Improving NIS in the EU Dr


1 Improving NIS in the EU
Dr. Evangelos OUZOUNIS, Head of Unit, Secure Infrastructures and Services Unit, ENISA

2 10 years ENISA: A European Success Story

3 Securing Europe’s Information Society
- Seat in Heraklion
- Operational office in Athens
- Building and actively supporting a growing network of national/governmental CERTs

4 ENISA Activities
Four strands of work shown on the slide: Recommendations (Think Tank), Mobilising Communities (Community Building), Policy Implementation (Legislation) and Hands On (Cyber exercises, CERT training).
Instruments named alongside them: Art. 14 requests, Financial ISACs, NIS Platform, Cyber Security Coordination Group.
Speaker note: Recommendations // deliverables; link to the ENISA website.

5 Recommendations
- aim at improving a situation or solving a problem
- holistic in nature and not only technical
- impact and solutions driven
- targeted on stakeholders, validated by stakeholders
- realistic and implementable
- cover various topics of the NIS landscape

6 The ENISA Threat Landscape
The ENISA Threat Landscape provides an overview of threats and current and emerging trends. It is based on publicly available data and provides an independent view on observed threats, threat agents and threat trends. Over 250 recent reports from a variety of resources have been analysed.

7 Member States with NCSS
Austria, Belgium, Czech Republic, Estonia, Finland, France, Germany, Hungary, Italy, Lithuania, Luxembourg, Netherlands, Poland, Romania, Slovakia, Spain, United Kingdom
Speaker note: these are the strategies that we have seen (obtained through NLOs, EFMS or from the Commission).

8 ENISA & Cloud Security
- 2009 Cloud computing risk assessment
- 2009 Cloud security assurance framework
- 2011 Security and resilience of GovClouds
- 2012 Procure secure (security SLAs)
- 2013 Critical cloud computing
- 2013 Incident reporting for cloud computing
- 2013 Securely deploying GovClouds
- 2013 Support EU Cloud Strategy
- 2014 Cloud Certification Meta-Framework
- 2014 Procurement security in GovClouds
- 2014 Security guide for SMEs
Speaker notes: This is an overview of the work we did in the past and are doing. Our early papers from 2009 are still widely downloaded and quoted. They basically give an overview of the main risks and benefits when moving to the cloud. Let me go over some of them quickly. Put in about “ENISA’s work on Cloud Computing, but concentrating on how we have helped industry secure a developing business model (work with CSA, support for the EU Cloud strategy). Here we can stress the fact that we look for security solutions that are economically viable and provide a reasonable trade-off between opportunity and risk. This is ENISA supporting economic growth.” All SecureCloud events are co-organised with CSA.

9 Governmental Clouds in Europe (September 2013)
Different colours denote different deployment models: red circles refer to private Cloud services, yellow to public and blue to community Clouds. In some countries, two implementation types could exist. During this study we noticed that the same deployment models were adjusted to the countries’ needs and
General characteristics:
- Governance and control by government or public body
- Ownership and management by government or public body
- Due diligence by government or public body
- Compliance with national laws
Speaker note: please read the GovCloud_DL comments report from the package. Legend: red = private, yellow = public, blue = community.

10 Smart Grids
- Smart Grid Security, Recommendations for Europe and Member States (Jul 2012): 90 key findings, 10 recommendations
- Workshop on security certification of smart grid components (June 2012)
- Minimum Security Measures for Smart Grids (Dec 2012): identify the minimum set of security measures for a more secure smart grid; address the different sophistication levels of smart grid implementations
- EG2 deliverable on smart grids’ minimum security measures (Dec 2013)
- Threat landscape for smart grids (Dec 2013)

11 ICS-SCADA Security
- Protecting Industrial Control Systems, Recommendations for Europe and Member States (published Dec 2011)
- Analyzing the European testing capabilities of ICS-SCADA Systems (to be published)
- Recommendations to address ICS-SCADA patching (published)
- Ex post analysis of security incidents in ICS-SCADA environments (published)

12 Algorithms, Key Sizes & Parameters Report
- Work carried out in collaboration with cryptographers from KUL and the University of Bristol
- Technical document addressed to decision makers and to specialists designing and implementing cryptographic solutions
- Collates recommendations for algorithms, key sizes and parameters
- Addresses the need for a minimum level of requirements for cryptography across the EU

13 Policy Implementation
- called for by COM and/or MS to assist in implementing a policy or regulation
- aims at harmonisation and avoiding fragmentation
- soft law approach with emphasis on reducing costs for the private sector
- mixed bottom-up and top-down approach; enough flexibility for MS to introduce their own specific characteristics
- realistic and implementable

14 Security & Data Breach Notification
- Supporting MS in implementing Article 13a of the Telecommunications Framework Directive:
  - supported NRAs in implementing the provisions under Article 13a
  - developed and implemented the process for collecting annual national reports of security breaches
  - developed minimum security requirements and proposed associated metrics and thresholds
- Supporting COM and MS in defining technical implementation measures for Article 4 of the ePrivacy Directive:
  - recommendations for the implementation of Article 4
  - collaboration with the Art. 29 TS in producing a severity methodology for the assessment of breaches by DPAs

15 Incident Reporting for the eComs Sector
- ENISA has formed an expert group consisting of all NRAs (EU and EFTA) and the EC to implement a reporting scheme
- harmonised implementation across the EU
- non-binding technical guidelines on Security Measures and on Incident Reporting
- most Member States use the guidelines
- 2012 and 2013 annual summary reporting from the NRAs to the EC and ENISA

16 … like curling
Security is not a standard or a checklist. It is a continuous process of improvement. Security is not about zero risks and not about baselines or checklists. NRAs cannot dictate all the relevant security measures or predict all threats.

17 Incident Reports from 2012
- most major outages involved mobile networks
- most major outages are caused by system failures

18 Root Causes

19 Hands On
- assist targeted stakeholders to develop expertise, knowledge and capabilities in specific areas within the mandate of ENISA
- usually in the form of training, seminars and exercises
- emphasis on people and how they can become better and more efficient in their daily working life
- very focused projects, usually at the request of stakeholders and within the mandate of ENISA

20 Cyber Exercises
- Cyber Europe 2010: Europe’s first ever international cyber security exercise
- EU-US exercise, 2011: also a first; work with COM & MS to build transatlantic cooperation
- Cyber Europe 2012: developed from the 2010 & 2011 exercises; involves MS, private sector and EU institutions; highly realistic exercise, Oct 2012
Objectives:
- test the effectiveness and scalability of existing mechanisms, procedures and information flow for public authorities’ cooperation in Europe
- explore the cooperation between public and private stakeholders in Europe
- identify gaps and challenges on how large scale cyber incidents could be handled more effectively in Europe
- test and evaluate how we conduct cyber exercises
Scenario: combines several technically realistic threats into one simultaneously escalating DDoS attack on online services.
Complexity: 25 EFTA & EU countries actively playing, 4 observing; more than 400 participants, 1200 injects and s sent.
Stakeholders: ministries, cyber security authorities, regulators, CERTs, ..; the private sector (from finance, ISPs and eGov) takes part for the first time.

21 CERT Training

22 Supporting Operational Communities - Overview

23 Mobilising Communities
- establish communities to share experiences, identify good practices and learn from each other
- validate possible solutions and recommendations to be sure that they fit the needs of the stakeholders
- collect feedback about emerging trends and possible issues to address
- act as a facilitator between MS, COM and the private sector
- always making sure that we remain focused, pragmatic and realistic

24 The NIS Platform
Objectives:
- framework for supporting collaboration between public and private sectors on NIS policy issues
- powered by the EC, supported by ENISA
ENISA’s role:
- ensure exchange of expertise on policy and operational aspects
- provide good practices and lessons learnt
- facilitate collaboration and awareness on NIS issues
3 working groups:
- WG1 on risk management
- WG2 on information sharing and incident coordination
- WG3 on secure ICT research and innovation
Speaker notes: The NIS platform is organised in 3 WGs: WG1 on risk management, including information assurance, risk metrics and awareness raising; WG2 on information exchange and incident coordination, including incident reporting and risk metrics for the purpose of information exchange; WG3 on secure ICT research and innovation. The working groups are cross-cutting, with all relevant sectors represented. They seek to identify cross-cutting / horizontal best practices. If relevant, sector-specific work could be undertaken at a later stage. Incentives to adopt best practices are addressed in each working group. The findings of the Platform will feed into Commission recommendations on cybersecurity to be adopted in 2014.

25 National/governmental CERTs: the situation has changed…
Established in 2005: Finland, France, Germany, Hungary, The Netherlands, Norway, Sweden, United Kingdom
Situation in 2014: Armenia, Austria, Belgium, Bulgaria, Croatia, Czech Republic, Denmark, Estonia, Finland, France, Georgia, Germany, Greece, Hungary, Iceland, Ireland, Israel, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey, Ukraine, United Kingdom, EU Institutions
We are building and actively supporting a growing network of national/governmental CERTs.
CERT Interactive Map:

26

27 Conclusions
- ENISA works together with targeted communities to identify pragmatic solutions to current security issues
- We issue concrete advice on how to improve system security and which implementations to favour
- The solutions we propose are based on industry good practice and are therefore known to work
- By working in this way, we put security at the service of EU industry, EU MS and COM and improve the competitiveness of our industries

28 Questions?

