1 Critical Infrastructures and Challenges for Enhanced Security and Network Management Dr. Ioannis Chochliouros Evangelos Sfakianakis 17 th INFOCOM World Conference 2015 Athens, Greece - November 24, 2015
2 SECCRIT 2 SEcure Cloud computing for CRitical infrastructure IT (Ασφαλής υπολογιστική νέφους για κρίσιμες υποδομές τεχνολογιών πληροφορικής) Grant Agreement No
3 Contents 3 Introduction and Essential Contextual Framework: Discussion upon Critical Infrastructures and about essential concerns of the related European policy The Information Technology (IT) Sector as part of the CI protection policy in the modern EU context Cloud Computing as a means to support NIS for essential CI protection and operation
4 4 Introduction Essential Conceptual Framework Discussion upon Critical Infrastructures and about essential concerns of the related European policy
5 CI - Conceptual definition (I) 5 The term Critical infrastructure (CI) implicates for a particular asset -or a systemwhich is necessary for the maintenance and the continuity of vital societal functions. Title in 16pt Arial Bold The damage to a critical infrastructure, its destruction or disruption by natural disasters, terrorism, criminal activity or malicious behaviours, may have an important negative impact for the security of the EU and the well-being of its citizens. The term infrastructure usually describes the underlying basis of an organization or system (for example a country) and includes, in principle: Information and Telecommunications Systems; Banking and Financial Institutions; Water, Electricity, Oil and Gas supplies; Transportation and Logistics structures, and; Health and Emergency services. The word critical is more appropriate than infrastructure, for making a conceptual distinction between normal operating procedures and strategic security policy.
6 CI - Conceptual definition (II) 6 Actual Title in 16pt European Arial Bold challenges: The reduction of CIs vulnerabilities and weaknesses in parallel with effort to improve / raise their resilience, is one among the well defined objectives of the present and the contemporary EU policy. An acceptable level of protection has to be provided and guaranteed, while harmful effects of disruptions on the society and/or upon the citizens need to be reduced!
7 CI - Conceptual definition (III) 7 CIs comprise those physical resources, services, and IT facilities, networks and infrastructure assets which, if disrupted or destroyed, Title in 16pt Arial Bold would have a severe impact and influence on the health, safety, security or economic well-being of citizens or the effective functioning of European or local governments. There are three types of corresponding infrastructure assets: Public, private and governmental infrastructure assets and interdependent cyber & physical networks. Procedures and -where relevant- individuals that exercise control over critical infrastructure functions and/or operations. Objects having cultural or political significance as well as soft targets which may also incorporate mass events (i.e.: sports, leisure and cultural).
8 European Critical Infrastructures (I) 8 The term European Critical Infrastructure (ECI) Title in 16pt Arial Bold implies those specific physical resources, services, and IT facilities, networks and infrastructure assets, which, if disrupted or destroyed, would have a serious impact on the health, safety, security, economic or social well-being of two or more Member States (MS).
9 European Critical Infrastructures (II) 9 The pure definition of what may constitute an EU critical infrastructure is Title given in 16pt by its Arial cross-border Bold effect, which ascertains whether an incident could have a serious impact beyond two or more MS national territories. This is conceived as the loss of a critical infrastructure element, and is rated by the following criteria: Extent of the geographic area which could be affected by the loss or unavailability of a critical infrastructure element beyond three or more Member State s national territories. Effect of time (i.e. the fact that a for example a radiological cloud might, with time, cross a border). Level of the so-called interdependency.
10 European Critical Infrastructures (III) 10 Interdependency is a bidirectional relationship between two infrastructures, through Title in which 16pt the Arial state Bold of each infrastructure influences or is correlated to the state of the other (for example, an electricity network failure in one MS affecting another). There are four types of interdependencies for critical infrastructures: Physical: Cyber: The operation of one infrastructure depends on the material output of the other. Dependency on information transmitted through the information infrastructure. Geographic: Dependency on local environmental effects, simultaneously affecting several infrastructures. Logical: Any kind of dependency not characterized as Physical, Cyber or Geographic.
11 European Critical Infrastructures (IV) 11 According to the context of the Council Directive 2008/114/EC, an EU critical infrastructure is an asset, system or part thereof located in Member States which Title is essential in 16pt Arial for the Bold maintenance of vital societal functions, health, safety, security, economic or social well-being of people, and the disruption or destruction of which would have a significant impact in a Member State as a result of the failure to maintain those functions. The scope of the Directive was originally limited to the energy and transport sectors However, it has constituted the first step, in a step-by-step approach, to detect, identify and then designate ECIs and so assess the need to improve their protection. The Directive outlined the approach all Member States would be required to follow to identify, designate, and protect ECIs in the energy and transport sectors, while indicating the ICT sector as a priority for possible future expansion of its scope. The majority of Member States have implemented the provisions of this Directive by incorporating them within their national legislative and regulatory frameworks, through a variety of approaches.
12 Critical Infrastructure Protection (I) 12 CIs can be damaged, destroyed or disrupted by deliberate acts of terrorism, natural disasters, negligence, accidents or computer hacking, criminal activity & malicious behaviour. Title in 16pt Arial Bold To save the lives and property of citizens being at any kind of potential risk in the EU territory from any cause (terrorism, natural disasters and accidents), any disruptions or manipulations of CI should, to the extent possible, be brief, infrequent, manageable, geographically isolated and minimally detrimental to the welfare of the Member States, their citizens and the European Union. The effective CI protection implies for a proper level of communication, coordination, and cooperation nationally and at EU level, among all interested parties, including: Owners and operators of infrastructure, regulators, professional bodies and industry associations, in collaboration with all other sectors of government, and the wider public.
13 Critical Infrastructure Protection (II) 13 Critical Infrastructure Protection (CIP) is about ensuring that services vital to the society Title in 16pt continue Arial Bold to function, even after the occurrence of any harmful event. It also implicates the capability to prepare for, protect against, mitigate, respond to, and recover from critical infrastructure disruptions or destruction, when some of these may appear and threaten the proper operation of the corresponding asset. The general European objective of CIP is to raise critical infrastructure protection capabilities across all EU Member States against all possible hazards. The underlying rationale is that disruption to infrastructures providing key services could harm the security and economy of the EU as well as the well-being of its citizens and so it is essential to work for proper prevention and/or counter measures.
14 Critical Information Infrastructure (I) 14 The term Critical Information Infrastructure (CII) refers to all ICT systems that are critical infrastructures for themselves or that are essential for the operation of critical infrastructures Title 16pt (telecommunications, Arial Bold computers/software, Internet, satellites, fibre optics, etc.). These infrastructures are necessary for the correct operation of most other CIs and compose a vital tool for managing risk factors and for returning infrastructures to order, after a breakdown occurs. Critical Information Infrastructure Protection (CIIP) refers to the programs and activities of infrastructure owners, operators, manufacturers, users, and regulatory authorities which aim at keeping the performance of critical information infrastructures in case of failures, attacks or accidents, above a defined minimum level of services and also aim at minimising the recovery time and damage. CIIP is a shared responsibility among state, local, tribal, and territorial entities, and public and private owners and operators of critical infrastructure.
15 European Strategic Framework (I) 15 Basic Title in 16pt Aim Arial Bold The assurance of a high degree of protection of EU infrastructures and the increase of their resilience (against all threats and hazards), so that to minimise the consequences of loss of services to society as a whole. Two essential strategic frameworks Stockholm Programme (2009) EU Internal Security Strategy (2014)
16 European Strategic Framework (II) 16 Stockholm Programme (2009) Notification of the importance of critical infrastructure protection. The EU has identified Title in 16pt as one Arial of its Bold major objectives the reduction of critical infrastructure vulnerabilities. Member States have been invited to draw up and implement policies to improve measures for the protection, security preparedness and resilience of critical infrastructure, also including Information and Communication Technology (ICT) and services infrastructure. Further analysis and review of the essential Directive 2008/114/EC, in order to consider including additional policy sectors. EU Internal Security Strategy (2014) Critical infrastructure must be better protected from criminals who take advantage of modern technologies and that the EU should continue to designate critical infrastructure and put in place plans to protect such assets, as they are essential for the functioning of society and the economy. Threats to critical infrastructure require enhancements to long-standing crisis and disaster management practices in terms of efficiency and coherence. Focus on better risk assessment and risk management.
17 European Strategic Framework (III) 17 The objective of CI protection at the EU level is to provide satisfactory guarantee that there are adequate and equal levels of protective security on CI Title in 16pt Arial Bold minimal single points of failure and rapid, tested recovery arrangements throughout the EU. The level of the ensured protection may not be equal for all potential sorts of and can be relevant to the impact caused by the potential failure of the CI. The related European policy and strategy is a continuing process and it so implicates for systematic reviews to identify, assess and consider any new issues and/or related concerns. Objectives: Development of a commonly accepted framework towards achieving, to the extent possible, a common level of protection. Avoiding negative impact or consequences between member states, in particular due to the high expansion of modern Future Internet (FI)-based technologies and applications, in parallel with current market liberalisation initiatives. Sufficient protection implicates for communication, coordination, and cooperation nationally, at EU level (where relevant), as well as internationally.
18 European Strategic Framework (IV) 18 Principles taken into account in order to compose the essential framework Title in 16pt for Arial CI protection: Bold Subsidiarity Complementarity Confidentiality Stakeholder Cooperation Proportionality Sector-by-sector approach
19 European Strategic Framework (V) 19 Subsidiarity: Explicit priority is given for the CI protection and the related action becomes an action of national responsibility. Thus, the national governments need to work together with Title any in involved 16pt Arial market Bold actors (i.e., owners and/or operators) according to a welldefined and common context. Complementarity: The proposed set of measures and/or actions has to complement any previously existing measures. In case where there are specific contexts already established and/or validated, these have to remain active in order to support the overall performance of any new action. Complementarity also needs to be ensured with other Community and Union programmes and related initiatives (i.e.: European Union Solidarity Fund and the Civil Protection Financial Instrument, Horizon 2020 and the Structural Funds). Confidentiality: Any necessary action for information sharing about CI has to be done in a way to provide sufficient guarantee about trust and confidentiality. This implicates that that CIP information has to be classified accordingly, and that access has to be granted only on a need-to know basis. For the IT sector, an effective information sharing procedure can enable the success of the related sector s public-private partnership model, by ensuring that all partners have relevant situational awareness to protect IT and critical functions.
20 European Strategic Framework (VI) 20 Stakeholder Cooperation: All stakeholders (European Authorities, MS, industry and business associations, standardisation bodies and owners, regulators, operators and users) have a major role to play in protecting CI. Title in 16pt Arial Bold These actors need to work together to effectively contribute to the development/validation/implementation of a modern and efficient EPCIP (European Programme for Critical Infrastructure Protection), according to their specific roles and responsibilities. State Authorities have to afford leadership and coordination in developing and implementing a nationally reliable approach to the CI protection within their jurisdictions. Owners, operators and users would be actively involved at both the national and EU level. Proportionality: Any proposed protection strategies and/or related measures have to be proportionate to the level of risk involved, as not all infrastructures can be protected from all threats. By applying fitting risk management techniques, priority can be given to those sectors implying for highest risk, by considering the nature of the threat, any comparative criticality, cost-benefit ratio, the level of protective security and the efficiency of existing mitigation strategies. Sector-by-sector approach: As numerous sectors of the market environment already possess specific experience, expertise and requirements with the CIP issue, the corresponding EPCIP will be structured on an explicit sector-by-sector basis and will be implemented by following an approved list of CIP sectors.
21 European Strategic Framework (VII) 21 Prevention implicates the range of deliberate, critical tasks and activities required to shape, sustain, and expand the operational capability to prevent, protect against, respond to, and recover Title from in 16pt an incident. Arial Bold It also encompasses effort to recognize and classify potential threats, define vulnerabilities and identify necessary resources for such kind of purposes. Prevention also implicates for suitable measures to protect lives and property. Prevention involves applying intelligence and other data to a variety of actions that may include: Countermeasures as deterrence operations; heightened inspections; improved surveillance and security operations; investigations to determine the full nature and source of the threat; public health and agricultural surveillance and testing processes; immunizations, isolation, or quarantine; and appropriate specific law enforcement operations aimed at deterring, pre-empting, interdicting, or disrupting illegal activity, and apprehending potential perpetrators and bringing them to justice.
22 Some Essential Concerns about CIs 22 During the latest years, the appearance of CIP studies and programs at the European level constitutes an increasing trend EU Member States have provided substantial initiatives and have selected and promoted appropriate measures for crisis management cooperation through supranational institutions, to ensure a globally accepted character of the proposed measures. This sort of dynamic development implicates a qualitatively novel role for the EU, much further beyond pure economic management. A European protection policy space is gradually emerging. This protection space intersects several policy sectors and EU institutions, thus comprising all activities, mechanisms, resources and other means to deal with potential trans-boundary crises.
23 23 The Information Technology (IT) Sector as part of the CI protection policy in the modern EU context
24 General concerns (I) 24 The Information Technology (IT) sector conducts operations and services that provide for the design, development, distribution and support of corresponding Title in 16pt Arial Bold products (HW/SW) and operational support services that are necessary & critical to the assurance of national and economic security and public health, safety and confidence. IT sector provides, among others, critical control systems and related services/facilities, physical architecture and any relevant Internet infrastructure. All involved actors (corporate entities, authorities, research and academic organizations, public users) depend on the proper establishment and the operational functionality of the corresponding resources. Such kind of physical or virtual functions can create and offer hardware, software, and information technology systems and services, under various concepts.
25 General concerns (II) 25 The high complexity of the underlying environment implicates difficulties upon identification and assessing threats or Title upon in the 16pt evaluation Arial Bold and management of vulnerabilities. The procedure for vulnerability assessment normally considers the people, process, technology, and physical vulnerabilities that, if exploited by a certain kind of threat, could exercise effects and modify certain essential features of critical functions (such as confidentiality, integrity, or availability). Although IT technology infrastructure has a convinced level of intrinsic resilience, its interdependent and interconnected structure creates challenges and opportunities for coordinating public and private sector preparedness and protection activities. Cooperation is needed between the public and the private sector, with the pure aim of promoting commonly accepted concepts & methodologies.
26 Risk Management in the IT sector (I) 26 The IT Sector risk management context concentrates on two major levels: the individual enterprise level, and; the sector -or the national- level. Private sector entities structure their approaches on business explicit objectives, such as shareholder value, efficacy, and customer service. Public sector entities base their approaches on ensuring mission effectiveness or providing a well-defined and conceived public service. Enterprise-level risk management methodologies regularly include cybersecurity initiatives and measures to preserve the well-being of information security programs and of the necessary infrastructures to fulfil that purpose. Corresponding examples may comprise, among others: Physical vulnerability mitigation measures (e.g., physical access control and surveillance) Human vulnerability mitigation measures (e.g., security training and awareness) Cybersecurity measures (e.g., encryption; behavior monitoring and management technologies) Business continuity planning.
27 Risk Management in the IT sector (II) 27 The area of ICT security has developed extensively within the EU, over the past few years. There is a large body of EU legislation, regulation and programs aimed at the protection of telecommunications, media and IT (the Commission addresses these infrastructures in combination).
28 Network and Information Security NIS (I) 28 The EU promotes specific network and information security (NIS) measures, via a regulatory framework for electronic communications (which also addresses issues of privacy and data protection) and via measures against cyber crime. NIS is increasingly significant to our economy and society. NIS is also an important precondition to generate a reliable environment for worldwide trade in services. Lack of NIS can compromise vital services depending on the integrity of network and information systems. Lack of NIS can: Harm or terminate businesses functioning; generate substantial financial losses for the economy, and; negatively affect societal welfare.
29 Network and Information Security NIS (II) 29 The current European regulatory framework requires only telecommunication companies-operators to adopt risk management steps and to report serious NIS incidents. However, many other sectors rely on ICT as an enabler and should be concerned about NIS as well. Several infrastructure and service providers are particularly vulnerable, due to their high dependence on appropriately functioning NIS. Security the underlying systems is of specific importance to the functioning of the market, especially for several sectors like: Banking, stock exchanges, energy generation, transmission and distribution, transport (air, rail, maritime), health, Internet services and public administration).
30 Network and Information Security NIS (III) 30 The European Commission has focused attention on prevention, preparedness and awareness and has defined a plan of immediate actions to strengthen the security and resilience of CIIs. This focus was consistent with the challenges and priorities for NIS policy and the most appropriate instruments needed at EU level to tackle them. The proposed actions were also complementary to those to prevent, fight and prosecute criminal and terrorist activities targeting CIIs and synergetic with current and prospective EU research efforts in the field of NIS, as well as with international initiatives in this area.
31 Network and Information Security NIS (IV) 31 Areas & activities in the European regulatory and strategic policy framework Support of the right to privacy and of the right to the protection of personal data Creation of common specifications on, for example, personal integrity and user control, and for developing a secure infrastructure. Measure to improve robustness of networks and of information systems, against accidents and criminal attacks. Development of rules to secure electronic communications (e.g., via measures for electronic signatures and the data protection legislation for e-communication). Establishment of a bureau for information security: the European Network and Information Security Agency (ENISA)
32 Network and Information Security NIS (V) 32 Promotion of a Directive on Network and Information Security (COM(2013) 48 final, ) to strengthen national resilience and to increase cooperation on cyber incidents. This is to be achieved By requiring member states to increase their preparedness and improve their cooperation with each other, and by requiring operators of critical infrastructures, such as energy, transport, and key providers of information society services (e-commerce platforms, social networks, etc.), as well as public administrations, to adopt appropriate steps to manage security risks and report serious incidents to the national competent authorities.
33 33 Cloud Computing as an means to support NIS for essential CI protection and operation
34 Cloud Computing for managing CIs (I) 34 IT Systems used for managing CIs require large resources and thus, CI providers often host their own infrastructure and possess own data centers. However, due to virtually unlimited scalability of resources and performance, as well as noteworthy improvement regarding maintainability, evermore organisations will incorporate cloud computing into their computing environments. Thus, we argue that cloud computing will eventually reach ICT services that are operating critical infrastructures (CI).
35 Cloud Computing for managing CIs (II) 35 Cloud computing ( CC ) is a style of computing where elastic IT-related capabilities are provided as optimized, cost-effective, and on-demand utilitylike services to the corresponding customers, mainly by using Internet-based technologies. Cloud computing, in simplified terms, can be understood as the storing, processing and use of data on remotely located computers, accessed over the Internet. This means that users can command almost unlimited computing power on demand, they do not have to make major capital investments to fulfil their needs, and; they can get to their data from anywhere, simply with an Internet connection.
36 Cloud Computing for managing CIs (III) 36 Cloud computing has gained tremendous momentum and started to revolutionize the way enterprises create and deliver IT solutions. Cloud computing has the potential to slash users IT expenditure and enable many new services to be developed. As more and more sectors adopt cloud services in their computing environment, the trend also reaches ICT services operating critical infrastructures (CIs) such as transportation systems or infrastructure surveillance which are two quite characteristic and modern examples.
37 Cloud Computing for managing CIs (IV) 37 Cloud services provide competent access to large IT infrastructures that benefit from the economy of scale. It would extremely advantageous to preserve irrecoverable and valuable data obtained from CIs, within secure cloud infrastructures. But hosting CI services in the cloud brings with it security and resilience requirements, that existing cloud offerings are not well placed to deal with for all related cases. Any attempt to deploy, test and validate CI services in the cloud implicates difficulties and potential obstacles -as well as risks and threats- focused around technical issues but also being dependent upon legal or business issues. With a minimum tolerance to any security incidence or downtime, a CI enforces much stronger requirements for security, reliability and resilience on cloud computing environments.
38 Cloud Computing for managing CIs (V) 38 The main concerns about cloud services are security, data location, applicable law and jurisdiction over data, though on the last point it appears that most organizations in the EU market lack a full understanding of the complex issues. Data and application portability between cloud service providers does not appear to be a significant barrier to initial adoption, but becomes more important when the issue is deepening and extending the use of cloud in the enterprise. For the case where CIs are actually running inside the cloud environment, it should be expected to deploy countermeasures for attacks (implicating for a detailed, in depth, analysis/assessment of all corresponding risks -upon a continuous and fully dynamic perspective) together with preventive and corrective measures whenever anomalies, deviations from proper level of operational behaviour or unexpected features may be observed.
39 Cloud Computing for managing CIs (VI) 39 An example for the consideration and use of cloud computing for the support of IT of CI has been develpoed within the scope of the SECCRIT ( SEcure Cloud computing for Critical infrastructure IT ) EU-funded project (GA No ). SECCRIT s mission is to analyze and evaluate cloud computing technologies with respect to security risks in sensitive environments, and to develop methodologies, technologies, and best practices for creating a secure, trustworthy, and high assurance cloud computing environment for CI. SECCRIT s main objectives are prescribed as follows: Identification of the relevant legal framework and establishment of respective guidelines, provision of evidence and data protection for cloud services; Understanding and managing risk associated with cloud environments; Understanding cloud behavior in the face of challenges; Establishment of best practice for secure cloud service implementations; Demonstration of SECCRIT research and development results in real-world application scenarios
40 Thank you for your attention! For further information: Ioannis Chochliouros, Ph.D., M.Sc., (Head of Research Programs Section, Fixed) Evangelos Sfakianakis, M.Sc. Research Programs Section, Fixed Hellenic Telecommunications Organization S.A. 1, Pelika & Spartis Str Maroussi Athens Greece Tel , Fax
DCAF a centre for security, development and the rule of law On the European experience in critical infrastructure protection Valeri R. RATCHEV email@example.com @ratchevv DCAF/CSDM 1 This presentation
EU Cybersecurity Policy & Legislation ENISA s Contribution Steve Purser Head of Core Operations Oslo 26 May 2015 European Union Agency for Network and Information Security Agenda 01 Introduction to ENISA
EUROPEAN COMMISSION Brussels, XXX [ ](2012) XXX draft Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL concerning measures to ensure a high common level of network and information
TEXAS HOMELAND SECURITY STRATEGIC PLAN 2015-2020: PRIORITY ACTIONS INTRODUCTION The purpose of this document is to list the aligned with each in the Texas Homeland Security Strategic Plan 2015-2020 (THSSP).
EUROPEAN COMMISSION Brussels, 7.2.2013 COM(2013) 48 final 2013/0027 (COD) Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL concerning measures to ensure a high common level of network
Cyberspace Situational Awarness in National Security System Rafał Piotrowski, Joanna Sliwa, Military Communication Institute C4I Systems Department Zegrze, Poland, firstname.lastname@example.org, email@example.com
Council of the European Union Brussels, 21 April 2016 (OR. en) Interinstitutional File: 2013/0027 (COD) 5581/16 LEGISLATIVE ACTS AND OTHER INSTRUMTS Subject: TELECOM 7 DATAPROTECT 6 CYBER 4 MI 37 CSC 15
National Cyber Security Policy -2013 Preamble 1. Cyberspace 1 is a complex environment consisting of interactions between people, software and services, supported by worldwide distribution of information
Policy Document Cybersecurity Strategy of the Republic of Cyprus Network and Information Security and Protection of Critical Information Infrastructures Version 1.0 23 April 2012 TABLE OF CONTENTS EXECUTIVE
Comprehensive European Security Approaches: EU Security Programmes Robert HAVAS EOS Chairman of the Board INTRODUCTION the EOS Programmes rationale Why implementing EU Security Programmes / ASPIDA approach?
GLOBAL BUSINESS DIALOGUE ON ELECTRONIC COMMERCE CYBER SECURITY AND CYBER CRIME SEPTEMBER 26, 2000 Issue Chair: Issue Sherpa: Dick Brown CEO EDS Corporation Bill Poulos EDS Corporation Tel: (202) 637-6708
Ref. Ares(2011)193990-22/02/2011 EUROPEAN COMMISSION ENTERPRISE AND INDUSTRY DIRECTORATE-GENERAL Space, Security and GMES Security Research and Development Brussels, 17 th February 2011 M/487 EN PROGRAMMING
Council of the European Union Brussels, 5 March 2015 (OR. en) Interinstitutional File: 2013/0027 (COD) 6788/15 LIMITE TELECOM 59 DATAPROTECT 23 CYBER 13 MI 139 CSC 55 CODEC 279 NOTE From: Presidency To:
Speech by Mr Rudolf Peter ROY, Head of division for Security Policy and Sanctions of the European External Action Service, at the L COSAC Meeting 29 October 2013, Vilnius Honourable members of the National
Microsoft s cybersecurity commitment Published January 2015 At Microsoft, we take the security and privacy of our customers data seriously. This focus has been core to our culture for more than a decade
Germany: Report on Developments in the Field of Information and Telecommunications in the Context of International Security (RES 69/28), General appreciation of the issues of information security Information
EEI Business Continuity Conference Threat Scenario (TSP) April 4, 2012 EEI Threat Scenario 1 Background EEI, working with a group of CIOs and Subject Matter Experts, conducted a survey with member companies
ITU National Cybersecurity/CIIP Self-Assessment Tool ICT Applications and Cybersecurity Division Policies and Strategies Department ITU Telecommunication Development Sector April 2009 Revised Draft For
CIPS 2011 Awarded Grants Project number Applicant's name Ctry Title Description Grant HOME/2011/CIPS/AG/2012 NATIONAL INSTUTE COMMUNICATION TECHNOLOGIES (INTECO) ES SCADA laboratory and testbed as a service
WHAT S ABOUT CYBERSECURITY, WP 2016-2017 ERRIN-SOST CYBERSECURITY BROKERAGE 30-SEP-2015 Dr. Marina Martínez García Programme Officer H2020 Spanish Officer for Science and Technology, SOST-CDTI 80.000 M
Internet Safety and Security: Strategies for Building an Internet Safety Wall Sylvanus A. EHIKIOYA, PhD Director, New Media & Information Security Nigerian Communications Commission Abuja, NIGERIA Internet
GOVERNMENT OF THE REPUBLIC OF LITHUANIA RESOLUTION NO 796 of 29 June 2011 ON THE APPROVAL OF THE PROGRAMME FOR THE DEVELOPMENT OF ELECTRONIC INFORMATION SECURITY (CYBER-SECURITY) FOR 20112019 Vilnius For
University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant
Water Critical Infrastructure and Key Resources Sector-Specific Plan as input to the National Infrastructure Protection Plan Executive Summary May 2007 Environmental Protection Agency Executive Summary
CYBER SECURITY AND CYBER DEFENCE IN THE EUROPEAN UNION OPPORTUNITIES, SYNERGIES AND CHALLENGES By Wolfgang Röhrig, Programme Manager Cyber Defence at EDA and Wg Cdr Rob Smeaton, Cyber Defence Staff Officer
European priorities in information security Graeme Cooper Head of Public Affairs Unit, ENISA 12th International InfoSec and Data Storage Conference, 26th September 2013, Sheraton Hotel, Sofia, Bulgaria
Council of the European Union Brussels, 18 November 2014 15585/14 COPS 303 POLMIL 103 CYBER 61 RELEX 934 JAI 880 TELECOM 210 CSC 249 CIS 13 COSI 114 OUTCOME OF PROCEEDINGS From: Council On: 17 18 November
Cyber Security Recommendations October 29, 2002 Leading Co-Chair (Asia/Oceania) Co-Chair (Americas) Co-Chair (Europe/Africa) Dr. Hiroki Arakawa Executive Vice President NTT Data Corporation Richard Brown
CYBER SECURITY GUIDANCE With the pervasiveness of information technology (IT) and cyber networks systems in nearly every aspect of society, effectively securing the Nation s critical infrastructure requires
OVERVIEW Critial infrastructures are increasingly dependent on information and communication technology. ICT-systems are getting more and more complex, and to enable the implementation of secure applications
U.S. Department of Homeland Security in partnership with the National Coordination Office for Space-Based Positioning, Navigation and Timing Critical Infrastructure Security and Resilience International
HMG Security Policy Framework Security Policy Framework 3 Foreword Sir Jeremy Heywood, Cabinet Secretary Chair of the Official Committee on Security (SO) As Cabinet Secretary, I have a good overview of
Section A: Introduction, Definitions and Principles of Infrastructure Resilience A1. This section introduces infrastructure resilience, sets out the background and provides definitions. Introduction Purpose
ericsson White paper Uen 284 23-3244 January 2015 Cloud security architecture from process to deployment The Trust Engine concept and logical cloud security architecture presented in this paper provide
Unclassified DSTI/ICCP/REG(2003)5/REV1 DSTI/ICCP/REG(2003)5/REV1 Unclassified Organisation de Coopération et de Développement Economiques Organisation for Economic Co-operation and Development 02-Jul-2003
NYA International B Effective risk management begins with a comprehensive understanding of the threat and an organisation s vulnerability, and the application of appropriate mitigation measures. Operating
THE WHITE HOUSE Office of the Press Secretary For Immediate Release February 12, 2013 February 12, 2013 PRESIDENTIAL POLICY DIRECTIVE/PPD-21 SUBJECT: Critical Infrastructure Security and Resilience The
OLL0 TH CONGRESS ST SESSION S. ll To secure the United States against cyber attack, to improve communication and collaboration between the private sector and the Federal Government, to enhance American
TUSKEGEE CYBER SECURITY PATH FORWARD Preface Tuskegee University is very aware of the ever-escalating cybersecurity threat, which consumes continually more of our societies resources to counter these threats,
INFORMATION RISK MANAGEMENT KPMG Information Risk Management Business Continuity Management Peter McNally, KPMG Asia Pacific Leader for Business Continuity ADVISORY Contents Agenda: Global trends and BCM
CyberSecurity Solutions Delivering Confidence Staying One Step Ahead Cyber attacks pose a real and growing threat to nations, corporations and individuals globally. As a trusted leader in cyber solutions
U.S. Department of Homeland Security Protective Security Advisor (PSA) North Carolina District Securing the Nation s s critical infrastructures one community at a time Critical Infrastructure & Key Resources
Oil & Gas Industry Towards Global Security A Holistic Security Risk Management Approach www.thalesgroup.com/security-services Oil & Gas Industry Towards Global Security This white paper discusses current
Cyber Security solutions The scenario IT security has become a highly critical issue for all businesses as a result of the growing pervasiveness and diffusion of ICT technology. Risks can arise both inside
Supplemental Tool: Executing A Critical Infrastructure Risk Management Approach Executing a Critical Infrastructure Risk Management Approach Risk is defined as the potential for an unwanted outcome resulting
H. R. 5005 11 (d) OTHER OFFICERS. To assist the Secretary in the performance of the Secretary s functions, there are the following officers, appointed by the President: (1) A Director of the Secret Service.
E FACILITATION COMMITTEE 39th session Agenda item 7 FAL 39/7 10 July 2014 Original: ENGLISH ENSURING SECURITY IN AND FACILITATING INTERNATIONAL TRADE Measures toward enhancing maritime cybersecurity Submitted
THE STRATEGIC POLICING REQUIREMENT July 2012 Contents Foreward by the Home Secretary...3 1. Introduction...5 2. National Threats...8 3. Capacity and contribution...9 4. Capability...11 5. Consistency...12
COUNCIL OF EUROPE COMMITTEE OF MINISTERS Recommendation Rec(2006)8 of the Committee of Ministers to member states on assistance to crime victims (Adopted by the Committee of Ministers on 14 June 2006 at
Whitepaper The Cyber Threat Profiler Good Intelligence is essential to efficient system protection INTRODUCTION As the world becomes more dependent on cyber connectivity, the volume of cyber attacks are
The Trident University International (Trident) catalog consists of two parts: Policy Handbook and Academic Programs, which reflect current academic policies, procedures, program and degree offerings, course
Michigan State Police Emergency Management & Homeland Security Infrastructure Analysis & Response Section Sgt. Bruce E. Payne Presidential Directive On December 17, 2003, President Bush issued Homeland
EU Directive on Network and Information Security SWD(2013) 31 & SWD(2013) 32 A call for views and evidence 22 nd May 2013 Contents Contents... 2 Overview: The EU Directive on Network and Information Security...
COUCIL OF TH UROPA UIO N The Hague, 25 March 2014 8193/14 (OR. en) PRSS 187 The Hague uclear Security Summit Communiqué We, the leaders, met in The Hague on 24 and 25 March 2014 to strengthen nuclear security,
Nine Steps to Smart Security for Small Businesses by David Lacey Co-Founder, Jericho Forum Courtesy of TABLE OF CONTENTS INTRODUCTION... 1 WHY SHOULD I BOTHER?... 1 AREN T FIREWALLS AND ANTI-VIRUS ENOUGH?...
MAJOR PROJECTS CONSTRUCTION SAFETY SECURITY MANAGEMENT PROGRAM STANDARD HS-09 Document Owner(s) Tom Munro Project/Organization Role Supervisor, Major Projects Safety & Security (Canada) Version Control:
IAEA NUCLEAR SECURITY SERIES NO. FUNDAMENTALS OF A STATE S NUCLEAR SECURITY REGIME: OBJECTIVE AND ESSENTIAL ELEMENTS Revision 17.04 Page 1 of 20 FOREWORD [TO BE PROVIDED BY THE SECRETARIAT AT A LATER TIME]
Business Plan 2012/13 Contents Introduction 3 About the NFA..4 Priorities for 2012/13 4 Resources.6 Reporting Arrangements.6 Objective 1 7 To raise the profile and awareness of fraud among individuals,
NATIONAL CYBERSECURITY STRATEGIES: AUSTRALIA AND CANADA JOÃO MANUEL ASSIS BARBAS Coronel de Artilharia. Assessor de Estudos do IDN INTRODUCTION Globalization and information and communication technologies
TITLE OF THE INITIATIVE ROADMAP Proposal on a European Strategy for Internet Security TYPE OF INITIATIVE xcwp Non-CWP Implementing act/delegated act LEAD DG RESPONSIBLE UNIT INFSO A3 EXPECTED DATE OF ADOPTION
Emergency Management Standard Emergency Management Accreditation Program Publication Note The Emergency Management Standard by the Emergency Management Accreditation Program (EMAP) is designed as a tool
CENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON BUSINESS CONTINUITY MANAGEMENT (BCM) FOR INSTITUTIONS LICENSED UNDER THE BANKING ACT JANUARY 2008 GUIDELINE ON BUSINESS CONTINUITY GUIDELINE CBK/PG/14
COMMUNIQUÉ ON PRINCIPLES FOR INTERNET POLICY-MAKING OECD HIGH LEVEL MEETING ON THE INTERNET ECONOMY, 28-29 JUNE 2011 The Seoul Declaration on the Future of the Internet Economy adopted at the 2008 OECD
Council of the European Union Brussels, 18 December 2015 (OR. en) Interinstitutional File: 2013/0027 (COD) 15229/2/15 REV 2 NOTE From: To: Presidency Permanent Representatives Committee TELECOM 232 DATAPROTECT
Cyber Europe 2012 December 2012 On National and International Cyber Exercises S I Acknowledgements ENISA wishes to thank all persons and organisations which have contributed to this exercise. In particular,
ENISA What s On? ENISA as facilitator for enhanced Network and Information Security in Europe CENTR General Assembly, Brussels October 4, 2012 firstname.lastname@example.org 1 Who we are ENISA was
Ohio Supercomputer Center IT Business Continuity Planning No: Effective: OSC-13 06/02/2009 Issued By: Kevin Wohlever Director of Supercomputer Operations Published By: Ohio Supercomputer Center Original
The Cyber challenge Adjacent Digital Politics Ltd gives an overview of the EU Commission s Cyber Security Strategy and Commissioner Ashton s priorities to increase cyber security in Europe The internet
Cyber Security Build-up of India s National Force 2 Gabi Siboni, 1 Senior Research Fellow and Director, Military and Strategic Affairs and Cyber Security Programs, Institute for National Security Studies,
JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015 The following consists of the joint explanatory statement to accompany the Cybersecurity Act of 2015. This joint explanatory statement
JOB ANNOUNCEMENT Chief Security Officer, Cheniere Energy, Inc. Position Overview The Vice President and Chief Security Risk Officer (CSRO) reports to the Chairman, Chief Executive Officer and President
16.5.2009 Official Journal of the European Union L 122/47 RECOMMENDATIONS COMMISSION COMMISSION RECOMMENDATION of 12 May 2009 on the implementation of privacy and data protection principles in applications
EU Cybersecurity: Ensuring Trust in the European Digital Economy Synthesis of the FIC Breakfast-Debate 15 October 2013, Brussels With the participation of Tunne Kelam Member of the European Parliament'
Summary Report Report # 1 Security Challenges of Cross-Border Use of Cloud Services under Special Consideration of ENISA s Contributions COINS Summer School 2015 on Could Security Prepared by: Nabeel Ali
Seoul Communiqué 2012 Seoul Nuclear Security Summit We, the leaders, gathered in Seoul on March 26-27, 2012, renew the political commitments generated from the 2010 Washington Nuclear Security Summit to
Public Private Partnerships and National Input to International Cyber Security 10 September 2009 Tallinn, Estonia Maeve Dion Center for Infrastructure Protection George Mason University School of Law Arlington,
INTERNATIONAL STANDARD ISO/IEC 27000 Third edition 2014-01-15 Information technology Security techniques Information security management systems Overview and vocabulary Technologies de l information Techniques
Policy 8.3.2 Business Responsible Party: President s Office BUSINESS CONTINUITY PLANNING Overview The UT Health Science Center at San Antonio (Health Science Center) is committed to its employees, students,
Table of Contents EXECUTIVE SUMMARY...4 1 INTRODUCTION TO INFORMATION TECHNOLOGY SECTOR CRITICAL INFRASTRUCTURE PROTECTION...9 1.1. PARTNERING FOR SECURITY...9 1.2. IT SECTOR PROFILE...11 2 RISK MANAGEMENT
CONNECTING WITH CONFIDENCE: OPTIMISING AUSTRALIA S DIGITAL FUTURE AIIA Response 14 November 2011 INTRODUCTION The Australian Information Industry Association (AIIA) is the peak national body representing
Principles for BCM requirements for the Dutch financial sector and its providers. Platform Business Continuity Vitale Infrastructuur Financiële sector (BC VIF) Werkgroep BCM requirements 21 September 2011
APPENDIX A A COMPREHENSIVE INTER-AMERICAN CYBERSECURITY STRATEGY: A MULTIDIMENSIONAL AND MULTIDISCIPLINARY APPROACH TO CREATING A CULTURE OF CYBERSECURITY INTRODUCTION The Internet and related networks
Ref.:EBF_001314 Brussels, 17 June 2013 Launched in 1960, the European Banking Federation is the voice of the European banking sector from the European Union and European Free Trade Association countries.