Fleury Michon
Centralize and strengthen the security of internal and external access to OT and IT systems, while ensuring segregation between the two.

Fleury Michon
> Food industry company
> 3,000 employees
> 8 production sites in France, with a presence in Canada and the Netherlands.
Challenges
> Regain control over remote access to the factory perimeter.
> Secure IT administration access, both internal and external.
> Centralize the management of remote access with segregated control between industrial (OT) and IT networks.
Benefits:
> Control of OT & IT access, both internal and external, in compliance with the principle of segregation.
> An OT & IT access security strategy based on Zero Trust principles.
> A solution adapted to the AD siloing context, facilitating audits.
« cyberelements Cleanroom is the foundation of our access security strategy based on the 3-Tier model: we can centrally manage internal and external access to our OT & IT target resources while applying all Zero Trust principles. »
Nicolas Verdière
Systems Engineer – Fleury Michon
About Fleury Michon
Fleury Michon, a French food company producing delicatessen, catering, foodservice and airline catering products, is the third best-selling brand in France. With over 3,000 employees, the company operates 8 production sites in France, as well as having a presence in Canada and the Netherlands.
The challenge: centralize and secure internal and external access to OT & IT systems
Having already been the target of a cyberattack, Fleury Michon needed to implement an access security strategy based on the 3-Tier model (AD siloing), in line with ANSSI recommendations. Within this framework, the teams sought a solution that would allow them to manage administrative access rights to both industrial and IT systems, by user type and team, in order to handle these rights with the finest possible granularity.
Regain control over remote access to the factory perimeter
Remote access to the factory perimeter was managed through several heterogeneous solutions, depending on the site and the equipment in place. In some cases, these solutions were implemented by the equipment manufacturers themselves, who were the only ones controlling access to Fleury Michon’s factory perimeter. This management was time-consuming, and maintaining security was challenging. The company therefore sought a solution to centrally manage this remote access, whether from the service provider’s network or from employees’ homes, while ensuring full control over it.
Secure IT administrative access, both internal and external
As part of its access security strategy, Fleury Michon aimed to implement administrative access rights management by user type and team, in order to handle permissions as precisely as possible. The teams intended to first deploy this solution for internal administrators, and then extend it to contractor administration access. Contractor access was previously managed via FortiClient, directly on their firewalls. There was therefore a desire to standardize all administrative access on a single platform, eliminating the use of VPNs by contractors to access the PLCs.
Centralize remote access management with segregated control between industrial (OT) and IT networks
The challenge for the teams was to maintain segregated control of access between IT and OT networks, and therefore to have a solution that allowed centralized management (creation, modification, deletion, activation, etc.) of individual user accounts to meet non-repudiation requirements. The solution also needed to facilitate account reviews and ensure user permissions compliance.
Why did Fleury Michon choose cyberelements Cleanroom to centralize and secure access to its OT & IT systems?
Following the evaluation of three solutions as part of a tender to secure OT access, the Fleury Michon teams chose cyberelements Cleanroom: its OT functionalities were more advanced than the other solutions and met the company’s requirements while offering a controlled cost. Seeing the functional coverage of cyberelements Cleanroom, the teams extended the tender to include IT administrative access security. The solution was then deployed in three phases: first for IT administrators, then for IT contractors, and finally for OT contractors.
A unified platform for access to OT & IT resources
Today, internal and external access to OT & IT target resources is managed exclusively through the cyberelements Cleanroom portal. This represents 45 simultaneous accesses on working days, with a 75%/25% split between internal administrator access and contractor access. The solution allows access to be configured based on usage: internal administrators use the Cleanroom client for RDP access, while all other access, including that of contractors, is done via the HTML5 portal, avoiding the need to install the client on devices not managed by the organization. 80% of internal and external administrative sessions are recorded.
A single solution to cover all industrial access use cases
Fleury Michon has a wide variety of industrial suppliers and did not have the infrastructure or licenses to provide remote access to these suppliers or their service providers. With cyberelements Cleanroom, the Fleury Michon teams centralize and track access to target infrastructures according to the capabilities offered by the manufacturers and industrial protocols: access to control applications on an engineering workstation, or access to equipment via the engineering application running on the supplier’s or manufacturer’s workstation. This diversity of access modes makes the use of the bastion transparent and facilitates the adoption of the solution by all users.
Highly granular management of different access rights
cyberelements Cleanroom enables highly granular access management, as specific access rights and permissions are defined according to user roles (support, operators, experts, etc.). The ability to create ‘group’ objects that bring together all users with identical access greatly simplifies the administration of these permissions.
What are the benefits of cyberelements Cleanroom today?
Full control of OT & IT access, both internal and external, in compliance with the principle of segregation
cyberelements Cleanroom centralizes secure internal and external access to IT and OT on a single infrastructure, while ensuring segregation between IT and OT through its multi-gateway approach. The solution’s unique Zero Trust architecture also enables secure tunnels between external providers and the OT LAN, allowing industrial administration teams to deploy their tools (monitoring, patch management, etc.) on production networks. In this way, cyberelements Cleanroom simplifies access management while reducing operating costs.
An OT & IT access security strategy based on Zero Trust principles
cyberelements Cleanroom enables Fleury Michon to implement all Zero Trust principles within its industrial infrastructure:
> Application of the principle of least privilege, allowing internal administrators or contractors to access only the authorized resource, when they need it, and only for the duration of their intervention.
> Control of the user’s access context (compliance of the access device, authorized time slots for access, etc.).
> No disclosure of authentication secrets: the Fleury Michon teams deployed the password vault with password injection for RDP and VNC access, and with automatic renewal for RDP access.
> Implementation of strong authentication methods (MFA) depending on usage: Azure portal MFA for internal access and email-based MFA for OT & IT contractors.
A solution adapted to the AD siloing context, facilitating audits
cyberelements Cleanroom interfaces with Fleury Michon’s AD in accordance with the security principles and rules of the Microsoft Active Directory environment based on the 3-tier model. The interfacing of cyberelements Cleanroom with AD facilitates audits on account management and remote access, as teams benefit from control over all accounts with complete visibility of effective authorizations on IT and OT resources. cyberelements Cleanroom makes it possible to prove who did what, when, and on which system at any time, thus ensuring accountability for all access to the industrial infrastructure.
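The Zero Trust checks listed above (least privilege with a bounded session, access context, no secret disclosure, MFA per population) and the tier-scoped administrative accounts and audit trail described in this AD siloing section can be illustrated with a small policy evaluator. The Python below is an added example written for this page, not cyberelements Cleanroom code: every target, user, group, grant, time slot and tier assignment in it is constructed, and the check order, deny reasons and audit record layout are this example's own assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed example. Targets carry their network (OT/IT) and their AD tier per the
# 3-tier model behind AD siloing: 0 = identity (DCs), 1 = servers, 2 = workstations.
@dataclass(frozen=True)
class Target:
    name: str
    network: str   # "OT" or "IT"
    tier: int
    protocol: str  # "RDP" or "VNC"

@dataclass(frozen=True)
class User:
    name: str
    kind: str          # "internal" or "contractor"
    groups: frozenset  # bastion "group" objects the user belongs to
    admin_tier: int    # the single tier this administrative account may reach

@dataclass(frozen=True)
class Context:
    now: datetime
    device_compliant: bool
    mfa_method: Optional[str]  # "azure", "email" or None
    gateway: str               # gateway the session arrived on: "OT" or "IT"

@dataclass(frozen=True)
class Grant:
    group: str
    target: str
    hours: tuple       # (start, end) hour-of-day slot, end exclusive
    max_minutes: int   # hard cap on session duration

GRANTS = (Grant("ot-support", "plc-eng-ws-01", (6, 20), 120),
          Grant("it-admins", "file-srv-01", (0, 24), 240))
MFA_BY_KIND = {"internal": "azure", "contractor": "email"}  # MFA required per population

def audit_record(user, target, ctx, allowed, reason, expires):
    """Non-repudiation record: who, what, when, on which system, with the outcome.
    Only a vault reference is logged: the bastion injects the target password itself."""
    return {"who": user.name, "kind": user.kind, "system": target.name,
            "network": target.network, "protocol": target.protocol,
            "when": ctx.now.isoformat(), "allowed": allowed, "reason": reason,
            "expires": expires.isoformat() if expires else None,
            "credential": f"vault://{target.name}"}

def evaluate(user, target, ctx, grants=GRANTS):
    """Every check must pass; the first failure is the deny reason.
    Returns (allowed, reason, audit_record)."""
    def deny(reason):
        return False, reason, audit_record(user, target, ctx, False, reason, None)
    if MFA_BY_KIND.get(user.kind) != ctx.mfa_method:
        return deny("mfa-method")            # strong auth adapted to the population
    if not ctx.device_compliant:
        return deny("device-noncompliant")   # access context: device posture
    if ctx.gateway != target.network:
        return deny("network-segregation")   # OT and IT reached through separate gateways
    if user.admin_tier != target.tier:
        return deny("tier-siloing")          # an admin account stays within its tier
    matching = [g for g in grants if g.target == target.name and g.group in user.groups]
    if not matching:
        return deny("no-grant")              # least privilege: only authorized resources
    grant = min(matching, key=lambda g: g.max_minutes)  # most restrictive cap wins
    start, end = grant.hours
    if not start <= ctx.now.hour < end:
        return deny("outside-time-slot")     # access context: authorized time slot
    expires = ctx.now + timedelta(minutes=grant.max_minutes)  # bounded intervention
    return True, "ok", audit_record(user, target, ctx, True, "ok", expires)

def run_scenarios():
    """Constructed requests exercising each check: name -> (allowed, reason, expires)."""
    plc_ws = Target("plc-eng-ws-01", "OT", 1, "VNC")
    file_srv = Target("file-srv-01", "IT", 1, "RDP")
    alice = User("alice", "internal", frozenset({"ot-support"}), 1)
    vendor = User("vendor-tech", "contractor", frozenset({"ot-support"}), 1)
    bob = User("bob", "internal", frozenset({"it-admins"}), 0)  # tier-0 account
    day, night = datetime(2024, 5, 6, 9, 0), datetime(2024, 5, 6, 22, 0)
    cases = {
        "internal_ot_ok": (alice, plc_ws, Context(day, True, "azure", "OT")),
        "contractor_wrong_mfa": (vendor, plc_ws, Context(day, True, "azure", "OT")),
        "contractor_ok": (vendor, plc_ws, Context(day, True, "email", "OT")),
        "ot_target_via_it_gateway": (alice, plc_ws, Context(day, True, "azure", "IT")),
        "tier0_account_on_tier1": (bob, file_srv, Context(day, True, "azure", "IT")),
        "no_grant": (alice, file_srv, Context(day, True, "azure", "IT")),
        "outside_hours": (alice, plc_ws, Context(night, True, "azure", "OT")),
    }
    out = {}
    for name, (u, t, c) in cases.items():
        allowed, reason, rec = evaluate(u, t, c)
        out[name] = (allowed, reason, rec["expires"])
    return out

if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:26s} {outcome}")
```

Running the block prints one line per scenario. The point of the layout is that every deny carries the specific check that failed and every allow carries an expiry, and that the same audit record is produced either way: an account review can answer "who reached which system, when, through which gateway, and why" from this record alone, without any target password ever having passed through the user's hands.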