
[Expert Opinion] The Impact of the Military Planning Act on Suppliers

September 16, 2020

The Military Programming Law (MPL) affects not only Vital Importance Operators (VIOs) but also their suppliers. The systems acquired by the VIOs and integrated into the Vital Information System (VIS) must comply with the MPL. This "LPM" qualification (LPM being the French acronym for the MPL) requires suppliers to integrate new activities not only into their systems but also into their company.

Integration of new technologies

In order to obtain the "LPM" qualification, a system must now integrate the following functions:

  • Identification / Personal Authentication
  • Profile and rights management (RBAC)
  • Security event escalation
  • Supervision
  • Hardening

Some systems are based, at least in part, on electronic equipment; for example, the equipment that makes up a mobile telecommunications network, or a solution for controlling an electrical network. It is now common for manufacturers to highlight the "cyber" advantages of such equipment. This equipment then includes the following technologies:

  • SNMP for equipment supervision. SNMP V3 is to be preferred to SNMP V2c.
    • Version 3 includes some very interesting security options, such as:
      • Identification and authentication
      • Integrity check. It is a pity that the integrity calculation protocol chosen by the working group is not SHA-256.
      • Encryption

Although the Request part (a request initiated by the supervision console to the equipment) and the Trap part (information sent by the equipment to the supervision console after a threshold crossing) are both defined in SNMP Version 3, no system I have come across has implemented the SNMP V3 protocol for the trap part. The trap part is then based on version 2c.

SNMP V2c embeds only one security property: the community.

SNMP V1 is to be banned, as this version of the protocol is not at all secure.

Good to know: the SNMP protocol includes configuration download functions.

  • Syslog for reporting security events to the central collector
  • NTP for time management. The successor to the NTP protocol will be NTS. It will become the standard once available.
  • RADIUS for Identification / Personal Authentication. The equipment can then communicate with an X.500 directory (Active Directory type), either directly or via a RADIUS proxy. The RADIUS proxy is useful in the following cases:
    • I'm trying to protect my equipment, so I locate it in the private area. The private area cannot communicate directly with the public area; communication can only go through equipment in the Demilitarized Zone (DMZ). The RADIUS proxy, hosted in the DMZ, performs a protocol break.
    • My equipment can talk RADIUS, but my X.500 directory only talks Kerberos (for example). The RADIUS proxy is then used as a gateway.

RADIUS also includes profile management (RBAC), with rights being managed directly in the equipment.
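
For the SNMP points made earlier (prefer V3, ban V1, traps that fall back to V2c, configuration functions reachable over SNMP), a small audit of an agent configuration makes the gaps visible. This is an added example, not part of the original article: it assumes a Net-SNMP-style snmpd.conf, and the sample configuration and the function name audit_snmpd_conf are constructed for illustration.

```python
import shlex

# Constructed sample in Net-SNMP snmpd.conf syntax (assumed agent; not from the article).
SAMPLE_CONF = '''\
rocommunity public 10.0.0.0/24
rwcommunity private 10.0.0.5
trapsink 10.0.0.9 public
trap2sink 10.0.0.9 public
createUser legacy MD5 "constructed-auth-pass" DES "constructed-priv-pass"
rouser legacy auth
createUser monitor SHA "constructed-auth-pass" AES "constructed-priv-pass"
rouser monitor priv
'''

COMMUNITY = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}
NOTIFY = {"trapsink": "V1", "trap2sink": "V2c", "informsink": "V2c"}


def audit_snmpd_conf(text):
    """Return (line_no, directive, finding) for each setting weaker than V3 authPriv."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        tok = shlex.split(raw, comments=True)  # honours quotes and '#' comments
        if not tok:
            continue
        d, args = tok[0], tok[1:]
        if d in COMMUNITY:
            findings.append((no, d, "V1/V2c access protected only by a community"))
            if d.startswith("rw"):
                findings.append((no, d, "community grants write (SET) access"))
        elif d in NOTIFY:
            findings.append((no, d, f"{NOTIFY[d]} notification sent with a community"))
        elif d == "createUser":
            if args[:1] == ["-e"]:  # optional engine ID precedes the user name
                args = args[2:]
            _, auth, _, priv = (args + [None] * 4)[:4]
            if auth == "MD5":
                findings.append((no, d, "MD5 authentication"))
            if priv is None:
                findings.append((no, d, "no privacy (encryption) protocol"))
            elif priv == "DES":
                findings.append((no, d, "DES privacy"))
        elif d in ("rouser", "rwuser") and "priv" not in args:
            findings.append((no, d, "V3 user not required to use authPriv"))
    return findings


if __name__ == "__main__":
    for no, d, msg in audit_snmpd_conf(SAMPLE_CONF):
        print(f"line {no}: {d}: {msg}")
```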

Patrick Quintreau-Belleux, Project Director - ITS Group
