NIS-Directive and Smart Grids

Similar documents
Directive on Security of Network and Information Systems

Directive on security of network and information systems (NIS): State of Play

The NIS Directive and Cybersecurity in

Network and Information Security Directive

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

EU Data Protection Triple Threat for May of 2018 What Inside Counsel Needs to Know

ENISA s Position on the NIS Directive

Cybersecurity Policy in the EU: Security Directive - Security for the data in the cloud

COUNCIL OF THE EUROPEAN UNION. Brussels, 24 May /13. Interinstitutional File: 2013/0027 (COD)

The GDPR and NIS Directive: Risk-based security measures and incident notification requirements

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

Exploring the European Commission s Network and Information Security Directive (NIS) What every CISO should know

European Union Agency for Network and Information Security

Cybersecurity Strategy of the Republic of Cyprus

ENISA Cooperation in the EU / NIS Directive

Cyber Security in Europe

Regulating Cyber: the UK s plans for the NIS Directive

Cybersecurity & Digital Privacy in the Energy sector

Securing Europe's Information Society

Working with the EU Directive High common level of network and information security. Martin Apel, SANS ICS Summit, Munich und

CONCLUSIONS OF THE WESTERN BALKANS DIGITAL SUMMIT APRIL, SKOPJE

Creating NIS Compliant Country in a Non-Regulated Environment. Jurica Čular

COMMISSION STAFF WORKING DOCUMENT EXECUTIVE SUMMARY OF THE IMPACT ASSESSMENT. Accompanying the document

Discussion on MS contribution to the WP2018

COMMISSION RECOMMENDATION. of on Coordinated Response to Large Scale Cybersecurity Incidents and Crises

Brussels, 19 May 2011 COUNCIL THE EUROPEAN UNION 10299/11 TELECOM 71 DATAPROTECT 55 JAI 332 PROCIV 66. NOTE From : COREPER

13967/16 MK/mj 1 DG D 2B

A Strategy for a secure Information Society Dialogue, Partnership and empowerment

COMMENTARY. The New EU Cybersecurity Directive: What Impact on Digital Service Providers? Relevant Terms

The Role of ENISA in the Implementation of the NIS Directive Anna Sarri Officer in NIS CIP Workshop Vienna 19 th September 2017

Critical Information Infrastructure Protection. Role of CIRTs and Cooperation at National Level

Bradford J. Willke. 19 September 2007

ENISA EU Threat Landscape

The Network and Information Security Directive - ENISA's contribution

Cyber Security in Europe and CEER s new PEER initiative

Package of initiatives on Cybersecurity

The SPARKS Project Motivation, Objectives and Results

Security and resilience in Information Society: the European approach

Critical Infrastructure Protection in the European Union

Information sharing in the EU policy on NIS & CIIP. Andrea Servida European Commission DG INFSO-A3

Call for Expressions of Interest

Infrastructures and Service Dimitra Liveri Network and Information Security Expert, ENISA

Legislative Framework

International Legal Regulation of Cybersecurity U.S.-German Standards Panel 2018

NIS Directive development The Incident Notification Framework

NATIONAL CYBER SECURITY STRATEGY. - Version 2.0 -

The European Policy on Critical Information Infrastructure Protection (CIIP) Andrea SERVIDA European Commission DG INFSO.A3

National Policy and Guiding Principles

The EU Cybersecurity Package: Implications for ENISA Dr. Steve Purser Head of ENISA Core Operations Athens, 30 th January 2018

EISAS Enhanced Roadmap 2012

ETNO Reflection Document on the EC Proposal for a Directive on Network and Information Security (NIS Directive)

Committee on Civil Liberties, Justice and Home Affairs

NIS Standardisation ENISA view

EU policy on Network and Information Security & Critical Information Infrastructures Protection

Promoting Global Cybersecurity

Cyber Security Beyond 2020

About Issues in Building the National Strategy for Cybersecurity in Vietnam

The challenges of the NIS directive from the viewpoint of the Vienna Hospital Association

ENISA & Cybersecurity. Dr. Udo Helmbrecht Executive Director, European Network & Information Security Agency (ENISA) 25 October 2010

NIS Directive : Call for Proposals

CEN and CENELEC Position Paper on the draft regulation ''Cybersecurity Act''

VdTÜV Statement on the Communication from the EU Commission A Digital Single Market Strategy for Europe

CEF Telecom Calls: CEF-TC : Cyber Security TZAFALIAS ARISTOTELIS POLICY OFFICER DG CONNECT

COUNCIL OF THE EUROPEAN UNION. Brussels, 28 January 2003 (OR. en) 15723/02 TELECOM 78 JAI 307 PESC 593

Data Processing Clauses

New cybersecurity landscape in the EU Sławek Górniak 9. CA-Day, Berlin, 28th November 2017

ERCI cybersecurity seminar Guildford ERCI cybersecurity seminar Guildford

Resolution adopted by the General Assembly on 21 December [on the report of the Second Committee (A/64/422/Add.3)]

Valérie Andrianavaly European Commission DG INFSO-A3

H2020 Opportunities in the Area of Security and Critical Infrastructure Protection

Legal and Regulatory Developments for Privacy and Security

THE CYBER SECURITY ENVIRONMENT IN LITHUANIA

FINNISH APPROACH TO CRITICAL INFRASTRUCTURE PROTECTION

Breach Notification Form

Special Action Plan on Countermeasures to Cyber-terrorism of Critical Infrastructure (Provisional Translation)

Critical Infrastructure Analysis and Protection - A Case for Secure Information Exchange. August 16, 2016

RESOLUTION 130 (Rev. Antalya, 2006)

Enhancing the security of CIIPs in Europe - ENISA s Approach Dimitra Liveri Network and Information Security Expert

Security and resilience in the Information Society: the role of CERTs/CSIRTs in the context of the EU CIIP policy

The Case for National CSIRTs

U.S. Japan Internet Economy Industry Forum Joint Statement October 2013 Keidanren The American Chamber of Commerce in Japan

Data Processing Agreement

Commonwealth Cyber Declaration

Council of the European Union Brussels, 14 September 2017 (OR. en)

Horizon 2020 Security

ENISA today and in the future

Current developments in Germany and Europe

Strategy for information security in Sweden

Robert Bond. Respecting Privacy, Securing Data and Enabling Trust a view from Europe

Member of the County or municipal emergency management organization

Presentation to the ITU on the Q-CERT Incident Management Team. Ian M Dowdeswell Incident Manager, Q-CERT

Research Infrastructures and Horizon 2020

Public consultation on Counterfeit and Piracy Watch-List

SAINT PETERSBURG DECLARATION Building Confidence and Security in the Use of ICT to Promote Economic Growth and Prosperity

H2020 WP Cybersecurity PPP topics

EUROPEAN COMMISSION JOINT RESEARCH CENTRE. Information Note. JRC activities in the field of. Cybersecurity

Secure Societies Work Programme Call

The NIST Cybersecurity Framework

European Directives and reglements for Information security

Committee on the Internal Market and Consumer Protection

Transcription:

NIS-Directive and Smart Grids Workshop on European Smart Grid Cybersecurity: Emerging Threats and Countermeasures Marie Holzleitner

Table of Content Aims & Objectives Affected Parties Selected Requirements of the NIS-DIRECTIVE Selected Requirements of the General Data Protection Regulation 2

NAME: DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL concerning measures for a high common level of security of network and information systems across the Union (NIS- Directive) Directive (EU) 2016/1148 of 6th July 2016 Entry into force: August 2016 MS have 21 months to transpose the Directive into their national laws 3

NIS-DIRECTIVE is defined as a common provision for ALL network and information systems, e.g. digital infrastructure, financial market infrastructure, banking, NO specific regulation for the energy sector and the smart grid environment Can a common provision sufficiently cover the specific requirements of the Energy Sector? 4

AIM of NIS-DIRECTIVE 5

Aim of the NIS-Directive What is the aim of the NIS-Directive? ensure a high common level of network and information security (NIS) improving the security of the Internet and the private networks and information systems increase preparedness of Member States (MS) improve cooperation between Member States 6

OBJECTIVES 7

Objectives of the NIS-Directive What are the cornerstones? 1. national NIS strategy 2. creating a cooperation group to support and facilitate strategic cooperation and exchange of information 3. creating a Computer Security Incident Response Team (CSIRTs) to facilitate effective operational cooperation 8

Objectives of the NIS-Directive 4. security and notification requirements for operators of essential services and 5. digital service providers 6. national competent authorities, single points of contact and CSIRTs with tasks related to the security of networks and information systems 9

AFFECTED PARTIES 10

Affected Parties For whom does the NIS Directive apply? Operator of essential services Digital Service Provider no application if certain provisions (with at least equivalent requirements) apply instead of the respective NIS Directive Directive not applicable: not for Micro and Small Enterprises not for sectors which are regulated separately (with at least equivalent requirements) 11

Affected Parties Operator of essential services 6 months after implementation of MS to identify operators of essential services public or private entity with an important role for the society and economy have to take appropriate security measures and to notify serious incidents to the relevant national authority 12

Affected Parties Operator of essential services applies to operators of essential services in the following critical sectors: Energy: electricity, oil and gas Transport: air, rail, water and road Banking: credit institutions Financial market infrastructures: trading venues, central counterparties Health: healthcare settings Water: drinking water supply and distribution Digital infrastructure: internet exchange points, domain name system service providers, top level domain name registries 13

Affected Parties Operator of essential services Requirement National Measures Preventing risks: Technical and organisational measures that are appropriate and proportionate to the risk. Ensuring security of network and information systems: The measures should ensure a level of security of network and information systems appropriate to the risks. Handling incidents: The measures should prevent and minimize the impact of incidents on the IT systems used to provide the services. 14

Affected Parties Operator of essential services Identification of OoES Entities providing service which is essential for the maintance of critical societal/economic activities provision of that service depends on network and information systems security incident would have significant disruptive effects on the provision of the essential service Which entities in the Smart Grid Environment need to be considered? 15

Applicability of NIS-Directive USEF interaction model Smart Energy Collective, An introduction to the Universal Smart The SPARKS Energy Consortium EU Framework FP7 Programme! Contract No. 608224 16

Affected Parties Digital Service Provider (DSP) means any legal person that provides a digital service Types of DSPs for purposes of NIS-Directive Online Marketplace Online Search Engine Cloud Computing Service Is there any relevant Digital Service Provider in the Smart Grid Environment? 17

NATIONAL EFFORTS & INSTITUTIONS 18

National Efforts & Institutions NIS Strategy Each MS has to adopt a National NIS Strategy Strategic objectives, priorities and governance framework Identification of measures on preparedness, response and recovery Cooperation methods between the public and private sectors Awareness raising, training and education Research & development plans related to NIS Strategy Risk assessment plan List of actors involved in the strategy implementation communicated to Commission within 3 months from their adoption 19

National Efforts & Institutions NIS Strategy Each MS has to adopt a National NIS Strategy Strategic objectives, priorities and governance framework Identification of measures on preparedness, response and recovery Cooperation methods between the public and private sectors Awareness raising, training and education Research & development plans related to NIS Strategy Risk assessment plan List of actors involved in the strategy implementation What do we expect from the NIS-Strategies to promote security in the Energy Sector? 20

National Efforts & Institutions Which compulsory institutions does every Member State have to establish? Competent Authority Single Point of Contact Computer Security Incident Response Team (CSIRT) 21

National Efforts & Institutions Competent Authority Monitors application of NIS Directive at national level Is to be notified in case of an incident (or CSIRT) 22

National Efforts & Institutions Single Point of Contact liaison function to ensure cross-border cooperation of MS authorities anonymized summary report to Cooperation Group about received notifications 23

National Efforts & Institutions Computer Security Incident Response Team (CSIRT) handling incidents and risks according to a defined process - responding to incidents ensure high availability of communications services by avoiding single points of failure Monitoring incidents at a national level Providing early warning, alerts, announcements and dissemination of information 24

National Efforts & Institutions Competent Authority Single Point of Contact Computer Security Incident Response Team (CSIRT) How to ensure that the specific needs of the Energy Sector are covered? 25

TRANSNATIONAL NETWORKS 26

Transnational Networks Cooperation Group Aim support and facilitate strategic cooperation among MS share information about best practices Composition Members of Commission, ENISA and MS Biennial workprogramme Output report assessing gained experience with strategic cooperation every 1,5 years 27

Transnational Networks CSIRTs network Aim confidence and trust between MS swift and effective operational cooperation Composition National CSIRTs, CERT-EU, Commission (observer), ENISA (support) Output report assessing gained experience with operational cooperation every 1,5 years 28

Transnational Networks Cooperation Group CSIRTs Network What should be the specific tasks of these transnational networks? 29

INCIDENT NOTIFICATION according to NIS-DIRECTIVE 30

Incident Notification according to NIS-Directive Significant disruptive effect cross-sectoral factors Number of users Dependency of other sectors Impact on economic and societal acitivities or public safety (degree and duration) Market share Geographic spread Importance for maintaining a sufficiant level Appropriate sector-specified factors How do we classify an incident as significant in a Smart Grid environment? 31

Incident Notification according to NIS-Directive Parameters which should be taken into consideration by OoES Number of users affected Duration of incident Geographic spread These parameters may be further clarified by means of guidelines adopted by the national competent authorities acting together within the Cooperation Group. 32

Incident Notification according to NIS-Directive Parameters which should be taken into consideration by DSP Number of users affected Duration of incident Geographic spread The extent of the disruption of the service The impact on economic and sociatal activities These parameters will be further specified by the Commission by means of implementing acts. 33

Incident Notification according to NIS-Directive Notification to Public public awareness necessary to prevent an incident deal with an ongoing incident disclosure otherwise in the public interest 34

INCIDENT NOTIFICATION according to GENERAL DATA PROTECTION REGULATION (GDPR) 35

Incident Notification according to GDPR Notification to supervisory authority (General Data Protection Regulation) risk to personal data Personal data breach is likely to risk rights and freedom of individuals deal with an ongoing incident disclosure of the incident is otherwise in the public interest 36

INCIDENT NOTIFICATION SUMMARY 37

Incident Notification - Summary Focus: NIS Directive: focused on network security to improve security of the Internet and private networks and information systems GDPR: safeguard personal data 38

Incident Notification - Summary Requirement: NIS Directive: requires operators to appropriately secure their networks to protect the provision of the service GDPR: requires controllers to adopt measures that secure personal data 39

Incident Notification - Summary What incidents require notification? NIS Directive: breach notification required if significant disruption to provision GDPR: breach notification only where personal data is jeopardized 40

Incident Notification - Summary Whom to notify? NIS Directive: Notification to competent authority GDPR: Notification to data subjects 41

INVITATION Workshop on Security Requirements for Smart Grids: Economic, legal and societal aspects On 19th of October 2016 in the European Parliament, Brussels Attendees of EP, Comission, ENISA, ACER, 42

THANK YOU FOR YOUR ATTENTION Energieinstitut an der Johannes Kepler Universität Linz Altenberger Straße 69 4040 Linz, AUSTRIA Tel: +43 723 2468 5675 Fax: + 43 723 2468 5651 e-mail: holzleitner@energieinstitut-linz.at Marie-Theres Holzleitner holzleitner@energieinstitut-linz.at 43

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback