The European Platform in Network and Information Security (NIS)
Fabio Martinelli, Istituto di Informatica e Telematica, Consiglio Nazionale delle Ricerche (IIT-CNR), Pisa, Italy
Cyber security directive (Network and Information Security, NIS)
A new initiative launched by the Commission for member states and companies in order to support the adoption of the new Cyber Security Directive (launched in Jan 2013, revised this Jan.).
The aim of the proposed Directive is to ensure a high common level of network and information security (NIS). This means improving the security of the Internet and of the private networks and information systems underpinning the functioning of our societies and economies. This will be achieved by requiring the Member States to increase their preparedness and improve their cooperation with each other, and by requiring operators of critical infrastructures, such as energy, transport, and key providers of information society services, as well as public administrations, to adopt appropriate steps to manage security risks and report serious incidents to the national competent authorities.
Cyber security directive (NIS) - 2
The directive mainly addresses the necessity to increase the cyber security level of all the member states. In particular:
- consolidation and cooperation of national CERTs able to share incident information;
- creation of national preparedness plans for cyber security (including authorities etc.), including risk management plans.
Cyber security directive (NIS) - 3
At the national level it recommends:
(a) The definition of the objectives and priorities of the strategy based on an up-to-date risk and incident analysis;
(b) A governance framework to achieve the strategy objectives and priorities, including a clear definition of the roles and responsibilities of the government bodies and the other relevant actors;
(c) The identification of the general measures on preparedness, response and recovery, including cooperation mechanisms between the public and private sectors;
(d) An indication of the education, awareness raising and training programmes;
(e) Research and development plans and a description of how these plans reflect the identified priorities.
Cyber security directive (NIS) - 4
Among the requirements:
Member States shall ensure that public administrations and market operators take appropriate technical and organisational measures to manage the risks posed to the security of the networks and information systems which they control and use in their operations. Having regard to the state of the art, these measures shall guarantee a level of security appropriate to the risk presented. In particular, measures shall be taken to prevent and minimise the impact of incidents affecting their network and information system on the core services they provide and thus ensure the continuity of the services underpinned by those networks and information systems.
The NIS platform
To support the EU cyber security directive, the EU decided to create a public/private cooperation in the form of an EU platform on Network and Information Security (NIS):
- A unique opportunity to better understand NIS challenges, threats and risks;
- A platform for bringing together policy and technical experts to debate the current and future challenges;
- A platform for influencing future R&D on NIS issues.
Topics of the NIS platform
1. Organisational measures: practices to define, guide or evaluate an organisation's cybersecurity, specifically its capability to identify, assess and mitigate cybersecurity risks, and to deter and handle incidents (risk management for cyber security).
2. Secure products and services: practices to demonstrate the ability of products or services to provide a good level of cybersecurity performance as part of the ICT value chain (assurance).
3. Metrics, measurement and language / taxonomy for cyber risk: practices for measuring, describing and evaluating cyber risks, impacts, threats, controls, etc. (metrics and measurements for cybersecurity).
4. Information exchange: practices for the exchange of cyber incident information, to allow cyber incident reports to be understood and acted upon in the framework of complex cooperation schemes, and to facilitate a high-level view of all cyber incidents, which helps in spotting trends and directing resources (information exchange).
5. Cybersecurity resources: practices to manage and develop cybersecurity knowledge, skills and resources within an organisation or a sector (cybersecurity best practices).
WGs structure
Eventually three WGs were established (two mainly operational and one mainly research & innovation oriented):
- WG1 on Risk Management aims to identify best practice in cybersecurity risk management activities, provide guidance to enhance levels of information security and facilitate the voluntary take-up of the practices;
- WG2 on Information Sharing aims to promote the sharing of cyber threat information and incidents and to allow coordination in both the public and private segments of the EU;
- WG3 on Secure ICT R&I will address issues related to cyber security research and innovation in the context of the EU Strategy for Cyber Security.
WG3 deliverables: WG3 main deliverables
WG3 initial activities
WG3 met on Sept. 27 and Dec. 12:
- Get participants to know each other;
- Contribute to the terms of reference (ToR);
- Share knowledge and content related to the Strategic Research Agenda (SRA);
- Draft a structure that facilitates this work.
WG3 steps achieved
SRA ToC: Strategic Research Agenda ToC (draft):
- Executive Summary
- Introduction
- Background
- Description of Area of Interest
  - Description of the AoI's vision
  - Description of the issues and challenges
  - Identification of Technology, Policy and Regulation Enablers / Inhibitors
- Gap analysis (tech., policy, regulation, and competences) for achieving the vision
SRA ToC (II): ToC (draft), continued:
- Cross-analysis of all areas of interest's enablers and inhibitors
  - Finding commonalities (e.g., two enablers shared by AoIs)
  - Finding conflicts (e.g., one enabler becomes an inhibitor)
- Giving research priorities
- Roadmap
  - Timelines
  - Identification of R&D&I instruments
  - Key performance indicators
- Other aspects such as economic and social benefits (using results from the business and education deliverables)
- Bibliography
- Appendix
Deliverable: Strategic Research Agenda (SRA): Areas of Interest
Thanks!