Physical security, the subject of Face au Risque's special report, relies heavily on digital technologies in the form of video surveillance and access control systems. How can the cyber risks associated with their use be controlled? Pierre Oger, co-founder of Egerie, agreed to answer our questions.
Information systems (IS) are supported by technical infrastructure. These infrastructures are accessible to a human environment and are therefore physically accessible. I will take a very well-known example, that of physical silos, which has been used for a very long time in the world of defence. If you are in the presence of an IS that is both interconnected and physically accessible, the attack surface is necessarily very large. Now, if we consider this IS inside a bunker, physically inaccessible and with extremely strong partitioning on top of that, then the possible attack scenarios are obviously reduced. Physical security is therefore a simple and basic way to ensure a high level of security. The difficulty is that the world today is driven by digital: the more we use it, the more we want it to be efficient, and the more open it must be. In a business environment, the bunker's operating model cannot be used because there are ongoing exchanges of information between different entities. Moreover, today the physical security elements are almost always attached to IP technology: they become active components of the IS. So we need to find an intermediate model that integrates smart security.
It is essential to manage cybersecurity through risk control. With risk there are always three stages. First, you must know the risks you face: this is the identification phase. Second, you need to have a thorough knowledge of these risks and have precise metrics: this is called the quantification phase. Third, a standardized and structured method of dealing with the identified risks must be put in place: the analysis phase. This must also be dynamic: risks must be constantly reassessed on an ongoing basis. These three crucial steps are the risk management process. By identifying and defining all the information, you become more agile and efficient.
Before, there was the world of computer science on one side and the world of security on the other. There was no real connection between computer security engineers and security engineers. Today these two themes are interdependent, and the people in charge of risk management in the company must have a global and integrated view of the situation. In the risk analysis, actions are identified that will cover the largest number of risk scenarios. It is this global vision that prevents the attack scenario from unfolding. It is all the more strategic as the system is alive, and so is the attacker. In other words, the more time one wastes before implementing this risk-driven cyber strategy, the more time one will have to spend regaining control of the situation and thus correcting it.