NIS Standardisation ENISA view

Similar documents
ENISA EU Threat Landscape

ENISA And Standards Adri án Belmonte ETSI Security Week Event Sophia Antipolis (France) 22th June

The NIS Directive and Cybersecurity in

Cyber Security Beyond 2020

The emerging EU certification framework: A role for ENISA Dr. Andreas Mitrakas Head of Unit EU Certification Framework Conference Brussels 01/03/18

Securing Europe s IoT Devices and Services

European Union Agency for Network and Information Security

The Role of ENISA in the Implementation of the NIS Directive Anna Sarri Officer in NIS CIP Workshop Vienna 19 th September 2017

CEN and CENELEC Position Paper on the draft regulation ''Cybersecurity Act''

ENISA Cooperation in the EU / NIS Directive

New cybersecurity landscape in the EU Sławek Górniak 9. CA-Day, Berlin, 28th November 2017

Securing Europe's Information Society

The EU Cybersecurity Package: Implications for ENISA Dr. Steve Purser Head of ENISA Core Operations Athens, 30 th January 2018

ERCI cybersecurity seminar Guildford ERCI cybersecurity seminar Guildford

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

Discussion on MS contribution to the WP2018

ENISA activities in ICT security certification Dr. Prokopios Drogkaris NIS Expert NLO Meeting Athens

Network and Information Security Directive

13967/16 MK/mj 1 DG D 2B

Package of initiatives on Cybersecurity

ENISA s Position on the NIS Directive

The Network and Information Security Directive - ENISA's contribution

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

Security Aspects of Trust Services Providers

Cloud Computing Standards C-SIG Plenary Brussels, 15 February Luis C. Busquets Pérez DG CONNECT E2

STANDARDS TO HELP COMPLY WITH EU LEGISLATION. EUROPE HAS WHAT IT TAKES INCLUDING THE WILL?

Infrastructures and Service Dimitra Liveri Network and Information Security Expert, ENISA

Technologies with the potential to enhance resilience - An overview on the activities of ENISA

The Digitalisation of Finance

EU policy on Network and Information Security & Critical Information Infrastructures Protection

Cybersecurity & Digital Privacy in the Energy sector

Resilience, Deterrence and Defence: Building strong cybersecurity for the EU

Cyber Security in Europe and CEER s new PEER initiative

Cyber Security in Europe

Information sharing in the EU policy on NIS & CIIP. Andrea Servida European Commission DG INFSO-A3

A Strategy for a secure Information Society Dialogue, Partnership and empowerment

COMESA CYBER SECURITY PROGRAM KHARTOUM, SUDAN

Enhancing the cyber security &

Introductory Speech to the Ramboll Event on the future of ENISA. Speech by ENISA s Executive Director, Prof. Dr. Udo Helmbrecht

Brussels, 19 May 2011 COUNCIL THE EUROPEAN UNION 10299/11 TELECOM 71 DATAPROTECT 55 JAI 332 PROCIV 66. NOTE From : COREPER

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

Improving recognition of ICT security standards Recommendations for the Member States for the conformance to NIS Directive

Cybersecurity in the EU Steve Purser Head of Operational Departments, ENISA Regional Cybersecurity Forum Sofia, Bulgaria 29 th November 2016 European

The European Policy on Critical Information Infrastructure Protection (CIIP) Andrea SERVIDA European Commission DG INFSO.A3

Technical guidelines implementing eidas

DIGITIZING INDUSTRY, ICT STANDARDS TO

Security and resilience in Information Society: the European approach

Cybersecurity Package

VdTÜV Statement on the Communication from the EU Commission A Digital Single Market Strategy for Europe

Cybersecurity Policy in the EU: Security Directive - Security for the data in the cloud

Call for Expressions of Interest

H2020 WP Cybersecurity PPP topics

ENISA & Cybersecurity. Dr. Udo Helmbrecht Executive Director, European Network & Information Security Agency (ENISA) 25 October 2010

EISAS Enhanced Roadmap 2012

EUROPEAN COMMISSION JOINT RESEARCH CENTRE. Information Note. JRC activities in the field of. Cybersecurity

European Directives and reglements for Information security

Internet of Things Security standards

EU Cloud Computing Policy. Luis C. Busquets Pérez 26 September 2017

CONCLUSIONS OF THE WESTERN BALKANS DIGITAL SUMMIT APRIL, SKOPJE

Standardization mandate addressed to CEN, CENELEC and ETSI in the field of Information Society Standardization

ETNO Reflection Document on the EC Proposal for a Directive on Network and Information Security (NIS Directive)

Cyber security: a building block of the Digital Single Market

Cybersecurity eit. Software. Certification. Industrial Security Embedded System

EU EHEALTH INTEROPERABILITY,

COMMISSION STAFF WORKING DOCUMENT EXECUTIVE SUMMARY OF THE IMPACT ASSESSMENT. Accompanying the document

Joint FIEEC-ZVEI Position on Cybersecurity

Directive on security of network and information systems (NIS): State of Play

Committee on the Internal Market and Consumer Protection

Position Paper of the ASD Civil Aviation Cybersecurity Taskforce

GDPR Update and ENISA guidelines

IoT and Smart Infrastructure efforts in ENISA

Directive on Security of Network and Information Systems

Cybersecurity in Asia-Pacific State of play, key issues for trade and e-commerce

RESOLUTION 130 (REV. BUSAN, 2014)

Cybersecurity governance in Europe. Sokratis K. Katsikas Systems Security Laboratory Dept. of Digital Systems University of Piraeus

NIS-Directive and Smart Grids

***I DRAFT REPORT. EN United in diversity EN. European Parliament 2017/0225(COD)

Towards a European Cloud Computing Strategy

Technology's role in General Data Protection Regulation Dr. Prokopios Drogkaris Officer in NIS SECPRE 2017 Oslo

European Commission Directorate General Enterprise and Industry INSTITUTIONAL FRAMEWORK ON

EUROPEAN ORGANISATION FOR SECURITY SUPPLY CHAIN SECURITY WHITE PAPER

Some keynote messages on standardization and trade between US and EU

SAINT PETERSBURG DECLARATION Building Confidence and Security in the Use of ICT to Promote Economic Growth and Prosperity

Achieving Global Cyber Security Through Collaboration

TEL2813/IS2820 Security Management

Status of activities Joint Working Group on standards for Smart Grids in Europe

FOR QTSPs BASED ON STANDARDS

NATIONAL CYBER SECURITY STRATEGY. - Version 2.0 -

European Cyber Security Certification: ECSO Meta-Scheme Approach

ENISA today and in the future

EU policy and the way forward for smart meters and smart grids

Friedrich Smaxwil CEN President. CEN European Committee for Standardization

Modernising the public sector through the cloud

ISAO SO Product Outline

DG CONNECT (Unit H5) Update on Data Centre Activities

Raising standards for consumers

The challenges of the NIS directive from the viewpoint of the Vienna Hospital Association

Cybersecurity. Quality. security LED-Modul. basis. Comments by the electrical industry on the EU Cybersecurity Act. manufacturer s declaration

The NIST Cybersecurity Framework

EU Innovation Investments: The Challenges met by Innovation Infrastructures Today in Europe

Transcription:

NIS Standardisation ENISA view Dr. Steve Purser Brussels, 19 th September 2017 European Union Agency for Network and Information Security

Instruments For Improving Cybersecurity Policy makers have a number of instruments at their disposal for improving cybersecurity: International treaties and agreements EU legislation and national legislation Policy statements and strategy Standards Good practices Awareness raising and training It is important to choose the right instrument for the right problem. Standards are well suited to problems that require a normalised approach and are stable in time.

The Importance of Standards (1) Improving efficiency and effectiveness of key processes. Standardised procedures of are critical importance in cross-border and cross community communication. Standard Operating Procedures are key to the EU response mechanism to cyber incidents. Where industry is concerned, standards such as ISO 27001 encourage the adoption of standard organisational structures. Facilitating systems integration and interoperability Security products need to interoperate in different environments. Many security weaknesses occur at the interface of different technologies or products. Needs to be balanced against risk of creating a single target.

The Importance of Standards (2) Enabling different products or methods to be compared in a meaningful manner. Standardisation of testing methods makes it possible to compare security products in a meaningful manner. Example : level of compatibility of cryptographic modules with the FIPS 140-2 standard. Providing a means for users to assess new products or services. Standards increase the level of transparency of the product or service to the end user. Structuring the approach to deploying new technologies or business models.

The Importance of Standards (3) Simplification of complex environments. The complexity of real-life systems is one of the biggest barriers to achieving coherent security solutions. Standards help reduce complexity, reducing the number of special cases that a security solution has to take account of. Techniques such as defence in depth provide a mitigation for the problem of the standardised target. Promoting economic growth. The use of open standards encourages information exchange between developers and is likely to result in greater competition between product developers.

Standardisation Challenges Organisational challenges The number of SDOs and the number of published standards has increased, which can be a source of confusion to end users. This issue is not restricted to the area of standards. Areas of standardisation standardisation activities in the area of NIS tends to be driven by areas of work that lay in line with the core interests of service providers. There is no single, continuous line of standards related to cyber security, but rather a number of discrete areas which are the subject of standardisation. What does a cyber security standard look like? Lack of awareness In many areas, customers still do not demand open standards.

Lack of agility Standardisation Challenges Standards move slowly, ICT moves fast. Good Practice might be a precursor to standards. Competing sets of standards The great thing about standards is that there are so many to choose from. Public key Infrastructure (PKI) for instance often uses a combination of standards : X.509 (ITU), PKIX (IETF), PKCS (RSA) standards. Economic considerations Proprietary standards often result in wasted resources. Companies with a dominant position have few incentives to adopt interoperable standards,

ENISA & Standardisation Legislation Regulation 460/2004: "the Agency shall [..] track the development of standards for products and services on network and information security" Regulation 526/2013, "Support research and development and standardisation, by: facilitating the establishment and take-up of European and international standards for risk management and for the security of electronic products, networks and services" NIS Directive: ENISA, [..] shall draw up advice and guidelines regarding the technical areas [..] as well as regarding already existing standards, including Member States' national standards, which would allow for those areas to be covered Cooperation agreements: ISO SC27 (Liaison), ETSI (MoU), CEN CENELEC (Collaboration agreement) ETSI TISPAN on CIIP, ESI on eid, CLOUD on cloud certification, CEN CENELEC on smart grids, ISO SC 27 in the area of privacy

Current landscape of standardisation Cybersecurity areas covered by standardization Security feature provision o Provision of sector/technology specific security features. Security assurance o Common Criteria (ISO 15408) o Ongoing work in 3GPP Security threat sharing o Sharing of threat information, current attack patterns, software vulnerabilities Organisational management for secure operations o ISO 27000 series Challenges from EU perspective Lack of consistent strategy towards standards Recognized shortcomings of the current approach Need establishing a small number of key initiatives at EU level Improve coordination between EU funded R&D and SDOs

New context NIS Directive Focus of the Directive

Priorities for standardisation related to NIS Directive Close the gaps and simplify the standards for NIS that enable interoperability of event reporting and information sharing Reach consensus on Architectures, interfaces, and information exchange expressions Standards and specifications Develop a means for Information Sharing and Analysis Centers (ISACs) and Information Sharing and Analysis Organizations (ISAOs) to fit into the NIS Directive model and architecture Develop means for Public Electronic Communication Networks or Publicly Available Electronic Communication Service Providers (under Framework Directive) and Trust Providers to fit into the NIS Directive model and architecture Develop additional border gateway defence and threat exchange standards for one Essential Service (Digital Infrastructure Internet Exchange Points) Develop a means for virtualised infrastructures and services to fit into the NIS Directive model and architecture

Recommendations (2014) The Commission and the Member States should continue to encourage vendors to agree on the use of open standards and to encourage both private and public sector organisations to include references to these standards in procurement processes. Member States should consider including the subject of standardization in national cyber security strategies. Emphasis should be given to improving the coordination between policy and operational levels and enhancing the role of public private partnerships in the standardisation process. Member States should encourage National Regulatory Authorities to make greater use of open standards as point of reference in the process of enforcing regulations.

Recommendations (2014) Public institutions involved in the funding of research and development should identify consistent sets of standards for different research areas. Where appropriate, publicly funded research should require compliance with these standards. Standards Development Organisations should work together to identify ways of speeding up the standards development process for cyber security related standards. This might be achieved by a fast track mechanism. The Commission and the Member States should support the EU-wide certification scheme outlined in the new ENISA mandate proposal allowing end users to verify that services or products upon which they rely comply with security standards (2017).

Trending Issues New trust models to ensure supply chain integrity Baseline requirements for IoT security and privacy, including mandatory reference levels for trusted IoT solutions and minimal requirements Adaptation of the framework for interoperability testing to new IoT requirements Future standards for scalability of security controls have to anticipate and meet the needs of different risk levels. Baseline security certification ( lightweight certification) for ICT products Better coordination of work performed by ESOs

Thank you! PO Box 1309, 710 01 Heraklion, Greece Tel: +30 28 14 40 9710 info@enisa.europa.eu www.enisa.europa.eu

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback