Applied Risk Management using ANSSI's EBIOS RM methodology
This repository contains three real-world EBIOS Risk Manager (EBIOS RM) case studies applied across critical infrastructure sectors. Each study follows the full ANSSI methodology through 5 structured workshops (ateliers), covering threat source identification, risk scenario modeling, and treatment recommendations.
| # | File | Sector | Framework | Key Threats |
|---|---|---|---|---|
| 1 | EBIOS_RM_AXA_Cloud_Azure.docx |
Insurance / Finance | EBIOS RM + Cloud (CSP) | Data breach, Cloud misconfiguration, Ransomware |
| 2 | EBIOS_RM_Banque_SPI_DORA.docx |
Banking | EBIOS RM + DORA | Operational resilience, ICT third-party risk, Cyberattacks |
| 3 | EBIOS_RM_TransRail_SupplyChain.docx |
Rail / Transport | EBIOS RM | Supply chain attacks, SCADA/OT compromise, Sabotage |
EBIOS Risk Manager (Expression des Besoins et Identification des Objectifs de Sécurité) is the French national risk management standard developed by ANSSI (Agence nationale de la sécurité des systèmes d'information).
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β EBIOS RM β 5 WORKSHOPS β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β
β ATELIER 1 βββΊ ATELIER 2 βββΊ ATELIER 3 βββΊ ATELIER 4 βββΊ ATELIER 5 β
β β
β Cadrage & Sources de ScΓ©narios ScΓ©narios Traitement β
β Socle de Risque (SR) StratΓ©giques OpΓ©rationnels du Risque β
β SΓ©curitΓ© (SS) (SO) β
β β
β β PΓ©rimΓ¨tre β Motivations β Biens β Modes β Mesures β
β β SMSI β CapacitΓ©s β SupportΓ©s β OpΓ©ratoires β Risques β
β β Valeurs β Ciblage β Chemins β Vraisemblance β RΓ©siduel β
β MΓ©tier d'Attaque β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Sector: Insurance & Financial Services
Context: Cloud migration of critical insurance systems to Microsoft Azure
| Scenario | Source de Risque | Vraisemblance | GravitΓ© | Niveau |
|---|---|---|---|---|
| Exfiltration de donnΓ©es assurΓ©s | Cybercriminel organisΓ© | 3 | 4 | CRITIQUE |
| Ransomware sur infrastructure cloud | Groupe APT | 3 | 4 | CRITIQUE |
| Misconfiguration Azure IAM | InitiΓ© malveillant | 2 | 3 | IMPORTANT |
| Compromission API Gateway | Cybercriminel | 2 | 3 | IMPORTANT |
| DDoS sur services en ligne | Hacktiviste | 3 | 2 | MODΓRΓ |
mesures_prioritaires = {
"Gouvernance": [
"Politique SMSI Cloud spΓ©cifique",
"ProcΓ©dure de gestion des incidents cloud",
"Revue de sΓ©curitΓ© trimestrielle Azure"
],
"Technique": [
"Azure Defender for Cloud (niveau Standard)",
"Chiffrement AES-256 au repos et en transit",
"Zero Trust Network Architecture (ZTNA)",
"MFA obligatoire + Conditional Access Policies",
"SIEM Azure Sentinel avec règles UEBA"
],
"Organisationnel": [
"Formation sΓ©curitΓ© cloud DevOps teams",
"Exercices de simulation d'incidents",
"Audit de conformitΓ© ISO 27017/27018"
]
}Sector: Banking & Financial Services
Context: DORA compliance assessment for a mid-size French bank (SPI β SystΓ¨me de Paiement Interbancaire)
| Pilier DORA | Article | Risque IdentifiΓ© | MaturitΓ© Actuelle | Cible |
|---|---|---|---|---|
| ICT Risk Management | Art. 5-16 | Framework incomplet | 2/5 | 4/5 |
| Incident Reporting | Art. 17-23 | DΓ©lais non respectΓ©s | 1/5 | 4/5 |
| Digital Operational Testing | Art. 24-27 | Tests TLPT absents | 1/5 | 3/5 |
| ICT Third-Party Risk | Art. 28-44 | Mapping fournisseurs incomplet | 2/5 | 4/5 |
| Info Sharing | Art. 45-49 | Participation limitΓ©e | 2/5 | 3/5 |
GRAVITΓ
5 β ββ Ransomware sur core banking
β ββ Fraude interne SI paiement
4 β ββ DΓ©faillance prestataire critique
β ββ Attaque SWIFT/SEPA
3 β ββ Vol de donnΓ©es clients
β ββ DDoS plateforme digitale
2 β ββ Erreur configuration rΓ©seau
β
1 βββββββββββββββββββββββββββββββββββ VRAISEMBLANCE
1 2 3 4 5
Sector: Rail Transport & Critical Infrastructure
Context: Supply chain security assessment for a French rail operator
scenarios_supply_chain = {
"SS-01": {
"titre": "Compromission logiciel SCADA via mise Γ jour malveillante",
"source_risque": "Groupe APT Γ©tatique",
"bien_supporte": "Systèmes de contrôle-commande",
"vraisemblance": 3,
"gravite": 5,
"niveau_risque": "CRITIQUE"
},
"SS-02": {
"titre": "Backdoor dans composant Γ©lectronique embarquΓ©",
"source_risque": "Fournisseur compromis",
"bien_supporte": "MatΓ©riel embarquΓ© trains",
"vraisemblance": 2,
"gravite": 5,
"niveau_risque": "CRITIQUE"
},
"SS-03": {
"titre": "Attaque sur prestataire maintenance IT",
"source_risque": "Cybercriminel",
"bien_supporte": "Infrastructure IT centrale",
"vraisemblance": 3,
"gravite": 4,
"niveau_risque": "IMPORTANT"
}
}- Segmentation stricte rΓ©seaux OT/IT (IEC 62443)
- Qualification des fournisseurs (SecNumCloud equivalent pour OT)
- Politique de gestion des mises Γ jour signΓ©es cryptographiquement
- Surveillance comportementale des accès tiers (PAM)
| Secteur | Risques Critiques | Risques Importants | Mesures Prioritaires |
|---|---|---|---|
| AXA / Cloud Azure | 2 | 3 | 15 |
| Banque SPI / DORA | 3 | 4 | 22 |
| TransRail Supply Chain | 2 | 2 | 12 |
| Total | 7 | 9 | 49 |
π― Sources de Risque communes aux 3 secteurs :
βββ Cybercriminels organisΓ©s (ransomware, fraude) ββββββββββββ 95%
βββ Groupes APT Γ©tatiques (espionnage, sabotage) ββββββββββββ 70%
βββ InitiΓ©s malveillants (vol de donnΓ©es) ββββββββββββ 55%
βββ Fournisseurs compromis (supply chain) ββββββββββββ 50%
βββ Hacktivistes (DDoS, dΓ©facement) ββββββββββββ 35%
| Standard | Description | Application |
|---|---|---|
| EBIOS RM v1.5 | MΓ©thode ANSSI | Tous cas |
| ISO/IEC 27005:2022 | Information security risk management | Tous cas |
| DORA Regulation | EU 2022/2554 - Digital Operational Resilience | Banque SPI |
| NIS2 Directive | EU 2022/2555 - Network & Information Security | Tous cas |
| IEC 62443 | Industrial Cybersecurity | TransRail |
FilAmine β Cybersecurity Engineer | GRC Specialist
π GitHub Profile | πΌ LinkedIn
These case studies are created for educational and professional demonstration purposes. Sensitive data has been anonymized and fictitious elements have been added.