Protecting European Critical Information Infrastructures...
European Union Agency for Network and Information Security
Protecting European Critical Information Infrastructures – ENISA’s Approach
Dr. Evangelos Ouzounis
Head of Secure Infrastructures and Services
Securing Europe’s Information society
Positioning ENISA activities
Emerging Threat Environment
• significant physical disasters affecting CIIs
• complex networks and services
• low quality of software and hardware
• asymmetric threats allowing remote attacks on CIIs
• increasing organised cybercrime and industrial espionage
• lack of international agreements and regimes
• lack of a well-functioning international operational mechanism
Dr. Evangelos Ouzounis, Head of Secure Infrastructures and Services, ENISA
EU Policy Context
EU Cyber Security Strategy (COM)
eIDAS Directive – article 19
EU Cloud Computing Strategy and Partnership (COM)
Telecom Package – article 13 a, art. 4
ENISA II – new mandate
The NIS Directive
EU’s CIIP action plan
The NIS Directive
Operators of Essential Services
• Transport
• Energy
• Banking and Financial market infrastructures
• Digital Infrastructure
• Healthcare
Digital Service Providers
• Cloud Computing Services
• Online Marketplaces
• Search Engines
Incident Reporting
Security Requirements
National Cyber Security Strategies
Strategic Cooperation Network
Tactical/Operational CSIRT Network
National Cyber Security Strategies
24 NCSS in EU; a few under development
Different maturity levels
CIIP - key subject in NCSS
PPPs - limited success so far
SMEs not properly covered
Overlaps in mandates
Assessment of NCSS is an issue
https://www.enisa.europa.eu/activities/Resilience-and-CIIP/national-cyber-security-strategies-ncsss/national-cyber-security-strategies-in-the-world
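Critical Sectors in EU MS
[Table: critical sectors per country; cell values not recoverable]
Sectors (columns): Energy, ICT, Water, Food, Health, Financial, Public & Legal Order, Civil Admin., Transport, Chemical & Nuclear Industry, Space & Research
Countries (rows): AU, BE, CZ, DK, EE, FI, FR, DE, EL, HU, IT, MT, NL, PL, SK, ES, UK, CH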
Today’s challenges
Increasing reliance on communication networks
Emerging threat environment hampering the availability, integrity and confidentiality of networks based on:
• Infrastructure vulnerabilities
• Interdependencies
• Privacy concerns
http://www.enisa.europa.eu/internetcii
Current Internet infrastructure threats
Incident Reporting for the Telecom Sector
CIIP in Europe| Evangelos Ouzounis, HoU Secure Infrastructure and Services, ENISA
• Article 13a of the Framework Directive (2009/140/EC) was introduced in the 2009 reform of the EU regulatory framework for electronic communications.
• Art. 13a addresses security and integrity of public electronic communications networks and services (availability of the service).
• Art. 13a of Telecom Package:
  • Expert Group with all NRAs (EU and EFTA) & EC
  • Non-binding technical guidelines (strong adoption among MS)
  • 4 years of successful annual reporting from Telecoms to NRAs and then to ENISA and EC
  • Impact evaluation available March 2016.
• More incident reporting schemes:
  • Article 4 on data breaches - Telecom Package
  • Article 19 on breaches of trust services - eIDAS
  • NIS Directive (affecting many sectors)
Total reported incidents (numeric)
2011: 51
2012: 79
2013: 90
2014: 137

Impact on services (percentage), 2011 / 2012 / 2013 / 2014
Fixed telephony: 22 / 37 / 29 / 47
Fixed internet: 33 / 25 / 19 / 34
Mobile telephony: 61 / 48 / 48 / 39
Mobile internet: 59 / 49 / 53 / 35
Emergency Communications
• Some emergency services do use data services, often on commercial networks, but data is not used between the emergency services and the public
• Inter-agency communication problems are a common issue identified in post-crisis reviews of major incidents
http://www.eurescom.eu/news-and-events/eurescommessage/eurescom-message-1-2014/celtic-project-macico.html
Good Practices for Communications during a Crisis
• National roaming could be used to improve resilience of mobile communication networks and services in case of large outages:
• Prioritize voice and SMS
• Favor open Wi-Fi as alternative solution for data connectivity
• Be prepared for an eventual mobile network outage
• Identify key people within CI services
• Internet services such as social media have a part to play in crisis management, both as a
  • situational awareness tool
  • responsive, direct communication channel between crisis managers on the ground and the public.
Conclusions
1. Cyber attacks on and failures of CIIs have now become quite common
2. Well-functioning telecommunications are necessary for the handling of such crises
3. MS and private sector, with the assistance of ENISA, should co-operate to protect CIIs:
  • sharing experiences and information
  • developing and deploying good practices
  • co-operating with NRAs to achieve EU-wide harmonization of EU regulations
4. “Collaboration is Everything”.
www.enisa.europa.eu/internetcii
Thank you