
Appendix 2

Ensuring Cybersecurity in Practice and on a Daily Basis

– Managing passwords.
– Managing access rights to systems and applications.
– Partitioning uses (segregating the different uses made of systems).
– Defining rules for digital partners and service providers.
– Regularly updating the software of all hardware.
– Training staff (including not using USB sticks of unknown origin, not installing software without prior authorization, and not leaving default configurations and unused features in place).
– Disseminating a charter of good conduct.
– Disabling or removing default accounts, unused ports (USB or other) and removable media, non-essential web services, etc.
– Backing up data and software regularly on separate media.
– Updating operating systems and security applications.
– Controlling access to production equipment via personalized passwords.
– Protecting physical and digital access to SCADA (Supervisory Control and Data Acquisition) development stations, programming consoles, PLCs (programmable logic controllers), handheld terminals, etc.

Cybersecurity and Decision Makers: Data Security and Digital Trust, First Edition. Marie de Fréminville. © ISTE Ltd 2020. Published by ISTE Ltd and John Wiley & Sons, Inc.

– Mapping information flows, filtering them with firewalls, and tracing and analyzing connection failures.
– Separating networks (office automation, workshops, etc.) and connections between production islands.
– Disabling remote access and vulnerable or unsecured protocols and features.
– Separating development tools from production servers and operator stations.
– Identifying the documents to be archived and the archiving conditions.
– Encrypting sensitive data.
– Testing back-up recovery processes.
– Disconnecting back-ups from the information system and keeping back-ups on multiple physical media.
– Ensuring that subcontractors meet cybersecurity requirements acceptable in relation to those the company itself must meet.
– Ensuring the protection of customer data and, when marketing connected objects, integrating appropriate encryption mechanisms.
– Having the conformity of products and services certified and audited by a third party such as a national center for IT Security Evaluation and Certification.
– Using products certified by the National Cybersecurity Agency: data erasure, secure storage, operating and virtualization systems, firewalls, intrusion detection, antivirus, malware protection, security administration and supervision, identification, authentication and access control, secure communication, secure messaging, embedded hardware and software, secure execution environments, PLCs, industrial switches.
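The items on mapping information flows, analyzing connection failures and separating office networks from workshops describe a routine that is easy to automate once firewall deny logs are collected. The following script is an added illustration written for this appendix; it is not code from the book or its author. The log format (one `timestamp host key=value ...` line per event), the zone addresses, the thresholds and the sample lines are all constructed assumptions. It parses deny events, aggregates them per source address, and flags sources that are repeatedly refused, that reach for many distinct hosts, or that attempt to cross from one zone (office automation) into another (production workshop).

```python
"""Summarise firewall deny events per source and flag cross-zone attempts.

Added example for the checklist above. The log format, zone map, thresholds
and sample lines are constructed assumptions, not a vendor's real format.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed zone map (assumption): office automation vs. production workshop.
ZONES = {
    "office": ipaddress.ip_network("10.20.0.0/16"),
    "workshop": ipaddress.ip_network("10.30.0.0/16"),
}

# Constructed sample log. 502 (Modbus/TCP) and 44818 (EtherNet/IP) are
# well-known industrial ports; the addresses and timings are invented.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z fw01 action=deny src=10.20.5.17 dst=10.30.1.10 dport=502 proto=tcp
2024-03-01T08:00:02Z fw01 action=deny src=10.20.5.17 dst=10.30.1.10 dport=502 proto=tcp
2024-03-01T08:00:03Z fw01 action=deny src=10.20.5.17 dst=10.30.1.11 dport=502 proto=tcp
2024-03-01T08:00:04Z fw01 action=deny src=10.20.5.17 dst=10.30.1.12 dport=44818 proto=tcp
2024-03-01T08:00:05Z fw01 action=allow src=10.20.5.40 dst=10.20.5.1 dport=443 proto=tcp
2024-03-01T08:00:06Z fw01 action=deny src=10.20.5.40 dst=10.30.1.10 dport=22 proto=tcp
2024-03-01T08:00:07Z fw01 action=deny src=192.168.77.9 dst=10.30.1.10 dport=502 proto=tcp
2024-03-01T08:00:08Z fw01 action=deny src=192.168.77.9 dst=10.30.1.13 dport=502 proto=tcp
2024-03-01T08:00:09Z fw01 action=deny src=192.168.77.9 dst=10.30.1.14 dport=502 proto=tcp
2024-03-01T08:00:10Z fw01 action=deny src=192.168.77.9 dst=10.30.1.15 dport=502 proto=tcp
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one 'timestamp host key=value ...' line into a dict, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {"ts": m.group("ts"), "fw": m.group("host")}
    for token in m.group("kv").split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def zone_of(ip_text):
    """Name of the zone an address belongs to, or 'unknown' if unmapped."""
    ip = ipaddress.ip_address(ip_text)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def summarize_denies(log_text):
    """Aggregate deny events per source: count, distinct targets, ports, zone crossings."""
    stats = defaultdict(lambda: {"denies": 0, "dst_hosts": set(),
                                 "dports": set(), "cross_zone": 0})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev.get("action") != "deny":
            continue  # only refused connections matter here
        s = stats[ev["src"]]
        s["denies"] += 1
        s["dst_hosts"].add(ev["dst"])
        s["dports"].add(int(ev["dport"]))
        if zone_of(ev["src"]) != zone_of(ev["dst"]):
            s["cross_zone"] += 1
    return dict(stats)


def flag_sources(stats, min_denies=3, min_hosts=3):
    """Return {source: [reasons]} for sources an analyst should look at."""
    flagged = {}
    for src, s in stats.items():
        reasons = []
        if s["denies"] >= min_denies:
            reasons.append(f"{s['denies']} denied connections")
        if len(s["dst_hosts"]) >= min_hosts:
            reasons.append(f"reached for {len(s['dst_hosts'])} distinct hosts")
        if s["cross_zone"]:
            reasons.append(f"{s['cross_zone']} cross-zone attempts from zone '{zone_of(src)}'")
        if reasons:
            flagged[src] = reasons
    return flagged


if __name__ == "__main__":
    report = flag_sources(summarize_denies(SAMPLE_LOG))
    for src, reasons in sorted(report.items()):
        print(f"{src}: " + "; ".join(reasons))
```

Any single cross-zone deny is reported, because a workstation on the office network should never be talking to a PLC at all once the networks are separated; the count and host-sweep thresholds exist to surface the noisier cases first. Feeding real exports into `summarize_denies` only requires adapting `parse_line` and `ZONES` to the local format and addressing plan.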
