Cyber (Security) >> For Industry - Protect.airbus

Transcription

PROTECT: Cyber (Security) for Industry
Enabling a trusted future

Cyber Security for Industry

We’re passionate about risk management, safety, security and sustainability. Our experts guide clients in their transformation while empowering them to build a better future.

Airbus Protect offers end-to-end strategic advisory, consulting services, training programmes, and software solutions to industry, Critical National Infrastructure, governments and institutions. We bring together 1,200 professionals from Airbus CyberSecurity – one of Europe’s most advanced sovereign cybersecurity players, and APSYS – a leading provider of safety, security and sustainability consulting, IT and business solutions – creating a centre of excellence to meet our clients’ evolving needs.

We are a trusted partner with more than 35 years of experience in making businesses safe, secure and sustainable for today and tomorrow.

Our mission is to use our deep knowledge and diverse industry expertise to make a meaningful impact. We enable our clients to concentrate on growing their businesses and building a trusted future, while ensuring their safety, security and sustainability never wavers.

We are dedicated to our employees and our clients. Our relationships are based on deep trust empowering us to tackle complex projects and co-innovate to build a better future.

[Diagram: ASSESSMENT, COMPLIANCE, SeMS (Security Management System). Protect your business with the highest security standards.]

From Industry Security to Data Protection

[Diagram: Authorities, In Design, Suppliers, Cyber defence]

Stakes
· Safety
· Production and Operations continuity
· Regulation compliance
· Data protection
· Company branding
· Improved asset utilization
· Secured maintenance

Cyber Threats
· Digitalization
· Production or operation disruption
· Supply chain and third parties
· Ransomware
· Personal data protection
· Phishing
· Emergency management
· Advanced Persistent Threats (APT)
· Evolving threats
· Non-compliance with regulations
· Continuously changing regulations and policies
· Data loss or theft
· Insider threats
· Distributed Denial of Service (DDoS)

Customer Journey: UNDERSTAND, ASSESS, IMPROVE

Identify Security Stakes
· SECURITY CONSULTING
· TRAININGS

Check Compliance, Robustness and Priorities
· AUDITS AND ASSESSMENTS
· OFFENSIVE SECURITY
· RISK ASSESSMENT

Ensure Long Term Security
· SECURITY MANAGEMENT SYSTEM
· DATA SHIELD
· LEGAL SUPPORT
· ARCHITECTURE & SYSTEM DESIGN

Consulting
Understand the stakes. Figure out the big picture. Prepare for what comes next.

Cyber Security is a concern for all businesses. When dealing with cyber security, industrial companies share the following common characteristics:
- Increasingly complex and connected systems that deliver new services
- Attractive targets for hackers, hacktivists, terrorists
- Multiple third parties involved in operations
- Potential impact on employees’ and passengers’ safety
- Evolving regulation

Tackling these challenges requires experience. Airbus Protect offers to share its own experience in a set of services designed to help industries in their cyber security journey (described in the following pages).

We usually start our activities with a consulting mission to present executive and senior managers with cyber security stakes, challenges and best practices. We then initiate an assessment of existing organizational approaches and finally offer a customized view of what should come next.

A report is delivered at the end of the mission summarizing the current maturity of the organization and a concrete action plan to start or improve their cyber security programme.

Pre-assessment
Based on our in-house expertise, we developed a simple yet powerful tool to help you better understand your maturity to face cyber security risks. This tool will propose a list of customized questions related to organizational, procedural, or technical solutions already in place. It then evaluates your cyber security maturity level.

Pre-requisite
This first service addresses executive and senior managers dealing with cyber security.

BENEFITS
· Experienced consultant in the industrial context
· Customized tool to quickly identify your maturity
· Tailor-made proposition for next steps in your company
· Recommendations and action plan delivered as an outcome of the mission

Trainings
Gain insight on the essential concepts of security stakes and challenges.

Our proposal will address dedicated training sessions focusing on the main stakes of cyber security in an industrial context. Threats against this sector are evolving rapidly. Security risks are becoming more complex and regulation is evolving to take them properly into account.

Industrial systems are more and more interconnected and digital. They cannot be addressed as isolated systems anymore. New technologies have been integrated allowing greater communications and functions (maintenance, traceability, data management), implying more interactions and more connections with other systems and environments.

Understanding security stakes and challenges is the first step to making the right decisions to protect and ensure operations.

Training sessions overview
· General security awareness
· Regulation, policies and standards
· Threat landscape
· Risk analyses
· Security Management System
· Incident and crisis management
· Secure development

All these training sessions are delivered by Airbus Protect experts from different fields of activities. Each training can be adapted according to attendee expectations and the required specific context.

Pre-requisite
Depending on each training.

BENEFITS
· Set up a shared understanding of the industrial security context
· Identify security objectives for continuous production and operation
· Understand how systems interact and how to manage them securely
· Understand the security risks and be able to establish an overall security governance
· Improve, develop and maintain the existing security measures
· Improve security assurance level of your code

Audits and Assessments
Assess your compliance with the most relevant security standards.

To face the increasing number of standards and regulations to comply with (II901, LPM, IEC 62443, ISO 2700X, NIS Directives, GDPR, Export Control...), Airbus Protect offers a set of audits and assessments tailored to your needs. We can perform assessments or formal compliance checks on all phases of the product lifecycle (design, production, in-service operation) and company scope (IT, physical, product, industry, supply chain, in service).

Our team of certified auditors will assess your organizational, physical and technical controls in place, evaluate their compliance and performance and identify ways of improvement.

We will support your organization to achieve the next maturity level with a clear and comprehensive report on your current compliance level including security recommendations prioritized by criticality, efficiency and complexity.

Audit plan key topics
· Security organization
· Security in operations
· Asset management
· Exchange of information and media management
· Networks and communications
· Business continuity
· Incident and crisis management
· Compliance and continuous improvement
· Security in development (state-of-the-art, target, how to get there) to reach Security by Design
· Regulations and standards
· KPIs definition for continued monitoring of security level

Auditors and referentials
Audits performed by certified auditors:
· PASSI (recognized auditor by National French IS security agency)
· ISO 27001 certified Lead Auditors

Usual standards:
· Referential: II901, LPM, IEC 62443, ISO 2700X, NIS directives, GDPR, export control, internal security policy, security quality program, security training program

BENEFITS
· Get a comprehensive picture of the security level of your products and processes
· Suggestions to improve your security level after an audit
· Security activities in the frame of a management system (ISO 27001 like)
· Organizational, physical and technical security aspects covered

Offensive Security Services
Test your security and defence with a combined physical, IT and social attack approach.

In your systems, malicious hackers can and most probably will exploit any loophole that they find. It is key to identify them. That is why Airbus Protect put together teams of offensive security specialists to support industrials in assessing their cyber defence.

Airbus Protect white hat hackers are professionals with high expertise in the area of anti-hacking techniques. They possess multiple complementary skills in IT, network, cloud, embedded systems and industrial capabilities. Their goal is to ensure the protection of your systems.

Airbus Protect teams can go beyond the analysis and provide consulting services to improve tested systems and infrastructures.

IT and Systems networks intrusion tests
Experts will test many potential security weaknesses (XSS fault detection, SQL fault detection, security failures related to configuration errors...) to generate a detailed analysis. This is just the first step of the mission. Once the analysis is generated, Airbus Protect teams issue a findings tracking report to explain system vulnerabilities and possible mitigations, thus supporting the business step by step to reach the targeted security level.

RedTeam – A realistic IT, physical and social intrusion
As pentesting focuses on a part of your IT, the RedTeam can take advantage of all possible domains of access to your organization. Indeed RedTeam missions are full-scope assessments aiming to leverage in a controlled way the tools, tactics and protocols of any adversary willing to damage the critical assets of the company or organization.

Based on their expertise, our RedTeam members assess and improve company defences, monitoring and response capabilities against complex attack scenarios involving physical, digital and human aspects. This engagement aims to provide a more realistic overview of risks and their exploitability, and can reveal « blind spots » in your current policies. Our method relies on existing ones, such as OSINT, Social Engineering, pentest and physical intrusion.

BENEFITS

Pentests
· Adaptive solutions depending on your needs: from simple report generation to corrective consulting service
· White box, grey box or black box modes possible
· Support provided to business after findings report

RedTeam
· RedTeam highlights threats that are not usually considered, such as social manipulation and physical intrusion
· Globally assess your organization’s attack surface thanks to a simulated advanced attack

Risk Assessment
Get a clear end-to-end picture of security risks on your business.

Cyber threats are continuously evolving. Being aware of the security risks is essential to face many challenges including the protection of your business, know-how and customers. Accordingly, it becomes mandatory to:
· Consider the whole cyber threat landscape,
· Better understand the stakes,
· Assess the feared events and the security risks on products and services,
· Mitigate them,
· Define necessary activities to ensure acceptable risks,
· Limit unnecessary mitigations to reduce security costs,
· Adapt and improve communication with management, businesses or other non-security-oriented people.

Based on our engineering experience on transport domains (aeronautic, railway, maritime, space), Airbus Protect has built a strong knowledge about risk management:
· Risk analysis perimeter: include all stakeholders to identify dependencies to other parties
· Assets management: knowing what matters, what needs to be protected and why
· Threat landscape: knowing what is threatening your business
· Risks analysis: identifying the most relevant attack scenarios and assessing their likelihood of occurrence
· Risk treatment: proposing how to mitigate risks and prioritize, based on technical and organizational security measures

Having a security risk based approach is a key fundamental driver to making better decisions and ensuring business protection against threats.

Tools
Performing risk analysis can be complex and time consuming. To ensure repeatable and consistent analysis, we developed FENCE, a risk assessment tool suited to multiple contexts and methods. Thanks to the expertise and automation directly injected in this solution, risk analysis experts can focus their attention on the most valuable activities.

BENEFITS
· Provide adapted business level diagnostics
· Monitor and provide perspective on security risks
· Provide better structure, reports and analysis of risks
· Provide risk based approach for efficient use of resources
· Integrate in global security management
· Support business strategy
· ISO 27005 compliant approach
· Provide repeatable and consistent analysis with the help of FENCE, our internally developed risk analysis tool

Security Management System (SeMS)
Ensure that the overall security compliance and risk level of your company is maintained over the long term.

Multiple security regulations and guidance are or will soon be applicable to industrial actors. Building compliance with different regulations and guidance is a difficult task. Doing it in a coordinated way to optimize operations and expenses is a bigger challenge. Maintaining the compliance over many years with employees’ turnover, technologies and regulation evolutions, new threats and vulnerabilities is even more difficult.

An integrated management system
Security Management System (SeMS) is a mix of processes and organizations recognized as the state of the art for maintaining a security level over many years. Compliance with security regulations is achieved by the management of specific risks. It is built by the integration, coordination and extension of existing organizations and processes rather than the implementation of new ones.

Security contribution of suppliers
SeMS also covers the integration of security aspects in supplier management processes:
· Description of supplier security obligations,
· Contractual binding with suppliers,
· Defining mechanisms to check supplier compliance

Typical service phases
After identification of the relevant security rules and assessment of the existing organizations and processes:
· Proposal of an SeMS architecture
· Proposal of a plan to build the SeMS
· Support for building up the SeMS

Note: Service only available after an assessment of the existing management system.

BENEFITS
· Cost optimization by integration with existing Management Systems (Safety or other)
· State of the art to manage security over years
· Compliance with regulation trends (Risks and Management System based)
· Address all actors from company internal organization to supply chain.

Data Shield Services
Protect your data and ensure compliance with regulations.

Protecting personal data and confidential information becomes central for business continuity. Accordingly, each market actor processing data has the duty to cope with data governance and compliance management, as per recent laws and regulations. Whether it is a data security issue, technical data export or personal data protection, it is fundamental for companies to keep control of their own data and to demonstrate compliance. Potential consequences of a data breach or negligent data governance could be financial loss and bad reputation with a strong additional impact on market shares.

Airbus Protect has strong and significant experience in product security activities through methodologies and procedures already implemented and tested in the aeronautic industry. We rely on this know-how and our team of experts to provide our customers with appropriate consulting and action plans to ensure regulation compliance (GDPR, Export Control, NIS Directive) implementation within their own organization.

Data governance and data compliance are key activities to ensure business stability and to gain future customers’ confidence.

Data compliance services overview
· Assessment or checking legal compliance
· Implementation of compliance means
· Risk management
· Data Governance and continuous improvement
· Culture change

BENEFITS
· Compliance with GDPR and Export Control regulations
· Data governance improvement
· Reduce legal risks
· Support provided to business (Audits, Privacy Impact Assessment, Training, and Consulting)

Legal Support
Anticipate, review & manage legal impacts in terms of Cybersecurity.

A thorough protection of its own products, services and information against cyber-attacks is an objective that is shared by all companies. Law remains one of the corner stones that shall empower all stakeholders towards this objective.

International, national, and regional evolving laws are sophisticated, and associated topics on Cybersecurity are emerging. That is why it is mandatory to have both technical and legal knowledge to understand and answer these complex - legal - requirements.

In order to properly answer the client’s compliance and security needs, to help them understand these complex regulations and additionally help them manage their legal and contractual risks, Airbus Protect has developed dedicated competencies and services.

Legal support overview
· Legal watch (national, regional and international) – Regulations watch strategy setup, new regulations/jurisprudences impacts analysis
· Contractual/Legal Analysis and support - Applicable regulations identification and translation into concrete actions to be performed in the client’s - technical - environment
· Contractual Risk Management - implementation and management of contractual security in order to identify security risks into contracts

BENEFITS
· Legal and Security qualified expert support
· Legal translation into concrete requirements
· Time saving for legal watch and regulatory analysis
· Contractual risks control

Architecture & System Design
Design the security of your systems.

After an organization has performed typical activities of assessment such as Risk analysis, Audit, or Penetration testing, the actual implementation of security controls needs to be carried out. This typically occurs in two sets of activities:
- Security architecture, which is the process of designing the network or product so that your assets are protected from threats by appropriate security controls,
- System design, which ensures the security controls are correctly implemented, robust and well tested.

Overview
We have industrial experience in several, highly-demanding domains: space, aeronautics, military and defence, and railway systems. In these domains we have successfully tackled complex projects along the entire product development cycle: from security objectives identified in the risk assessment all the way to the certification of working, in-service, secured products. The activities include studies of architecture taking into account business requirements, definition of product specification, definition of security development plans, of security test plans and review of test results.

We run these activities both at the level of the global architecture of a large project, and at the level of specific product design. We can also dive deep into specific technical topics requiring expertise to provide an informed expert opinion to help with business decisions.

Fields of activities
· Computer architecture
· Cryptography
· Product configuration
· Network and communications
· Operating systems
· Programming languages
· Design methodologies
· Systems engineering
· Assurance, V&V

BENEFITS
· Advise you with the best and most fit technical possibilities according to your stakes
· Bring expertise to your company as a service
· Mentor and help your teams with our experience on industrial projects
· Support for all your design office security activities


References
Airbus Protect, a 100% Airbus subsidiary, has been an expert in industrial risk management since 1985.

Airbus is facing daily exposure to a high level of physical and cyber threats in design, production and worldwide operations. Airbus trusts Airbus Protect to take care of the security and the safety of its own products.

Airbus Protect has been working very closely with Airbus since the very beginning of their Product Security department to jointly develop skills in processes, systems, and products security.

In 2017, Airbus and Airbus Protect decided to share benefits from this cyber security expertise outside the group. Together, we decided to help other industries facing similar challenges and threats.

Our playground

Airbus commercial aircraft
Airbus Protect experts are engaged in securing the business of Airbus with a strong background and know-how in security and their ability to implement regulatory and normative requirements for complex products. Airbus Protect is involved in the architecture and design of security for avionics embedded systems. Airbus Protect carries out physical and cyber security risk analysis from aircraft to system level, and proposes risk reduction plans. In this frame, Airbus Protect defines security policies, guidelines, methods and processes to be applied during design, manufacturing and operation of aircraft.

Airbus Protect also provides security expertise for the assembly line teams of Airbus to guarantee the integrity of the aircraft throughout all manufacturing phases, through the incident follow-up and analysis and the implementation of technical and organizational security solutions. Airbus Protect is also involved in securing digital services addressed to airline companies. Finally, Airbus Protect supports the certifying bodies in the definition of the certification processes and the creation and revision of domain-wide standards.

Airbus Helicopters
Airbus Protect supports the governance of security projects, taking part in the implementation of the security management systems. Airbus Protect is fully involved in the cyber and physical security risk assessments for helicopters as well as for the Airbus Helicopters industrial assets.

Airbus Defence & Space
Airbus Protect is involved in the definition of governance frameworks, the definition and execution of risk analysis, the architecture and system design for ground equipment.

Other Industries
Airbus Protect experts are involved in various product security projects, dealing with governance, design, security risk assessment and offensive security for key actors in the sectors of railway, automotive and autonomous transport and military such as ALSTOM, ATR, MBDA, Ariane Group, Bureau Veritas or the European Central Bank.

Certification
· ISO 9001: Quality Management System (QMS) for the organization, methods and documentary baseline
· EUROCONTROL: Single European Sky ATM Research (SESAR)
· ISO 27001/2: Lead Implementers/Lead Auditors
· PASSI: Recognized auditor by national French IS security agency
· EBIOS: Security risk methodology
· NIST BEST PRACTICES
· COMMON CRITERIA
· EUROCAE ED202/DO326, ED204/DO355: Aeronautical Systems Security
· ACC3 Independent Validator: Air cargo or mail carrier operating in the Union from a third country airport

Airbus Protect, 31700 Blagnac, France
AIRBUS Protect - All rights reserved. Airbus, its logo and the product names are registered trademarks. This document is not contractual. Subject to change without notice.
www.protect.airbus.com
