European Union Agency for Network and Information Security

Cyber security for Smart Infrastructures in Europe

Dr. Cédric Lévy‐Bencheton | NIS Expert

ETSI Security Week | Sofia‐Antipolis | 24 June 2015


ENISA’s activities


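Critical Sectors in EU28 + EFTA

[Table: critical sectors by country; cell values not preserved. Sectors: Energy, ICT, Water, Food, Health, Financial, Public & Legal Order, Civil Admin., Transport, Chemical & Nuclear Industry, Space & Research. Countries: AU, BE, CZ, DK, EE, FI, FR, DE, EL, HU, IT, MT, NL, PL, SK, ES, UK, CH.]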


Critical Information Infrastructure Protection in Europe: ENISA efforts

• Finance
• Transport
• eHealth
• Communication networks: Critical Information Infrastructure and Internet Infrastructure


On the importance of securing smart infrastructures

New and emerging risks

• ICT dependency is generalised
• Cohabitation between IP‐connected systems and older (legacy) systems

Threats with consequences on the society

• Economic consequences, but not only
• Smart Infrastructures’ operators are not security experts
• Lack of clarity on the concept of “cyber security”

Cyber security measures are not only technical but also operational and organisational


How to secure Smart Infrastructures?

Several actions are possible

• Usually, after a risk assessment
• Who is responsible? What role for everyone?
• Who invests? Why invest?

ENISA is leading several actions in this direction

• Threat landscape
• Regulation and incident sharing
• Good practices and recommendations
• Collaboration with all stakeholders

Smart operators secure their infrastructures and services

Citizens are protected from cyber threats


ENISA effort in Smart Grids

Challenging area, emerging technology

• Different types of stakeholders
• Various sizes of organizations
• Not a clear view of the market

Setting baseline cyber security measures for Smart Grids

• Not an easy task
• Consensus is needed

ENISA aims to reach better harmonisation across the EU

• Collaboration with the European Commission Smart Grids Task Force (SGTF)
• Adoption by the SGTF EG2 and CEN/CENELEC/ETSI Smart Grid Coordination Group
• Practical guide to deploy baseline security measures


Minimum security measures

Setting a cyber security baseline is not an easy task

• Different stakeholders
• Various sizes of organizations
• Not a clear view of the market

Practical guide to deploy baseline security measures

• 3 degrees of sophistication
• 11 domains of security
• Mapping with ISO/IEC 27002, NISTIR 7628 and ISO/IEC TR 27019


Security measures for Smart Grids: The 11 domains

1. Security governance & risk management
2. Management of third parties
3. Secure lifecycle process for smart grid components/systems and operating procedures
4. Personnel security, awareness and training
5. Incident response & information knowledge sharing
6. Audit and accountability
7. Continuity of operations
8. Physical security
9. Information systems security
10. Network security
11. Resilient and robust design of critical core functionalities and infrastructures

Cyber Security is not only technical but also operational and organisational


Certification schemes for cyber security skills

Certification of components

• Ensure security of the whole supply chain
• Create a “chain of trust” model
• Mapping certification schemes with SGAM and SG‐IS toolbox

Challenges

• No harmonisation in Europe: national certification schemes, ISO 9001, ISO/IEC 27001, IASME…
• Certification is not mandatory
• Lack of incident reporting


Smart Grid Security Certification in Europe: Example for the Business Layer


Smart grid security governance models in Europe

Challenges

• Shared mandate
• TSOs do not consider security as their problem
• Different types of authorities
• Energy regulators usually not involved
• Poor participation of public authorities in EG2

Recommendations for MS and the European Commission

• Establish incident response
• Assess the cost of security measures
• Foster public/private co‐operation
• Common reference framework for harmonization


ENISA Expert Groups

Experts from the industry

• Policy makers
• Public and private sector

Objectives

• Provide ENISA with advice and input
• Comment and validate ENISA deliverables
• Drive selected initiatives and topics
• Identify good practices
• Propose recommendations to policy makers
• Recommend R&D initiatives


Example: collaborations in Smart Grids

Experts from the industry: Policy makers, Public and private sector

• Provide ENISA with advice and input
• Drive selected initiatives and topics
• Identify good practices and propose recommendations

ENISA Collaborations in Smart Grids

• EuroSCSIE
• EU‐US WG on Smart Grids security (losing momentum)
• European Reference Network for Critical Infrastructure Protection
• Thematic Network on Critical Energy Infrastructure Protection
• DENSEK – European Energy ISAC
• NIS platform
• ENISA Smart Infrastructures Security Experts Community (SISEC)


ENISA’s Project in 2015

Security good practices in communication networks for Smart Grids

• Different types of architectures
• Threats related to Internet technologies
• Establish a list of security measures

On‐going interviews

• ENISA looking for participation


Preparing the future

Industry 4.0

• Industrial Internet of Things, Big Data…
• Cyber threats, but real‐world consequences

NIS Directive

• Incident report for Critical Sectors
• Aim: Enhance the global level of security

Collaboration with the industry to focus investments and facilitate compliance

Cyber Physical


Conclusion

ENISA’s work to enhance cyber security

• A practical approach
• Targeted at different stakeholders

Promote a multi‐stakeholder collaboration

• Certified “Chain of trust”
• Harmonisation of governance models in Member States

Prepare the future

• New technologies
• New regulations

Cyber Security for Smart Grid requires a global effort


www.enisa.europa.eu

Thank you

Dr. Cédric LÉVY‐BENCHETON