Industrial Control System Security Workshop - Update of EU NIS & CIIP policy 16 September 2011 Alejandro PINTO European Commission Directorate General Information Society and Media - DG INFSO Unit A3 Internet Governance; Network and Information Security [email protected]  

2. Alejandro Pinto - EC Policy Context 16 Sept 2011


7/28/2019 2. Alejandro Pinto - EC Policy Context 16 Sept 2011

http://slidepdf.com/reader/full/2-alejandro-pinto-ec-policy-context-16-sept-2011 1/37

Industrial Control System Security Workshop - Update of EU NIS & CIIP policy

16 September 2011

Alejandro PINTO

European Commission

Directorate General Information Society and Media - DG INFSO

Unit A3 – Internet Governance; Network and Information Security

[email protected] 


NIS & CIIP: The EU Policy Framework

• 2004: Establishment of the European Network and Information Security Agency - ENISA

• 2006: European Commission Strategy for a Secure Information Society - COM(2006)251

• 2006: COM on European Programme for Critical Infrastructure Protection

• 2007: Council Resolution on a Strategy for a Secure Information Society in Europe [2007/C 68/01]

• 2008: Directive on Identification and Designation of European Critical Infrastructures

• Mar 2009: COM on Action Plan on Critical Information Infrastructure Protection - CIIP

• Dec 2009: Council resolution on a collaborative European approach to NIS [2009/C 321/01]

• May 2010: Adoption of the European Digital Agenda

• Mar 2011: COM on CIIP: achievements and next steps

• April 2011: COM on Smart Grids: From innovation to deployment


EU policies on NIS and CIIP

NIS has never been so high on the EU political agenda

President Barroso, “Political guidelines for the next Commission”, 3 September 2009:

• “The next Commission will develop a European Digital Agenda […] to tackle the main obstacles to a genuine digital single market, promote investment in high-speed Internet and avert an unacceptable digital divide. Because of the increasing dependence of our economies and societies on the Internet, a major initiative to boost network security will also be proposed.”


Network & Information Security (NIS): Facts

• Increasing economic and social dependency on ICT vs growing sophistication of threats

• Network and Information Security (NIS) is a key enabler for trust and is a shared responsibility.

• Global interconnection vs lack of transnational cooperation

Operational responsibility with private sector while public policy responsibility lies with governments

• Limited incentives for wide NIS uptake

• Fragmentation of NIS regimes and market maturity in MS


Network and Information Security: Challenges

• Make security and resilience the front line of defence of critical ICT infrastructures

• Develop a risk management culture in the EU

• Identify socio-economic incentives

• Promote openness, diversity, interoperability, usability, competition

• Boost policy and operational cooperation (e.g. pan-European security incident exercises)


Recent policy developments

• May 2010, Digital Agenda

• 20 November 2010: Establishment of the EU-U.S. Working Group on Cybersecurity and Cybercrime – EU-U.S. Summit – Lisbon

• 22 November 2010: Adoption of EU Internal Security Strategy

• CIIP COM(2011)163 “Achievements and next steps: towards global cyber-security”


A Digital Agenda for Europe - COM(2010)245

The Seven Priority areas for action

1. Creating a Digital Single Market

2. Improving the framework conditions for interoperability between ICT products and services

3. Boosting Internet trust and security

4. Guaranteeing the provision of much faster internet access

5. Encouraging investment in research and development

6. Enhancing digital literacy, skills and inclusion

7. Applying ICT to address social challenges such as climate change, rising healthcare costs and the ageing population.

“Every European Digital” N. Kroes – May 2010


Overview of Pillar 3 “Trust and Security”

[Diagram. Recoverable labels:]

• KA 6 (28) – NIS Policy

• KA 7 (29) – Measures on cyberattacks

• 30 – EU platform by 2012

• 31 – Create European Cybercrime center

• 32 – Cooperation on cybersecurity

• 33 – EU cyber-security preparedness

• 34 – Explore extension of personal data breach notification

• 35 – Implementation of privacy and personal data protection

• 36 – Support for reporting of illegal content

• 37 – Dialogue and self-regulation minors

• 38 – Network of CERTs by 2012

• 39 – MS Simulation exercises as of 2010

• 40 – Harmful content hotlines and awareness campaigns

• 41 – National alert platforms by 2012

Area labels: Cybersecurity preparedness; Cybercrime; Safety and privacy of online content and services

Other labels: ENISA; EU institutions CERT; ToolBox; Regulation for mandate and duration; EFMS; EP3R; Observer in Cyberstorm; EPCIP; CIIP Conference; Expert Group

Legend: Commission action; Member States action; INFSO CdF; HOME CdF; Others COM CdF


EU-U.S. Working Group on Cybersecurity and Cybercrime

The EU-US Working Group on Cyber-security and Cyber-crime (EU-US WG) was established in the context of the EU-US summit of 20 November 2010 held in Lisbon to “tackle new threats to the global networks upon which the security and prosperity of our free societies increasingly depend”. The EU-US WG “will address a number of specific priority areas and will report progress within a year”.

• Cyber Incident Management (TTX exercise and a cooperation program)

In 2011, EC and US will develop a common programme and roadmap towards joint/synchronised trans-continental cyber exercises in 2012/2013

• Public Private Partnership


EU-U.S. Working Group on Cybersecurity and Cybercrime

The EU-US Expert Sub-Group on Public Private Partnerships:

Deliverables:

• Briefings/reports on specific topics of mutual interest including best practices and models to engage with the private sector; national approaches/programs for addressing botnets; private sector cybersecurity good practices; legislative developments; and others, as identified.

• A strategy and an action plan to engage the private sector in cooperative activities with governments, on selected areas, including development of agreed guidelines, principles, best practices, and/or standards.

• Common principles and guidelines on the resilience and stability of the Internet as well as on a reliable access to it.


EU-U.S. Working Group on Cybersecurity and Cybercrime

The EU-US Expert Sub-Group on Public Private Partnerships:

Initially, ESG focus will be maintained on achieving measurable and beneficial outcomes in the following areas:

• EU and US coordinated efforts to fight botnets;

• Cyber Security of industrial control systems and Smart grids;


EU-U.S. Working Group on Cybersecurity and Cybercrime

CYBER SECURITY OF INDUSTRIAL CONTROL SYSTEMS AND SMART GRIDS

Proposed tasks:

Stock taking and comparative analysis of existing initiatives, pilots, good practices and methods, in particular addressing ICT risks (threats, vulnerabilities), privacy and security.

Input from EU side:

• Activities at national level (NL, DE, UK, SE…) as well as at European level (Euro-SCSIE, possibly via Member States experts in the ESG and during the stock taking of the ENISA studies on ICS and Smart Grids)

• Ongoing ENISA studies on Industrial control systems and Interdependencies of ICT sector to energy

• Activities of the Expert Group on the security and resilience of communication networks and information systems for Smart Grids, composed of European public and private stakeholders. The last meeting of this Expert Group took place on 21 June 2011.


EU-U.S. Working Group on Cybersecurity and Cybercrime

CYBER SECURITY OF INDUSTRIAL CONTROL SYSTEMS AND SMART GRIDS

Input from US side:

Experiences in international public-private coordination to mature acceptance of voluntary security standards.

Specific methodology and mechanisms to engage with the private sector to achieve cooperation and mutual engagement in public-private control system security coordination.

Deliverables:

• Strategy for EU and US engagement on the control system/smart grid priority area;

• Plan of Action for EU and US public private engagement on cyber security of industrial control systems and Smart grids; this will also draw on an analysis of existing coordination bodies for security of industrial control systems and highlighting best practices for voluntary participation developed within them.


CIP – European Context

Need for action at the European level to enhance the protection and resilience of critical infrastructures: In June 2004, the European Council asked for an overall strategy to protect critical infrastructures

On 12 December 2006, the Commission adopted the Communication on a European Programme on Critical Infrastructure Protection EPCIP (COM(2006)786) with the objective of improving the protection of critical infrastructures in the EU.

EPCIP framework:

• A procedure for the identification and designation of ECI

• Measures: Critical Infrastructure Warning Information Network (CIWIN), use of CIP expert groups, CIP information sharing, identification and analysis of interdependencies.


C(I)IP – European Context

Because of their horizontal nature with inter-linkages into many other critical infrastructures, the protection of communication and information infrastructure is a priority


Communication on CIIP - COM(2009)149

Objectives and scope

• High level objectives

– Protect Europe from large scale cyber attacks and disruptions

– Promote security and resilience culture (first line of defence) & strategy

– Tackle cyber attacks & disruptions from a systemic perspective

• Means

– Enhance the CIIP preparedness and response capability in EU

– Promote the adoption of adequate and consistent levels of preventive, detection, emergency and recovery measures

– Foster International cooperation, in particular on Internet stability and resilience

• Approach

– Build on national and private sector initiatives

– Engage public and private sectors

– Adopt an all-hazards approach

– Be multilateral, open and all inclusive


Communication on CIIP “Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience” - COM(2009)149

The five pillars of the CIIP Action Plan:

1. Preparedness and prevention

2. Detection and response

3. Mitigation and recovery

4. International Cooperation

5. Criteria for European Critical Infrastructures in the ICT sector


CIIP COM(2011)163 “Achievements and next steps: towards global cyber-security”

• Adopted on 31 March 2011

• Takes stock of results achieved since 2009 CIIP action plan

• Builds on existing policy initiatives, in particular Digital Agenda, Stockholm Action Plan and ISS

• Describes next steps at European and International level


CIIP COM(2011)163 “Achievements and next steps: towards global cyber-security”

• Threats and risks

– exploitation purposes (e.g. GhostNet, ETS, recent attacks against government systems and EU Institutions)

– disruption purposes (e.g. Conficker, StuxNet, submarine cable breaks)

– “destruction purposes. This is a scenario that has not yet materialised but, given the increasing pervasiveness of ICT in Critical Infrastructures (e.g. smart grids and water systems), it cannot be ruled out for the years to come”


CIIP COM(2011)163 “Achievements and next steps: towards global cyber-security”

• EU and the global context

– A purely European approach is not sufficient and needs to be embedded into a global coordination strategy

– The DAE calls for the “cooperation of relevant actors […] to be organised at global level to be effectively able to fight and mitigate security threats” and sets out the goal to “work with global stakeholders notably to strengthen global risk management in the digital and in the physical sphere and conduct internationally coordinated targeted actions against computer-based crime and security attacks”


CIIP COM(2011)163 “Achievements and next steps: towards global cyber-security”

Preparedness and prevention (1/3)

• European Forum for Member States (EFMS)

Achievements

- Progress on ICT criteria for ECIs, identification of priorities for Internet resilience and stability, exchange of policy practices.

Next steps

- To finalise discussion on ICT criteria for ECIs;

- To be further involved in discussions on International priorities on security and resilience (e.g. EU-US WG);

- To focus on CERTs cooperation, security incentives, driving pan-European exercises.


CIIP COM(2011)163 “Achievements and next steps: towards global cyber-security”

Preparedness and prevention (2/3)

• European Public-private Partnership for Resilience (EP3R)

Achievements

- 2010: ENISA Three WGs launched within EP3R;

- A modernised ENISA would provide a long-term and sustainable framework for EP3R.

Next steps

- WGs to deliver first results;

- EP3R to be leveraged in support of the EU-US WG on Cyber-security and Cyber-crime.


CIIP COM(2011)163 “Achievements and next steps: towards global cyber-security”

Preparedness and prevention (3/3)

• Baseline of capabilities and services for pan-European cooperation

Achievements

- 2010: ENISA gave recommendations on baseline capabilities for Nat/Gov CERTs;

- 20 MS with Nat/Gov CERTs in place*.

Next steps

- ENISA to continue to support MS – towards well-functioning network of CERTs at national level by 2012 (DAE);

- ENISA to cooperate with Nat/Gov CERTs towards EISAS by 2013 (ISS).

* Based on information provided to ENISA by MS


CIIP COM(2011)163 “Achievements and next steps: towards global cyber-security”

Detection and response

• European Information Sharing and Alert System (EISAS)

Achievements

- FISHA and NEISAS currently producing results

- ENISA devised a high-level roadmap for development of EISAS by 2013

Next steps

- 2011: ENISA to support MS by developing basic services needed for national ISAS

- 2012: ENISA to develop “interoperability services”


CIIP COM(2011)163 “Achievements and next steps: towards global cyber-security”

Mitigation and Recovery (1/2)

• National contingency planning and exercises

Achievements

- To date, 12 MS* have carried out cyber-exercises at national level

Next steps

- ENISA to continue to support MS in developing national contingency plans

* Based on information provided to ENISA by MS


CIIP COM(2011)163 “Achievements and next steps: towards global cyber-security”

Mitigation and Recovery (2/2)

• Pan-European exercise on large-scale network security incidents

Achievements

- Cyber Europe 2010 carried out on 4th November 2010

Next steps

- Eurocybex project

- MS to work on future pan-European exercise to take place in 2012

- ENISA to work with MS on a EU cyber-incident contingency plan by 2012


CIIP COM(2011)163 “Achievements and next steps: towards global cyber-security”

ICT sector criteria for ECIs

• Sector specific criteria for identifying European Critical Infrastructures in the ICT sector

Achievements

- Development within EFMS of draft criteria of fixed/mobile communications and the internet

Next steps

- EFMS to complete discussions by 2011

- EC to discuss with MS on ICT-sector elements for review of Directive 2008/114/EC


Cyber security and resilience of Smart Grids: Problem Statement

• The Smart Grids concept brings improvement in operations and services, but at the cost of exposing the entire electricity network to new challenges, in particular in the field of cyber security.

• ICT infrastructures, as the underpinning platform, have become critical to the energy sector, without which some services (e.g. in electricity transmission and distribution) could come to an abrupt halt. At the extreme, vulnerabilities of communication networks and information systems of Smart Grids may be exploited for financial or political motivation to shut off power to large areas or to direct cyber-attacks against power generation plants.


Expert Group on Security and Resilience of communication networks and information systems for the Smart Grid

The European Commission (EC), with the support of the European Network and Information Security Agency (ENISA), convened an Expert Group for:

I. Better understanding of the views and objectives of the private and public sectors on the ICT security and resilience challenges for the smart grids.

II. Identification and discussion about the related policy at EU level.


The Policy Context for the Expert Group

COM(2011) 163 on Critical Information Infrastructure Protection

“destruction purposes. This is a scenario that has not yet materialised but, given the increasing pervasiveness of ICT in Critical Infrastructures (e.g. smart grids and water systems), it cannot be ruled out for the years to come”

COM(2011) 202 on Smart Grids

“The Commission will continue bringing together the energy and ICT communities within an expert group to assess the network and information security and resilience of Smart Grids as well as to support related international cooperation.”


Expert Group: Concrete objectives

The Expert Group is discussing how to strengthen at European Level the security and resilience of communication networks and information systems for Smart Grids.

Objective 1

Identify European priority areas for which action should be undertaken to address the security and resilience of communication networks and information systems for Smart Grids. The Expert Group is also expected to define recommendations on how to progress on each priority area at European level.


Expert Group: Concrete objectives

Objective 2

Identify which elements of the smart grid should be addressed by the Expert Group (e.g. smart appliances, smart metering, smart distribution, smart (local) generation, smart transmission) and to what level. The use of an existing common concept model should be considered.

The Expert Group will:

• Identify key strategic and high level requirements

• Identify a good practices guideline based on lessons learned

• Propose mechanisms/messages to raise awareness of decision makers


Expert Group: How to achieve objectives - State of Play

Sub-Working Group 1: ICT security and resilience of Smart Grids: High Level Risk Analysis and Security Requirements

Objective: Identify and explore policy issues related to risk analysis; and formulation of high level security requirements and measures to reduce risk levels to acceptable levels and to improve the resilience of the network.

Policy issues will include (but not limited to): objectives of risk analysis, enumeration of levels at which stakeholders should conduct risk analysis, process for prioritizing risk, categories of security requirements, attributes of security measures, and phases and stages for risk mitigation.

Sub-Working Group 2: Challenges and recommendations for ICT security and resilience of Smart Grids

Objective: To identify European challenges of ICT security and resilience of Smart Grids and propose actions to be undertaken.

Challenges for securing the communication networks and information systems that will be central to the performance and availability of the Smart Grid. Exploring and setting the road ahead to address these challenges, and identify the European stakeholders which are affected by these challenges and therefore should be involved in the development of measures to address them.

Moreover, a small group of experts will work on a Work Program for the Expert Group taking into consideration, among others, the activities of the two sub-Working Groups


Networking of initiatives

The Expert Group is also well engaged with related initiatives at EU and international level:

• Task Force Smart Grid (Expert Group 2)

• CEN/CENELEC/ETSI Smart Grids Co-ordination Group and its subgroup on Smart Grid Information Security

• EuroScsie

• US NIST - Cyber security Working Group


EU Policy on NIS and CIIP

Thanks!


Web Sites

• EU policy on Critical Information Infrastructure Protection – CIIP
http://ec.europa.eu/information_society/policy/nis/strategy/activities/ciip/index_en.htm

• A Digital Agenda for Europe
http://ec.europa.eu/information_society/digital-agenda/index_en.htm

• EU policy on promoting a secure Information Society
http://ec.europa.eu/information_society/policy/nis/index_en.htm


Links to policy documents

• Commission Communication on Critical Information Infrastructure Protection – "Achievements and next steps: towards global cyber-security" - COM(2011) 163
http://ec.europa.eu/information_society/policy/nis/docs/comm_2011/comm_163_en.pdf

• Digital Agenda for Europe - COM(2010)245 of 19 May 2010
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2010:0245:FIN:EN:PDF

• The EU Internal Security Strategy in Action: Five steps towards a more secure Europe COM(2010)673
http://ec.europa.eu/commission_2010-2014/malmstrom/archive/internal_security_strategy_in_action_en.pdf

• Commission Communication on Critical Information Infrastructure Protection – "Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience" - COM(2009) 149
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2009:0149:FIN