cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

Similar documents
cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

Enhancing the cyber security &

Enhancing infrastructure cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

European Union Agency for Network and Information Security

Discussion on MS contribution to the WP2018

The NIS Directive and Cybersecurity in

IoT and Smart Infrastructure efforts in ENISA

Securing Europe s IoT Devices and Services

ENISA Cooperation in the EU / NIS Directive

Directive on Security of Network and Information Systems

The Network and Information Security Directive - ENISA's contribution

Network and Information Security Directive

Infrastructures and Service Dimitra Liveri Network and Information Security Expert, ENISA

ENISA EU Threat Landscape

NIS-Directive and Smart Grids

ENISA s Position on the NIS Directive

Directive on security of network and information systems (NIS): State of Play

Call for Expressions of Interest

The Role of ENISA in the Implementation of the NIS Directive Anna Sarri Officer in NIS CIP Workshop Vienna 19 th September 2017

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

NIS Standardisation ENISA view

Enhancing the security of CIIPs in Europe - ENISA s Approach Dimitra Liveri Network and Information Security Expert

Cyber Security in Europe

Package of initiatives on Cybersecurity

CYBER SECURITY AIR TRANSPORT IT SUMMIT

EU policy on Network and Information Security & Critical Information Infrastructures Protection

New cybersecurity landscape in the EU Sławek Górniak 9. CA-Day, Berlin, 28th November 2017

Cybersecurity Strategy of the Republic of Cyprus

Information sharing in the EU policy on NIS & CIIP. Andrea Servida European Commission DG INFSO-A3

Security and resilience in Information Society: the European approach

Brussels, 19 May 2011 COUNCIL THE EUROPEAN UNION 10299/11 TELECOM 71 DATAPROTECT 55 JAI 332 PROCIV 66. NOTE From : COREPER

13967/16 MK/mj 1 DG D 2B

Regulating Cyber: the UK s plans for the NIS Directive

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

COUNCIL OF THE EUROPEAN UNION. Brussels, 24 May /13. Interinstitutional File: 2013/0027 (COD)

CEN and CENELEC Position Paper on the draft regulation ''Cybersecurity Act''

COMMISSION STAFF WORKING DOCUMENT EXECUTIVE SUMMARY OF THE IMPACT ASSESSMENT. Accompanying the document

EUROPEAN COMMISSION JOINT RESEARCH CENTRE. Information Note. JRC activities in the field of. Cybersecurity

The European Policy on Critical Information Infrastructure Protection (CIIP) Andrea SERVIDA European Commission DG INFSO.A3

Outreach and Partnerships for Promoting and Facilitating Private Sector Emergency Preparedness

Cybersecurity Policy in the EU: Security Directive - Security for the data in the cloud

Securing Europe's Information Society

Cybersecurity & Digital Privacy in the Energy sector

ERCI cybersecurity seminar Guildford ERCI cybersecurity seminar Guildford

The SPARKS Project Motivation, Objectives and Results

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE

Critical Infrastructure Protection (CIP) as example of a multi-stakeholder approach.

ENISA S WORK ON ICS AND SMART GRID SECURITY

Cyber Security in Europe and CEER s new PEER initiative

Bradford J. Willke. 19 September 2007

ENISA & Cybersecurity. Dr. Udo Helmbrecht Executive Director, European Network & Information Security Agency (ENISA) 25 October 2010

A Strategy for a secure Information Society Dialogue, Partnership and empowerment

Creating NIS Compliant Country in a Non-Regulated Environment. Jurica Čular

STRATEGY ATIONAL. National Strategy. for Critical Infrastructure. Government

IoT & SCADA Cyber Security Services

Section One of the Order: The Cybersecurity of Federal Networks.

Digital Healthcare. Yordan Iliev Director R&D Healthcare. Regional Cybersecurity Forum, November 2016, Grand Hotel Sofia, Bulgaria

EU Data Protection Triple Threat for May of 2018 What Inside Counsel Needs to Know

CEF e-invoicing. Presentation to the European Multi- Stakeholder Forum on e-invoicing. DIGIT Directorate-General for Informatics.

CONCLUSIONS OF THE WESTERN BALKANS DIGITAL SUMMIT APRIL, SKOPJE

Critical Information Infrastructure Protection. Role of CIRTs and Cooperation at National Level

The challenges of the NIS directive from the viewpoint of the Vienna Hospital Association

The Digitalisation of Finance

Future-Proof Security & Privacy in IoT

UNCLASSIFIED. National and Cyber Security Branch. Presentation for Gridseccon. Quebec City, October 18-21

H2020 WP Cybersecurity PPP topics

GDPR Update and ENISA guidelines

EISAS Enhanced Roadmap 2012

Security and resilience in the Information Society: the role of CERTs/CSIRTs in the context of the EU CIIP policy

Promoting Global Cybersecurity

Introductory Speech to the Ramboll Event on the future of ENISA. Speech by ENISA s Executive Director, Prof. Dr. Udo Helmbrecht

COMESA CYBER SECURITY PROGRAM KHARTOUM, SUDAN

NIS Directive development The Incident Notification Framework

Valérie Andrianavaly European Commission DG INFSO-A3

Cyber Security Beyond 2020

General Framework for Secure IoT Systems

The emerging EU certification framework: A role for ENISA Dr. Andreas Mitrakas Head of Unit EU Certification Framework Conference Brussels 01/03/18

The NIST Cybersecurity Framework

Why you should adopt the NIST Cybersecurity Framework

6 CONCLUSION AND RECOMMENDATION

Cyber Security. Activities of an national insurance association based on the example of VVO

Cybersecurity governance in Europe. Sokratis K. Katsikas Systems Security Laboratory Dept. of Digital Systems University of Piraeus

Doug Couto Texas A&M Transportation Technology Conference 2017 College Station, Texas May 4, 2017

Bringing EU Cybersecurity & privacy research results closer to the market

Innovation policy for Industry 4.0

Cybersecurity Package

Cybersecurity in the EU Steve Purser Head of Operational Departments, ENISA Regional Cybersecurity Forum Sofia, Bulgaria 29 th November 2016 European

ENISA & Cybersecurity. Steve Purser Head of Technical Competence Department December 2012

Cybersecurity in Asia-Pacific State of play, key issues for trade and e-commerce

ENISA activities in ICT security certification Dr. Prokopios Drogkaris NIS Expert NLO Meeting Athens

European Cybersecurity PPP European Cyber Security Organisation - ECSO November 2016

European Transport Policy: ITS in action ITS Action Plan Directive 2010/40/EU

Cybersecurity, safety and resilience - Airline perspective

Shaping the Cyber Security R&D Agenda in Europe, Horizon 2020

THE WHITE HOUSE. Office of the Press Secretary EXECUTIVE ORDER

David Fletcher Co-Principal Investigator Western Management & Consulting LLC Albuquerque, NM

Resilience, Deterrence and Defence: Building strong cybersecurity for the EU

Presented by Ingrid Fredeen and Pamela Passman. Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0

In Accountable IoT We Trust

Digital Technology and Railway Security

Transcription:

Enhancing infrastructure cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services European Union Agency for Network and Information Security

Securing Europe s Information society 2

Positioning ENISA activities 3

Secure Infrastructure and Services Communication networks: Critical Information Infrastructure and Internet Infrastructure Transport ehealth and Smart Hospitals Finance 4

Cybersecurity for ICS SCADA EuroSCSIE ICS Security Stakeholder Group Protecting Industrial Control Systems. Recommendations for Europe and Member States Can we learn from SCADA security incidents? Window of exposure a real problem for SCADA systems? Good Practices for an EU ICS Testing Coordination Capability Certification of Cyber Security skills of ICS/SCADA professionals https://www.enisa.europa.eu/scada 5

Communication network dependencies for ICS SCADA Outlined scope and perimeter with EICS SG and EUROSCSIE experts Map assets and threats via desktop research and interviews with security researchers and asset owners List all possible attacks coming from network exposure Examine protocols vulnerabilities List good practices Develop 3 attack PoCs and mitigation actions Define recommendations for Infrastructure operators Vendors EU Member States European Commission 6

IoT and Smart

Everything becomes connected Manufacturers have an economic interest Data collection and processing New business models: data reseller, targeted ads, etc. Competitors do IoT, hence we must do IoT Competitors don t do IoT, let s be the first one! Customers have their own interests (do they?) Connectivity is needed, mobility is important Statistics and remote control Convergence and interconnection with devices and services More functionalities than non-iot product, reasonable price Non-connected version is not available Connected products are the new normal 8

Why IoT security matters? No device is fully secured Reliance on third-party components, hardware and software Dependency to networks and external services Design of IoT/connected devices Vulnerabilities in protocols IoT security is currently limited Cyber System Physical System Investments on security are limited Functionalities before security Real physical threats with risks on health and safety No legal framework for liabilities IoT brings smartness and new security challenges 9

ENISA and IoT security Definition of the perimeter Smart Cities SCADA and Industry 4.0 Devices Data exchange (including network infrastructure) Local and remote services (e.g. Cloud, etc.) Smart Homes Intelligent Public Transport ehealth Smart Cars ENISA develops expertise to secure IoT Evaluation of threats Promotion of security good practices Stakeholders engagement Awareness raising Community expert groups Liaison with policy makers Smart Airports ENISA provide guidance to secure IoT against cyber threats 10

An increasing number of threats 11

Threat taxonomy for IoT Failures Malfunctions Acts of Nature Disasters Physical attacks Unintentional damage (accidental) Nefarious Activity Abuse Damage/Loss (IT Assets) Legal Outages Insider threat Eavesdropping Interception Hijacking 12

How to secure IoT? Generic good practices Raise awareness of manufacturers and suppliers Define security management at organisational level Develop information exchange on threats and risks Promote a common cyber security framework Reuse existing good practices from other domains ENISA to provide guidance to secure the lifecycle of IoT Develop cross-sector baseline security measures Develop sectorial good practices Foster information exchange through ENISA Experts Groups https://www.enisa.europa.eu/smartinfra 13

IoT in Smart Homes Security concerns Manufacturers don t invest in security Security and privacy are closely linked Difficult to secure the entire lifecyle of products ENISA proposes to: Establish security procurement guidelines Define a framework to evaluate the security of products Support security-driven business models https://www.enisa.europa.eu/smartinfra 14

Securing Smart cities and transport infrastructure

Smart Cities as a system of systems New and emerging risks ICT Dependency is generalised Cohabitation between IP-connected systems and older (legacy) systems Data exchange integrated into business processes Threats with consequences on the society Economical consequences, but not only Smart Infrastructures operators are not security experts Lack of clarity on the concept of cyber security Cyber security measures are not only technical but also operational and organisational 16

Securing transport infrastructure 2015 studies Architecture model of the transport sector in Smart Cities Cyber Security and Resilience of Intelligent Public Transport. Good practices and recommendations Objectives Assist IPT operators in their risk assessment Raise awareness to municipalities and policy makers Invite manufacturers and solution vendors to focus on security https://www.enisa.europa.eu/smartinfra 17

Cybersecurity for Intelligent Public Transport Existing status of security for IPT is limited Safety does not integrate security Security is not well integrated in organisations Awareness level is low Yet, it is possible to act today Understand the threats to critical assets Assess applicable security measures Collaborate to enhance cyber security ENISA aims at providing pragmatic solutions to secure transport infrastructure in Europe 18

Cybersecurity for Smart Cars Increased attack surface Insecure development in today s cars Security culture Liability Safety and security process integration Supply chain and glue code 19

Preliminary Findings - Smart Cars Improve cyber security in smart cars Improve information sharing amongst industry actors Improve exchanges with security researchers and third parties Clarify liability among industry actors Achieve consensus on technical standards for good practices Define an independent third-party evaluation scheme Build tools for security analysis 20

Cybersecurity for smart airport The objective of this study is to improve the security and resilience of airports and air traffic control to prevent disruptions that could have an impact on the service being delivered and on the passengers. Workshop November 2016 Publication Q4 2016 21

Perimeter of the study The goal is to cover the entire IT perimeter of smart airports: Assets inside the airport Connected assets outside the airport Dependencies on the airway 22

Threat modelling 23

Attack scenarios Drone intercept as mobile vehicle for jamming and spoofing aircraft-airport and traffic control- airline communications Tampering with airport self-serving e-ticketing systems Network attack to the baggage handling 24

Preliminary Findings Smart airports Variety of cyber security practices in airports Lack of EU regulations on cyber security of airports Lack of guidelines on network architecture, ownership, and remote management Evidence-based vulnerability analysis metrics and priorities Threat modelling and architecture analysis Information sharing Multi-stakeholder enable security technologies Appropriate Security Governance model Skillset of experts safety vis a vis security 25

Recommendations ENISA recommendations Propose solutions to enhance cyber security Targeted at Policy makers, transport Operators, Manufacturers and Service providers Key recommendations (excerpt) Promote collaboration on cyber security across Europe Integrate security in business processes Develop products integrating security for safety Cyber security for Transport requires a global effort 26

How you can get involved Studies Events: Network attacks to ICS SCADA - 27th of September - Frankenthal Securing Smart Cars 10 th of October - Munich NISD and ICS SCADA skills - 26/28 th of October - Stockholm Open call for experts: CARSEC Smart Car security expert group TRANSSEC - Intelligent Public Transport Resilience and Security Expert Group ENISA ICS Security Stakeholder Group EuroSCSIE - European SCADA and Control Systems Information Exchange https://resilience.enisa.europa.eu/ 27

The road ahead

The Network and Information Security Directive Scope: to achieve a high common level of security of NIS within the Union (first EU regulatory act at this level). Status: 17 May 2016, the Council approved its position at first reading. The next step is approval of the legal act by the European Parliament at second reading. The directive entered into force in August 2016. 21 months after entry into force from transposition Provisions: - Obligations for all MS to adopt a national NIS strategies and designate national authorities. - Creates first EU cooperation group on NIS, from all MS. - Creates a EU national CSIRTs network. - Establishes security and notification requirements for operators of essential services and digital service providers 29

The NIS Directive National Cyber Security Strategies Cloud Computing Services Online Marketplaces Digital Service Providers Strategic Cooperation Network Incident Reporting Security Requirements Operators of Essential Services Transport Energy Healthcare Banking and Financial market infrastructures Search Engines Tactical/Operational CSIRT Network Digital Infrastructure http://www.consilium.europa.eu/en/policies/cyber-security/ 30

ENISA s overall role and contribution - Assist MS and EU Comm by providing expertise/advice and by developing/facilitating exchange of good practices, e.g. - assist MS in developing national NIS Strategies (NCSS) - assist EU Commission and MS in developing min security requirements for ESOs and DSPs - assist EU Commission and MS in developing incident reporting frameworks for ESOs and DSPs - assist MS in the defining criteria for the designation of ESOs - Be the secretariat of the CSIRT network and develop with members the network - Participate/contribute to the work of the Cooperation Group (CG) - Elaborate advices and guidelines regarding standardization in NIS security, together with MS 31

NISD Timeline Date entry into force + Milestone August 2016 - Entry into force February 2017 6 months Cooperation Group begins tasks August 2017 February 2018 12 months 18 months Adoption of implementing on security and notification requirements for DSPs Cooperation Group establishes work programme May 2018 21 months Transposition into national law November 2018 May 2019 27 months 33 months (i.e. 1 year after transposition) Member States to identify operators of essential services Commission report assessing the consistency of Member States' identification of operators of essential services May 2021 57 months (i.e. 3 years after transposition) Commission review of the functioning of the Directive, with a particular focus on strategic and operational cooperation, as well as the scope in relation to operators of essential services and digital service providers 32

Goals 01 Raise the level of awareness on Infrastructure security in Europe 02 Support Private and Public Sector with focused studies and tools 03 Facilitate information exchange and collaboration 04 Foster the growth of communication networks and industry 05 Enable higher level of security for Europe s Infrastructures 33

Thank you, Rossella Mattioli resilience@enisa.europa.eu https://www.enisa.europa.eu/

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback