
ENISA's Resilience and CIIP Program

Prof. Manel Medina


Deputy Head of Technical Competence Department of ENISA
www.enisa.europa.eu

ENISA's Resilience and CIIP Program


Collectively evaluate and improve resilience of European communications networks and services

[Diagram: program timeline with the years 2008, 2009, 2010, 2012]
Policy context labels: CIIP COM; ENISA II; New Telecom Package
Activity labels: Stock taking; Policies/Strategy; Operators Measures; Technology; Gap Analysis; Gap Mitigation; Good practices; Guidelines; Recommendations; Exercises; Article 13a; Good practices; EP3R and EFMS

EU Commission and at least 50% of the Member States made use of ENISA recommendations in their policy making process

EU Activities on Resilience and CIIP


CIIP Action Plan
Pan European Public Private Partnership for Resilience (EP3R)
Pan European Forum for Member States (EFMS)
Cyber Europe 2010, first pan European Exercise
Trusted Information Sharing

Telecom Package article 13a


Min. security requirements and guidelines for operators
Mandatory reporting of significant incidents to regulators
Annual reporting of incidents to ENISA and COM

ENISA II new mandate
New COM's Communication on CIIP

Industrial Control Systems (ICS)


Old Technology, New Problems
from isolated, well protected systems to widely connected
massive deployment of Internet protocols

Reduce cost of operation but ... increase risk


deployment of off the shelf, commercial solutions
remote access to systems (e.g. for maintenance and support)

Lack of understanding of cyber security issues


from physical/access control to cyber security culture
products not always state of art in cyber security
Plans, measures, policies and controls non existent

ICS: Our Approach


Identify problems holistically through stock taking
technical, policy, R&D, standards, legal, socio-economic, awareness

Survey experts from all categories of stakeholders on


what works in reality and what does not
problems in operational reality
good practices in use
new or widely accepted initiatives

Develop insights and recommendations for further action, e.g.


propose new standards (ISA99, Vendor Requirements document of the WIB)
foster trusted information sharing (e.g. E-SCSIE) and national/European PPPs
develop national contingency plans
build scenarios on future exercises
identify new R&D topics
raise awareness among stakeholders

Smart Grid Challenges


new architectures, standards, policies, measures and controls
interoperability of components and integration of legacy systems (e.g. SCADA) with new components
portability of data across providers
integrated cyber and physical risk assessment and management
commitment of manufacturers and operators to cyber security
incentives to deploy good security policies and standards
information sharing on risks, vulnerabilities and threats

Smart Grids: Our Approach


advise the COM and MS on
regulatory recommendations for data safety, data handling & data protection system management and security
Cyber security and system integrity
Network and system management
Data privacy

Contribute to EU policy developments (e.g. WG of DG ENER and DG INFSO on smart grids security)
Contribute to EU standardization efforts (e.g. members of CEN/CENELEC's and ETSI's WG)
analyze the relationship of Smart Grids to ICS/SCADA
study the interdependencies of energy sector to ICT
study next year the cyber security aspects of Smart Grids

develop in the future a WG under EP3R
