European Union Agency for Network and Information Security
Cyber security for Smart Infrastructures in Europe
Dr. Cédric Lévy‐Bencheton | NIS Expert
ETSI Security Week | Sophia‐Antipolis | 24 June 2015

ENISA’s activities

Critical Sectors in EU28 + EFTA
Sectors: Energy, ICT, Water, Food, Health, Financial, Public & Legal Order, Civil Admin., Transport, Chemical & Nuclear Industry, Space & Research
Countries: AU, BE, CZ, DK, EE, FI, FR, DE, EL, HU, IT, MT, NL, PL, SK, ES, UK, CH

Critical Information Infrastructure Protection in Europe: ENISA efforts
• Finance
• Transport
• eHealth
• Communication networks: Critical Information Infrastructure and Internet Infrastructure

On the importance of securing smart infrastructures
New and emerging risks
• ICT dependency is generalised
• Cohabitation between IP‐connected systems and older (legacy) systems
Threats with consequences for society
• Economic consequences, but not only
• Smart Infrastructures’ operators are not security experts
• Lack of clarity on the concept of “cyber security”
Cyber security measures are not only technical but also operational and organisational

How to secure Smart Infrastructures?
Several actions are possible
• Usually, after a risk assessment
• Who is responsible? What role for everyone?
• Who invests? Why invest?
ENISA is leading several actions in this direction
• Threat landscape
• Regulation and incident sharing
• Good practices and recommendations
• Collaboration with all stakeholders
Smart operators secure their infrastructures and services
Citizens are protected from cyber threats

ENISA effort in Smart Grids
Challenging area, emerging technology
• Different types of stakeholders
• Various sizes of organizations
• Not a clear view of the market
Setting baseline cyber security measures for Smart Grids
• Not an easy task
• Consensus is needed
ENISA aims to reach better harmonisation across the EU
• Collaboration with the European Commission Smart Grids Task Force (SGTF)
• Adoption by the SGTF EG2 and CEN/CENELEC/ETSI Smart Grid Coordination Group
• Practical guide to deploy baseline security measures

Minimum security measures
Setting a cyber security baseline is not an easy task
• Different stakeholders
• Various sizes of organizations
• Not a clear view of the market
Practical guide to deploy baseline security measures
• 3 degrees of sophistication
• 11 domains of security
• Mapping with ISO/IEC 27002, NISTIR 7628 and ISO/IEC TR 27019

Security measures for Smart Grids: The 11 domains
1. Security governance & risk management
2. Management of third parties
3. Secure lifecycle process for smart grid components/systems and operating procedures
4. Personnel security, awareness and training
5. Incident response & information knowledge sharing
6. Audit and accountability
7. Continuity of operations
8. Physical security
9. Information systems security
10. Network security
11. Resilient and robust design of critical core functionalities and infrastructures
Cyber Security is not only technical but also operational and organisational

Certification schemes for cyber security skills
Certification of components
• Ensure security of the whole supply chain
• Create a “chain of trust” model
• Mapping certification schemes with SGAM and SG‐IS toolbox
Challenges
• No harmonisation in Europe: national certification schemes, ISO 9001, ISO/IEC 27001, IASME…
• Certification is not mandatory
• Lack of incident reporting

Smart Grid Security Certification in Europe: Example for the Business Layer

Smart grid security governance models in Europe
Challenges
• Shared mandate
• TSOs do not consider security as their problem
• Different types of authorities
• Energy regulators usually not involved
• Poor participation of public authorities in EG2
Recommendations for Member States (MS) and the European Commission
• Establish incident response
• Assess the cost of security measures
• Foster public/private co‐operation
• Common reference framework for harmonization

ENISA Expert Groups
Experts from the industry
• Policy makers
• Public and private sector
Objectives
• Provide ENISA with advice and input
• Comment on and validate ENISA deliverables
• Drive selected initiatives and topics
• Identify good practices
• Propose recommendations to policy makers
• Recommend R&D initiatives

Example: collaborations in Smart Grids
Experts from the industry: Policy makers, Public and private sector
• Provide ENISA with advice and input
• Drive selected initiatives and topics
• Identify good practices and propose recommendations
ENISA Collaborations in Smart Grids
• EuroSCSIE
• EU‐US WG on Smart Grids security (losing momentum)
• European Reference Network for Critical Infrastructure Protection
• Thematic Network on Critical Energy Infrastructure Protection
• DENSEK – European Energy ISAC
• NIS platform
• ENISA Smart Infrastructures Security Experts Community (SISEC)

ENISA’s Project in 2015
Security good practices in communication networks for Smart Grids
• Different types of architectures
• Threats related to Internet technologies
• Establish a list of security measures
On‐going interviews
• ENISA looking for participation

Preparing the future
Industry 4.0
• Industrial Internet of Things, Big Data…
• Cyber threats, but real‐world consequences
NIS Directive
• Incident reporting for Critical Sectors
• Aim: Enhance the global level of security
Collaboration with the industry to focus investments and facilitate compliance
Cyber Physical

Conclusion
ENISA’s work to enhance cyber security
• A practical approach
• Targeted at different stakeholders
Promote multi‐stakeholder collaboration
• Certified “Chain of trust”
• Harmonisation of governance models in Member States
Prepare the future
• New technologies
• New regulations
Cyber Security for Smart Grid requires a global effort