Enhancing the security of CIIPs in Europe - ENISA s Approach Dimitra Liveri Network and Information Security Expert European Union Agency For Network And Information Security
Securing Europe s Information Society Operational Office in Athens
Positioning ENISA activities
National Cyber Security Strategies in EU 4
Critical Information Infrastructure (CII) ICT systems that are critical infrastructures for themselves or that are essential for the operation of critical infrastructures (telecommunications, computers/software, Internet, satellites, etc.)
Critical Sectors in EU MS Sectors Energy ICT Water Food Health Financial Public Legal Order & Civil Admin. Transport Chemical & Nuclear Industry AU BE CZ DK EE FI FR DE EL HU IT MT NL PL SK ES UK CH Space & Research
Critical Information Infrastructure Protection in Europe: ENISA efforts Communication networks: Critical information Infrastructure and Internet Infrastructure ICS SCADA Smart grids ehealth Finance Transport
2015 studies on CIIs Stock Taking, Analysis and Recommendations on the protection of CIIs Analysis of ICS-SCADA Cyber Security Maturity Levels in Critical Sectors Communication networks dependencies in smart grids Security and resilience for E-health infrastructure Security and resilience for cloud computing in the Finance sector 8
Key Findings Protection of CII in EU Member States Paul Weissmann; Pascal Pillokeit
Key Findings National Authorities 18 16 14 Most countries have assigned responsibility to Information security agencies, Emergency or CIP agencies, or National regulatory agencies 12 10 8 6 4 2 7 5 4 2 2 2 Reason: Historical development or indicator for how the problem is perceived Only four countries have assigned CIIP to Information security forums or Intelligence security agencies 0 ISA EMR NRA ISF INT MIN In two cases, responsibility is shared between a Ministry and a public agency
Key Findings Task and Responsibilities Most tasks are on the operational level (10-12 / out of 12 examined countries) (darkblue) 7 to 8 countries have been assigned responsibilities on the politico-strategic level (lightblue) 4 countries have been tasked with the supervision of institutions other than CERT. These include mainly regulatory tasks (red) Point of contact for incident reporting Organise and conduct CIIP-related exercises and training Advisory to operators of CII (private and public sector) Incident response Development of strategy or policy papers Monitoring the security of national CII Issuing guidelines or proposing legislations Supervision of national CERT Monitoring the implementation of security measures Supervision of other institutions 4 7 7 7 8 8 10 11 11 12 0 2 4 6 8 10 12
Key Findings Public-private Cooperation Risk Assessment Cooperation between private and public stakeholders 2 6 10 PPP Working groups (or similar) Informal Ten out of 18 examined countries have developed partnerships with private actors Trend towards more institutionalised forms of cooperation with the private stakeholders Risk Assessment The majority of the 16 examined countries has conducted RA on a 5 4 national level or a planning to do so This can be seen as an indicator for 3 how a government perceives the 4 problem National National (under dev) Sectorial Operators
Key Findings Obligations and Requirements 16 12 8 4 0 5 All sectors Security Incident Reporting 10 Limited to specific sectors 2 None Only five of 17 examined countries have established mandatory incident reporting across all sectors All Member States have implemented mandatory incident reporting in the telecommunications sector Other important sectors: Finance, Energy, Public Administration 16 Security Audits 12 8 4 0 5 All sectors 6 6 Limited to specific sectors None Six countries have implemented no mandatory security audits in any sector Security Audits are either of less priority for countries or hard to implement
Governance of CIIP Protection of CII in EU Member States Paul Weissmann; Pascal Pillokeit
Governance of CIIP Three profiles of CIIP-governance have been examined Centralised approach Decentralised approach Co-regulation with private sector The different profiles illustrate specific forms of CIIP governance, which are defined by their shared characteristics. The profiles are not exclusive types, but are rather points on a spectrum These profiles can help to understand how CIIP is organised in the individual Member States Can help to understand and what CIIP-measures and -actions can possibly be transferred from one Member State to another
Governance of CIIP The centralised approach The centralised approach is characterised by Central authority across sectors Comprehensive legislation Examples France Public Agency Public Agency Public Agency Sector Sector Sector
Governance of CIIP The decentralised approach The decentralised approach is characterised by Principle of subsidiarity Strong cooperation between public agencies Sector-specific legislation Examples Sweden Public Agency Council Public Agency Sector Sector
Governance of CIIP The co-regulation approach The co-regulation approach is characterised by Institutionalised cooperation with the private sector Horizontal relationship between public and private parties Examples Netherlands Public Agency PPP Private Actors Sector
Goals 01 Raise the level of awareness on CIIP in Europe 02 Support Private and Public Sector with focused studies and tools 03 Facilitate information exchange and collaboration 04 Foster the growth of communication networks and industry 05 Enable higher level of security for Europe s Critical Infrastructures
Thank you Dimitra Liveri resilience@enisa.europa.eu www.enisa.europa.eu/internetcii https://www.enisa.europa.eu/scada