1 www.enisa.europa.eu 1 www.enisa.europa.eu
PROTECTING EU’S CRITICAL INFORMATION INFRASTRUCTURES
THE ENISA APPROACH
Dr Evangelos Ouzounis, Head of Secure Infrastructure and Services
ENISA
Threat Environment
significant physical disasters affecting CIIPs
complex networks and services
low quality of software and hardware
asymmetric threats allowing remote attacks to CII
increasing organised cybercrime and industrial espionage
lack of international agreements and regimes
lack of a well-functioning international operational mechanism
Policy Context
ENISA II – new mandate
Proposal for a NIS Directive
Proposal for a new Directive on eIDs – article 15
EU Cyber Security Strategy (COM)
EU Cloud Computing Strategy and Partnership (COM)
Telecom Package – article 13 a, art. 4
ENISA’s Approach
Figure: ENISA's approach combines risk assessment (RA), security measures (SM) and incident reporting (IR), supported by public-private partnerships (PPPs), preparedness and information sharing.
Security Measures & Controls
Identifying baseline measures and controls
Good practices, Standards, National requirements
Voluntary approach (no regulation)
Used by NRAs to define national requirements
Basis for auditing
Challenges
Different stakeholders
Various sizes of organizations
Difficult to reach momentum
Different maturity capability levels
ENISA’s Security Measures
Minimum Security Measures for Telcos (Dec 2011): security and privacy measures
different sophistication/maturity levels
used by EU NRAs in the context of art. 13 a and art 4 implementation
Minimum Security Measures for Smart Grids (Dec 2012)
security measures for smart grid architectures
different sophistication levels for smart grid implementations
EG2’s deliverable on smart grids’ minimum security
Minimum Security Measures for Cloud (in progress)
Security Measures - Domains
Figure: model structure for the method applied to define Security Measures.
Domains (D1 – Security Governance, D2, …, DN) are sets of practices.
Each domain contains security measures (e.g. information security policy, organization of information security, information security procedures).
Each security measure is broken down into requirements (R1, R2, …) at three sophistication levels (1, 2, 3).
An example
Domain: Security governance & risk management
Measures:
SM1.1 Information security policy
SM1.2 Organisation of information security
SM1.3 Information security procedures
SM1.4 Risk management methodology
SM1.5 Risk assessment
SM1.6 Risk treatment plan
Incident Reporting
Good Practices on Reporting Security Incidents (2009)
Technical guidance on the incident reporting in Article 13a (2012)
Cyber Incident Reporting in the EU (2012)
An overview of security articles in EU legislation
Cloud Security Incident Reporting (2013)
Annual incident reports (2011 & 2012)
Figure: Article 13a incident reporting flow. Actors: network or service provider; competent national authority; EC and ENISA; national authorities abroad and ENISA; victims; public. Steps (numbered 1–6 in the original diagram): security measures, notification, informing, summary reporting.
2012 Incident Reporting
18 MS reported 79 significant incidents
9 countries reported no significant incidents.
Most incidents (around 48%) affected mobile telephony or mobile internet
Most incidents have an impact on two or more services
37% of the incidents had an impact on emergency calls
Bar chart: number of incidents per category (category labels are not recoverable from this transcript); bar values 38, 23, 13, 11, 9, 6, 6, 4, 3, 1, 1, 1, 1, 1, 1, 1; y-axis 0–40.
ENISA’s Threat Landscape
We cannot perform your risk assessment:
we do not know your systems, your assets, your business processes, etc.
We can
Give examples of risk assessments for hypothetical organizations, systems, processes, services, etc.
Give an overview of existing widely used RA methods
• http://www.enisa.europa.eu/activities/risk-management/current-risk/risk-management-inventory
• http://rm-inv.enisa.europa.eu/methods
Give information about changing threats
The annual threat landscape report gives an overview of changes and trends in cyber attacks.
• Based on open source intelligence (OSINT)
ENISA’s Threat Landscape (2)
Figure: the risk model relates an Asset, a Threat, a Vulnerability and a Measure.
ENISA’s Threat Landscape (3)
Helps you navigate more safely in cyber space
Is Based on Open Source Intelligence (OSINT)
Contains information about current threats and threat trends
Threat landscape 2012 & 2013
Cloud Computing Security Risk Assessment (2009)
Smart grid threat landscape
EU PPP for NIS & Resilience
provide a platform for information sharing and stock taking of good policy and industrial practices
identify and promote the adoption of good baseline practices for security and resilience
discuss public policy priorities, objectives and measures
improve coherence and coordination of policies for security and resilience in Europe
EP3R – previous EU effort on PPP and NIS
NIS Platform – a new EU initiative on PPPs and NIS
Other Sectors
Cloud
• SLAs
• Procure Secure
• Critical Cloud
• Governmental clouds
• Meta Framework for Cloud Certification
ICS-SCADA
• Recommendations for Europe
• European testing capabilities
• Patching
• Ex post analysis of security incidents
• Certification of IT and Cyber Security skills of ICS-SCADA administrators
Internet Infrastructures
• National Roaming
• Methodology for identifying critical links, networks and components
Finance
• Stock taking of national requirements (in progress)
eHealth
• TBD
Conclusions
security & resilience of CII extremely important
uneven and uncoordinated national & European activities
strategic Public & Private Partnership is needed to enhance co-operation among public and private stakeholders
early adoption of good practices and information sharing key
ENISA’s role stronger than ever to meet the challenges
Thank you!
Q&A
Secure Services and Infrastructures Unit
European Network and Information Security Agency
1 Vass Sofias & Meg. Alexandrou, Marousi
GR-151 24, Athens, Greece