5.1. Introduction

The success of an attack on a computer system depends on at least one vulnerability being exploited; it can be technical, human or organizational.

Very often, vulnerability analysis of an industrial control system (ICS) is limited to a technical aspect. While the number of vulnerabilities of this type is often significant, they do not explain most attacks on their own, as shown by analysis of feedback. Fixing these technical vulnerabilities is necessary, but not sufficient.

The analogy with the security of a building makes you realize this: to ensure security, it is important to have good quality locks and to have secured the windows; this is the technical aspect. The building use policy should define rules related to closure, such as closing times. It is then necessary for users to lock the door, this is the human aspect. They must therefore be made aware of the importance of the procedure and, if necessary, trained in use of the locking system. To complete the whole, it is then necessary to plan to check that the rule is applied and, possibly, to plan a systemic lock when shifts end by a member of security staff.

An analysis of the building security vulnerabilities will begin with an analysis of the technical characteristics (lock quality), which should be as comprehensive as possible. This will require first identifying the different potential entry points for a burglar. In a second step, the organizational aspect will be checked: ...