European Union Agency for Network and Information Security (ENISA) – Cooperation in the EU / NIS Directive | Paulo Empadinhas | Head of Administration & Stakeholders Relations | IT STAR | Milan, Italy | 28th October 2016


Page 1

European Union Agency for Network and Information Security

Page 2

The EU Cyber Security Agency Securing Europe’s Information Society

Page 3

Positioning ENISA activities

Page 4

Agenda

1 ENISA, NCSS and the NIS Directive

2 Critical Information Infrastructure Protection

3 Building Capabilities on Cyber Security

4 Security in emerging technologies

5 Conclusion

Page 5

EU Policy Context

• EU Cyber Security Strategy (COM)

• eIDAS Regulation – article 19

• EU Cloud Computing Strategy and Partnership (COM)

• Telecom Package – article 13a, article 4

• ENISA II – new mandate

• The NIS Directive

• EU’s CIIP action plan

Page 6

The NIS Directive

About the NIS Directive (overview diagram):

• Strategic level: Cooperation Group

• Tactical/Operational level: CSIRTs Network

• National Cyber Security Strategies

• Security Requirements and Incident Reporting, applying to:

  • Operators of Essential Services: Transport; Energy; Drinking water supply and distribution; Banking and Financial market infrastructures; Digital Infrastructure (DNS, IXPs, TLD); Healthcare

  • Digital Service Providers: Cloud Computing Services; Online Marketplaces; Search Engines

Page 7

National Cyber Security Strategies

25 NCSS in EU; a few under development

Effective cooperation between public stakeholders

Overlaps in mandates

Lack of resources

Evaluation of NCSS is an issue

https://www.enisa.europa.eu/activities/Resilience-and-CIIP/national-cyber-security-strategies-ncsss/national-cyber-security-strategies-in-the-world

Page 8

ENISA NCSS EU map

ENISA supports the MSs through:

• ENISA NCSS Expert Group & Art. 14 Requests

• E-Learning & Workshops

• ENISA Reports

Page 9

NCSS Lifecycle

NCSS | Secure Infrastructure and Services Unit | ENISA

Page 10

Strategic Objectives of NCSS

Page 11

ENISA supporting Critical Sectors

Page 12

Critical Sectors in the EU

Bar chart – number of examined countries identifying each sector as critical:

• Space & Research: 3

• Chemical & Nuclear Industry: 3

• Civil Admin.: 8

• Public & Legal Order: 11

• Health: 13

• Financial: 14

• Water: 14

• ICT: 16

• Transport: 18

• Energy: 18

Critical Sectors identified by 17 examined Member States and 1 EFTA.

Page 13

CIIP Governance – EU Member States

Three profiles of CIIP governance: Centralised approach | Decentralised approach | Co-regulation with private sector

Centralised approach

• Central authority across sectors.

• Comprehensive legislation.

• Example: France

Centralised characteristics (diagram): Public Agency → Sector, for each sector

Decentralised approach

• Principle of subsidiarity.

• Strong cooperation between public agencies.

• Sector-specific legislation.

• Example: Sweden

Decentralised characteristics (diagram): Public Agency → Sector, for each sector, coordinated through a Council

Co-regulation with private sector

• Institutionalised cooperation with the private sector.

• Horizontal relationship between public and private parties.

• Example: The Netherlands

Co-regulation characteristics (diagram): Public Agency → Sector, with a PPP linking the public agency and Private Actors

Page 14

Key findings in EU MS’s CIIP Governance: Public-private Cooperation | Incident Reporting

Cooperation between private and public stakeholders (chart – number of examined countries):

• PPP: 10

• Working groups (or similar): 6

• Informal: 2

Security Incident Reporting (chart – number of examined countries with mandatory incident reporting):

• All sectors: 5

• Limited to specific sectors: 10

• None: 2

Security Incident Reporting

• Only five of 17 examined countries have established mandatory incident reporting across all sectors

• All Member States have implemented mandatory incident reporting in the telecommunications sector

• Other important sectors: Finance, Energy, Public Administration

Public-private Cooperation

• Ten out of 18 examined countries have developed partnerships with private actors

• Trend towards more institutionalised forms of cooperation with the private stakeholders

Page 15

Critical Information Infrastructure Protection in Europe: ENISA’s efforts

• eHealth

• Transport

• Communication networks: Critical Information Infrastructure and Internet Infrastructure

• Finance

• ICS SCADA

• Smart grids

Page 16

Cybersecurity in the energy sector

• Increasing interest by MSs in securing national power grids

• Smart grid is the future energy infrastructure

• EECSP

• ENISA has established relationships with:

  • Public sector (CEER, ACER, ENER)

  • Private sector (EE-ISAC)

• ENISA keeps two stakeholder groups (SG) active:

  • EuroSCSIE

  • EICS

• Key messages:

  • Sharing experiences and deploying good practices improves the situation

  • More involvement by energy utilities and NRAs is required

CIIP | Secure Infrastructure and Services Unit | ENISA

Page 17

Incident Reporting for the Telecom Sector

• Article 13a of the Framework Directive (2009/140/EC) was introduced in the 2009 reform of the EU regulatory framework for electronic communications.

• Art. 13a addresses the security and integrity of public electronic communications networks and services (availability of the service).

• Art. 13a of the Telecom Package:

  • Expert Group with all NRAs (EU and EFTA) & EC

  • Non-binding technical guidelines (strong adoption among MS)

  • 4 years of successful annual reporting from telecoms to NRAs, and then to ENISA and the EC

  • Impact evaluation available March 2016

• More incident reporting schemes:

  • Article 4 on data breaches – Telecom Package

  • Article 19 on breaches of trust services – eIDAS

  • NIS Directive (affecting many sectors)

Page 18

Total reported incidents (numeric), by year:

• 2011: 51

• 2012: 79

• 2013: 90

• 2014: 137

• 2015: 138

Impact on services (percentage), 2011–2015, broken down by service: Fixed telephony, Fixed internet, Mobile telephony, Mobile internet (per-year percentages are not recoverable from the extracted chart).

Page 19

Cyber Security for ICS SCADA

ICS Security Stakeholder Group

Can we learn from SCADA security incidents?

Window of exposure… a real problem for SCADA systems?

Good Practices for an EU ICS Testing Coordination Capability

Certification of Cyber Security skills of ICS/SCADA professionals

EuroSCSIE

Protecting Industrial Control Systems. Recommendations for Europe and Member States

In 2015 ENISA developed a study on ICS SCADA maturity models

Page 20

Cyber Security of Finance Sector

Challenges

• Unclear regulatory and policy environment

• Not enough awareness of challenges coming from new technologies by industry and regulatory authorities

• Implementation of the NIS Directive in the Finance Sector:

  - Minimum security measures

  - Incident reporting

  - Information sharing

Recommendations

• EU-wide harmonisation of legal and regulatory requirements

• Bridge the knowledge and awareness gap on cyber security of new technologies

• Good practices and guidelines in the area of NIS

Next steps

• Cooperate with regulators to harmonise the requirements:

  - for Cloud adoption in finance

  - Incident reporting and security measures

• Help raise awareness of cyber security challenges of new technologies

• Promote good practices in incident reporting and certifications

Page 21

eHealth Cyber Security

Challenges

• Electronic Health Records are one of the most critical systems in all MS

• There is no specific regulation on the protection of critical eHealth infrastructures; either the general IT law applies or there is no provision

• Cross-border incidents remain a grey area for the MS, as there are no specific guidelines for information exchange

Recommendations

• Identify and classify the critical eHealth infrastructures at national level

• Introduce cyber security guidelines for the protection of the critical eHealth infrastructures

• Invest in an incident reporting scheme and minimum security measures for eHealth organisations

Next steps

• Smart Hospitals: Cyber Security Threats

• Healthcare and Cloud Computing

Page 22

Conclusions

1 Cyber attacks on CIIs are now the norm rather than a future trend.

2 Failure to detect threats is often more costly than false alarms.

3

MS and the private sector, with the assistance of ENISA, should co-operate to protect CIIs by:

• sharing experiences and information

• developing and deploying good practices

• co-operating with NRAs to achieve EU-wide harmonisation of EU regulations

4 “Collaboration is Everything”.

Page 23

PO Box 1309, 710 01 Heraklion, Greece

Tel: +30 28 14 40 9710

[email protected]

www.enisa.europa.eu

Thank you
