European Union Agency for Network and Information Security

CIIP : ENISA’s Role in Assisting Member States

Steve Purser | Head of Core OperationsSEDE Committee | Brussels|21 April 2016

2

ENISA was formed in 2004. The original mandate was renewedand extended in 2013.

The Agency is a Centre of Expertise that supports theCommission and the EU Member States in the area ofinformation and network security.

We facilitate the exchange of information between communities, with particular emphasis on the EU institutions, the public sector and the private sector.

ENISA

3

Positioning ENISA activities

4

ENISA Threat Landscape – Top threats

5

Communication networks: Critical information

Infrastructure and Internet Infrastructure

Smart grids ICS SCADA

eHealth Finance Transport

Critical Information Infrastructure Protection in Europe: ENISA efforts

6

• ENISA maintains an interactive map of NCSS on its website

• EU MS currently have different maturity levels

• CIIP is a key subject in NCSSs

• PPPs - limited success so far

• SMEs are, in general, not properly covered

• Overlaps in authorities and mandates

• Assessment of NCSS is an issue

National Cyber Security Strategies (NCSS)

https://www.enisa.europa.eu/activities/Resilience-and-CIIP/national-cyber-security-strategies-ncsss

7

Incident Reporting for the Telecom Sector

• Article 13a of the Framework Directive (2009/140/EC), is introduced in the 2009 by the EU regulatory framework for electronic communications.

• Art. 13a addresses security and integrity of public electronic communications networks and services (availability of the service).

• Art. 13a of Telecom Package: • Expert Group with all NRAs (EU and EFTA) & EC • Non-binding technical guidelines (strong adoption

among MS)• 4 years of success annual reporting from Telecoms

to NRAs and then to ENISA and EC• Impact evaluation available March 2016.

• More incident reporting schemes: • Article 4 on data breaches - Telecom Package• Article 19 on breaches of trust services - eIDAS• NIS Directive (affecting many sectors)

88

Incidents per root cause category (percentage)

12

6

14

5

12

5

19 20

68

69

47

76

61

66

0

10

20

30

40

50

60

70

80

2011 2012 2013 2014

Natural phenomena Human errors Malicious actions System failures

9

Cloud Computing Risk Assessment

• Updated Cloud Computing Risk Assessment.

• Identifies important security benefits as well as risks in moving to the Cloud.

• Explains and examines different cloud service models.

10

ICS SCADA

ICS Security Stakeholder Group

Can we learn from SCADA security incidents?

Window of exposure… a real problem for SCADA systems?

Good Practices for an EU ICS Testing Coordination Capability

Certification of Cyber Security skills of ICS/SCADA professionals

EuroSCSIE

Protecting Industrial Control Systems. Recommendations for Europe and Member States

In 2015 ENISA developed a study on ICS SCADA maturity models

11

EU Cybersecurity exercises

Joint EU-US Cybersecurity Exercise 2011

• First transatlantic cooperation exercise.

• Table-top exercise - ‘what-if’ scenarios.

Cyber Europe 2010-2014 • Large scale realistic cyber-crisis exercises.

• Public and private sector involved.

• Largest cyber exercise to date.

Cyber Europe 2016• The exercise will take place in Q4.

Cyber Exercise Platform (CEP)• Will offer opportunities for continuous cyber exercising.

More information on: http://www.enisa.europa.eu/c3e

12

Scope: to achieve a high common level of security of NIS within the Union (first EU regulatory act at this level).

Status: adoption pending.

Key Provisions:

• Obligations for all Member States to adopt a National NIS strategy and designate National Authorities.

• Obliges Member States to designate national competent authorities and CSIRTS.

• Creates first EU cooperation group on NIS, from all Member States.

• Creates an EU national CSIRTs network.

• Establishes security and notification requirements for operators of Essential Services (ESP) and Digital Service Providers (DSP).

The NIS Directive

13

The NIS Directive

Operators of Essential Services

Digital Service Providers

StrategicCooperation Network

Cloud Computing Services

Online Marketplaces

Incident Reporting

Security Requirements

NationalCyberSecurityStrategies

Tactical/OperationalCSIRT Network

Transport

Energy and Water

Banking and Financialmarket infrastructuresSearch Engines

Digital Infrastructure

Healthcare

14

Conclusions

ENISA works together with operational communities to identify pragmatic solutions to current security issues.

We issue concrete advice on how to improve system security and which implementations to favour.

The solutions we propose are based on industry best practice and are therefore known to work.

By working in this way, we put security to the service of EU industry and improve the competitiveness of our industries.

PO Box 1309, 710 01 Heraklion, Greece

Tel: +30 28 14 40 9710

info@enisa.europa.eu

www.enisa.europa.eu

Thank you for your attention!