Critical Information Infrastructure Protection in the EU
Evangelos Ouzounis, Head of Secure Infrastructure and Services
Regional Cybersecurity Forum, Sofia, Bulgaria, 29th November 2016
European Union Agency for Network and Information Security (ENISA)
EU Policy Context
- ENISA II new mandate
- EU Cyber Security Strategy (COM)
- EECSP
- eIDAS Directive, article 19
- General Data Protection Regulation (GDPR)
- The NIS Directive
- cPPP
- Telecom Package, article 13a and article 4
- EU Cloud Computing Strategy and Partnership (COM)
- EU's CIIP action plan
- Digital Single Market Strategy (DSM)
- Security of supply directive
- Commission Recommendation 2012/148/EU: PIA for smart meters
- BATs
The Network and Information Security Directive (about the NIS Directive)
The NIS Directive
Scope: to achieve a high common level of security of NIS within the Union (the first EU regulatory act at this level).
Status: on 17 May 2016 the Council approved its position at first reading; the next step was approval of the legal act by the European Parliament at second reading. The directive entered into force in August 2016. Transposition is due 21 months after entry into force.
Provisions:
- Obligations for all Member States (MS) to adopt national NIS strategies and designate national authorities.
- Creates the first EU cooperation group on NIS, drawn from all MS.
- Creates an EU network of national CSIRTs.
- Establishes security and notification requirements for operators of essential services (OES) and digital service providers (DSPs).
NIS Directive - TIMELINE
- August 2016: entry into force
- February 2017 (6 months): Cooperation Group begins its tasks
- August 2017 (12 months): adoption of implementing acts on security and notification requirements for DSPs
- February 2018 (18 months): Cooperation Group establishes its work programme
- 9 May 2018 (21 months): transposition into national law
- November 2018 (27 months): Member States to identify operators of essential services
- May 2019 (33 months, i.e. 1 year after transposition): Commission report on the consistency of Member States' identification of OES
- May 2021 (57 months, i.e. 3 years after transposition): Commission review
CIIP Governance in EU Member States: three profiles of CIIP governance
- Centralised approach: a central authority across sectors; comprehensive legislation. Example: France.
- Decentralised approach: principle of subsidiarity; strong cooperation between public agencies; sector-specific legislation. Example: Sweden.
- Co-regulation with the private sector: institutionalised cooperation with the private sector (PPP); horizontal relationship between public and private parties, with private actors organised per sector. Example: The Netherlands.
Energy sector: an attractive target
- More than 500 million inhabitants; annual electricity need of roughly 3.3 million gigawatt hours
- Economic impact
- Brand damage / erosion of customer confidence
- Implications for public safety from disruptions in:
  - communications,
  - exploration,
  - energy refining,
  - power and utility services.
Attackers' motives fall into organizational reasons and operational reasons.
Key findings in the Energy Sector
- Most of the attacks target the SCADA systems, not the field devices (directly).
- Common attack methods: (spear) phishing, XSS, USB sticks, etc.
- Although several field-device attack demonstrations have taken place, backdoors in field devices cannot be confirmed (yet).
- Common ICT security practices can be applied to the existing landscape: regular patching, a media access policy, testing of DRPs (disaster recovery plans), encryption.
- It is difficult to identify reliable, publicly available and representative factual data: there is no EU ICS CSIRT, data collections are distributed, and non-disclosure policies apply.
Cybersecurity for ICS/SCADA
- EuroSCSIE: ICS Security Stakeholder Group
- Protecting Industrial Control Systems: Recommendations for Europe and Member States
- Can we learn from SCADA security incidents?
- Window of exposure: a real problem for SCADA systems?
- Good Practices for an EU ICS Testing Coordination Capability
- Certification of Cyber Security skills of ICS/SCADA professionals
https://www.enisa.europa.eu/scada
Incident Reporting for the Telecom Sector
Article 13a of the Framework Directive (2009/140/EC) was introduced in the 2009 reform of the EU regulatory framework for electronic communications. Art. 13a addresses the security and integrity of public electronic communications networks and services (availability of the service).
Art. 13a of the Telecom Package:
- Expert Group with all NRAs (EU and EFTA) and the EC
- Non-binding technical guidelines (strong adoption among MS)
- 4 years of successful annual reporting, from telecoms to NRAs and then to ENISA and the EC
- Impact evaluation available March 2016
More incident reporting schemes:
- Article 4 on data breaches (Telecom Package)
- Article 19 on breaches of trust services (eIDAS)
- NIS Directive (affecting many sectors)
[Figure: Article 13a incidents per root cause category (percentage), 2011-2015; categories: natural phenomena, human errors, malicious actions, system failures.]
[Figure: Impact on emergency services (percentage), 2011-2015; categories: affected, not affected.]
Cyber Security of the Finance Sector
Distributed Ledger Technology: a new technology offering possibilities for the automation of processes. ENISA tries to identify the security challenges of this technology.
- Traditional challenges: key management; privacy
- Technology-specific challenges: security of smart contracts; consensus hijack; anti-fraud tools
Mobile Payment Applications: every day a new payment app comes onto the market. ENISA tries to identify the minimum security measures for a mobile payment application.
Recommendations on minimum measures:
- Avoid hard-coded sensitive information such as passwords or keys
- Verify the integrity of the running code
- Use certificate pinning to ensure that the application is communicating with the intended end points
ENISA and IoT security
Domains: Smart Cities, Smart Homes, Intelligent Public Transport, SCADA and Industry 4.0, eHealth, Smart Cars, Smart Airports.
ENISA develops expertise to secure IoT through:
- Evaluation of threats
- Promotion of security good practices
- Stakeholder engagement
- Awareness raising
- Community expert groups
- Liaison with policy makers
ENISA provides guidance to secure IoT against cyber threats.
IoT in Smart Homes
Security concerns:
- Manufacturers don't invest in security
- Security and privacy are closely linked
- It is difficult to secure the entire lifecycle of products
ENISA proposes to:
- Establish security procurement guidelines
- Define a framework to evaluate the security of products
- Support security-driven business models
Cybersecurity for Intelligent Public Transport (IPT)
Existing status: security for IPT is limited.
- Safety does not integrate security
- Security is not well integrated in organisations
- The awareness level is low
ENISA objectives:
- Assist IPT operators in their risk assessment
- Raise awareness among municipalities and policy makers
- Invite manufacturers and solution vendors to focus on security
Yet it is possible to act today:
- Understand the threats to critical assets
- Assess applicable security measures
- Collaborate to enhance cyber security
ENISA aims at providing pragmatic solutions to secure transport infrastructure in Europe.
Cybersecurity for Smart Cars
Challenges:
- Increased attack surface
- Insecure development in today's cars
- Security culture
- Liability
- Safety and security process integration
- Supply chain and glue code
Recommendations:
- Improve cyber security in smart cars
- Improve information sharing amongst industry actors
- Improve exchanges with security researchers and third parties
- Clarify liability among industry actors
- Achieve consensus on technical standards for good practices
- Define an independent third-party evaluation scheme
- Build tools for security analysis
Cybersecurity for smart airports
- Variety of cyber security practices in airports
- Lack of EU regulations on cyber security of airports
- Lack of guidelines on network architecture, ownership, and remote management
- Evidence-based vulnerability analysis: metrics and priorities
- Threat modelling and architecture analysis
- Information sharing
- Multi-stakeholder enabled security technologies
- Appropriate security governance model
- Skillset of experts: safety vis-à-vis security
2016: ENISA work to secure Smart Hospitals
Objectives:
- Improve the security and resilience of hospital information systems
- Identify common cyber security threats and challenges, and present mitigation measures to address them
- Support pilots in hospitals across the EU
- Secure devices and systems to improve patient safety
Conclusions
1. Cyber attacks on CIIs are now the norm rather than a future trend.
2. Failure to detect threats is often more costly than false alarms.
3. MS and the private sector, with the assistance of ENISA, should co-operate to protect CIIs by:
   - sharing experiences and information
   - developing and deploying good practices
   - co-operating with NRAs to achieve EU-wide harmonisation of EU regulations
4. Collaboration is everything.