European Union Agency for Network and Information Security
CIIP: ENISA's Role in Assisting Member States
Steve Purser | Head of Core Operations
SEDE Committee | Brussels | 21 April 2016
ENISA
ENISA was formed in 2004. The original mandate was renewed and extended in 2013.
The Agency is a Centre of Expertise that supports the Commission and the EU Member States in the area of information and network security.
We facilitate the exchange of information between communities, with particular emphasis on the EU institutions, the public sector and the private sector.
Positioning ENISA activities
ENISA Threat Landscape – Top threats
Critical Information Infrastructure Protection in Europe: ENISA efforts
• Communication networks: critical information infrastructure and Internet infrastructure
• Smart grids
• ICS SCADA
• eHealth
• Finance
• Transport
National Cyber Security Strategies (NCSS)
• ENISA maintains an interactive map of NCSS on its website
• EU MS currently have different maturity levels
• CIIP is a key subject in NCSSs
• PPPs - limited success so far
• SMEs are, in general, not properly covered
• Overlaps in authorities and mandates
• Assessment of NCSS is an issue
https://www.enisa.europa.eu/activities/Resilience-and-CIIP/national-cyber-security-strategies-ncsss
Incident Reporting for the Telecom Sector
• Article 13a of the Framework Directive (2009/140/EC) was introduced in 2009 by the EU regulatory framework for electronic communications.
• Art. 13a addresses the security and integrity of public electronic communications networks and services (availability of the service).
• Art. 13a of the Telecom Package:
  • Expert Group with all NRAs (EU and EFTA) and the EC
  • Non-binding technical guidelines (strong adoption among MS)
  • 4 years of successful annual reporting from telecoms to NRAs and then to ENISA and the EC
  • Impact evaluation available March 2016
• More incident reporting schemes:
  • Article 4 on data breaches - Telecom Package
  • Article 19 on breaches of trust services - eIDAS
  • NIS Directive (affecting many sectors)
Chart: Incidents per root cause category (percentage), by year 2011-2014. Categories shown: Natural phenomena, Human errors, Malicious actions, System failures (y-axis 0-80%).
Cloud Computing Risk Assessment
• Updated Cloud Computing Risk Assessment.
• Identifies important security benefits as well as risks in moving to the Cloud.
• Explains and examines different cloud service models.
ICS SCADA
• ICS Security Stakeholder Group
• Can we learn from SCADA security incidents?
• Window of exposure… a real problem for SCADA systems?
• Good Practices for an EU ICS Testing Coordination Capability
• Certification of Cyber Security skills of ICS/SCADA professionals
• EuroSCSIE
• Protecting Industrial Control Systems. Recommendations for Europe and Member States
• In 2015 ENISA developed a study on ICS SCADA maturity models
EU Cybersecurity exercises
Joint EU-US Cybersecurity Exercise 2011
• First transatlantic cooperation exercise.
• Table-top exercise - ‘what-if’ scenarios.
Cyber Europe 2010-2014
• Large scale realistic cyber-crisis exercises.
• Public and private sector involved.
• Largest cyber exercise to date.
Cyber Europe 2016
• The exercise will take place in Q4.
Cyber Exercise Platform (CEP)
• Will offer opportunities for continuous cyber exercising.
More information on: http://www.enisa.europa.eu/c3e
The NIS Directive
Scope: to achieve a high common level of security of NIS within the Union (first EU regulatory act at this level).
Status: adoption pending.
Key Provisions:
• Obligations for all Member States to adopt a National NIS strategy and designate National Authorities.
• Obliges Member States to designate national competent authorities and CSIRTs.
• Creates the first EU cooperation group on NIS, drawn from all Member States.
• Creates an EU national CSIRTs network.
• Establishes security and notification requirements for operators of Essential Services (ESP) and Digital Service Providers (DSP).
The NIS Directive (overview diagram)
Strategic level: Cooperation Network; National Cyber Security Strategies
Tactical/Operational level: CSIRT Network
Operators of Essential Services (subject to Security Requirements and Incident Reporting):
• Transport
• Energy and Water
• Banking and Financial market infrastructures
• Digital Infrastructure
• Healthcare
Digital Service Providers (subject to Security Requirements and Incident Reporting):
• Cloud Computing Services
• Online Marketplaces
• Search Engines
Conclusions
ENISA works together with operational communities to identify pragmatic solutions to current security issues.
We issue concrete advice on how to improve system security and which implementations to favour.
The solutions we propose are based on industry best practice and are therefore known to work.
By working in this way, we put security to the service of EU industry and improve the competitiveness of our industries.
PO Box 1309, 710 01 Heraklion, Greece
Tel: +30 28 14 40 9710
www.enisa.europa.eu
Thank you for your attention!