The Military Programming Law raised cybersecurity standards to a whole new level. What real effect has it had on Operators of Vital Importance and their Systems of Vital Importance (SIIV)?
The impact of the Military Programming Law on Operators of Vital Importance
Since the Military Programming Law (LPM) came into effect, Operators of Vital Importance (OIV) have had to make considerable investments in order to satisfy its obligations. The new measures and concerns addressed require them to adapt existing infrastructure, or even to build an entirely new one. All of which has significant consequences on their organisation, technology and budget.
Impact on organisation
Firstly, OIVs must designate a SIIV security representative to be the point of contact with ANSSI (the French National Cybersecurity Agency), and to ensure compliance with the security rules. This person must also draw up the IS Security Policy (PSSI), which defines what is required vis-à-vis training, communication and reporting. This policy provides relevant, coherent and reliable indicators that are calculated in an understandable and interpretable manner. The new system thus means OIVs must restructure their organisation, as well as train and accredit staff.
The fact that OIVs are also obliged to employ the services of ANSSI-certified service providers also has an effect on their purchasing policy. Existing partners must be vetted and encouraged to apply for certification, and new partners chosen if they fail to do so. As for PRIS, OIVs are advised to create benchmarks and a framework agreement to ensure they are available at short notice in an emergency.
Impact on technology
OIVs whose SIIVs are not adequately safeguarded are most likely to struggle to meet the requirements as they have no base upon which to build. These more ‘immature’ OIVs must therefore implement brand new measures if they are to comply with the LPM.
More mature OIVs must upgrade their old initiatives and SIIVs, or supplement them with additional measures if that is not possible.
OIVs having taken measures that do not satisfy the ANSSI’s rules may have to redesign their SIIVs’ defences. In some cases, they may even have to consider an overhaul of their entire IS infrastructure (e.g. network partitioning and SIIV admin tools).
Another difficulty is in relation to the SIIV perimeter, which varies for each OIV. Some possess hyper-centralised SIIVs, while others are tightly linked to the rest of the IS. Utility providers and transports networks also represent a particular challenge, as their SIIVs are widely shared. Consequently, careful attention must be paid to ensure partitioning does not have a negative impact on the fluidity of their operations.
Impact on budget
Failure to comply with the LPM carries a fine of up to €150,000 for the OIV’s director, and up to €750,000 for the legal entity. And avoiding such fines requires OIVs to invest considerable amounts of human and technical resources. The exact amount will depend on the nature, size and geographic distribution of the SIIVs.
This financial investment must therefore be taken into account in the multi-year budget. Before undertaking any compliance programme, an impact analysis should be conducted to provide a precise indication of the work and cost it will entail.
Additionally, OIVs are responsible for the costs involved in complying with all the measures stipulated in the sectoral decrees. For some, this could involve major expenditure e.g. network partitioning, PDIS SOC, certified intrusion detection systems. They must also allow for the increased SIIV operating costs, and the price of ANSSI/PASSI inspections, which are also at their expense.
Difficulties in applying the Military Programming Law
This new regulatory framework comes with its own long list of difficulties for both OIVs and ANSSI.
On one hand, the LPM’s legal corpus is complicated. While some OIVs may be tempted to only comply with the 20 rules set by the sectoral decrees, the implicit requirements must not be ignored. The rules are made harder to decipher by the numerous references, explicit or not, to ANSSI benchmarks, the official secrets act (IGI 1300), the protection of sensitive information systems (II 901) and the PSSIE.
Furthermore, not all the OIVs are subject to the same deadlines or rules. Although most of the rules are identical across all sectors, they may be formulated differently, which complicates their interpretation and application.
Operators could therefore interpret the criteria for determining an SIIV in different ways. These differences result in disparities between OIVs and, ultimately, to varying security levels.
That certain information (e.g. lists of OIVs and SIIVs) is classified or restricted (deadlines for applying rules, notifications of security incidents) further hinders understanding. This information is essential to the proper application of the law’s provisions, and such limitations thus impede employee education, project management and partnerships with service providers, to the benefit of no one.
On the other hand, inspecting SIIVs is a complex matter for ANSSI. The Agency has its own obstacles to overcome, with audits required for each SIIV, and several SIIV for each of the 250 OIV. Individually checking every single one is thus no mean feat.
And since OIVs independently manage their own SIIVs audits, ANSSI cannot take the initiative. It also is responsible for prioritising its inspections, and may delegate certain audits to other government services or certified partners.
Finally, no intrusion detection system has yet to receive certification, despite them being required by the sectoral decrees. ANSSI needs to therefore compile a ‘range’ of products and keep it constantly updated.
Although beneficial in the long term, application of the Military Programming Law is still proving difficult, on several levels. The necessary overhaul of services, resources and tools would suggest we are unlikely to see a tangible impact any time soon. We will have to wait until the end of the programme in 2019 to know the long-lasting effect on those concerned.