
Improving NIS in the EU Dr. Evangelos OUZOUNIS Head of Unit Secure Infrastructures and Services Unit ENISA


Presentation Transcript


  1. Improving NIS in the EU Dr. Evangelos OUZOUNIS Head of Unit Secure Infrastructures and Services Unit ENISA

  2. 10 years ENISA A European Success Story

  3. Securing Europe’s Information Society Operational Office in Athens Seat in Heraklion

  4. ENISA Activities Policy Implementation Recommendations Mobilising Communities Hands on

  5. Recommendations • aim at improving a situation or solving a problem • holistic in nature and not only technical • impact and solutions driven • targeted on stakeholders, validated by stakeholders • realistic and implementable • cover various topics of the NIS landscape

  6. The ENISA Threat Landscape • The ENISA Threat Landscape provides an overview of threats and current and emerging trends. • It is based on publicly available data and provides an independent view on observed threats, threat agents and threat trends. • Over 250 recent reports from a variety of resources have been analysed.

  7. Member States with NCSS • Austria • Belgium • Czech Republic • Estonia • Finland • France • Germany • Hungary • Italy • Lithuania • Luxembourg • Netherlands • Poland • Romania • Slovakia • Spain • United Kingdom

  8. ENISA & Cloud Security • 2009 Cloud computing risk assessment • 2009 Cloud security Assurance framework • 2011 Security and resilience of GovClouds • 2012 Procure secure (Security SLAs) • 2013 Critical cloud computing • 2013 Incident reporting for cloud computing • 2013 Securely deploying GovClouds • 2013 Support EU Cloud Strategy • 2014 Cloud Certification Meta-Framework • 2014 Procurement security in GovClouds • 2014 Security guide for SMEs http://www.enisa.europa.eu/activities/Resilience-and-CIIP/cloud-computing

  9. Governmental Clouds in Europe red = private yellow = public blue = community September 2013

  10. Smart Grids • Smart Grid Security, Recommendations for Europe and Member States, (Jul 2012). • 90 key findings • 10 recommendations • Workshop on security certification of smart grid components (June 2012). • Minimum Security Measures for Smart Grids, (Dec 2012). • identify the minimum set of security measures for a more secure smart grid • address the different sophistication levels for smart grid implementations • EG2 deliverable on smart grids’ minimum security measures (Dec 2013). • Threat landscape for smart grids (Dec 2013).

  11. ICS-SCADA Security • Protecting Industrial Control Systems, Recommendations for Europe and Member States, (published Dec 2011) • Analyzing the European testing capabilities of ICS-SCADA Systems, (to be published) • Recommendations to address ICS-SCADA patching, (published) • Ex post analysis of security incidents in ICS-SCADA environments, (published)

  12. Algorithms, Key Sizes & Parameters Report • Work carried out in collaboration with cryptographers from KUL and University of Bristol. • Technical document addressed to decision makers, specialists designing and implementing cryptographic solutions. • Collates recommendations for algorithms, key sizes, and parameters • Addresses the need for a minimum level of requirements for cryptography across the EU.

  13. Policy Implementation • called for by COM and/or MS to assist in implementing a policy or regulation • aim at harmonisation and avoid fragmentation • soft law approach with emphasis on reducing costs for private sector • mixed bottom up and top down approach; enough flexibility for MS to introduce their own specific characteristics • realistic and implementable

  14. Security & Data Breach Notification • Supporting MS in implementing Article 13a of the Telecommunications Framework Directive • Supported NRAs in implementing the provisions under Article 13a • Developed and implemented the process for collecting annual national reports of security breaches • Developed minimum security requirements and proposed associated metrics and thresholds • Supporting COM and MS in defining technical implementation measures for Article 4 of the ePrivacy Directive. • Recommendations for the implementation of Article 4. • Collaboration with Art.29 TS in producing a severity methodology for the assessment of breaches by DPAs

  15. Incident Reporting for the eComs Sector • ENISA has formed an expert group consisting of all NRAs (EU and EFTA) and the EC, to • implement a reporting scheme • harmonized implementation across the EU • Non-binding technical guidelines • on Security Measures • on Incident reporting • Most Member States use the guidelines • 2012 and 2013 annual summary reporting from the NRAs to EC and ENISA

  16. … like curling

  17. Incident Reports from 2012 • most major outages involved mobile networks • most major outages are caused by system failures

  18. Hands On • assist targeted stakeholders to develop expertise, knowledge and capabilities in specific areas within the mandate of ENISA • usually in the form of training, seminars and exercises • emphasis on people and how they can become better and more efficient in their daily working life • very focused projects usually at the request of stakeholders and within the mandate of ENISA

  19. Cyber Exercises • Cyber Europe 2010. • Europe’s first ever international cyber security exercise • EU-US exercise, 2011. • Also a first: work with COM & MS to build transatlantic cooperation • Cyber Europe 2012. • Developed from 2010 & 2011 exercises. • Involves MS, private sector and EU institutions. • Highly realistic exercise, Oct 2012

  20. CERT Training

  21. Supporting Operational Communities - Overview

  22. Mobilising Communities • establish communities to share experiences, identify good practices and learn from each other • validate possible solutions and recommendations to be sure that they fit the needs of the stakeholders • collect feedback about emerging trends and possible issues to address • act as a facilitator between MS, COM and private sector, always making sure that we remain focused, pragmatic and realistic

  23. The NIS Platform • Objectives • framework for supporting collaboration between public and private sectors on NIS policy issues • powered by the EC, supported by ENISA • ENISA’s role • ensure exchange of expertise on policy and operational aspects • provide good practices and lessons learnt • facilitate collaboration and awareness on NIS issues • 3 working groups • WG1 on risk management • WG2 on information sharing and incident coordination • WG3 on secure ICT research and innovation

  24. National/governmental CERTs: the situation has changed… • We are building and actively supporting a growing network of national/governmental CERTs • CERT Interactive MAP: http://www.enisa.europa.eu/activities/cert/background/inv/certs-by-country-interactive-map • SITUATION IN 2014: Armenia, Austria, Belgium, Bulgaria, Croatia, Czech Republic, Denmark, Estonia, Finland, France, Georgia, Germany, Greece, Hungary, Iceland, Ireland, Israel, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey, Ukraine, United Kingdom, EU Institutions • ESTABLISHED IN 2005: Finland, France, Germany, Hungary, The Netherlands, Norway, Sweden, United Kingdom

  25. Conclusions • ENISA works together with targeted communities to identify pragmatic solutions to current security issues • We issue concrete advice on how to improve system security and which implementations to favour • The solutions we propose are based on industry good practice and are therefore known to work • By working in this way, we put security to the service of EU industry, EU MS and COM and improve the competitiveness of our industries

  26. Questions?
