European Union Agency for Network and Information Security


Critical Information Infrastructure Protection in the EU
Evangelos Ouzounis, Head of Secure Infrastructure and Services
Regional Cybersecurity Forum, Sofia, Bulgaria, 29th November 2016
European Union Agency for Network and Information Security

EU Policy Context
- ENISA II new mandate
- EU Cyber Security Strategy (COM)
- EECSP
- eIDAS Directive, article 19
- General Data Protection Regulation (GDPR)
- The NIS Directive
- cPPP
- Telecom Package, article 13a and art. 4
- EU Cloud Computing Strategy and Partnership (COM)
- EU's CIIP action plan
- Digital Single Market Strategy (DSM)
- Security of supply directive
- Commission Recommendation 2012/148/EU: PIA for smart meters, BATs

The Network and Information Security Directive

The NIS Directive
Scope: to achieve a high common level of security of NIS within the Union (the first EU regulatory act at this level).
Status: on 17 May 2016 the Council approved its position at first reading; the next step is approval of the legal act by the European Parliament at second reading. The directive entered into force in August 2016, with 21 months after entry into force for transposition.
Provisions:
- Obligations for all MS to adopt national NIS strategies and designate national authorities.
- Creates the first EU cooperation group on NIS, drawn from all MS.
- Creates an EU network of national CSIRTs.
- Establishes security and notification requirements for operators of essential services and digital service providers.

NIS Directive timeline
- August 2016: entry into force
- February 2017 (6 months): Cooperation Group begins tasks
- August 2017 (12 months): adoption of implementing acts on security and notification requirements for DSPs
- February 2018 (18 months): Cooperation Group establishes work programme
- 9 May 2018 (21 months): transposition into national law
- November 2018 (27 months): Member States to identify operators of essential services
- May 2019 (33 months, i.e. 1 year after transposition): Commission report on the consistency of Member States' identification of OES
- May 2021 (57 months, i.e. 3 years after transposition): Commission review

CIIP Governance in EU Member States: three profiles of CIIP governance
Centralised approach (example: France)
- Central authority across sectors
- Comprehensive legislation
Decentralised approach (example: Sweden)
- Principle of subsidiarity
- Strong cooperation between public agencies
- Sector-specific legislation
Co-regulation with the private sector (example: The Netherlands)
- Institutionalised cooperation with the private sector (PPP with private actors across sectors)
- Horizontal relationship between public and private parties

Energy sector: an attractive target
- More than 500 million inhabitants; annual electricity need of ~3.3 million gigawatt hours
- Economic impact
- Brand damage / customer confidence erosion
- Implications for public safety from disruptions in: communications, exploration, energy refining, power and utility services
- Organizational reasons and operational reasons

Key findings in the Energy Sector
- Most of the attacks target the SCADA, not the field devices (directly).
- Common attack methods such as (spear) phishing, XSS, USB sticks, etc.
- Although several field-device attack demonstrations have taken place, backdoors at the field devices cannot be confirmed (yet).
- Common ICT security practices can be applied to the existing landscape: regular patching, media access policy, testing of DRPs, encryption.
- Difficulty in identifying reliable, publicly available and representative factual data: no EU ICS CSIRT, distributed data collections, non-disclosure policies.

Cybersecurity for ICS/SCADA
- EuroSCSIE: ICS Security Stakeholder Group
- Protecting Industrial Control Systems: Recommendations for Europe and Member States
- Can we learn from SCADA security incidents?
- Window of exposure: a real problem for SCADA systems?
- Good Practices for an EU ICS Testing Coordination Capability
- Certification of Cyber Security skills of ICS/SCADA professionals
https://www.enisa.europa.eu/scada

Incident Reporting for the Telecom Sector
Article 13a of the Framework Directive (2009/140/EC) was introduced in the 2009 reform of the EU regulatory framework for electronic communications. Art. 13a addresses the security and integrity of public electronic communications networks and services (availability of the service).
Art. 13a of the Telecom Package:
- Expert Group with all NRAs (EU and EFTA) and the EC
- Non-binding technical guidelines (strong adoption among MS)
- 4 years of success: annual reporting from telecoms to NRAs and then to ENISA and the EC
- Impact evaluation available March 2016
More incident reporting schemes:
- Article 4 on data breaches (Telecom Package)
- Article 19 on breaches of trust services (eIDAS)
- NIS Directive (affecting many sectors)

[Chart: Incidents per root cause category (percentage), 2011-2015; series: natural phenomena, human errors, malicious actions, system failures]
[Chart: Impact on emergency services (percentage), 2011-2015; series: affected, not affected]

Cyber Security of the Finance Sector
Distributed Ledger Technology: a new technology offering possibilities for the automation of processes. ENISA tries to identify the security challenges of this technology.
Challenges:
- Traditional: key management, privacy
- Technology specific: security of smart contracts, consensus hijack, anti-fraud tools
Mobile Payment Applications: every day a new payment app comes onto the market. ENISA tries to identify the minimum security measures for a mobile payment application.
Recommendations on minimum measures:
- Avoid hard-coded sensitive information such as passwords or keys
- Verify the integrity of the running code
- Certificate pinning, to ensure that the application is communicating with the intended end points
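Added example (not ENISA's code and not from the slides): the certificate-pinning measure above as an SPKI pin check in Python, run against a constructed X.509 skeleton (dummy key bytes, real field order) so it works offline. In a real client the DER certificate would come from `ssl.SSLSocket.getpeercert(binary_form=True)` and the connection would be refused when `pin_matches` returns False.

```python
import base64
import hashlib

def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length (real certs use it)
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def _children(buf, start, end):
    """Yield (tag, tlv_start, tlv_end) for each element of a SEQUENCE body."""
    pos = start
    while pos < end:
        tag, _, vend = _tlv(buf, pos)
        yield tag, pos, vend
        pos = vend

def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo TLV of an X.509 certificate."""
    _, tbs_start, _ = _tlv(cert_der, 0)                   # Certificate SEQUENCE
    _, body_start, body_end = _tlv(cert_der, tbs_start)   # tbsCertificate
    fields = list(_children(cert_der, body_start, body_end))
    if fields[0][0] == 0xA0:                 # optional [0] EXPLICIT version
        fields = fields[1:]
    _, spki_start, spki_end = fields[5]      # serial, sigAlg, issuer, validity, subject, SPKI
    return cert_der[spki_start:spki_end]

def spki_pin(cert_der):
    """RFC 7469-style pin value: base64(SHA-256(SPKI DER))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def pin_matches(cert_der, pinned):
    """Accept the peer only if its SPKI pin is in the pin set shipped with the app."""
    return spki_pin(cert_der) in pinned

def der(tag, payload):
    """Short-form DER encoder (payload < 128 bytes), for the constructed sample only."""
    assert len(payload) < 0x80
    return bytes([tag, len(payload)]) + payload

# Constructed certificate skeleton (not a real certificate): dummy SPKI bytes,
# but the X.509 field order an app would meet from a real TLS peer.
SAMPLE_SPKI = der(0x30, der(0x30, b"\x06\x01\x00") + der(0x03, b"\x00" + b"\x42" * 64))
SAMPLE_CERT = der(0x30, der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
                  + der(0x30, b"") * 4 + SAMPLE_SPKI) + der(0x30, b"") + der(0x03, b"\x00"))
PINNED = {spki_pin(SAMPLE_CERT)}     # the pin set the app ships; any other key fails
```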

ENISA and IoT security
Areas: Smart Cities, Smart Homes, Intelligent Public Transport, SCADA and Industry 4.0, eHealth, Smart Cars, Smart Airports
ENISA develops expertise to secure IoT:
- Evaluation of threats
- Promotion of security good practices
- Stakeholder engagement
- Awareness raising
- Community expert groups
- Liaison with policy makers
ENISA provides guidance to secure IoT against cyber threats.

IoT in Smart Homes
Security concerns:
- Manufacturers don't invest in security
- Security and privacy are closely linked
- Difficult to secure the entire lifecycle of products
ENISA proposes to:
- Establish security procurement guidelines
- Define a framework to evaluate the security of products
- Support security-driven business models

Cybersecurity for Intelligent Public Transport
Existing status: security for IPT is limited
- Safety does not integrate security
- Security is not well integrated in organisations
- Awareness level is low
ENISA objectives:
- Assist IPT operators in their risk assessment
- Raise awareness among municipalities and policy makers
- Invite manufacturers and solution vendors to focus on security
Yet it is possible to act today:
- Understand the threats to critical assets
- Assess applicable security measures
- Collaborate to enhance cyber security
ENISA aims at providing pragmatic solutions to secure transport infrastructure in Europe.

Cybersecurity for Smart Cars
Challenges:
- Increased attack surface
- Insecure development in today's cars
- Security culture
- Liability
- Safety and security process integration
- Supply chain and glue code
Recommendations:
- Improve cyber security in smart cars
- Improve information sharing amongst industry actors
- Improve exchanges with security researchers and third parties
- Clarify liability among industry actors
- Achieve consensus on technical standards for good practices
- Define an independent third-party evaluation scheme
- Build tools for security analysis

Cybersecurity for Smart Airports
- Variety of cyber security practices in airports
- Lack of EU regulations on cyber security of airports
- Lack of guidelines on network architecture, ownership, and remote management
- Evidence-based vulnerability analysis: metrics and priorities
- Threat modelling and architecture analysis
- Information sharing
- Multi-stakeholder enabled security technologies
- Appropriate security governance model
- Skillset of experts: safety vis-à-vis security

2016: ENISA work to secure Smart Hospitals
Objectives:
- Improve security and resilience of hospitals' information systems
- Identify common cyber security threats and challenges, and present mitigation measures to address them
- Support pilots in hospitals across the EU
- Secure devices and systems to improve patient safety

Conclusions
1. Cyber attacks on CIIs are now the norm rather than a future trend.
2. Failure to detect threats is often more costly than false alarms.
3. MS and the private sector, with the assistance of ENISA, should co-operate to protect CIIs: sharing experiences and information, developing and deploying good practices, and co-operating with NRAs to achieve EU-wide harmonisation of EU regulations.
4. Collaboration is everything.