Enhancing Cyber Security in Europe Dr. Cédric LÉVY-BENCHETON NIS Expert Cyber Security Summit 2015 Milan 16 April 2015

Size: px

Start display at page:

Download "Enhancing Cyber Security in Europe Dr. Cédric LÉVY-BENCHETON NIS Expert Cyber Security Summit 2015 Milan 16 April 2015"

Doris Ramsey
8 years ago
Views:

1 Enhancing Cyber Security in Europe Dr. Cédric LÉVY-BENCHETON NIS Expert Cyber Security Summit 2015 Milan 16 April 2015 European Union Agency for Network and Information Security

2 Summary 1 Presentation of ENISA 2 Enhancing Cyber Security in Europe Threat landscape assessment Regulatory aspect New risks for Critical Infrastructures 3 Conclusion 2

3 Presentation of ENISA

4 EU Cyber Security Strategy The Five strategic objectives of the strategy: 1. Achieving cyber resilience 2. Drastically reducing cybercrime 3. Developing cyberdefence policy and capabilities related to the Common Security and Defence Policy (CSDP) 4. Developing the industrial and technological resources for cybersecurity 5. Establishing a coherent international cyberspace policy for the European Union and promote core EU values ENISA explicitly called upon 4

Developing cyberdefence policy and capabilities related to the Common Security and Defence Policy (CSDP) 4.

5 Presentation of ENISA The European Union Agency for Network and Information Security was formed in The original mandate was renewed and extended in 2013 The Agency is a Centre of Expertise that supports the Commission and the EU Member States in the area of information security We facilitate the exchange of information between communities, with particular emphasis on the EU institutions, the public sector and the private sector 5

Commission and the EU Member States in the area of information security We facilitate the exchange of

6 Positioning ENISA activities 6

7 Enhancing Cyber Security in Europe Threat landscape assessment Regulatory aspect New risks for Critical Infrastructures

Threat landscape assessment Current and emerging threats Threats are always evolving Target several domains of everyday s life Companion to your risk assessment

8 Threat landscape assessment Current and emerging threats Threats are always evolving Target several domains of everyday s life Companion to your risk assessment Evaluate assets exposed Prioritize investments ENISA Threat Landscape 2014 Generic Threat Landscape Two technical deep dives : Internet Infrastructure and Smart Homes 8

assessment Evaluate assets exposed Prioritize investments ENISA Threat Landscape

9 ENISA Threat Landscape

10 Threat Landscape for Internet Infrastructure 10

Regulatory aspect Regulation mandates high level requirements Different interpretations possible No concrete actions ENISA provides guidance to public

11 Regulatory aspect Regulation mandates high level requirements Different interpretations possible No concrete actions ENISA provides guidance to public and private sector Coordination at EU level Definition of security objectives and measures Structure of the security objectives and security measures 11

public and private sector Coordination at EU level Definition of security

12 Regulatory aspect for Incident Reporting Mandatory incident reporting Electronic Communication Article 13a of the Framework Directive (2009/140/EC) Personal Data breach Article 4 of the e-privacy directive (2002/58/EC) Incident report enhance security Analysis of source causes Dissemination of good practices EC Incident notification Member state National authority ENISA Incident reporting Member state National authority Incidents analysed and insights shared with providers Network or service provider Network or service provider Network or service provider Network or service provider Network or service provider Network or service provider 12

notification Member state National authority ENISA Incident reporting Member state National authority Incidents analysed and insights shared with providers

13 Is regulation the only way to enhance cyber security? Collaboration before regulation? Share incidents and good practices Incentive to invest Collaboration in Europe Private Public Partnership (eg: NIS Platform) Sectorial ISACs (eg: FI-ISAC) Trust-based groups (eg: ENISA Reference Groups) Preparation to future regulation (eg: NIS Directive) Enhance the global level of security Spread investments over time Facilitate compliance 13

(eg: NIS Platform) Sectorial ISACs (eg: FI-ISAC) Trust-based groups (eg: ENISA Reference Groups) Preparation

New risks for Critical Infrastructures Critical Infrastructure provider Relies more and more on ICT technology Not an ICT expert Information Technology (IT) vs Operations

14 New risks for Critical Infrastructures Critical Infrastructure provider Relies more and more on ICT technology Not an ICT expert Information Technology (IT) vs Operations Technology (OT) IP-enabled systems / Legacy systems Cyber security / security More threats with consequences on the society Need for cyber security adapted to Critical Infrastructures 14

Technology (OT) IP-enabled systems / Legacy systems Cyber security / security More

15 Critical Sectors in EU28 + EFTA Sectors Energy ICT Water Food Health Financial Public & Legal Order Civil Admin. Transport Chemical & Nuclear Industry Space & Research AU BE CZ Emergency services DK EE Rescue services FI FR Industry DE Media & Culture EL HU Industry IT MT NL PL Rescue systems SK Industry Postal ES UK Emergency services CH Industry Other 15

Transport Chemical & Nuclear Industry Space & Research AU BE CZ Emergency services DK EE

Cyber Security is not only technical Operational and organisational Understand who does what, what to do, who to report to Important in case of a crisis Certification schemes can help To

16 Cyber Security is not only technical Operational and organisational Understand who does what, what to do, who to report to Important in case of a crisis Certification schemes can help To secure systems and components ( chain of trust ) To validate cyber security skills of personnel Challenges No harmonisation across Europe Certification is not mandatory Lack of incident report 16

secure systems and components ( chain of trust ) To validate cyber security skills of personnel

Certification of skills in ICS/SCADA Ensure security skills of all personnel From operational to top management Importance in case of a crisis The report evaluates

17 Certification of skills in ICS/SCADA Ensure security skills of all personnel From operational to top management Importance in case of a crisis The report evaluates sectorial needs List existing certification schemes Recommendations for a harmonised certification scheme Certification is part of a global approach to enhanced cyber security 17

sectorial needs List existing certification schemes Recommendations for a harmonised

18 Conclusion

19 Conclusion ENISA s work to enhance cyber security A practical approach Not only technical Targeted at different stakeholders Promote a multi-stakeholders collaboration Anticipate future regulation Promote harmonisation in the EU Work with the private sector and Member States Enhancing Cyber Security is a global effort 19

collaboration Anticipate future regulation Promote harmonisation in the EU Work

Thank you Dr. Cédric LÉVY-BENCHETON cedric.

20 Thank you Dr. Cédric LÉVY-BENCHETON ENISA.europa.eu

Cyber Security for Railway Signalling

Cyber Security for Railway Signalling Dr. Cédric LÉVY-BENCHETON Network and Information Security Expert European Union Agency for Network and Information Security How to protect signalling system against