Securing the industrial supply chain, complying with NIS2, and leveraging cybersecurity for business benefits — these were key topics discussed during the Cybersecurity for Industry (CFI) day at the Forum InCyber. Below is a summary of the discussions held during the roundtables.

Securing the industrial supply chain remains a top concern, especially as it becomes an increasingly frequent target for cybercriminals. According to a 2023 study by SecurityScorecard and the Cyentia Institute, 98% of organizations worldwide have at least one third-party service provider that experienced a cybersecurity breach in the past two years.

The concept of the industrial “supply chain” has significantly evolved in recent years. It has expanded from a linear chain—from manufacturing to delivery to the end customer—into a much broader ecosystem. “Today, the challenge is identifying and mitigating risks stemming from a highly complex third-party ecosystem (third, fourth parties and beyond) that interacts with our data and systems. Due to the evolving threat landscape and system interconnectivity, there are no longer any clear perimeter boundaries,” explains Lucile Coupez, Head of Group Security Governance and Third-Party Risk Management at EssilorLuxottica. She adds that this topic is managed within the group’s governance bodies.

To effectively secure the industrial supply chain, strong collaboration between various departments is crucial—especially with procurement. “Securing the supply chain is a collaborative effort between the security and procurement departments, with the latter being responsible for managing supplier relationships. This partnership is both complementary and essential to improving supply chain resilience,” says Élise Babelaere, Supply Chain Security Coordinator at Airbus.

She also stresses the importance of applying a “security by design” approach from the early stages of procurement: “Every supplier must demonstrate their maturity level before final selection. Specific contractual security requirements are also necessary, along with the implementation of audits,” she notes.

Samuel Braure, Regional Cybersecurity Manager at Schneider Electric, shares this view: “Risk qualification and prioritization to determine what and where to protect is a critical step.” He emphasizes the need to move beyond siloed approaches: “We must shift away from an individual cybersecurity stance toward a collective approach grounded in ecosystem thinking.”

Braure also highlights the importance of integrating cybersecurity “at every stage of the product lifecycle,” particularly to safeguard operations in the face of supply chain threats. He sees the adoption of international standards such as IEC 62443 as “a major lever to strengthen this momentum.”

NIS2 Compliance: A Decisive Milestone

Compliance with the NIS2 directive was another major point of discussion. This European directive aims to strengthen cybersecurity across the EU’s internal market and its public administrations to counter systemic threats, including those linked to cybercrime. In recent years, cybercriminals have increasingly turned their attention from large corporations to local governments and SMEs.

Entities subject to NIS2 will be required to fulfill a set of obligations: registering with the national authority and keeping their information up to date, reporting cybersecurity incidents, and implementing cybersecurity measures. These measures mainly cover basic cybersecurity hygiene practices: incident management and response, supply chain security, network and information system protection, and crisis resilience and management.

“To address the issue of securing systems, we must move beyond assumptions like ‘My OT isn’t connected to my IT.’ That’s becoming less and less true, especially as OT systems are increasingly digitized—such as wired temperature sensors becoming wireless and therefore externally connected,” says Florian Lemoine, Project Manager at ANSSI (France’s National Cybersecurity Agency). He advocates for mapping, classifying, prioritizing, and applying basic hygiene principles—particularly through segmentation.

While awaiting the publication of the security requirements framework for NIS2-regulated entities, ANSSI is offering several tools and guides on its website. These include guidelines for classifying industrial IT systems and implementing technical security measures. For organizations new to cybersecurity, ANSSI provides services such as MonEspaceNIS2, a portal offering up-to-date transposition information, and MonAideCyber, a support platform.

Resilience, Innovation, Processes: How Cybersecurity Adds Business Value

During the CFI roundtables, participants also explored how cybersecurity can evolve from being seen as a constraint to becoming a value-creation lever.

“We’ve developed a network monitoring system for a security setup used in nuclear plants. This system provides not only network metrics but also operational metrics. We can deliver actionable insights to business units in real time—for example, for predictive maintenance,” says Pierre-Marie Lore, Cybersecurity Director at Framatome I&C.

According to Thierry Manciot, Head of Cybersecurity for Network, Manufacturing & Supply at Sanofi, cybersecurity can deliver substantial value to business operations when approached through the lens of the value chain. “In terms of performance and innovation, cybersecurity can reinforce the resilience of value chains. We are developing a value chain approach tailored to our products, which in our case are pharmaceuticals,” Manciot explains. This involves modeling the entire value chain end-to-end, aiming to identify all links in the chain (systems, assets, suppliers, etc.).

“If one link is compromised, the whole chain may be affected. Cybersecurity ensures the protection of systems and lifecycle management, as well as recovery and crisis response capabilities,” he adds.

Ultimately, Dimitri Van Zantvliet, CISO at Dutch Railways, argues that when cybersecurity becomes a genuine lever for optimizing processes, boosting resilience, and fostering innovation, its impact is strategic: “To innovate is also to build trust. Today, trust is the new gold. It’s no longer just the data itself that holds strategic value, but the trust we place in those handling it,” he states.

In both B2B and B2C activities, organizations earn this trust by demonstrating their ability to secure interactions and personal data. “In the end, clients and partners are willing to ‘leave their business card’—in other words, share their data—because they believe it will be handled responsibly and securely. Security is essential, but no longer sufficient: it’s trust that makes the real difference,” he concludes.
