
Industrial Control System Security Workshop
Update of EU NIS & CIIP policy

16 September 2011 Alejandro PINTO
European Commission Directorate General Information Society and Media - DG INFSO Unit A3 – Internet Governance; Network and Information Security Alejandro.pinto-gonzalez@ec.europa.eu

NIS & CIIP: The EU Policy Framework

• 2004: Establishment of the European Network and Information Security Agency - ENISA
• 2006: European Commission Strategy for a Secure Information Society COM(2006)251
• 2006: COM on European Programme for Critical Infrastructure Protection
• 2007: Council Resolution on a Strategy for a Secure Information Society in Europe [2007/C 68/01]
• 2008: Directive on Identification and Designation of European Critical Infrastructures
• Mar 2009: COM on Action Plan on Critical Information Infrastructure Protection - CIIP
• Dec 2009: Council resolution on a collaborative European approach to NIS [2009/C 321/01]
• May 2010: Adoption of the European Digital Agenda
• Mar 2011: COM on CIIP: achievements and next steps
• April 2011: COM on SmartGrids: From innovation to deployment

EU policies on NIS and CIIP

NIS has never been so high on the EU political agenda. President Barroso, “Political guidelines for the next Commission”, 3 September 2009:
• “The next Commission will develop a European Digital Agenda […] to tackle the main obstacles to a genuine digital single market, promote investment in high-speed Internet and avert an unacceptable digital divide. Because of the increasing dependence of our economies and societies on the Internet, a major initiative to boost network security will also be proposed.”

Network & Information Security (NIS) Facts

• Increasing economic and social dependency on ICT vs growing sophistication of threats
• Network and Information Security (NIS) is a key enabler for trust and is a shared responsibility
• Global interconnection vs lack of transnational cooperation
• Operational responsibility with private sector while public policy responsibility lies with governments
• Limited incentives for wide NIS uptake
• Fragmentation of NIS regimes and market maturity in MS

Network and Information Security Challenges

• Make security and resilience the front line of defence of critical ICT infrastructures
• Develop a risk management culture in the EU
• Identify socio-economic incentives
• Promote openness, diversity, interoperability, usability, competition
• Boost policy and operational cooperation (e.g. pan-European security incident exercises)

Recent policy developments

• May 2010: Digital Agenda
• 20 November 2010: Establishment of the EU-U.S. Working Group on Cybersecurity and Cybercrime – EU-U.S. Summit – Lisbon
• 22 November 2010: Adoption of EU Internal Security Strategy
• CIIP COM(2011)163 “Achievements and next steps: towards global cybersecurity”

A Digital Agenda for Europe - COM(2010)245
“Every European Digital” N. Kroes – May 2010

The Seven Priority areas for action:
1. Creating a Digital Single Market
2. Improving the framework conditions for interoperability between ICT products and services
3. Boosting Internet trust and security
4. Guaranteeing the provision of much faster internet access
5. Encouraging investment in research and development
6. Enhancing digital literacy, skills and inclusion
7. Applying ICT to address social challenges such as climate change, rising healthcare costs and the ageing population

Overview of Pillar 3 “Trust and Security” (diagram)

KA 6 (28) NIS Policy:
1. ENISA Regulation for mandate and duration
2. ToolBox: ENISA, EFMS, EP3R, EPCIP, CIIP Conference, Observer in Cyberstorm
3. EU institutions CERT

Cybersecurity preparedness:
• 32 – Cooperation on cybersecurity
• 33 – EU cybersecurity preparedness
• 38 – Network of CERTs by 2012
• 39 – MS Simulation exercises as of 2010
• 41 – National alert platforms by 2012
• KA 7 (29) – Measures on cyberattacks

Cybercrime:
• 30 – EU platform by 2012
• 31 – Create European Cybercrime center

Safety and privacy of online content and services:
• 34 – Explore extension of personal data breach notification
• 35 – Implementation of privacy and personal data protection
• 36 – Support for reporting of illegal content
• 37 – Dialogue and self-regulation minors
• 40 – Harmful content hotlines and awareness campaigns

Legend: INFSO CdF; HOME CdF; Others COM CdF; Commission action; Member States action

EU-U.S. Working Group on Cybersecurity and Cybercrime

The EU-US Working Group on Cyber-security and Cyber-crime (EU-US WG) was established in the context of the EU-US summit of 20 November 2010 held in Lisbon to "tackle new threats to the global networks upon which the security and prosperity of our free societies increasingly depend".

The EU-US WG "will address a number of specific priority areas and will report progress within a year”.
• Cyber Incident Management (TTX exercise and a cooperation program): In 2011, EC and US will develop a common programme and roadmap towards joint/synchronised trans-continental cyber exercises in 2012/2013
• Public Private Partnership

EU-U.S. Working Group on Cybersecurity and Cybercrime
The EU-US Expert Sub-Group on Public Private Partnerships: Deliverables

• Briefings/reports on specific topics of mutual interest including best practices and models to engage with the private sector, legislative developments, national approaches/programs for addressing botnets, private sector cybersecurity good practices, and others, as identified.
• Common principles and guidelines on the resilience and stability of the Internet as well as on a reliable access to it.
• A strategy and an action plan to engage the private sector in cooperative activities with governments on selected areas, including development of agreed guidelines, principles, best practices, and/or standards.

EU-U.S. Working Group on Cybersecurity and Cybercrime
The EU-US Expert Sub-Group on Public Private Partnerships

Initially, ESG focus will be maintained on achieving measurable and beneficial outcomes in the following areas:
• EU and US coordinated efforts to fight botnets
• Cyber Security of industrial control systems and Smart grids

EU-U.S. Working Group on Cybersecurity and Cybercrime
CYBER SECURITY OF INDUSTRIAL CONTROL SYSTEMS AND SMART GRIDS

Proposed tasks: Stock taking and comparative analysis of existing initiatives, good practises, pilots and methods in particular addressing ICT risks (threats, vulnerabilities), privacy and security.

Input from EU side:
• Activities at national level (NL, UK, DE, SE…) as well as at European level (Euro-SCSIE, possibly via Member States experts in the ESG and during the stock taking of the ENISA studies on ICS and Smart Grids)
• Ongoing ENISA studies on Industrial control systems and Interdependencies of ICT sector to energy
• Activities of the Expert Group on the security and resilience of communication networks and information systems for Smart Grids, composed of European public and private stakeholders. The last meeting of this Expert Group took place on 21 June 2011.

EU-U.S. Working Group on Cybersecurity and Cybercrime
CYBER SECURITY OF INDUSTRIAL CONTROL SYSTEMS AND SMART GRIDS

Input from US side: Experiences in international public-private coordination to mature acceptance of voluntary security standards; this will also draw on an analysis of existing coordination bodies for security of industrial control systems and highlighting best practices for voluntary participation developed within them. Specific methodology and mechanisms to engage with the private sector to achieve cooperation and mutual engagement in public-private control system security coordination.

Deliverables:
• Strategy for EU and US engagement on the control system/smart grid priority area.
• Plan of Action for EU and US public private engagement on cyber security of industrial control systems and Smart grids.

CIP – European Context

Need for action at the European level to enhance the protection and resilience of critical infrastructures: In June 2004, the European Council asked for an overall strategy to protect critical infrastructures. On 12 December 2006, the Commission adopted the Communication on a European Programme on Critical Infrastructure Protection EPCIP (COM(2006)786) with the objective of improving the protection of critical infrastructures in the EU.

EPCIP framework:
• A procedure for the identification and designation of ECI
• Measures: Critical Infrastructure Warning Information Network (CIWIN), use of CIP expert groups, CIP information sharing, identification and analysis of interdependencies.

C(I)IP – European Context

Because of their horizontal nature with inter-linkages into many other critical infrastructures, the protection of communication and information infrastructure is a priority.

Communication on CIIP - COM(2009)149: Objectives and scope

• High level objectives
– Protect Europe from large scale cyber attacks and disruptions
– Promote security and resilience culture (first line of defence) & strategy
– Tackle cyber attacks & disruptions from a systemic perspective
– Enhance the CIIP preparedness and response capability in EU
– Promote the adoption of adequate and consistent levels of preventive, detection, emergency and recovery measures
– Foster International cooperation, in particular on Internet stability and resilience
• Approach / Means
– Build on national and private sector initiatives
– Engage public and private sectors
– Adopt an all-hazards approach
– Be multilateral, open and all inclusive

Communication on CIIP - COM(2009)149
“Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience”

The five pillars of the CIIP Action Plan:
1. Preparedness and prevention
2. Detection and response
3. Mitigation and recovery
4. International Cooperation
5. Criteria for European Critical Infrastructures in the ICT sector

CIIP COM(2011)163 “Achievements and next steps: towards global cyber-security”

• Adopted on 31 March 2011
• Takes stock of results achieved since 2009 CIIP action plan
• Builds on existing policy initiatives, in particular Digital Agenda, Stockholm Action Plan and ISS
• Describes next steps at European and International level

g.g. smart grids and water systems). given the increasing pervasiveness of ICT in Critical Infrastructures (e. submarine cable breaks) – destruction purposes. recent attacks against government systems and EU Institutions) – disruption purposes (e. This is a scenario that has not yet materialised but.g. Conficker. GhostNet. it cannot be ruled out for the years to come” .“Achievements and next steps: towards global cyber-security” CIIP COM(2011)163 • Threats and risks – exploitation purposes (e. StuxNet. ETS.

CIIP COM(2011)163 “Achievements and next steps: towards global cyber-security”

• EU and the global context
– A purely European approach is not sufficient and needs to be embedded into a global coordination strategy
– The DAE calls for the “cooperation of relevant actors […] to be organised at global level to be effectively able to fight and mitigate security threats" and sets out the goal to “work with global stakeholders notably to strengthen global risk management in the digital and in the physical sphere and conduct internationally coordinated targeted actions against computer-based crime and security attacks”

CIIP COM(2011)163 “Achievements and next steps: towards global cyber-security”
Preparedness and prevention (1/3)

• European Forum for Member States (EFMS)
Achievements
- Progress on ICT criteria for ECIs, exchange of policy practises, identification of priorities for Internet resilience and stability, driving pan-European exercises, security incentives.
Next steps
- To finalise discussion on ICT criteria for ECIs.
- To focus on CERTs cooperation.
- To be further involved in discussions on International priorities on security and resilience (e.g. EU-US WG).

CIIP COM(2011)163 “Achievements and next steps: towards global cyber-security”
Preparedness and prevention (2/3)

• European Public-private Partnership for Resilience (EP3R)
Achievements
- 2010: Three WGs launched within EP3R (ENISA).
Next steps
- WGs to deliver first results.
- EP3R to be leveraged in support of the EU-US WG on Cyber-security and Cyber-crime.
- A modernised ENISA would provide a long-term and sustainable framework for EP3R.

CIIP COM(2011)163 “Achievements and next steps: towards global cyber-security”
Preparedness and prevention (3/3)

• Baseline of capabilities and services for pan-European cooperation
Achievements
- 2010: ENISA gave recommendations on baseline capabilities for Nat/Gov CERTs.
- 20 MS with Nat/Gov CERTs in place*.
Next steps
- ENISA to continue support MS – towards well-functioning network of CERTs at national level by 2012 (DAE).
- ENISA to cooperate with Nat/Gov CERTs towards EISAS by 2013 (ISS).
* Based on information provided to ENISA by MS

CIIP COM(2011)163 “Achievements and next steps: towards global cyber-security”
Detection and response

• European Information Sharing and Alert System (EISAS)
Achievements
- FISHA and NEISAS currently producing results.
- ENISA devised a high-level roadmap for development of EISAS by 2013.
Next steps
- 2011: ENISA to support MS by developing basic services needed for national ISAS.
- 2012: ENISA to develop “interoperability services”.

CIIP COM(2011)163 “Achievements and next steps: towards global cyber-security”
Mitigation and Recovery (1/2)

• National contingency planning and exercises
Achievements
- To date, 12 MS* have carried out cyber-exercises at national level.
Next steps
- ENISA to continue support MS in developing national contingency plans.
* Based on information provided to ENISA by MS

CIIP COM(2011)163 “Achievements and next steps: towards global cyber-security”
Mitigation and Recovery (2/2)

• Pan-European exercise on large-scale network security incidents
Achievements
- Cyber Europe 2010 carried out on 4th November 2010.
- Eurocybex project.
Next steps
- MS to work on future pan-European exercise to take place in 2012.
- ENISA to work with MS on a EU cyber-incident contingency plan by 2012.

CIIP COM(2011) 163 “Achievements and next steps: towards global cyber-security”
ICT sector criteria for ECIs

• Sector specific criteria for identifying European Critical Infrastructures in the ICT sector
Achievements
- Development within EFMS of draft criteria of fixed/mobile communications and the internet.
Next steps
- EFMS to complete discussions by 2011.
- EC to discuss with MS on ICT-sector elements for review of Directive 2008/114/EC.

Cyber security and resilience of Smart Grids: Problem Statement

• The Smart Grids concept brings improvement in operations and services, but at the cost of exposing the entire electricity network to new challenges, in particular in the field of cyber security.
• ICT infrastructures, as underpinning platform, have become critical to the energy sector, without which some services (e.g. in electricity transmission and distribution) could come to an abrupt halt. At the extreme, vulnerabilities of communication networks and information systems of Smart Grids may be exploited for financial or political motivation to shut off power to large areas or to direct cyberattacks against power generation plants.

Expert Group on Security and Resilience of communication networks and information systems for the Smart Grid

The European Commission (EC), with the support of the European Network and Information Security Agency (ENISA), convened an Expert Group for:
I. Better understanding of the views and objectives of the private and public sectors on the ICT security and resilience challenges for the smart grids.
II. Identification and discussion of the related policy at EU level.

The Policy Context for the Expert Group

COM(2011) 163 on Critical Information Infrastructure Protection: “destruction purposes. This is a scenario that has not yet materialised but, given the increasing pervasiveness of ICT in Critical Infrastructures (e.g. smart grids and water systems), it cannot be ruled out for the years to come”

COM(2011) 202 on Smart Grids: “The Commission will continue bringing together the energy and ICT communities within an expert group to assess the network and information security and resilience of Smart Grids as well as to support related international cooperation.”

Expert Group: Concrete objectives

The Expert Group is discussing how to strengthen at European Level the security and resilience of communication networks and information systems for Smart Grids.

Objective 1: Identify European priority areas for which action should be undertaken to address the security and resilience of communication networks and information systems for Smart Grids. The Expert Group is also expected to define recommendations on how to progress on each priority area at European level.

Expert Group: Concrete objectives

Objective 2: Identify which elements of the smart grid should be addressed by the Expert Group (e.g. smart metering, smart appliances, smart (local) generation, smart distribution, smart transmission) and to what level. The use of an existing common concept model should be considered.

The Expert Group will:
• Identify key strategic and high level requirements
• Identify a good practices guideline based on lessons learned
• Propose mechanisms/messages to raise awareness of decision makers

Expert Group: How to achieve objectives. State of Play

Sub-Working Group 1: ICT security and resilience of Smart Grids: High Level Risk Analysis and Security Requirements
Objective: Identify and explore policy issues related to risk analysis, and formulation of high level security requirements and measures to reduce risk levels to acceptable levels and to improve the resilience of the network. Policy issues will include (but are not limited to): objectives of risk analysis, enumeration of levels at which stakeholders should conduct risk analysis, process for prioritizing risk, categories of security requirements, attributes of security measures, and phases and stages for risk mitigation.

Sub-Working Group 2: Challenges and recommendations for ICT security and resilience of Smart Grids
Objective: To identify European challenges of ICT security and resilience of Smart Grids and propose actions to be undertaken. Challenges for securing the communication networks and information systems that will be central to the performance and availability of the Smart Grid, and identify the European stakeholders which are affected by these challenges and therefore should be involved in the development of measures to address them. Exploring and setting the road ahead to address these challenges.

Moreover, a small group of experts will work on a Work Program for the Expert Group taking into consideration, among others, the activities of the two sub-Working Groups.

Networking of initiatives

The Expert Group is also well engaged with related initiatives at EU and international level:
• Task Force Smart Grid (Expert Group 2)
• CEN/CENELEC/ETSI Smart Grids Co-ordination Group and its subgroup on Smart Grid Information Security
• EuroScsie
• US NIST Cyber security Working Group

EU Policy on NIS and CIIP

Thanks!

Web Sites
• EU policy on Critical Information Infrastructure Protection – CIIP: http://ec.europa.eu/information_society/policy/nis/strategy/activities/ciip/index_en.htm
• A Digital Agenda for Europe: http://ec.europa.eu/information_society/digital-agenda/index_en.htm
• EU policy on promoting a secure Information Society: http://ec.europa.eu/information_society/policy/nis/index_en.htm

Links to policy documents
• Commission Communication on Critical Information Infrastructure Protection – "Achievements and next steps: towards global cybersecurity" COM(2011) 163: http://ec.europa.eu/information_society/policy/nis/docs/comm_2011/comm_163_en.pdf
• Commission Communication on Critical Information Infrastructure Protection – "Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience" COM(2009) 149: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2009:0149:FIN:
• Digital Agenda for Europe COM(2010)245 of 19 May 2010: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2010:0245:FIN:EN:PDF
• The EU Internal Security Strategy in Action: Five steps towards a more secure Europe COM(2010)673: http://ec.europa.eu/commission_2010-2014/malmstrom/archive/internal_security_strategy_in_action_en.pdf