1
00:00:04,040 --> 00:00:11,759
It goes back to twenty sixteen when
the French government published the first national regulation

2
00:00:11,839 --> 00:00:24,000
on cybersecurity for critical infrastructure. Welcome
listeners to the Industrial Security Podcast. My

3
00:00:24,120 --> 00:00:28,039
name is Nate Nelson. I'm here
with Andrew Ginter, the vice president of

4
00:00:28,120 --> 00:00:33,479
Industrial Security at Waterfall Security Solutions,
who's going to be introducing for us the

5
00:00:33,520 --> 00:00:37,840
subject and guest of our show today. Andrew, how's it going? I'm

6
00:00:37,920 --> 00:00:41,320
very well, thank you, Nate. Our guest today is Eric Vautier.

7
00:00:41,520 --> 00:00:47,280
He is the Group CISO, Chief Information
Security Officer, at Groupe ADP, which

8
00:00:47,320 --> 00:00:51,719
is Aéroports de Paris, the Paris
airports, all three of them. And

9
00:00:51,759 --> 00:00:57,960
our topic is cybersecurity regulations with a
bit of a focus on, of course, NIS

10
00:00:58,159 --> 00:01:02,200
2, which is what everyone's doing
in Europe. Then, without further ado,

11
00:01:02,320 --> 00:01:07,719
here's you and Eric. Hello,
Eric, and welcome to the podcast.

12
00:01:08,239 --> 00:01:11,480
Before we get started, can you
say a few words for our listeners

13
00:01:11,519 --> 00:01:15,840
about yourself and about the good work
that you're doing at ADP in Paris?

14
00:01:17,560 --> 00:01:22,719
Hi, Andrew. So my name is
Eric Vautier, I'm the Group CISO

15
00:01:22,760 --> 00:01:26,879
for Groupe ADP, so
mainly I'm an airport guy. I've done

16
00:01:26,000 --> 00:01:34,680
almost all my career at ADP.
I started something like fifteen years with airport

17
00:01:34,719 --> 00:01:40,519
IT and then I moved to
cyber in two thousand and eight. And

18
00:01:41,239 --> 00:01:45,959
I started with that because I think
it's very important to know the job,

19
00:01:46,359 --> 00:01:51,400
to know the company you're in before
doing cyber security. So I was lucky

20
00:01:51,519 --> 00:01:56,159
enough to start with airport IT and
then moved to cyber within the same company

21
00:01:56,840 --> 00:02:01,680
and, in a nutshell, ADP.
This is the company operating the three airports

22
00:02:01,879 --> 00:02:06,560
around Paris, France. As
you can guess from my accent, I

23
00:02:06,560 --> 00:02:12,879
guess. So we have CDG,
which is international. This is the biggest

24
00:02:12,879 --> 00:02:15,439
airport in France, and I think
the third one right now in Europe.

25
00:02:16,080 --> 00:02:23,840
And something very important also is number
six in Skytrax quality ratings worldwide.

26
00:02:23,639 --> 00:02:28,800
Second airport is Orly, which is
mainly domestic and European, so second in

27
00:02:28,840 --> 00:02:31,560
France. And last is Le
Bourget, which is famous for its air

28
00:02:31,599 --> 00:02:36,840
show. And maybe you don't know
it, but Le Bourget is the busiest

29
00:02:37,000 --> 00:02:40,879
business airport in Europe. Cool.
Thanks for that background, you know,

30
00:02:42,280 --> 00:02:45,960
before we dive into cybersecurity, can
we dig a little bit deeper? Can

31
00:02:46,000 --> 00:02:51,039
you talk about your airports? You
know, can you talk about automation?

32
00:02:51,159 --> 00:02:55,360
I mean cybersecurity is relevant to you
know, when computers are automating physical processes.

33
00:02:55,719 --> 00:03:00,520
I mean the automation that passengers see
at airport is you know, flight

34
00:03:00,560 --> 00:03:05,120
signage, they see ticketing, they
see, you know, on their

35
00:03:05,159 --> 00:03:09,080
cell phone apps. They sometimes see
baggage tracking. Is that it? What

36
00:03:09,199 --> 00:03:14,719
happens under the hood at an airport? No, actually, this is kind

37
00:03:14,759 --> 00:03:17,159
of the tip of the iceberg.
Of course, for us,

38
00:03:17,159 --> 00:03:23,439
this is very important for our passengers
to have this seamless journey

39
00:03:23,479 --> 00:03:34,199
throughout our airports with modern technology,
IT. But I think the most critical

40
00:03:34,240 --> 00:03:39,120
part to make the airport efficient and
operational is under the radar kind of and

41
00:03:40,159 --> 00:03:45,759
very easily. You can compare an
airport like CDG, for instance, to

42
00:03:45,759 --> 00:03:51,319
a city. Still taking the
example of CDG, we have our own

43
00:03:51,400 --> 00:03:58,319
automatic train reaching every terminal. We
also have water treatment; of course you can

44
00:03:58,360 --> 00:04:02,960
imagine water on the ramp with pollutants,
et cetera, needs to be dealt

45
00:04:03,000 --> 00:04:06,960
with, of course. And last
thing, maybe people don't know, we

46
00:04:08,000 --> 00:04:14,800
have our own power plant to make
sure we have constant electricity.

47
00:04:15,280 --> 00:04:17,040
And other than that, you have
like in a city, you have car

48
00:04:17,120 --> 00:04:24,079
park management, we have logistics,
what we call the baggage handling system or BHS,

49
00:04:24,079 --> 00:04:29,160
for the passenger bags of course,
and this is a key issue

50
00:04:29,160 --> 00:04:32,240
for the passengers to have their
bags, of course, delivered to the aircraft.

51
00:04:32,399 --> 00:04:36,959
And last point, maybe people do
not see it like that, but the

52
00:04:38,079 --> 00:04:42,319
ramp, the runway for instance, is
kind of similar to a road right now

53
00:04:42,879 --> 00:04:46,480
in big airports and major airports,
and you have these kind of traffic lights

54
00:04:47,399 --> 00:04:54,839
to allow planes to enter the runway. So really all this automation is under

55
00:04:54,879 --> 00:04:58,639
the radar or under the surface,
if I want to stick to the iceberg

56
00:04:58,920 --> 00:05:05,720
metaphor. You mentioned rail. I've visited,
you know, a metro control center

57
00:05:05,879 --> 00:05:14,720
in Spain many years ago, something
like twenty operators sitting in the control center

58
00:05:15,279 --> 00:05:18,759
while the metro was running. Each
of the operators has you know, five

59
00:05:18,839 --> 00:05:23,600
or six of their own screens,
their own keyboard and mouse. They have shared

60
00:05:23,759 --> 00:05:28,160
projection screens with a sort of
rendering of the entire system, and you know where

61
00:05:28,160 --> 00:05:32,800
the locomotives are and where the cars
are. Is there a control

62
00:05:32,879 --> 00:05:36,759
center like that for the airport or
you know, does every bit of the

63
00:05:36,800 --> 00:05:42,639
automation, like the baggage, have its
own little control center somewhere? Good question.

64
00:05:43,040 --> 00:05:46,879
Actually we have both. Of course, each system has its own

65
00:05:46,959 --> 00:05:53,199
team to make sure it runs
smoothly. And going back, for instance,

66
00:05:53,360 --> 00:05:56,600
to the train, our line is one.
Our train is only one

67
00:05:56,639 --> 00:06:00,040
line, of course, so very
simple in comparison to a metro. So

68
00:06:00,680 --> 00:06:06,720
BHS may be more tricky because, as
you know, now BHS embeds X-rays and

69
00:06:08,279 --> 00:06:15,439
tomographs, et cetera, so it's
kind of complicated logistics equipment. So as

70
00:06:15,439 --> 00:06:23,720
I mentioned, every system has its
own control room. But of

71
00:06:23,759 --> 00:06:28,879
course, and I think your question
is very relevant to modern airports. We

72
00:06:29,000 --> 00:06:34,079
need someone to get in real time
information about all these processes because at the

73
00:06:34,160 --> 00:06:38,160
end of the
day, what the passenger wants is to

74
00:06:38,199 --> 00:06:42,720
be in the aircraft with their bags, with catering, et cetera. So

75
00:06:42,759 --> 00:06:48,199
you need to interface or to make
sure to coordinate and synchronize all these processes.

76
00:06:48,759 --> 00:06:55,279
So we have this trend in airport
for some years now called APOC,

77
00:06:55,759 --> 00:07:00,160
the Airport Operational Center, kind of a
big control room for the airport with all

78
00:07:00,279 --> 00:07:04,120
the screens, as you mentioned in your
metro example. So we are

79
00:07:04,120 --> 00:07:11,879
going in this direction, definitely, for
major airports. You did not mention some

80
00:07:12,040 --> 00:07:15,000
systems that I kind of expected you
to talk about at some point. You know,

81
00:07:15,720 --> 00:07:19,720
you did not mention the radar,
the air traffic control, the you

82
00:07:19,759 --> 00:07:25,079
know, the interface to what I
assume is a nationwide air traffic control you

83
00:07:25,120 --> 00:07:29,800
know, where does that fit? Yeah. Actually I think my

84
00:07:30,000 --> 00:07:34,360
answer will be valid
for all Europe. It's more, you mentioned

85
00:07:34,439 --> 00:07:43,319
nationwide. Actually it's a European-size air traffic control system.

86
00:07:43,519 --> 00:07:48,600
The name is Eurocontrol,
which is kind of intergovernmental, or I

87
00:07:48,600 --> 00:07:54,279
don't know if that's the right word, but trying to coordinate air traffic control

88
00:07:54,680 --> 00:07:58,800
all over Europe. But as
you mentioned, for France, this

89
00:07:59,000 --> 00:08:09,480
is dedicated to civil aviation, so
DGAC, and they are completely responsible for controlling

90
00:08:09,519 --> 00:08:15,759
the aircraft up to the docking point
in the airport. The only interface we

91
00:08:15,800 --> 00:08:20,759
have with aircraft, kind of
speaking, is the runway, which is under

92
00:08:20,839 --> 00:08:26,680
the responsibility of ADP. But for
the rest talking to the pilot is dedicated

93
00:08:26,720 --> 00:08:33,120
to civil aviation. So Andrew,
now that we're getting started here, I

94
00:08:33,240 --> 00:08:39,240
recall it must have been years ago
that we spoke with another expert specifically in

95
00:08:39,360 --> 00:08:43,960
airport security. Right? Do you
remember the name of the guest? I

96
00:08:45,080 --> 00:08:48,919
do. That was Mark Lindick.
He was the head of cyber defense at

97
00:08:48,960 --> 00:08:54,039
Munich Airport. It was a long
time ago. That was like episode twelve,

98
00:08:54,080 --> 00:08:58,320
I believe. And yeah,
you know, I dimly recall the

99
00:08:58,360 --> 00:09:03,799
episode. Mark was, I think, most of
the episode we talked about a new training

100
00:09:03,840 --> 00:09:09,480
program that you know, he and
Munich Airport were running for critical infrastructures back

101
00:09:09,519 --> 00:09:13,039
in twenty nineteen. As far as
I know, they're still running it.

102
00:09:13,080 --> 00:09:18,200
But what I remember from the episode, what struck me on the episode was,

103
00:09:18,960 --> 00:09:22,720
you know, Mark used the same
words that Eric is using here.

104
00:09:22,759 --> 00:09:24,799
He said, look, Andrew,
you know you're thinking about airports the wrong

105
00:09:24,879 --> 00:09:28,200
way. Think of them as a
small city. I remember him saying the

106
00:09:28,200 --> 00:09:33,840
word small city. Now the rest
of his description, I remember talking about

107
00:09:35,279 --> 00:09:39,519
escalators and security cameras and elevators.
I remember coming away from the episode,

108
00:09:39,840 --> 00:09:43,480
you know, he said the word
small city. But I remember thinking of

109
00:09:43,639 --> 00:09:48,240
you know what he described as,
you know, as a large building,

110
00:09:48,840 --> 00:09:52,960
because we talked a lot about building
automation. But you know, what Eric

111
00:09:52,039 --> 00:09:58,440
is talking about today really sounds like
a smart city. Their own rail system,

112
00:09:58,639 --> 00:10:03,720
their own power plant, their own
wastewater treatment, their own water distribution

113
00:10:03,840 --> 00:10:09,879
system, their own power distribution system. It really sounds like a smart city.

114
00:10:09,960 --> 00:10:13,399
Everything is automated, and everything's going
to become more automated because of course

115
00:10:13,440 --> 00:10:16,360
everyone wants, you know, the
experience of going through the airport to be

116
00:10:16,399 --> 00:10:20,200
more pleasant and to be cheaper,
and that's what automation gives us. It

117
00:10:20,240 --> 00:10:26,080
makes everything cheaper. Building off that
to the theme of this episode, regulation

118
00:10:26,320 --> 00:10:31,080
seems like a pretty important, or at
least maybe ever-present, thing when you have

119
00:10:31,639 --> 00:10:35,480
such a structure as you're describing,
right? It does, and Eric's going

120
00:10:35,480 --> 00:10:41,000
to get into this, but very
briefly, there are differences between smart cities

121
00:10:41,000 --> 00:10:46,200
and airports, and there are enormous
similarities. The differences to me are in

122
00:10:46,240 --> 00:10:52,519
a sense obvious. You know,
you have a huge physical security focus,

123
00:10:52,639 --> 00:10:56,879
and of course you know regulations in
airports, you have security lines, you

124
00:10:56,879 --> 00:11:01,399
have X-ray machines, and I
assume you know there are regulations for all

125
00:11:01,399 --> 00:11:07,159
this. You don't tend to see, you know, regulations for X-ray

126
00:11:07,200 --> 00:11:13,559
machines in smart cities. But the
similarities are obvious. You know, smart

127
00:11:13,559 --> 00:11:18,399
cities have all sorts of regulations either
in place or coming into place for critical

128
00:11:18,399 --> 00:11:24,559
infrastructures. Airports are critical infrastructures and
they're small cities, so yeah, we

129
00:11:24,039 --> 00:11:33,559
are seeing a lot of similarities there
as well. Yeah, so thanks for

130
00:11:33,600 --> 00:11:37,919
that introduction. I mean, our
topic is regulation and eventually cybersecurity regulation and

131
00:11:37,960 --> 00:11:41,360
NIS 2. But you know,
can we start with a big picture of

132
00:11:41,399 --> 00:11:46,440
regulation. What does the regulatory environment
look like for an airport in France?

133
00:11:46,720 --> 00:11:52,879
Actually, nowadays it's quite a complex
environment because we have so many different regulations

134
00:11:54,080 --> 00:12:03,919
coming from different origins. So we
have first critical infrastructure regulation, so national

135
00:12:03,000 --> 00:12:09,559
regulation first, and
then it became NIS 1 regulation, so

136
00:12:09,600 --> 00:12:13,360
we're still under these two in
France. And on top of that we

137
00:12:13,440 --> 00:12:22,600
also have sectoral regulations, aviation ones of
course, here one dealing with physical

138
00:12:22,639 --> 00:12:26,600
security in airports. And the
second one, of course, and it's very

139
00:12:26,639 --> 00:12:33,159
important for our passengers, is safety
regulation under the umbrella of ICAO,

140
00:12:33,320 --> 00:12:39,559
International Civil Aviation Organization. So this
is for Europe, but I think

141
00:12:39,600 --> 00:12:45,080
it's quite similar to the US, where you have different entities also regulating,

142
00:12:45,240 --> 00:12:50,159
like TSA, FAA
and I guess CISA, and

143
00:12:50,039 --> 00:12:56,080
so this is actually kind of
multiple layers dealing with similar topics, so

144
00:12:56,200 --> 00:13:03,519
complexity. And you know, our focus
here is cybersecurity. You know, can

145
00:13:03,559 --> 00:13:07,879
you tell us a bit about
sort of the big picture of cybersecurity in

146
00:13:07,919 --> 00:13:13,919
France and eventually, you know, how it
starts applying to airports? It goes back

147
00:13:13,960 --> 00:13:26,120
to actually twenty sixteen when the
French government published the first national regulation on

148
00:13:26,200 --> 00:13:33,639
cybersecurity for critical infrastructure. It
had been three years of work in discussion

149
00:13:33,720 --> 00:13:41,399
with the cybersecurity agency, and eventually
in twenty sixteen we had this first regulation

150
00:13:41,600 --> 00:13:48,759
asking critical infrastructure operators to fulfill quite
a number of requirements, so it started

151
00:13:48,840 --> 00:13:54,080
there. Two years later we had
kind of similar regulation at European level called

152
00:13:54,240 --> 00:14:01,120
NIS, the Network and Information Security Directive; now
it's NIS 1 because we have this NIS

153
00:14:01,120 --> 00:14:09,320
2 on the horizon. And then
later on we had to implement regulation around,

154
00:14:09,679 --> 00:14:15,519
as I mentioned before, sectoral, and
the first one was physical security under the

155
00:14:15,600 --> 00:14:20,240
responsibility of DG MOVE, part of the EU
of course, and next year or

156
00:14:20,279 --> 00:14:24,279
at the end of the year or
next year, we will have a regulation

157
00:14:24,360 --> 00:14:31,519
on safety published by EASA, which
is the European Aviation Safety Agency.

158
00:14:31,720 --> 00:14:35,039
Let me start with ANSSI. You
know, I saw the regulation come

159
00:14:35,080 --> 00:14:41,120
out in twenty sixteen. I was
impressed. I mean, it's two volumes

160
00:14:43,559 --> 00:14:48,200
and to me it was surprisingly readable. You know, it is I think

161
00:14:48,240 --> 00:14:54,960
the most understandable regulation in the world
for critical infrastructure cybersecurity. I recommend our

162
00:14:54,960 --> 00:15:00,720
listeners look it up and read it. It's, you know, search for Classification

163
00:15:00,879 --> 00:15:05,000
Method and Detailed Measures, ANSSI. But

164
00:15:05,120 --> 00:15:09,720
let me ask you when that came
out, the regulation seemed, you know,

165
00:15:09,799 --> 00:15:13,679
in my read of the
prologue to the regulation,

166
00:15:15,080 --> 00:15:18,600
it seemed to me to apply sort
of once you did an audit once

167
00:15:18,759 --> 00:15:24,159
when a new system was created.
You know, it didn't really apply retrospectively

168
00:15:24,240 --> 00:15:30,559
to existing systems. You know,
I understand that NIS, you know,

169
00:15:30,679 --> 00:15:37,240
demanded that France, or that all
member nations, create regulations that I thought

170
00:15:37,279 --> 00:15:43,000
were sort of ongoing that sort of
had a permanent effect rather than a one

171
00:15:43,080 --> 00:15:46,039
time audit requirement. Can you talk
about, you know, where

172
00:15:46,039 --> 00:15:50,360
did ANSSI start and how did this
change it? And is that, you know,

173
00:15:50,840 --> 00:15:52,200
is that still where it is today? Or, you know, how did

174
00:15:52,240 --> 00:15:56,360
we get where we are today?
It's a very long story.

175
00:15:56,440 --> 00:16:02,240
So I'll try to summarize
it as best I can. Yeah,

176
00:16:02,360 --> 00:16:08,120
So I agree with you about the
clarity of all this regulation. If I

177
00:16:08,159 --> 00:16:15,120
may pay a tribute to ANSSI there, I think it's worth it. First,

178
00:16:15,080 --> 00:16:22,639
they didn't publish this regulation without consulting
different sectors. That's the way we

179
00:16:22,759 --> 00:16:30,480
organize for critical infrastructure in France. We have something like eighteen critical

180
00:16:30,480 --> 00:16:34,039
sectors, and within that, of
course, it depends on different ministries.

181
00:16:34,679 --> 00:16:41,159
And they started to discuss with us,
so main operators, like for instance in

182
00:16:41,240 --> 00:16:49,679
aviation, like Air France, ATC so
DGAC, and ADP for instance, because

183
00:16:49,679 --> 00:16:53,120
they had their own ideas, but
they wanted to make sure that these ideas

184
00:16:53,120 --> 00:16:59,240
were applicable in real life. So
it took something like three years of discussion,

185
00:16:59,320 --> 00:17:03,480
of course, and they had
their own goal, and so they managed

186
00:17:03,519 --> 00:17:10,039
to publish this kind of joint result, if I may say so. Of

187
00:17:10,079 --> 00:17:15,839
course, ninety-five percent is
ANSSI and five percent maybe is due to

188
00:17:15,920 --> 00:17:21,680
conversation with operators. So it started
like that. But I will slightly contradict

189
00:17:21,759 --> 00:17:25,720
you. It's for each and every
system and we had at the time three

190
00:17:25,759 --> 00:17:30,160
years for old systems to comply with
the regulation, which is very extensive,

191
00:17:30,200 --> 00:17:37,440
as you mentioned; I also encourage people
to read it. And it

192
00:17:37,519 --> 00:17:41,759
was also kind of the beginning of
cybersecurity by design in regulation. So the

193
00:17:41,799 --> 00:17:51,759
new system you mentioned, you're exactly
right, they are supposed to be secured

194
00:17:52,359 --> 00:17:57,319
when they enter, when
they're operationally implemented. But we

195
00:17:57,359 --> 00:18:03,400
had to go back to
the old systems and make them also compliant

196
00:18:03,640 --> 00:18:11,880
with the regulations. That's the
kickstart in France, if I may say

197
00:18:11,920 --> 00:18:15,160
so. And two years later
we had this NIS Directive. And honestly

198
00:18:17,480 --> 00:18:25,319
it was promoted and maybe a bit
driven by France at the time at EU

199
00:18:25,440 --> 00:18:30,240
level, for I guess, and
maybe I'm wrong, but I guess because

200
00:18:30,279 --> 00:18:34,640
we already had in France this experience,
or ANSSI had this experience, of creating

201
00:18:34,680 --> 00:18:40,160
the text. So if you look
at it, NIS 1 and French regulation

202
00:18:40,319 --> 00:18:45,519
are very similar, and it was
also very clever from ANSSI, if I

203
00:18:45,559 --> 00:18:48,799
may say so once again, because
it means that for critical operators in France

204
00:18:49,799 --> 00:18:56,039
we were already compliant with NIS 1, if we were compliant with the French

205
00:18:56,079 --> 00:19:02,200
regulation. That's how it all started. Yeah, I am still confused.

206
00:19:03,960 --> 00:19:10,079
NIS I thought was a directive from
the European Union to the member nations

207
00:19:10,880 --> 00:19:15,000
saying the member nations have to produce
regulations. So the directive was

208
00:19:15,039 --> 00:19:22,799
not regulations by itself. ANSSI already
had these regulations that mandated an audit at

209
00:19:22,839 --> 00:19:30,400
the beginning of life for
a new system. But I thought

210
00:19:30,559 --> 00:19:34,720
the NIS directive said the regulation has
to be sort of more than one audit.

211
00:19:36,640 --> 00:19:40,799
I kind of missed, how did
NIS, you know?

212
00:19:41,519 --> 00:19:45,640
Is there more to ANSSI? Is there another document that people like

213
00:19:45,680 --> 00:19:48,240
me should be looking at saying,
oh, here's the sort of the current

214
00:19:48,359 --> 00:19:55,599
world of NIS in addition to the
original ANSSI? Good question. Maybe I was

215
00:19:55,640 --> 00:20:00,880
too quick or not precise enough. Yeah, you're right. A directive

216
00:20:00,920 --> 00:20:06,920
in European sense means that every member
state has to transpose it into its own

217
00:20:07,039 --> 00:20:11,519
regulation. So what ANSSI did, very
easily, they said, okay, we

218
00:20:11,599 --> 00:20:18,240
already have our own regulation and it
fits to the requirement of the directive,

219
00:20:18,680 --> 00:20:22,799
so they kind of transposed it, so
you have, you're right, a specific text,

220
00:20:23,000 --> 00:20:32,599
which is the NIS directive transposition in
French regulation, which is, I would say,

221
00:20:32,640 --> 00:20:37,799
almost exactly, because maybe some words
are different, but almost exactly the regulation

222
00:20:37,920 --> 00:20:44,240
we already had in place in
France for critical infrastructure. So there it's

223
00:20:44,400 --> 00:20:48,839
really perfectly aligned, if I may
say so. Let me ask you.

224
00:20:48,839 --> 00:20:56,759
You mentioned earlier cybersecurity rules for safety
systems, cybersecurity rules for physical security

225
00:20:56,759 --> 00:21:04,200
systems. So, you know,
this was sort of history by now, and

226
00:21:04,279 --> 00:21:08,200
NIS 2 is coming. You've got
safety, you've got physical security. Can

227
00:21:08,240 --> 00:21:12,400
you talk a bit more about sort
of the modern regulatory environment and what you're

228
00:21:12,400 --> 00:21:18,240
facing today. It's quite similar.
We will still have the same players in

229
00:21:18,319 --> 00:21:22,359
place, and I think we can
stick to the European level because it's valid

230
00:21:22,440 --> 00:21:26,440
for France. We will still have
the three origins of text. So I

231
00:21:26,519 --> 00:21:32,960
mentioned EASA for safety, I mentioned
DG MOVE for security, and NIS

232
00:21:33,000 --> 00:21:40,119
2 is under DG CONNECT, which is
kind of the IT ministry for Europe. And

233
00:21:40,519 --> 00:21:45,079
this last one is for each and
every sector of the economy, and the

234
00:21:45,119 --> 00:21:51,599
two other ones are really dedicated to
aviation. So the difficulty for us

235
00:21:51,960 --> 00:21:59,519
is that these texts don't really
align and they have some different requirements, depending

236
00:21:59,799 --> 00:22:04,200
of course, depending on the topic. Of course, we have a large

237
00:22:06,359 --> 00:22:14,200
share of commonalities, kind of actual
cybersecurity, but we have slightly

238
00:22:14,240 --> 00:22:19,119
different requirements. For instance, on
safety, they're applying their safety regulation for

239
00:22:21,880 --> 00:22:26,319
I would say everyday safety regulation, and for instance, when you investigate

240
00:22:26,759 --> 00:22:32,359
an accident, aviation accident, you
need to keep track of something like

241
00:22:32,680 --> 00:22:40,319
five years or even more of data on
the equipment. So they just

242
00:22:40,559 --> 00:22:44,119
transposed it to cybersecurity and
said, if you have a cyber incident,

243
00:22:44,279 --> 00:22:48,799
you need to keep five years of
records. And I'm sure your listener

244
00:22:48,880 --> 00:22:53,519
will find this very important, maybe
too much, maybe we think something similar,

245
00:22:53,599 --> 00:23:00,000
but so you see that they didn't
try to understand what would be

246
00:23:00,480 --> 00:23:08,319
the implications of saying, just give
us five years of records and things like

247
00:23:08,400 --> 00:23:15,319
that. And risk analysis is slightly
different depending on the regulation.

248
00:23:15,640 --> 00:23:21,880
So same thing, how do we
conduct a risk analysis for EASA, for

249
00:23:22,079 --> 00:23:26,519
DG MOVE, for DG CONNECT? And
so that's really the tricky part of

250
00:23:26,559 --> 00:23:32,640
it, making sure we
don't duplicate our work just to prove

251
00:23:32,680 --> 00:23:37,720
something we do once. And so
especially airports, we have been advocating for

252
00:23:37,839 --> 00:23:45,400
this during the rulemaking task of
this regulation, saying you need to

253
00:23:45,599 --> 00:23:49,559
align, you need
to kind of overlap your

254
00:23:49,799 --> 00:23:56,839
regulation and don't do specifics in your
own track. So, Nate, Eric did not

255
00:23:57,039 --> 00:24:02,640
say the word, but the word
I hear used in lots of other contexts.

256
00:24:02,759 --> 00:24:07,759
You know, talking about this issue
is harmonization. Owners and operators are

257
00:24:07,799 --> 00:24:14,000
talking about it. Government authorities are
talking about it. Manufacturers of, you know,

258
00:24:14,079 --> 00:24:18,200
automation and security equipment are talking about
it. And it's you know,

259
00:24:18,880 --> 00:24:22,920
we're seeing more and more cybersecurity regulations. I mean ten fifteen years ago,

260
00:24:22,960 --> 00:24:26,039
there was almost nothing. There was
NERC CIP, you know, there was

261
00:24:26,079 --> 00:24:30,599
CFATS, which you know was Chemical
Facility Anti-Terrorism in North America, had

262
00:24:30,720 --> 00:24:37,200
you know, like three paragraphs on
cybersecurity. It was almost nothing. Today

263
00:24:37,119 --> 00:24:41,920
there's NERC CIP, there's NIS 2, there's the original NIS, there's, you

264
00:24:41,960 --> 00:24:48,680
know, every every country has some
kind of critical infrastructure cybersecurity, and often

265
00:24:48,759 --> 00:24:53,480
in different regimes, you know,
for airport safety, for you know,

266
00:24:53,720 --> 00:25:03,200
the safety of water treatment systems.
Every sort of authority has their own cybersecurity

267
00:25:03,200 --> 00:25:07,559
standard. And so everyone is saying, look if I have to do a

268
00:25:07,559 --> 00:25:14,759
cyber risk assessment for six different agencies
according to six different rules, do you

269
00:25:14,799 --> 00:25:18,880
know how much effort that is to
cross all those t's and dot all

270
00:25:18,920 --> 00:25:23,599
those i's. Can't you guys sort
of harmonize? Can't you normalize these things?

271
00:25:23,599 --> 00:25:27,000
So I only need to do one
cyber risk assessment to sort of one

272
00:25:27,640 --> 00:25:33,119
uber global set of rules and be
done with it. And it's not just

273
00:25:33,200 --> 00:25:37,599
risk assessments. You know, there's
risk assessments. There's audits, you know,

274
00:25:37,640 --> 00:25:41,279
different authorities coming in. Every two
months, a different authority drops in

275
00:25:41,359 --> 00:25:44,480
on you to do an audit.
At the end of the year, you

276
00:25:44,480 --> 00:25:49,160
know, you repeat it; it just
costs too much. Incident reports: lots of

277
00:25:49,200 --> 00:25:55,599
different authorities are requiring incident reports.
If you've got a multinational that operates

278
00:25:55,640 --> 00:26:02,599
critical infrastructure in multiple countries or in
multiple continents, and there's a cyber incident

279
00:26:03,079 --> 00:26:07,599
at, you know, this owner and
operator somewhere, how many different authorities do

280
00:26:07,640 --> 00:26:11,079
they have to report it to?
How many different formats do those reports have

281
00:26:11,119 --> 00:26:14,559
to take? How many different kinds
of detail do those reports have to supply?

282
00:26:15,759 --> 00:26:19,000
Manufacturers. It's not just owners and operators. Manufacturers are complaining about the same

283
00:26:19,039 --> 00:26:23,279
thing, saying, look, increasingly, you know, in different jurisdictions,

284
00:26:23,319 --> 00:26:30,839
they're required to report vulnerabilities to different
authorities, sometimes in confidence, sometimes in

285
00:26:30,880 --> 00:26:34,720
public, with different levels of information. Again, they're saying, can

286
00:26:34,759 --> 00:26:37,799
we not all get on the same
page? People, Do you have any

287
00:26:37,839 --> 00:26:45,519
idea how much paperwork burden you're imposing
on you know, operators and manufacturers.

288
00:26:45,440 --> 00:26:48,960
And, you know, it's not
just Europe, it's not just NIS 2.

289
00:26:49,720 --> 00:26:56,400
I hear these issues arising in North
America. I hear them all over

290
00:26:56,440 --> 00:27:00,480
the world. Any time that you
have multiple authorities, anytime that you have

291
00:27:02,440 --> 00:27:07,880
multinational corporations operating in lots of different
jurisdictions, you have these harmonization problems.

292
00:27:07,960 --> 00:27:12,039
This is sort of a hot topic, hopefully for the next three four years,

293
00:27:12,359 --> 00:27:18,960
until it all gets sorted out, cross
our fingers. So, pulling it all

294
00:27:18,960 --> 00:27:22,880
together. You know, the big
news in Europe is NIS 2. It

295
00:27:22,960 --> 00:27:29,559
is again a directive to the member
nations, and in my experience, there

296
00:27:29,599 --> 00:27:33,640
is enormous, there is widespread interest in
NIS 2. You know, we're talking

297
00:27:33,680 --> 00:27:36,839
airports here, but you know,
when I attend security events in Europe,

298
00:27:36,880 --> 00:27:41,839
when I interact with customers or prospective
customers in Europe, everyone talks about this

299
00:27:42,079 --> 00:27:48,079
NIS 2. How big an impact has
NIS 2 been for the airport? Because you've

300
00:27:48,079 --> 00:27:51,839
been sort of critical infrastructure from the
beginning. How big has it been?

301
00:27:51,880 --> 00:27:55,119
How big will it be for the
airport? It depends on the site.

302
00:27:55,160 --> 00:27:59,839
Actually, yeah, you're right,
NIS 2 is a very big thing in

303
00:28:00,000 --> 00:28:07,039
Europe right now because its coverage is
much larger than the previous regulations. For

304
00:28:07,079 --> 00:28:11,279
instance, in France, right now
we have something like two hundred and fifty

305
00:28:11,960 --> 00:28:21,000
three hundred critical infrastructure operators. With NIS 2,
the estimate, because today nobody can really

306
00:28:21,039 --> 00:28:27,799
say, but the estimate is fifteen
thousand companies. So you see the difference

307
00:28:27,839 --> 00:28:33,920
between the two as far as
coverage is concerned. This is the first

308
00:28:33,079 --> 00:28:37,000
the first change. A second change
also for the size of it or

309
00:28:37,039 --> 00:28:44,519
the width of it is the number
of sectors they want to extend it to

310
00:28:44,960 --> 00:28:48,680
sectors that were not under the
previous regulations. So once again, more

311
00:28:48,720 --> 00:28:53,960
companies, more operators. And going
back to your question specifically on airports,

312
00:28:55,440 --> 00:28:59,559
for ADP it won't change anything,
nothing. For major airports throughout Europe it will be

313
00:28:59,559 --> 00:29:04,759
the same thing. But with NIS 2,
all airports. When you read the

314
00:29:04,799 --> 00:29:10,359
text, well, we need to wait for
official lists. But when you read the

315
00:29:10,400 --> 00:29:14,839
text, you may get that all
airports, big or small, will be

316
00:29:14,920 --> 00:29:18,559
under NIS 2. And this is a
big issue of course for small airports that

317
00:29:18,640 --> 00:29:25,720
may not have the teams right now, may not have the cyber security in

318
00:29:25,799 --> 00:29:32,680
place exactly like major airports have.
So I think this is really what's what's

319
00:29:33,799 --> 00:29:38,359
the main concern for people in Europe, small, what I would call small companies more than

320
00:29:38,519 --> 00:29:45,000
big companies that are already doing a
lot on cybersecurity. Okay, so you

321
00:29:45,039 --> 00:29:49,039
know it makes sense that that,
you know, in a nation that had

322
00:29:49,079 --> 00:29:53,079
ANSSI almost ten years ago, and
you know, it was, like I

323
00:29:53,119 --> 00:29:57,640
said, it was very well done. In my opinion, that the largest

324
00:29:57,680 --> 00:30:03,319
airports you know, aren't see much
change. Are you going to see any

325
00:30:03,400 --> 00:30:07,200
change? I mean it seems to
me that you know the world has changed

326
00:30:07,240 --> 00:30:11,599
in the last ten year cybersecurity wise. What kind of changes you know,

327
00:30:11,680 --> 00:30:17,880
do you see coming, if any? Yeah, as I said, big airports won't see

328
00:30:17,920 --> 00:30:22,759
the difference internally, if I may
add, but I think we will see

329
00:30:23,119 --> 00:30:29,359
a major difference on outside. And
when I say outside, I mean the

330
00:30:29,400 --> 00:30:34,240
supply chain. It was the main
criticism we had at the time of NIS

331
00:30:34,480 --> 00:30:40,599
1, saying that all requirements were
on the operator and as you know,

332
00:30:40,799 --> 00:30:45,559
and especially airports, no
one is really alone doing his job.

333
00:30:45,680 --> 00:30:52,440
And we have in airport quite a
number of suppliers, IT, OT,

334
00:30:52,599 --> 00:30:57,680
whatever, and these suppliers were,
suppliers sorry, were outside of this

335
00:30:59,119 --> 00:31:02,759
NIS 1 directive. So this is
something that has changed and is very important,

336
00:31:03,319 --> 00:31:10,119
meaning that these supply chain
companies, they will also have requirements

337
00:31:10,880 --> 00:31:15,279
being kind of indirectly part of critical
infrastructure. Just to give you an example

338
00:31:17,039 --> 00:31:21,799
I mentioned previously cyber security in
physical security. If you're a passenger,

339
00:31:21,880 --> 00:31:26,079
you have put your bags in X
rays, very easy, easy to spot.

340
00:31:26,960 --> 00:31:33,000
And this X-ray right now is
tomography plus a computer. So of

341
00:31:33,039 --> 00:31:37,880
course we have cyber security questions around
it, and on this one we could just

342
00:31:37,079 --> 00:31:45,519
send questions to this
manufacturer saying please be gentle and add some

343
00:31:45,559 --> 00:31:48,720
cyber security. Now with NIS 2
they fall under it. So they can't

344
00:31:48,759 --> 00:31:52,880
say this is the airport problem,
but it's also their own problem now and

345
00:31:52,920 --> 00:31:57,680
then we'll have to fulfill this requirement
too. So coming back to something you

346
00:31:57,680 --> 00:32:01,440
said a moment ago, you know
fifteen thousand entities, lots of smaller airports,

347
00:32:02,960 --> 00:32:09,279
the smallest entities don't have a lot
of money to spend on cybersecurity.

348
00:32:09,359 --> 00:32:14,680
You know, the smallest nations don't
have a lot of money to spend you

349
00:32:14,720 --> 00:32:22,559
know, defining regulations much less enforcing
them on smaller entities. Does NIS 2

350
00:32:23,160 --> 00:32:28,640
address that? I mean, if
if there's going to be that many entities

351
00:32:28,680 --> 00:32:34,279
and that many people, you know, getting paid to do cybersecurity, on

352
00:32:34,359 --> 00:32:37,200
the one hand, that's a lot
of money. On the other hand,

353
00:32:37,240 --> 00:32:39,359
saying you know, we don't have
the money, it costs too much doesn't

354
00:32:39,400 --> 00:32:44,240
make the threat go away. How
do you how do you balance security and

355
00:32:44,400 --> 00:32:49,839
cost in NIS 2? Good question.
I think there's been a lot of discussion

356
00:32:49,880 --> 00:32:54,160
around this topic. And for instance, the Association of European Airports has been

357
00:32:54,200 --> 00:33:02,319
advocating for kind of exemption for very
small airports, but actually small airports

358
00:33:02,319 --> 00:33:07,240
they don't have a lot of IT,
OT, and if they have, the consequence of

359
00:33:07,279 --> 00:33:13,640
a failure, maybe not as
important as in a big one where you

360
00:33:13,640 --> 00:33:19,799
have this optimization as we mentioned before, thanks to IT and OT automations.

361
00:33:19,480 --> 00:33:28,640
But I think cyber security maybe is
a proportional issue. Depending on

362
00:33:28,680 --> 00:33:32,559
your size, you put
a kind of proportional amount of money.

363
00:33:34,400 --> 00:33:37,839
For instance, if you want to
secure a small system, you want to

364
00:33:37,880 --> 00:33:45,880
have so many equipment, cyber security equipment. We have something which is quite

365
00:33:45,359 --> 00:33:51,200
fitted to the size of the airport, and a bigger one. A bigger

366
00:33:51,240 --> 00:33:54,119
airport like ADP will spend a lot
of money because we have a lot of

367
00:33:54,200 --> 00:33:59,039
systems. But when you have smaller
systems and in a limited number, I

368
00:33:59,079 --> 00:34:02,920
guess this is kind of the same
amount of money. You said security costs

369
00:34:02,920 --> 00:34:09,559
too much. I have a kind
of saying, which is maybe it costs, but

370
00:34:09,960 --> 00:34:16,280
lack of security may cost more,
even more if someone finds you and destroys

371
00:34:16,480 --> 00:34:22,159
or damages your system. So I
think this is something which is of course

372
00:34:22,159 --> 00:34:27,679
this is interpretation, but I think
it's something NIS 2... I think

373
00:34:27,679 --> 00:34:32,320
the right word may be adequate level
of cyber security, meaning that you need

374
00:34:32,360 --> 00:34:37,400
to assess your system, assess the
cyber security risk on this system, and

375
00:34:37,519 --> 00:34:43,599
put the adequate measures or controls
to reduce that risk. So, of

376
00:34:43,639 --> 00:34:47,199
course it will change things for smaller
companies. They will have to hire people

377
00:34:47,360 --> 00:34:54,360
and put some equipment in place if
they don't have it already, if they didn't do

378
00:34:54,440 --> 00:35:00,719
it already. But I think it's
not... of course, when you spend

379
00:35:00,719 --> 00:35:04,719
nothing, and spending something is a
big deal. But at the end of

380
00:35:04,760 --> 00:35:07,639
the day, I don't think this
is such a big deal in comparison to

381
00:35:07,360 --> 00:35:15,480
the impact and the consequences a lack of
security may have. Andrew, if I

382
00:35:15,480 --> 00:35:20,559
could bring us back to small airports
for a moment, there's something timeless in

383
00:35:20,880 --> 00:35:24,719
you know, small organizations not necessarily
having all of the budget the large ones

384
00:35:24,760 --> 00:35:30,800
do to deal with cybersecurity. But
of course not having security and then having

385
00:35:30,800 --> 00:35:36,519
an incident ends up being much more
expensive in the end. So what exactly

386
00:35:36,559 --> 00:35:42,519
are we proposing that small airports in
this kind of situation do to keep up.

387
00:35:43,639 --> 00:35:46,679
Well, that's a good question, and it's a question that is

388
00:35:46,760 --> 00:35:53,239
confusing to a lot of practitioners.
I think part of the answer is

389
00:35:53,239 --> 00:35:57,599
what Eric said, which is,
look, the smaller airports tend to be

390
00:35:57,639 --> 00:36:00,280
automated less. They tend to have
less automation, and therefore they have less

391
00:36:00,280 --> 00:36:04,840
exposure on the ot side, you
know, on the industrial side, to

392
00:36:05,119 --> 00:36:10,400
cybersecurity attacks, and so they need
less security. So that's a good thing.

393
00:36:10,639 --> 00:36:19,239
It means you don't have to spend
an ADP size budget on cybersecurity for

394
00:36:19,559 --> 00:36:24,320
you know, a small airport's OT
systems. But what it also means,

395
00:36:25,079 --> 00:36:30,239
it's a question of economies. I
mean, why do we deploy OT automation,

396
00:36:30,320 --> 00:36:35,880
why do we deploy computers there at
all? It's to save money.

397
00:36:35,960 --> 00:36:39,000
And what we have to be careful
of in small airports is when we look

398
00:36:39,039 --> 00:36:45,360
at our existing automation, when we
look at new automation opportunities, it's important

399
00:36:45,519 --> 00:36:51,159
that we look not you know,
don't just say, hey, I could

400
00:36:51,199 --> 00:36:55,159
spend one hundred thousand dollars and save
one hundred and fifty thousand dollars over the

401
00:36:55,159 --> 00:36:59,440
course of three years. That's a
fifty thousand dollars benefit. Here we go.

402
00:37:00,559 --> 00:37:05,039
You have to say I could spend
one hundred thousand dollars on a new

403
00:37:05,039 --> 00:37:10,440
system, new automation, and how
much more cybersecurity would I need. You've

404
00:37:10,440 --> 00:37:17,440
got to include the cost of securing
your new automation. You can't just you

405
00:37:17,480 --> 00:37:22,800
know, if you've got something that
is sort of automation that is marginally beneficial,

406
00:37:22,920 --> 00:37:25,480
it's going to save you know,
fifty thousand dollars over three years on

407
00:37:25,519 --> 00:37:30,239
one hundred thousand dollars investment. To
me, that's marginal. If you had

408
00:37:30,239 --> 00:37:34,599
a one hundred thousand dollars investment that
would save you six hundred thousand dollars over

409
00:37:34,639 --> 00:37:37,440
three years. Well, then you
can afford to spend one hundred thousand dollars

410
00:37:37,480 --> 00:37:44,239
of your savings on a proper cyber
security system for that new piece of automation.

411
00:37:45,480 --> 00:37:50,639
But if you if your payback is
marginal, you know, really we

412
00:37:50,960 --> 00:37:53,800
probably shouldn't be deploying that automation.
We need to be deploying automation where the

413
00:37:53,880 --> 00:38:00,239
payback is big enough to you know, provide protection from the new risk that

414
00:38:00,280 --> 00:38:02,719
we're introducing. This is you know, this is the thing that confuses a

415
00:38:02,719 --> 00:38:07,119
lot of practitioners and
that I think is going to become

416
00:38:07,199 --> 00:38:13,719
very crystal clear for small operators in
the years ahead. We're coming up on

417
00:38:13,800 --> 00:38:16,119
the end of our
interview here, let me ask you.

418
00:38:16,159 --> 00:38:22,719
We've been talking about sort of the
history of cybersecurity in the aviation industry.

419
00:38:22,719 --> 00:38:25,559
in France, and in Europe
we've been talking about the present, which

420
00:38:25,599 --> 00:38:31,400
is NIS 2. You folks at
you know, the Paris

421
00:38:31,440 --> 00:38:38,880
airports, you personally have been working
with authorities, with French and European authorities

422
00:38:38,920 --> 00:38:43,000
on cybersecurity for a very long time. Now, you know, NIS

423
00:38:43,119 --> 00:38:47,639
2 is something that is sort of
the current big news. But you're talking

424
00:38:47,679 --> 00:38:52,639
to these authorities. Can you look
into the future for us a little bit?

425
00:38:52,760 --> 00:38:54,360
What's you know, what are you
working on now? What are we

426
00:38:54,440 --> 00:39:00,440
going to see coming out in the
next year, two or three? I

427
00:39:00,519 --> 00:39:04,599
can't really say, so we'll guess, and I hope when we get back

428
00:39:04,639 --> 00:39:07,519
to this interview in three years time, maybe it will be still valid.

429
00:39:07,559 --> 00:39:13,559
I don't know, but I think
there are maybe some fields that are not

430
00:39:14,239 --> 00:39:22,760
really covered. These are continuous improvement loops, these regulations. And for instance right now

431
00:39:22,880 --> 00:39:25,920
NIS 2 is generic to every sector, so they don't go into details.

432
00:39:27,840 --> 00:39:31,400
I mentioned things we have in aviation
for instance, but once again this is

433
00:39:34,679 --> 00:39:38,480
not detailed enough, I would say, or detailed for the operator for instance,

434
00:39:38,519 --> 00:39:43,880
in airport. I mentioned safety and
security, so we are supposed to

435
00:39:43,880 --> 00:39:49,800
do our homework on this topic,
but they don't say exactly what we need

436
00:39:49,800 --> 00:39:54,519
to do to secure a safety system
for instance. So I guess with experience,

437
00:39:54,639 --> 00:40:00,960
with return of experience from operators and
maybe some incidents, maybe

438
00:40:00,039 --> 00:40:08,960
they start defining more precise regulations, like maybe there are in nuclear and maybe

439
00:40:09,000 --> 00:40:14,719
sometimes in rails also as far as
I know, so maybe it will be

440
00:40:15,000 --> 00:40:19,159
kind of drilled down by sectors.
So I don't know, for instance,

441
00:40:19,199 --> 00:40:24,480
for for pharmaceutical or food industry.
I don't know if that's something specific that

442
00:40:24,480 --> 00:40:30,920
that is not detailed enough
under NIS 2. That's maybe

443
00:40:30,760 --> 00:40:37,360
one topic. Another topic, maybe
especially for aviation, but maybe it's similar

444
00:40:37,400 --> 00:40:42,639
to to other sectors. Is the
notion of ecosystem. Right now, the

445
00:40:42,960 --> 00:40:47,119
regulation focused on operators, so ADP
has to be compliant on its own,

446
00:40:47,880 --> 00:40:54,599
but of course ADP without an airline, without air traffic control, without aircraft

447
00:40:54,639 --> 00:41:00,280
manufacturers, we are useless. So
this ecosystem as a whole needs to be

448
00:41:00,920 --> 00:41:05,519
to be secured also by design.
So we are very at the early stage

449
00:41:05,559 --> 00:41:09,440
right now. We are kind of
sequencing the airport does this, the airline

450
00:41:09,480 --> 00:41:14,440
does that, et cetera. EASA,
that I mentioned before, tries to do

451
00:41:14,559 --> 00:41:19,599
that, to work as an ecosystem and
shared risk analysis for instance in the

452
00:41:19,679 --> 00:41:23,199
text. But I think, once
again this is only the early stage,

453
00:41:23,599 --> 00:41:30,280
and I think later we will
will need to reach that ecosystem cyber security

454
00:41:30,320 --> 00:41:35,360
by design. And last point,
which is not much of a prediction because

455
00:41:35,360 --> 00:41:38,920
it's already in place. We have
a new text in Europe called Cyber Resilience

456
00:41:38,960 --> 00:41:49,000
Act, which is defining what we
should put in place to be resilient.

457
00:41:49,119 --> 00:41:52,519
I know this is the kind of
gimmick right now, but meaning we are

458
00:41:52,519 --> 00:41:58,360
doing a lot in prevention with NIS
2, and in case we have an incident,

459
00:41:58,400 --> 00:42:00,519
how do we react? This is
resilience to me, more than

460
00:42:00,639 --> 00:42:06,440
business continuity, and so we have
also this kind of new topic. I

461
00:42:06,440 --> 00:42:08,880
would say as far as the regulation
is concerned, and I think we'll have

462
00:42:08,920 --> 00:42:14,400
also a lot of work to do
to be able to recover as quickly as

463
00:42:14,440 --> 00:42:20,800
possible in case of a dramatic incident. So something that you know, I've

464
00:42:20,840 --> 00:42:24,880
been thinking about that occurs to me
thinking about the interview so far, fifteen

465
00:42:24,960 --> 00:42:30,159
thousand entities. That's a lot,
you know, just in France, that's

466
00:42:30,159 --> 00:42:37,199
a lot of entities to audit.
If you're audited every three years, that's

467
00:42:37,239 --> 00:42:40,639
a lot of auditors. How's
that going to work? Yeah, I

468
00:42:40,679 --> 00:42:45,559
think this is a good question,
Andrew. Actually you should ask ANSSI about

469
00:42:45,599 --> 00:42:52,639
this, better than me. And once
again this is my interpretation. I think

470
00:42:52,679 --> 00:42:59,800
it shows the way, it shows
the way the regulators want to proceed

471
00:42:59,840 --> 00:43:06,559
now. Before NIS 2, let's say
NIS 1, and sorry for the technical terms,

472
00:43:06,360 --> 00:43:09,159
it was a kind of ex ante. This is Latin, sorry for

473
00:43:09,199 --> 00:43:15,559
that. In France, this is
an ex ante regulation, meaning that the regulators

474
00:43:16,280 --> 00:43:21,440
can come to you and say,
prove you've done what's in the regulation,

475
00:43:21,599 --> 00:43:25,320
the requirements of the regulation. With
the number of companies as you mentioned,

476
00:43:25,719 --> 00:43:31,800
I think it will be an ex
post regulation, meaning that and you're right,

477
00:43:32,519 --> 00:43:37,039
ANSSI won't be able to go
to each and every company, but

478
00:43:38,280 --> 00:43:43,159
let's put it like that. We'll
go after you if you have an incident,

479
00:43:43,320 --> 00:43:47,880
and you will have to prove that
you implemented the regulation as best as

480
00:43:47,920 --> 00:43:53,400
you could. Of course, it's
cybersecurity. It's not an exact topic.

481
00:43:53,800 --> 00:44:00,239
We still have a space for interpretation. But I think if you

482
00:44:00,960 --> 00:44:04,360
are not able to prove you
did your best, then you have a

483
00:44:04,400 --> 00:44:10,039
problem. And especially something quite strange
at the beginning, but the

484
00:44:10,079 --> 00:44:16,360
first articles of the regulation mention the
responsibility of the top management and one article

485
00:44:16,400 --> 00:44:21,480
says, I don't know if it
will be applied one day, that they

486
00:44:21,519 --> 00:44:29,519
can remove the CEO or the top
management team if they prove unable to deliver

487
00:44:29,559 --> 00:44:35,199
cybersecurity. So I'm pretty sure that
for some operators it could be the case.

488
00:44:36,000 --> 00:44:38,880
And if you have an incident,
good luck with that because they will come

489
00:44:38,920 --> 00:44:46,800
with the text and maybe use this
article. Let me cover that ground again.

490
00:44:47,559 --> 00:44:52,360
I'm not quite sure this is what
Eric said, but what I heard

491
00:44:52,440 --> 00:44:55,960
was an interesting idea. Whether he
meant it or not, what I heard

492
00:44:57,159 --> 00:45:00,119
was, look, there's a problem
about it. I mean, that was

493
00:45:00,159 --> 00:45:04,360
the question I asked. Do the
math. If there's fifteen thousand organizations that

494
00:45:04,440 --> 00:45:08,119
need to be audited every three years, that's five thousand organizations a year.

495
00:45:08,960 --> 00:45:13,239
You know, if an audit takes
you know, I don't know, a

496
00:45:13,280 --> 00:45:15,719
week or ten days on site and
another week or ten days of writing up

497
00:45:15,719 --> 00:45:22,000
after the fact. We're talking practically
speaking, one audit per month per auditor.

498
00:45:22,960 --> 00:45:28,320
You know, if we have five
thousand person months of audits to do

499
00:45:28,400 --> 00:45:31,920
every year, you've got to hire
you know, something like six hundred auditors

500
00:45:31,920 --> 00:45:37,360
plus their managers and their infrastructure.
We're talking you know, six or seven

501
00:45:37,480 --> 00:45:39,880
or eight hundred hires on the part
of the regulator. That's that's a lot

502
00:45:39,920 --> 00:45:47,000
of money. But you know
what I heard was, look, in

503
00:45:47,039 --> 00:45:52,039
the past, the big fish,
you know, sort of covered by the

504
00:45:52,079 --> 00:45:54,880
original NIS directive and the original ANSSI
directives. The big fish, yeah,

505
00:45:54,920 --> 00:45:58,800
you want to do thorough audits on
them because they're big fish, they're critical

506
00:45:58,880 --> 00:46:02,800
infrastructure. We care a lot about
their cybersecurity. If you've got a lot

507
00:46:04,159 --> 00:46:08,960
of smaller airports and you know,
smaller entities that you need to audit,

508
00:46:09,239 --> 00:46:14,199
do you really need to do a
really thorough audit on every one of them?

509
00:46:14,239 --> 00:46:20,360
Are they all equally important? And
the answer maybe no. You know,

510
00:46:20,400 --> 00:46:22,719
you can probably do a less thorough
audit. You can burn through these

511
00:46:22,800 --> 00:46:29,239
organizations, these smaller entities faster,
So do that, don't hire quite as

512
00:46:29,239 --> 00:46:34,480
many people. But what happens if
there's an incident after the fact, it

513
00:46:34,639 --> 00:46:38,199
makes sense that you're going to do
a deep dive on cybersecurity at the affected

514
00:46:38,320 --> 00:46:44,000
organization. You know, there may
be consequences for the affected organization. This

515
00:46:44,199 --> 00:46:46,800
it's going to be a public process, is my guess. You

516
00:46:46,840 --> 00:46:53,559
can, you know, publish learnings
and best practices to the entire industry,

517
00:46:53,639 --> 00:46:59,559
all other smaller players when you have
these incidents. So it you know,

518
00:46:59,800 --> 00:47:02,320
the concept that the regulator might
say, we're going to do a deep

519
00:47:02,360 --> 00:47:08,679
dive on a small entity when those
entities are breached. That, you know,

520
00:47:09,599 --> 00:47:14,159
if I heard it right, I
haven't heard anyone else, you know,

521
00:47:14,320 --> 00:47:17,440
talk about that. That strikes me
as an interesting approach and something that

522
00:47:19,000 --> 00:47:22,559
probably the regulator could sort of do
on their own. It doesn't have to

523
00:47:22,599 --> 00:47:24,960
be specified in the regulation. This
can just be, you know, a

524
00:47:25,360 --> 00:47:29,519
practical way of dealing with it,
so that's something to think about.

525
00:47:29,559 --> 00:47:35,599
That's, you know, to me
that was an interesting takeaway. There's

526
00:47:35,639 --> 00:47:39,599
a lot of ground that we covered
here. What

527
00:47:39,639 --> 00:47:44,320
are the big takeaways? What if
you wanted to summarize what's going on and

528
00:47:44,360 --> 00:47:49,559
sort of give people a lesson going
forward? What should

529
00:47:49,559 --> 00:47:53,280
we learn from this space? Yeah, I don't know if I'm the best

530
00:47:53,320 --> 00:47:58,960
person to say so, I'm just
a CISO in an operator. But things

531
00:47:59,559 --> 00:48:06,119
maybe that could be useful to your
listeners. First is regulation

532
00:48:06,239 --> 00:48:09,719
is not going away. So if
you think you can avoid it because you're

533
00:48:09,760 --> 00:48:16,119
too small, or maybe you're in
the right, within brackets, the right sector

534
00:48:16,920 --> 00:48:22,119
meaning not covered by regulation, forget
about it. Actually, when you look

535
00:48:22,159 --> 00:48:27,360
at the regulation, it's not rocket
science, just asking you to do everyday

536
00:48:27,360 --> 00:48:34,559
cybersecurity, but make sure you
actually do it, and more importantly, I

537
00:48:34,599 --> 00:48:37,440
think when you have regulation. This
is something I've observed in ADP for

538
00:48:37,559 --> 00:48:40,920
more than ten years now. When
you have regulation, you have the attention

539
00:48:42,039 --> 00:48:45,159
of your CEO or your top management. So for CISOs in the room,

540
00:48:45,280 --> 00:48:54,280
I think use the regulation wisely to
get budget and interest and raise awareness

541
00:48:54,480 --> 00:49:00,679
within your company. And maybe for
CEO, I don't know if some are listening

542
00:49:00,719 --> 00:49:07,159
now. I think one important thing
is cyber security is not a technical topic.

543
00:49:07,400 --> 00:49:14,719
Actually it's a culture. On one
hand, I mean culture in companies, but

544
00:49:14,800 --> 00:49:20,880
also a culture in everyday society.
Everybody now has their own smartphone,

545
00:49:20,920 --> 00:49:23,320
I guess, and this is it. So you need to understand what

546
00:49:23,360 --> 00:49:29,559
cybersecurity for your smartphone as well as
cyber security for your OT system in

547
00:49:29,599 --> 00:49:35,320
your factory. And I
think that's, in a nutshell, very high level,

548
00:49:35,719 --> 00:49:40,079
what NIS 2 is trying to implement:
do everyday cybersecurity because it's protecting

549
00:49:40,159 --> 00:49:45,360
your critical assets and helps you deliver
the service you promise to deliver.

550
00:49:46,280 --> 00:49:52,000
That's maybe two things I
want to address to people doing

551
00:49:52,039 --> 00:49:55,360
it. And last topic is for
suppliers. I mentioned the supply chain before,

552
00:49:57,000 --> 00:50:00,440
and I have only three words for
them. It's cyber security by design.

553
00:50:00,119 --> 00:50:05,760
Please. With NIS 1, as I
mentioned, we have been fighting with

554
00:50:05,800 --> 00:50:13,360
some equipment manufacturers saying this is
our obligation now, so please help us

555
00:50:13,360 --> 00:50:17,119
reach that. Now with NIS 2,
it's their obligation too. But once again,

556
00:50:17,320 --> 00:50:22,880
this is no longer an
extra for equipment. It needs

557
00:50:22,920 --> 00:50:27,760
to be secured by design. So
pay attention to this regulation. You will

558
00:50:27,800 --> 00:50:31,440
help your customer and you will also
help your company to be as

559
00:50:31,480 --> 00:50:40,639
competitive as needed. So that would
be my three takeaways for NIS 2. You

560
00:50:40,679 --> 00:50:45,840
know, Andrew, I feel like
this happens sometimes where we start an episode

561
00:50:45,880 --> 00:50:47,760
with a certain topic and then we
just end up talking about NIS 2 a

562
00:50:47,760 --> 00:50:53,559
lot. Yeah, NIS 2 is
a very big deal in Europe, but

563
00:50:53,719 --> 00:50:58,119
to be fair, you know,
regulation is increasing in a lot of places

564
00:50:58,519 --> 00:51:02,400
in the USA. For example,
the TSA has issued a cybersecurity directive

565
00:51:02,519 --> 00:51:08,639
to airports as well. That said, for now, the directive is confidential.

566
00:51:08,719 --> 00:51:13,719
I mean, I'm assuming the directive
looks a lot like their rail

567
00:51:13,800 --> 00:51:16,360
and pipeline directives, but I don't
know that for sure. So you know,

568
00:51:16,480 --> 00:51:21,880
regulations are increasing in a lot of
places, and I mean there's a

569
00:51:21,960 --> 00:51:28,480
truism in the industry and the cybersecurity
industry. Never waste a crisis. Nobody

570
00:51:28,480 --> 00:51:31,000
wants a crisis. Nobody wants their
OT systems to be breached and you know,

571
00:51:31,119 --> 00:51:35,320
fires to start and people to be
injured. Nobody wants any of that.

572
00:51:36,199 --> 00:51:38,760
But if you have a crisis,
never waste the crisis. Use the

573
00:51:38,840 --> 00:51:44,559
crisis to spring some money loose,
money to solve the cybersecurity problem that you

574
00:51:44,639 --> 00:51:49,719
knew from the beginning needed to be
solved. The same thing with regulation.

575
00:51:50,440 --> 00:51:54,000
Nobody wants regulation, but if you
have a regulation coming down on you,

576
00:51:54,320 --> 00:52:00,480
don't waste the opportunity. Use the
opportunity of the regulation, use it to

577
00:52:00,559 --> 00:52:05,360
spring some money loose and yes,
do the paperwork to comply with the regulation

578
00:52:05,800 --> 00:52:10,199
and make the changes that you knew
needed to be made in terms of technology

579
00:52:10,280 --> 00:52:16,320
people, process. Solve the problem in addition
to dealing with the regulation. And yeah,

580
00:52:16,440 --> 00:52:21,960
NIS 2 is affecting tens of thousands
of organizations all throughout Europe. Enormous

581
00:52:22,039 --> 00:52:27,079
change in terms of societal expectations,
enormous interest. So yeah, never waste

582
00:52:27,079 --> 00:52:31,440
a crisis. Never waste a regulation. It makes sense to me with that

583
00:52:31,519 --> 00:52:36,079
thought. Thank you to Eric Vautier
for speaking with us. And Andrew, as

584
00:52:36,079 --> 00:52:38,280
always, thank you for speaking with me. It's always a pleasure. Thank you,

585
00:52:38,400 --> 00:52:44,360
Nate. This has been the Industrial
Security podcast from Waterfall. Thank you

586
00:52:44,480 --> 00:52:50,599
to everybody out there listening
