Industrial cybersecurity

Key security considerations in the industrial sector
As we saw in a previous article, why the industrial sector is a prime target for cybercrime. Professionals understand the risks (financial loss, production downtime, loss of industrial secrets, client data breaches) but often find it harder to implement specific measures to secure their IT infrastructure.
Security should therefore be viewed as a complete chain, where each link requires particular attention.

Network security
The network security involves protecting the computer network from intruders, whether they are targeted attacks or opportunistic malware. Many security techniques and technologies exist, such as segmentation, port control, DMZ implementation, or firewalls, etc.
These techniques can be quite complex to implement, sometimes leading professionals to work exclusively on their local network and isolate it as much as possible. Installing "on-premise" applications (on the local network) rather than in the cloud may seem more secure to some, as they feel they control all security parameters. However, this perspective has several limitations. Today, managing your own IT assets, network security, data, and applications is like hiding your money under your mattress instead of putting it in the bank: with our money, we choose to trust someone whose specialty it is and who deploys the appropriate resources. The same logic applies to managing your IT infrastructure.
With the advent of Industry 4.0, applications are increasingly interconnected and require access for remote maintenance. Completely isolating one's network becomes complicated, if not utopian.
To communicate between its services, SCorp-io uses a VPC (virtual private cloud). External access is controlled by an Ingress*, as well as an API Gateway**, which provides a single entry point for all data read and write requests.
* An Ingress is a relatively simple Kubernetes object that defines application routing rules for HTTP traffic.
** An API Gateway is the single entry point for APIs and back-end microservices. It enhances security and ensures system scalability.
Application security
The application security aims to protect software and devices from threats. A corrupted application could open access to the data it is supposed to protect.
Due to its cloud hosting, SCorp-io benefits from the host's security processes, which are responsible for machine security: applying security patches, OS updates, etc. Once again, delegating machine maintenance to a specialized host is often safer and allows professionals to focus on their own core issues rather than on infrastructure maintenance.
Information Security
The information security ensures the integrity and confidentiality of data, whether stored or in transit.
SCorp-io uses the OAuth2 authentication protocol to secure access to its REST API. This protocol protects access to data displayed in the browser by ensuring the user is identified with the system. This protocol is reinforced by a second authentication factor (2FA), which confirms the user's identity with a second code sent via email.
Whether for data collection from automated systems or data publication to its cloud modules, all communication protocols used by SCorp-io are encrypted.
Operational Security
The operational security encompasses the processes and decisions related to data processing and protection. This includes user permissions and procedures that define data storage and location.
SCorp-io has implemented a highly granular rights management system with multiple roles, allowing control over the actions permitted to each of its users.
SCorp-io hosts its data in France with a 100% French hosting provider, ensuring that European law applies to its users' data. For a European company, it is preferable not to store data in the United States, which does not offer a level of personal data protection equivalent to that of Europe, particularly due to the Foreign Intelligence Surveillance Act.
Disaster Recovery and Business Continuity
The disaster recovery and business continuity specify how a company responds to a cybersecurity incident or any other event causing operational or data loss. Disaster recovery policies govern how a company restores its operations and information to regain the same operational capacity as before the event. Business continuity refers to the plan a company relies on while attempting to operate without certain resources.
SCorp-io's infrastructure is entirely scripted (Infrastructure as Code). This allows for the recreation of all services used by its users in a matter of minutes. SCorp-io performs daily backups of its databases. Backups are carried out on remote servers to guard against any disaster occurring at the hosting provider.
Furthermore, SCorp-io uses regional hosting for its server cluster, ensuring that the application is replicated by the host in several geographically distant zones. This hosting method guarantees high availability and protects against a hosting provider outage. For example, OVH experienced a significant outage at one of its sites during the fire on March 10, 2021, which destroyed an entire data center (SBG2) and partially another (SGB1). (source)
End-user training
The end-user training focuses on the most unpredictable factor: humans. Anyone can accidentally introduce a virus into an otherwise secure system by not following good security practices. Training employees is therefore essential.
At the Telecom Paris incubator, The company Mantra offers phishing email simulation services to train employees to effectively detect these fraudulent emails and significantly reduce cyber risk exposure.

Conclusion
The characteristics of the sector (system lifespan, increase in connected equipment) make industry a prime target for cybercrime. The risk is enormous, sometimes leading to operational shutdowns. To protect against this, security measures must be comprehensive and safeguard the entire information systems chain. While technical measures are necessary, humans also bear responsibility, and training employees is as essential as protecting the network. Security is at the core of SCorp-io's concerns, and other articles on this topic will be regularly published on this blog.
You might be interested in this
Explore more articles on energy management and smart buildings.
Ready to transform your energy management
Start with a personalized demo or a free audit of your facilities.



