CIIP: ENISA's Role in Assisting Member States
Steve Purser, Head of Core Operations
SEDE Committee, Brussels, 21 April 2016
European Union Agency for Network and Information Security
ENISA
ENISA was formed in 2004. The original mandate was renewed and extended in 2013. The Agency is a Centre of Expertise that supports the Commission and the EU Member States in the area of information and network security. We facilitate the exchange of information between communities, with particular emphasis on the EU institutions, the public sector and the private sector.
Positioning ENISA activities
ENISA Threat Landscape
Top threats
Critical Information Infrastructure Protection in Europe: ENISA efforts
- Communication networks: critical information infrastructure and Internet infrastructure
- Smart grids
- ICS/SCADA
- eHealth
- Finance
- Transport
National Cyber Security Strategies (NCSS)
- ENISA maintains an interactive map of NCSS on its website
- EU MS currently have different maturity levels
- CIIP is a key subject in NCSSs
- PPPs: limited success so far
- SMEs are, in general, not properly covered
- Overlaps in authorities and mandates
- Assessment of NCSS is an issue
https://www.enisa.europa.eu/activities/resilience-and-ciip/national-cyber-security-strategies-ncsss
Incident Reporting for the Telecom Sector
Article 13a of the Framework Directive (2009/140/EC) was introduced in 2009 by the EU regulatory framework for electronic communications. Art. 13a addresses the security and integrity of public electronic communications networks and services (availability of the service).
Art. 13a of the Telecom Package:
- Expert Group with all NRAs (EU and EFTA) and the EC
- Non-binding technical guidelines (strong adoption among MS)
- Four years of successful annual reporting from telecoms to NRAs and then to ENISA and the EC
- Impact evaluation available March 2016
More incident reporting schemes:
- Article 4 on data breaches (Telecom Package)
- Article 19 on breaches of trust services (eIDAS)
- NIS Directive (affecting many sectors)
[Chart: Incidents per root cause category (percentage), by year 2011, 2012, 2013, 2014; categories: Natural phenomena, Human errors, Malicious actions, System failures]
Cloud Computing Risk Assessment
- Updated Cloud Computing Risk Assessment
- Identifies important security benefits as well as risks in moving to the cloud
- Explains and examines different cloud service models
ICS/SCADA
- EuroSCSIE: ICS Security Stakeholder Group
- Protecting Industrial Control Systems: Recommendations for Europe and Member States
- Can we learn from SCADA security incidents?
- Window of exposure: a real problem for SCADA systems?
- Good Practices for an EU ICS Testing Coordination Capability
- Certification of Cyber Security Skills of ICS/SCADA Professionals
- In 2015 ENISA developed a study on ICS/SCADA maturity models
EU Cybersecurity exercises
- Joint EU-US Cybersecurity Exercise 2011: first transatlantic cooperation exercise. Table-top exercise with what-if scenarios.
- Cyber Europe 2010-2014: large-scale, realistic cyber-crisis exercises. Public and private sector involved. Largest cyber exercise to date.
- Cyber Europe 2016: the exercise will take place in Q4.
- Cyber Exercise Platform (CEP): will offer opportunities for continuous cyber exercising.
More information on: http://www.enisa.europa.eu/c3e
The NIS Directive
Scope: to achieve a high common level of security of NIS within the Union (first EU regulatory act at this level).
Status: adoption pending.
Key provisions:
- Obligations for all Member States to adopt a National NIS strategy and designate National Authorities
- Obliges Member States to designate national competent authorities and CSIRTs
- Creates the first EU cooperation group on NIS, drawn from all Member States
- Creates an EU national CSIRTs network
- Establishes security and notification requirements for Operators of Essential Services (ESP) and Digital Service Providers (DSP)
The NIS Directive (overview diagram)
- National Cyber Security Strategies
- Strategic level: Cooperation Network
- Tactical/Operational level: CSIRT Network
- Security Requirements and Incident Reporting, applying to:
  - Operators of Essential Services: Transport; Energy and Water; Healthcare; Banking and Financial market infrastructures; Digital Infrastructure
  - Digital Service Providers: Cloud Computing Services; Online Marketplaces; Search Engines
Conclusions
ENISA works together with operational communities to identify pragmatic solutions to current security issues. We issue concrete advice on how to improve system security and which implementations to favour. The solutions we propose are based on industry best practice and are therefore known to work. By working in this way, we put security to the service of EU industry and improve the competitiveness of our industries.
Thank you for your attention!
PO Box 1309, 710 01 Heraklion, Greece
Tel: +30 28 14 40 9710
info@enisa.europa.eu
www.enisa.europa.eu