A pharmaceutical group operates several production sites for active ingredients, with numerous information systems at the heart of its operations. Faced with a growing risk of cyber-attacks in a sensitive sector, it wanted to identify its critical systems and assess the threats to its activities, so as to be able to implement the appropriate means of protection.
Our EBIOS® RM-certified consultants deploy the approach promoted by ANSSI, in partnership with cybersecurity experts I-Tracing. We apply our operational consulting vision to bear in determining key business values to limit the risk of compromising IS integrity, availability and confidentiality, and its consequences on production and patients.
Main achievement
Cyber risk mapping
After identifying the essential tasks to achieving the production sites’ objectives, we mapped the business processes and key information required to achieve them. We qualified their criticality according to their security needs (Availability, Integrity, Confidentiality and Traceability) and associated the most essential with the supports needed to carry them out (hardware, applications, network, personnel).
We identified the events feared by operational staff and assessed their level of severity in terms of their human, legal, regulatory, reputational and financial impact.
Based on our benchmarks, we identified and qualified threats to the sector (espionage, hacktivism, etc.) in terms of probability and modes of action. We then established the most critical cyber attack scenarios, taking into account the stakeholders in the ecosystem (service providers, partners, etc.), and determined the possible technical attack paths by qualifying their likelihood.
Finally, we assessed the robustness of the protection and business continuity systems in place to develop a proposal for a managerial and technical action plan to enhance Cyber risk control.
Key figures :
20 processes and information to protect
10 attack scenarios with major impact
15 recommendations, including 7 major ones