also a frequent target for hackers. In Singapore, a cyberattack resulted in the theft of more than one million medical records ─ a tremendous amount of sensitive data that has vanished into thin air. Then, in early June 2019, the pharmaceutical, food, and environmental analysis laboratory Eurofins saw its IT systems disrupted by a ransomware attack. An attack that had immediate repercussions, as the group saw its share price dive after the cyberattack was made public.

More recently, Belgian equipment manufacturer Asco ─ a subcontractor of Airbus and Boeing ─ was paralyzed by a ransomware attack, leaving 1,000 employees unable to do their job and technically unemployed.  In January 2019, engineering and R&D services group Altran was also struck by a cyberattack. The list of companies vulnerable to a cyberattack only continues to grow.

Specific cybersecurity obligations for sensitive infrastructure operators

It should come as no surprise that countries are taking action to boost their protection. France has become the first country to actually legislate for a mandatory, effective system for critical infrastructure. At a conference organized in Paris by the anti-virus software developer ESET, the French National Cybersecurity Agency (ANSSI) said that France has up to 600 companies and institutions subject to specific cybersecurity obligations.

Designating OVIs and OESs

There are currently around 200 OVIs, and France is still in the process of designating which organizations are to be classed as OESs, in application of a European Directive of July 2016. ANSSI has been charged with helping the country to put together the list of operators, which will remain confidential. It will then ensure that these organizations are complying with their obligations. “There are 122 so far; there will be a second wave by the end of 2019 and a third wave in 2020,” explained Patrice Bigeard of ANSSI at the gathering in June 2019.

OVIs and OESs: Oodrive is by your side

In early 2019, Oodrive became the first ever cloud service provider to obtain the Security Visa from the French National Cybersecurity Agency (ANSSI), under the SecNumCloud label. Initially based on the stringent technical specifications of ISO 27001 and complemented by service and European data hosting commitments, SecNumCloud imposes increased technical, organizational, contractual, and regulatory compliance requirements.

Oodrive offers three private cloud solutions certified by ANSSI’s SecNumCloud label. The group can provide its customers, OVIs, OESs, and public authorities with qualified solutions that meet the security requirements recommended by ANSSI.