Cyber Security in EU: ENISA approach
Konstantinos Moulinos, Security Expert, European Union Network and Information Security Agency
Norwegian Energy Days 2015, Oslo
European Union Agency for Network and Information Security
Securing Europe's Information Society
Operational Office in Athens
Positioning ENISA activities
Terms and interrelationships
- Critical Infrastructure Protection*
- Energy
- Energy sector (e.g. gas, nuclear) security & safety
- Energy sector cybersecurity
- Smart grid cybersecurity
- National Cybersecurity Strategies
EU Policy Context: Energy and CIIP
- Directive 114/2008
- EU's CIIP action plan
- Proposal for a NIS Directive
- EU Cyber Security Strategy (COM
- Digital Single Market strategy
Why cyber?
- ICS-CERT Year in Review 2014
- HP Enterprise Security's 2014 Global Report on the Cost of Cyber Crime by the Ponemon Institute
- Many incidents but no major disruptions yet
- Everybody agrees that we have to do something, but what?
Cyber security management
- Smart grid dependencies on telcos
- Smart grid threat landscape
- Risk assessment
- Information Security Intelligence
- Smart grid devices certification
- ICS SCADA security
- Governance and roles
- Appropriate security measures
- Cost of implementation
- Security measures
- Incident Reporting
- Cyber Security is not only technical but also operational and organisational?
- Root causes?
- Assets affected
Governance models report: Why?
- Low participation of public authorities in EG2 ad hoc group on Smart grid security measures
- Overlapping mandates amongst different national authorities
- TSOs do not consider smart grid security as their problem
- Energy regulators usually not empowered with cyber security mandate
- Smart grids an emerging area, sometimes not covered by CIIs
Status of existing governance models
Legend:
- Size: Roles and Responsibilities
  - Small: No roles and responsibilities defined
  - Medium: Definition ongoing
  - Large: Roles and responsibilities already defined
- Color: Smart Grid Cybersecurity Framework
  - Red: Existing Smart Grid Cybersecurity Framework
  - Blue: No existing Smart Grid Cybersecurity Framework
- Sub-quadrants position: Smart Grids and Critical Infrastructure Protection
  - Right: Smart Grid part of National Cyber Security Strategy (NCSS)
  - Left: Smart Grid not part of NCSS
  - Up: Smart Grids part of National Critical Infrastructures (NCIs)
  - Down: Smart Grids not part of NCIs
An example of Incident Reporting: Telecoms
- Most major outages were caused by software bugs and hardware failures
- [Chart: Detailed Causes and Affected Assets (Percentage of all incidents)]
- Most major outages affected base stations and switches
ENISA effort in Smart Grids
- Challenging area, emerging technology
- Different types of stakeholders
- Various sizes of organizations
- Not a clear view of the market
- Setting baseline cyber security measures for Smart Grids: not an easy task, consensus is needed
- ENISA aims to reach better harmonisation across the EU, this way contributing to the Digital Single Market Strategy
- Collaboration with the European Commission Smart Grids Task Force (SGTF)
- Adoption by the SGTF EG2 and CEN/CENELEC/ETSI Smart Grid Coordination Group
- Practical guide to deploy baseline security measures
- This year ENISA is developing a study on smart grid dependencies on telcos (expected mid of Nov.)
ENISA efforts
- EuroSCSIE
- ICS Security Stakeholder Group
- Protecting Industrial Control Systems. Recommendations for Europe and Member States
- Can we learn from SCADA security incidents?
- Window of exposure a real problem for SCADA systems?
- Good Practices for an EU ICS Testing Coordination Capability
- Certification of Cyber Security skills of ICS/SCADA professionals
- This year ENISA is developing a study on ICS SCADA maturity models (expected mid of November)
like curling
Information Sharing
- ERNCIP: European Reference Network for Critical Infrastructure Protection
- TNCEIP: Thematic Network on Critical Energy Infrastructure Protection
- DENSEK: European Energy - ISAC
- NIS platform
- ENISA SISEC: Smart Infrastructures Security Experts Community
- ENISA ICS Security Stakeholder Group
- Collaboration with: CEER, ACER, ENTSO-E, Eurelectric
Trends
- Mandatory incident reporting (EU)
- Information sharing and analysis (EU)
- Baseline security measures (EU)
- National risk assessment (MS)
- Compliance audits (MS)
Key recommendations
- Governance Model
- Foster R&D
- Cybersecurity as a Requirement
- Identify and Analyze Cost of Cybersecurity Measures
- Common EU Energy Cybersecurity Framework
- Trusted Information Sharing Initiatives
- Increase User Awareness
- National Risk Assessment
- National Energy Cybersecurity Framework
- Incident Response Capabilities and Report Mechanisms
- Definition of Roles and Responsibilities
- Join International Forums and WG
- Collaboration Platform
- National Forum on Energy Cybersecurity
- Support Dialogue Among Stakeholders
- Define Baseline Security Requirements
Open issues / Next Steps
- Identification of good practices for Energy Sector incident reporting
- Certification of smart grid components and systems
- Definition of EU baseline security requirements
- A roadmap for more harmonized national certification approaches
- Certification of smart grid cyber security skills
- Incident response capability for smart grids and relationships to existing national ICS-CERT/Gov CERTs
- Bring competent authorities on board
Conclusions
- Cyber Security becomes important for the well functioning of the society and economy
- Critical Services and Infrastructures (including energy) should be better protected from cyber attacks and threats
- MS recognize the importance and develop NCSS
- A more coordinated cybersecurity approach is needed to address cyber security issues for different energy subsectors (e.g. gas, nuclear)
- ENISA develops good practices for EU MS and Private Sector to address the emerging issues
- Sharing experiences and deploying good practices improves the situation quickly
- When it is necessary, additional regulatory measures are introduced to resolve issues
- More involvement by NRAs is required
Konstantinos Moulinos
resilience@enisa.europa.eu
http://www.enisa.europa.eu/act/res