
Page 1: PROTECTING EU’S CRITICAL INFORMATION INFRASTRUCTURES

THE ENISA APPROACH

Dr Evangelos Ouzounis, Head of Secure Infrastructure and Services, ENISA

www.enisa.europa.eu

Page 2: Threat Environment

significant physical disasters affecting CIIPs

complex networks and services

low quality of software and hardware

asymmetric threats allowing remote attacks on CII

increasing organised cybercrime and industrial espionage

lack of international agreements and regimes

lack of well-functioning international operational mechanisms

Page 3: Policy Context

ENISA II – new mandate

Proposal for a NIS Directive

Proposal for a new Directive on eIDs – Article 15

EU Cyber Security Strategy (COM)

EU Cloud Computing Strategy and Partnership (COM)

Telecom Package – Article 13a, Article 4

Page 4: ENISA’s Approach

[Diagram of ENISA’s approach; elements: Risk assessment (RA), Security Measures (SM), Incident reporting (IR), PPPs, Preparedness, Information Sharing]

Page 5: Security Measures & Controls

Identifying baseline measures and controls

Good practices, Standards, National requirements

Voluntary approach (no regulation)

Used by NRAs to define national requirements

Basis for auditing

Challenges

Different stakeholders

Various sizes of organizations

Difficult to reach momentum

Different maturity capability levels

Page 6: ENISA’s Security Measures

Minimum Security Measures for Telcos (Dec 2011): security & privacy measures

different sophistication/maturity levels

used by EU NRAs in the context of Article 13a and Article 4 implementation

Minimum Security Measures for Smart Grids (Dec 2012)

security measures for smart grid architectures

different sophistication levels for smart grid implementations

EG2’s deliverable on smart grids’ minimum security

Minimum Security Measures for Cloud (in progress)

Page 7: Security Measures - Domains

[Diagram: model structure for the method applied to define Security Measures. Domains (sets of practices, D1 – Security Governance through DN) contain Security Measures (e.g. Information security policy, Organization of information security, Information security procedures); each measure is defined at Sophistication levels 1, 2 and 3; each level is described by Requirements (R1, R2, ...)]

Page 8: An example

Domain: Security governance & risk management

Measures:

SM1.1 Information security policy

SM1.2 Organisation of information security

SM1.3 Information security procedures

SM1.4 Risk management methodology

SM1.5 Risk assessment

SM1.6 Risk treatment plan

Page 9: Incident Reporting

Good Practices on Reporting Security Incidents (2009)

Technical guidance on the incident reporting in Article 13a (2012)

Cyber Incident Reporting in the EU (2012)

An overview of security articles in EU legislation

Cloud Security Incident Reporting (2013)

Annual incident reports (2011 & 2012)

[Diagram: Article 13a incident reporting flow, steps numbered 1 to 6. Actors: Network or service provider; Competent national authority; EC and ENISA; National authorities abroad and ENISA; Victims; Public. Flows: Security measures, Notification, Informing, Summary reporting]

Page 10: 2012 Incident Reporting

18 MS reported 79 significant incidents.

9 countries reported no significant incidents.

Most incidents (around 48%) affected mobile telephony or mobile internet.

Most incidents had an impact on two or more services.

37% of the incidents had an impact on emergency calls.

[Bar chart of 2012 incident counts per category, y-axis 0 to 40; category labels not present in the transcript]

Page 11: ENISA’s Threat Landscape

We cannot perform your risk assessment:

we don’t know your systems, your assets, your business processes, etc.

We can:

Give examples of risk assessments for hypothetical organizations, systems, processes, services, etc.

Give an overview of existing widely used RA methods

• http://www.enisa.europa.eu/activities/risk-management/current-risk/risk-management-inventory

• http://rm-inv.enisa.europa.eu/methods

Give information about changing threats

The annual threat landscape report gives an overview of changes and trends in cyber attacks.

• Based on open source intelligence (OSINT)

Page 12: ENISA’s Threat Landscape (2)

[Diagram: relationship between Asset, Threat, Vulnerability and Measure]

Page 13: ENISA’s Threat Landscape (3)

Helps you navigate more safely in cyber space

Is based on Open Source Intelligence (OSINT)

Contains information about current threats and threat trends

Threat landscape 2012 & 2013

Cloud Computing Security Risk Assessment (2009)

Smart grid threat landscape

Page 14: EU PPP for NIS & Resilience

provide a platform for information sharing and stock taking of good policy and industrial practices

identify and promote the adoption of good baseline practices for security and resilience

discuss public policy priorities, objectives and measures

improve coherence and coordination of policies for security and resilience in Europe

EP3R – previous EU effort on PPP and NIS

NIS Platform – a new EU initiative on PPPs and NIS

Page 15: Other Sectors

Cloud

• SLAs

• Procure Secure

• Critical Cloud

• Governmental clouds

• Meta Framework for Cloud Certification

ICS-SCADA

• Recommendations for Europe

• European testing capabilities

• Patching

• Ex post analysis of security incidents

• Certification of IT and Cyber Security skills of ICS-SCADA administrators

Internet Infrastructures

• National Roaming

• Methodology for identifying critical links, networks and components

Finance

• Stock taking of national requirements (in progress)

eHealth

• TBD

Page 16: Conclusions

security & resilience of CII extremely important

uneven and uncoordinated national & European activities

strategic Public & Private Partnership is needed to enhance co-operation among public and private stakeholders

early adoption of good practices and information sharing key

ENISA’s role stronger than ever to meet the challenges

Page 17: Thank you!

Q&A

Secure Services and Infrastructures Unit

[email protected]

European Network and Information Security Agency

1 Vass Sofias & Meg. Alexandrou, Marousi, GR-151 24, Athens, Greece