Presentation is loading. Please wait.

Presentation is loading. Please wait.

French Port Cybersecurity Initiative

Similar presentations


Presentation on theme: "French Port Cybersecurity Initiative"— Presentation transcript:

1 French Port Cybersecurity Initiative
PROTECT Group Rotterdam 23, March 2017 Jerome Besancenot

2 MPL Principles Military Program Law (MPL)
Item 22 –December 18, 2013 : Measures to strengthen the security of Vital Operators’IS in the objective to protect vital national infrastructures from cyber attacks. article 22 : On behalf of the Prime Minister, Security on Information System Agency (ANSSI) may impose security measures and controls on VO information systems. In addition, Article 22 makes it obligatory to declare incidents detected by VOs on their information systems.

3 MPL WorkGroups During the year 2015, ANSSI organized by sectors working groups especially involving maritime ports and river organizations Specify the scope of ISVI (Information Systems of Vital Importance) Systems that could adversely affect the war or economic potential, security or survivability of the Nation Specify the timeframe and expected timeframe for strengthening SIIV measures Evaluate with ports the costs and difficulties of the project Orders specifying the law are issued in August with a date of application from October 1, 2016

4 Order of August 11, 2016 Chapter 1: Security rules
Chapter 2: ISVIs Declaration (3 months) Chapter 3: Security Incident Reporting (1 year) Chapter 4: Final provisions -> contact details of the person mentioned in Article R of the Defense Code (3 months)

5 MPL Main rules Information Systems Security Policy
Rule relating to security approval Rule on cartography Rule on safekeeping Logging rule Rule Relating to the Correlation and Analysis of logs Detection Rule Rule on the handling of security incidents Alert processing rule Crisis management rule Identification rule Authentication rule Access Rights Rule Administrative Account Rules Rule relating to administrative information systems Rule on network partitioning Filtering rule Rule for remote access Rule relating to the installation of services and equipment Rule on indicators

6 cybersecurity incidents
Planning : main steps Governance of cybersecurity Protecting systems Managing cybersecurity incidents Homologation of our ISVI y1 y2 y3 Order enforcement Checking our ISVI Risk management

7 NIS Directive DIRECTIVE (EU) 2016/1148 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL concerning measures for a high common level of security of network and information systems across the Union adopted by the European Parliament and the Council on 6 July 2016 will apply in the Union Member States from 10 May 2018 Implementation evaluation will be done every 2 years

8 Operator of essential services
Legal definition of the essential services operator (OSE). It is any "public or private entity" in one of the sectors or sub-sectors described below, which meets the three criteria for identifying Article 5 (2) of the Directive, namely: The entity provides a service that is essential to maintaining critical social and economic activities; The provision of this service depends on networks and information systems; An incident would have a significant disruptive effect on the provision of said service.

9 The sectors or sub-sectors concerned
The sectors in which operators of essential services provide services dependent on networks and information systems number 7. These are the energy sectors, transport, banks, financial market infrastructures , Health, the supply and distribution of drinking water, and digital infrastructure. There are two sub-sectors, energy (sub-sectors of electricity, oil and gas) and transport (sub-sectors of air transport, rail transport, water transport, truck transport). France has identified 12 sectors, as well as several sub-sectors.

10 Water transport sector
(10) In the water transport sector, security requirements for companies, ships, port facilities, ports and vessel traffic services under Union legal acts cover all operations, including radio and telecommunication systems, computer systems and networks. Part of the mandatory procedures to be followed includes the reporting of all incidents and should therefore be considered as lex specialis, in so far as those requirements are at least equivalent to the corresponding provisions of this Directive. (11) When identifying operators in the water transport sector, Member States should take into account existing and future international codes and guidelines developed in particular by the International Maritime organisation, with a view to providing individual maritime operators with a coherent approach.

11 Minimum content of any national strategy of a MS :
The objectives and priorities of the national strategy; The governance framework to achieve the objectives and priorities and the roles and responsibilities of public bodies and private actors; The inventory of preparedness, response and recovery measures including measures of cooperation between public and private actors; An overview of education programs and, above all, awareness and training in relation to the objectives of the national strategy; An overview of research and development plans; A risk assessment plan; A list of actors responsible for implementing the national strategy.

12 Group of strategy cooperation between MS
Establishment of a group for strategic cooperation and exchange of information between Member States of the Establishment of computer security incident response centers (CSIRTs) and the CSIRT network National authorities and single point of contact The development of security and incident reporting requirements for operators of essential services Establishing security and incident reporting requirements for digital service providers The impact of the NIS Directive on our current legal framework

13 Conclusion & Proposal Conclusion
PCS, CCS, MSW are mainly concerned by such European strategy IMO matters Increasing concerns related to ships and ports, MSC & FAL Committees probably should converge on a global issue Proposal for PROTECT Data sensitivity identification How to secure in an harmonized way EDI exchanges BtoG, GtoG SW interoperability To build a european Protect « Cyber circle » Recognized Think Tank Possibility to arrange a meeting with Cyber community The future begins immediatly After the end of this sentence


Download ppt "French Port Cybersecurity Initiative"

Similar presentations


Ads by Google