Improving NIS in the EU

Presentation transcript:

Improving NIS in the EU
Dr. Evangelos OUZOUNIS, Head of Unit, Secure Infrastructures and Services Unit, ENISA

10 years ENISA: A European Success Story

Securing Europe’s Information Society
- Seat in Heraklion
- Operational Office in Athens
- Building and actively supporting a growing network of national/governmental CERTs

ENISA Activities
- Activity areas: Recommendations, Policy Implementation, Hands On, Mobilising Communities
- Diagram labels: Think Tank; Recommendations / deliverables (link to the ENISA website); Community Building; Art 14 Requests; Financial ISACs; NIS Platform; Cyber Security Coordination Group; Legislation; Cyber exercises; CERT training

Recommendations
- aim at improving a situation or solving a problem
- holistic in nature and not only technical
- impact and solutions driven
- targeted on stakeholders, validated by stakeholders
- realistic and implementable
- cover various topics of the NIS landscape

The ENISA Threat Landscape
The ENISA Threat Landscape provides an overview of threats and current and emerging trends. It is based on publicly available data and provides an independent view on observed threats, threat agents and threat trends. Over 250 recent reports from a variety of resources have been analysed.

Member States with NCSS
Austria, Belgium, Czech Republic, Estonia, Finland, France, Germany, Hungary, Italy, Lithuania, Luxembourg, Netherlands, Poland, Romania, Slovakia, Spain, United Kingdom
These are the strategies that we have seen (obtained through NLOs, EFMS or from the Commission)

ENISA & Cloud Security
- 2009 Cloud computing risk assessment
- 2009 Cloud security Assurance framework
- 2011 Security and resilience of GovClouds
- 2012 Procure secure (Security SLAs)
- 2013 Critical cloud computing
- 2013 Incident reporting for cloud computing
- 2013 Securely deploying GovClouds
- 2013 Support EU Cloud Strategy
- 2014 Cloud Certification Meta-Framework
- 2014 Procurement security in GovClouds
- 2014 Security guide for SMEs
This is an overview of the work we did in the past and are doing. Our early papers from 2009 are still widely downloaded and quoted. They basically give an overview of the main risks and benefits when moving to the cloud. Let me go over some of them quickly.
Put in about “ENISA’s work on Cloud Computing, but concentrating on how we have helped industry secure a developing business model (work with CSA, support for the EU Cloud strategy). Here we can stress the fact that we look for security solutions that are economically viable and provide a reasonable trade-off between opportunity and risk. This is ENISA supporting economic growth.”
All SecureCloud events are co-organized with CSA.
http://www.enisa.europa.eu/activities/Resilience-and-CIIP/cloud-computing

Governmental Clouds in Europe
September 2013
Map legend: red = private, yellow = public, blue = community
General characteristics
- Governance and control by government or public body
- Ownership and management by government or public body
- Due diligence by government or public body
- Compliance with national laws
Different colours, different deployment models: red circles refer to private Cloud services, yellow to public and blue to community Clouds. In some countries, two implementation types could exist. During this study we noticed that same deployment models were adjusted to the countries' needs and
Please read GovCloud_DL comments report from the package

Smart Grids
- Smart Grid Security, Recommendations for Europe and Member States (Jul 2012): 90 key findings, 10 recommendations
- Workshop on security certification of smart grid components (June 2012)
- Minimum Security Measures for Smart Grids (Dec 2012): identify the minimum set of security measures for a more secure smart grid; address the different sophistication levels for smart grid implementations
- EG2 deliverable on smart grids’ minimum security measures (Dec 2013)
- Threat landscape for smart grids (Dec 2013)

ICS-SCADA Security
- Protecting Industrial Control Systems, Recommendations for Europe and Member States (published Dec 2011)
- Analyzing the European testing capabilities of ICS-SCADA Systems (to be published)
- Recommendations to address ICS-SCADA patching (published)
- Ex post analysis of security incidents in ICS-SCADA environments (published)

Algorithms, Key Sizes & Parameters Report
- Work carried out in collaboration with cryptographers from KUL and University of Bristol.
- Technical document addressed to decision makers and to specialists designing and implementing cryptographic solutions.
- Collates recommendations for algorithms, key sizes, and parameters.
- Addresses the need for a minimum level of requirements for cryptography across the EU.

Policy Implementation
- called for by COM and/or MS to assist in implementing a policy or regulation
- aim at harmonisation and avoid fragmentation
- soft law approach with emphasis on reducing costs for private sector
- mixed bottom up and top down approach; enough flexibility for MS to introduce their own specific characteristics
- realistic and implementable

Security & Data Breach Notification
Supporting MS in implementing Article 13a of the Telecommunications Framework Directive
- Supported NRAs in implementing the provisions under Article 13a
- Developed and implemented the process for collecting annual national reports of security breaches
- Developed minimum security requirements and proposed associated metrics and thresholds
Supporting COM and MS in defining technical implementation measures for Article 4 of the ePrivacy Directive
- Recommendations for the implementation of Article 4
- Collaboration with Art.29 TS in producing a severity methodology for the assessment of breaches by DPAs

Incident Reporting for the eComs Sector
- ENISA has formed an expert group consisting of all NRAs (EU and EFTA) and the EC, to implement a reporting scheme
- harmonized implementation across the EU
- Non-binding technical guidelines on Security Measures on Incident reporting
- Most Member States use the guidelines
- 2012 and 2013 annual summary reporting from the NRAs to EC and ENISA

… like curling
- Security is not a standard or a checklist. It is a continuous process of improvement.
- Security is not about zero risks and not about baselines or checklists.
- NRAs cannot dictate all the relevant security measures or predict all threats.

Incident Reports from 2012
- most major outages involved mobile networks
- most major outages are caused by system failures

Root Causes

Hands On
- assist targeted stakeholders to develop expertise, knowledge and capabilities in specific areas within the mandate of ENISA
- usually in the form of training, seminars and exercises
- emphasis on people and how they can become better and efficient in their daily working life
- very focused projects, usually at the request of stakeholders and within the mandate of ENISA

Cyber Exercises
- Cyber Europe 2010. Europe’s first ever international cyber security exercise
- EU-US exercise, 2011. Also a first: work with COM & MS to build transatlantic cooperation
- Cyber Europe 2012. Developed from 2010 & 2011 exercises. Involves MS, private sector and EU institutions. Highly realistic exercise, Oct 2012
Objectives
- Test effectiveness and scalability of existing mechanisms, procedures and information flow for public authorities’ cooperation in Europe
- Explore the cooperation between public and private stakeholders in Europe
- Identify gaps and challenges on how large scale cyber incidents could be handled more effectively in Europe
- Testing and evaluating how we conduct cyber exercises
Scenario
- Combines several technically realistic threats into one simultaneously escalating DDoS attack on online services
Complexity
- 25 EFTA & EU countries actively playing, 4 observing
- More than 400 participants, 1200 injects and 30 000 e-mails sent
Stakeholders
- ministries, cyber security authorities, regulators, CERTs, ..
- private sector (from Finance, ISPs and eGov) takes part for the first time

CERT Training

Supporting Operational Communities - Overview

Mobilising Communities
- establish communities to share experiences, identify good practices and learn from each other
- validate possible solutions and recommendations to be sure that they fit the needs of the stakeholders
- collect feedback about emerging trends and possible issues to address
- act as a facilitator between MS, COM and private sector, always making sure that we remain focused, pragmatic and realistic

The NIS Platform
Objectives
- framework for supporting collaboration between public and private sectors on NIS policy issues
- powered by the EC, supported by ENISA
ENISA’s role
- ensure exchange of expertise on policy and operational aspects
- provide good practices and lessons learnt
- facilitate collaboration and awareness on NIS issues
3 working groups
- WG1 on risk management, including information assurance, risks metrics and awareness raising
- WG2 on information exchange and incident coordination, including incident reporting and risks metrics for the purpose of information exchange
- WG3 on secure ICT research and innovation
The working groups are cross-cutting, with all relevant sectors represented. They seek to identify cross cutting / horizontal best practices. If relevant, sector-specific work could be undertaken at a later stage. Incentives to adopt best practices are addressed in each working group. The findings of the Platform will feed into Commission recommendations on cybersecurity to be adopted in 2014.

National/governmental CERTs: the situation has changed…
ESTABLISHED IN 2005: Finland, France, Germany, Hungary, The Netherlands, Norway, Sweden, United Kingdom
SITUATION IN 2014: Armenia, Austria, Belgium, Bulgaria, Croatia, Czech Republic, Denmark, Estonia, Finland, France, Georgia, Germany, Greece, Hungary, Iceland, Ireland, Israel, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey, Ukraine, United Kingdom, EU Institutions
We are building and actively supporting a growing network of national/governmental CERTs.
CERT Interactive MAP: http://www.enisa.europa.eu/activities/cert/background/inv/certs-by-country-interactive-map

Conclusions
- ENISA works together with targeted communities to identify pragmatic solutions to current security issues
- We issue concrete advice on how to improve system security and which implementations to favour
- The solutions we propose are based on industry good practice and are therefore known to work
- By working in this way, we put security to the service of EU industry, EU MS and COM and improve the competitiveness of our industries

Questions?