Enhancing the security of CIIPs in Europe - ENISA s Approach Dimitra Liveri Network and Information Security Expert

Transcription

1 Enhancing the security of CIIPs in Europe - ENISA s Approach Dimitra Liveri Network and Information Security Expert European Union Agency For Network And Information Security

2 Securing Europe s Information Society Operational Office in Athens

3 Positioning ENISA activities

4 National Cyber Security Strategies in EU 4

5 Critical Information Infrastructure (CII) ICT systems that are critical infrastructures for themselves or that are essential for the operation of critical infrastructures (telecommunications, computers/software, Internet, satellites, etc.)

6 Critical Sectors in EU MS Sectors Energy ICT Water Food Health Financial Public Legal Order & Civil Admin. Transport Chemical & Nuclear Industry AU BE CZ DK EE FI FR DE EL HU IT MT NL PL SK ES UK CH Space & Research

7 Critical Information Infrastructure Protection in Europe: ENISA efforts Communication networks: Critical information Infrastructure and Internet Infrastructure ICS SCADA Smart grids ehealth Finance Transport

8 2015 studies on CIIs Stock Taking, Analysis and Recommendations on the protection of CIIs Analysis of ICS-SCADA Cyber Security Maturity Levels in Critical Sectors Communication networks dependencies in smart grids Security and resilience for E-health infrastructure Security and resilience for cloud computing in the Finance sector 8

9 Key Findings Protection of CII in EU Member States Paul Weissmann; Pascal Pillokeit

10 Key Findings National Authorities Most countries have assigned responsibility to Information security agencies, Emergency or CIP agencies, or National regulatory agencies Reason: Historical development or indicator for how the problem is perceived Only four countries have assigned CIIP to Information security forums or Intelligence security agencies 0 ISA EMR NRA ISF INT MIN In two cases, responsibility is shared between a Ministry and a public agency

11 Key Findings Task and Responsibilities Most tasks are on the operational level (10-12 / out of 12 examined countries) (darkblue) 7 to 8 countries have been assigned responsibilities on the politico-strategic level (lightblue) 4 countries have been tasked with the supervision of institutions other than CERT. These include mainly regulatory tasks (red) Point of contact for incident reporting Organise and conduct CIIP-related exercises and training Advisory to operators of CII (private and public sector) Incident response Development of strategy or policy papers Monitoring the security of national CII Issuing guidelines or proposing legislations Supervision of national CERT Monitoring the implementation of security measures Supervision of other institutions

12 Key Findings Public-private Cooperation Risk Assessment Cooperation between private and public stakeholders PPP Working groups (or similar) Informal Ten out of 18 examined countries have developed partnerships with private actors Trend towards more institutionalised forms of cooperation with the private stakeholders Risk Assessment The majority of the 16 examined countries has conducted RA on a 5 4 national level or a planning to do so This can be seen as an indicator for 3 how a government perceives the 4 problem National National (under dev) Sectorial Operators

13 Key Findings Obligations and Requirements All sectors Security Incident Reporting 10 Limited to specific sectors 2 None Only five of 17 examined countries have established mandatory incident reporting across all sectors All Member States have implemented mandatory incident reporting in the telecommunications sector Other important sectors: Finance, Energy, Public Administration 16 Security Audits All sectors 6 6 Limited to specific sectors None Six countries have implemented no mandatory security audits in any sector Security Audits are either of less priority for countries or hard to implement

14 Governance of CIIP Protection of CII in EU Member States Paul Weissmann; Pascal Pillokeit

15 Governance of CIIP Three profiles of CIIP-governance have been examined Centralised approach Decentralised approach Co-regulation with private sector The different profiles illustrate specific forms of CIIP governance, which are defined by their shared characteristics. The profiles are not exclusive types, but are rather points on a spectrum These profiles can help to understand how CIIP is organised in the individual Member States Can help to understand and what CIIP-measures and -actions can possibly be transferred from one Member State to another

16 Governance of CIIP The centralised approach The centralised approach is characterised by Central authority across sectors Comprehensive legislation Examples France Public Agency Public Agency Public Agency Sector Sector Sector

17 Governance of CIIP The decentralised approach The decentralised approach is characterised by Principle of subsidiarity Strong cooperation between public agencies Sector-specific legislation Examples Sweden Public Agency Council Public Agency Sector Sector

18 Governance of CIIP The co-regulation approach The co-regulation approach is characterised by Institutionalised cooperation with the private sector Horizontal relationship between public and private parties Examples Netherlands Public Agency PPP Private Actors Sector

19 Goals 01 Raise the level of awareness on CIIP in Europe 02 Support Private and Public Sector with focused studies and tools 03 Facilitate information exchange and collaboration 04 Foster the growth of communication networks and industry 05 Enable higher level of security for Europe s Critical Infrastructures

20 Thank you Dimitra Liveri