
Industrial Control System Security Workshop Update of EU NIS & CIIP policy

16 September 2011 Alejandro PINTO


European Commission Directorate General Information Society and Media - DG INFSO Unit A3 Internet Governance; Network and Information Security Alejandro.pinto-gonzalez@ec.europa.eu

NIS & CIIP


The EU Policy Framework

2004: Establishment of the European Network and Information Security Agency - ENISA
2006: European Commission Strategy for a Secure Information Society COM(2006)251
2006: COM on European Programme for Critical Infrastructure Protection
2007: Council Resolution on a Strategy for a Secure Information Society in Europe [2007/C 68/01]
2008: Directive on Identification and Designation of European Critical Infrastructures
Mar 2009: COM on Action Plan on Critical Information Infrastructure Protection - CIIP
Dec 2009: Council resolution on a collaborative European approach to NIS [2009/C 321/01]
May 2010: Adoption of the European Digital Agenda
Mar 2011: COM on CIIP: achievements and next steps
April 2011: COM on Smart Grids: From innovation to deployment

EU policies on NIS and CIIP


NIS has never been so high on the EU political agenda.

President Barroso, Political guidelines for the next Commission, 3 September 2009:
"The next Commission will develop a European Digital Agenda [...] to tackle the main obstacles to a genuine digital single market, promote investment in high-speed Internet and avert an unacceptable digital divide. Because of the increasing dependence of our economies and societies on the Internet, a major initiative to boost network security will also be proposed."

Network & Information Security (NIS) Facts


- Increasing economic and social dependency on ICT vs growing sophistication of threats
- Network and Information Security (NIS) is a key enabler for trust and is a shared responsibility
- Global interconnection vs lack of transnational cooperation
- Operational responsibility with private sector while public policy responsibility lies with governments
- Limited incentives for wide NIS uptake
- Fragmentation of NIS regimes and market maturity in MS

Network and Information Security Challenges


- Make security and resilience the front line of defence of critical ICT infrastructures
- Develop a risk management culture in the EU
- Identify socio-economic incentives
- Promote openness, diversity, interoperability, usability, competition
- Boost policy and operational cooperation (e.g. pan-European security incident exercises)

Recent policy developments

- May 2010: Digital Agenda
- 20 November 2010: Establishment of the EU-U.S. Working Group on Cybersecurity and Cybercrime, EU-U.S. Summit, Lisbon
- 22 November 2010: Adoption of EU Internal Security Strategy
- 31 March 2011: CIIP COM(2011)163 "Achievements and next steps: towards global cybersecurity"

A Digital Agenda for Europe - COM(2010)245


The Seven Priority areas for action - "Every European Digital" (N. Kroes, May 2010)

1. Creating a Digital Single Market
2. Improving the framework conditions for interoperability between ICT products and services
3. Boosting Internet trust and security
4. Guaranteeing the provision of much faster internet access
5. Encouraging investment in research and development
6. Enhancing digital literacy, skills and inclusion
7. Applying ICT to address social challenges such as climate change, rising healthcare costs and the ageing population.

Overview of Pillar 3 Trust and Security

Three strands: Cybersecurity preparedness; Cybercrime; Safety and privacy of online content and services. Actions are numbered as in the Digital Agenda (KA = Key Action). Legend of the original chart: INFSO CdF, HOME CdF, Others COM CdF; Commission action; Member States action; Expert Group.

KA 6 (28) NIS Policy:
1. ENISA Regulation for mandate and duration
2. ToolBox: ENISA, EFMS, EP3R, Observer in Cyberstorm, EPCIP, CIIP Conference
3. EU institutions CERT
KA 7 (29) Measures on cyberattacks
30 EU platform by 2012
31 Create European Cybercrime center
32 Cooperation on cybersecurity
33 EU cybersecurity preparedness
34 Explore extension of personal data breach notification
35 Implementation of privacy and personal data protection
36 Support for reporting of illegal content
37 Dialogue and self-regulation minors
38 Network of CERTs by 2012
39 MS Simulation exercises as of 2010
40 Harmful content hotlines and awareness campaigns
41 National alert platforms by 2012

EU-U.S. Working Group on Cybersecurity and Cybercrime


The EU-US Working Group on Cyber-security and Cyber-crime (EU-US WG) was established in the context of the EU-US summit of 20 November 2010 held in Lisbon to "tackle new threats to the global networks upon which the security and prosperity of our free societies increasingly depend". The EU-US WG "will address a number of specific priority areas and will report progress within a year".

- Cyber Incident Management (TTX exercise and a cooperation program): in 2011, EC and US will develop a common programme and roadmap towards joint/synchronised trans-continental cyber exercises in 2012/2013
- Public Private Partnership

EU-U.S. Working Group on Cybersecurity and Cybercrime


The EU-US Expert Sub-Group on Public Private Partnerships:
Deliverables:
- Briefings/reports on specific topics of mutual interest including best practices and models to engage with the private sector; national approaches/programs for addressing botnets; private sector cybersecurity good practices; legislative developments; and others, as identified.
- A strategy and an action plan to engage the private sector in cooperative activities with governments, on selected areas, including development of agreed guidelines, principles, best practices, and/or standards.
- Common principles and guidelines on the resilience and stability of the Internet as well as on a reliable access to it.

EU-U.S. Working Group on Cybersecurity and Cybercrime


The EU-US Expert Sub-Group on Public Private Partnerships:
Initially, ESG focus will be maintained on achieving measurable and beneficial outcomes in the following areas:
- EU and US coordinated efforts to fight botnets;
- Cyber Security of industrial control systems and Smart grids.

EU-U.S. Working Group on Cybersecurity and Cybercrime


CYBER SECURITY OF INDUSTRIAL CONTROL SYSTEMS AND SMART GRIDS
Proposed tasks: Stock taking and comparative analysis of existing initiatives, pilots, good practices and methods, in particular addressing ICT risks (threats, vulnerabilities), privacy and security.
Input from EU side:
- Activities at national level (NL, DE, UK, SE) as well as at European level (Euro-SCSIE, possibly via Member States experts in the ESG and during the stock taking of the ENISA studies on ICS and Smart Grids)
- Ongoing ENISA studies on Industrial control systems and Interdependencies of ICT sector to energy
- Activities of the Expert Group on the security and resilience of communication networks and information systems for Smart Grids, composed of European public and private stakeholders. The last meeting of this Expert Group took place on 21 June 2011.

EU-U.S. Working Group on Cybersecurity and Cybercrime


CYBER SECURITY OF INDUSTRIAL CONTROL SYSTEMS AND SMART GRIDS
Input from US side:
- Experiences in international public-private coordination to mature acceptance of voluntary security standards.
- Specific methodology and mechanisms to engage with the private sector to achieve cooperation and mutual engagement in public-private control system security coordination.
Deliverables:
- Strategy for EU and US engagement on the control system/smart grid priority area;
- Plan of Action for EU and US public private engagement on cyber security of industrial control systems and Smart grids; this will also draw on an analysis of existing coordination bodies for security of industrial control systems, highlighting best practices for voluntary participation developed within them.

CIP European Context


Need for action at the European level to enhance the protection and resilience of critical infrastructures:
- In June 2004, the European Council asked for an overall strategy to protect critical infrastructures.
- On 12 December 2006, the Commission adopted the Communication on a European Programme on Critical Infrastructure Protection EPCIP (COM(2006)786) with the objective of improving the protection of critical infrastructures in the EU.
EPCIP framework:
- A procedure for the identification and designation of ECI
- Measures: Critical Infrastructure Warning Information Network (CIWIN), use of CIP expert groups, CIP information sharing, identification and analysis of interdependencies.

C(I)IP European Context

Because of their horizontal nature, with inter-linkages into many other critical infrastructures, the protection of communication and information infrastructure is a priority.

Communication on CIIP - COM(2009)149

Objectives and scope

High level objectives
- Protect Europe from large scale cyber attacks and disruptions
- Promote security and resilience culture (first line of defence) & strategy
- Tackle cyber attacks & disruptions from a systemic perspective

Means
- Enhance the CIIP preparedness and response capability in EU
- Promote the adoption of adequate and consistent levels of preventive, detection, emergency and recovery measures
- Foster International cooperation, in particular on Internet stability and resilience

Approach
- Build on national and private sector initiatives
- Engage public and private sectors
- Adopt an all-hazards approach
- Be multilateral, open and all inclusive

Communication on CIIP "Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience" - COM(2009)149

The five pillars of the CIIP Action Plan:

1. Preparedness and prevention
2. Detection and response
3. Mitigation and recovery
4. International Cooperation
5. Criteria for European Critical Infrastructures in the ICT sector

Achievements and next steps: towards global cyber-security

CIIP COM(2011)163, adopted on 31 March 2011

- Takes stock of results achieved since 2009 CIIP action plan
- Builds on existing policy initiatives, in particular Digital Agenda, Stockholm Action Plan and ISS
- Describes next steps at European and International level

Achievements and next steps: towards global cyber-security

CIIP COM(2011)163

Threats and risks
- Exploitation purposes (e.g. GhostNet, ETS, recent attacks against government systems and EU Institutions)
- Disruption purposes (e.g. Conficker, Stuxnet, submarine cable breaks)
- Destruction purposes. This is a scenario that has not yet materialised but, given the increasing pervasiveness of ICT in Critical Infrastructures (e.g. smart grids and water systems), it cannot be ruled out for the years to come.

Achievements and next steps: towards global cyber-security

EU and the global context
- A purely European approach is not sufficient and needs to be embedded into a global coordination strategy.
- The DAE calls for "the cooperation of relevant actors [...] to be organised at global level to be effectively able to fight and mitigate security threats" and sets out the goal to work with global stakeholders, notably to strengthen global risk management in the digital and in the physical sphere and conduct internationally coordinated targeted actions against computer-based crime and security attacks.

CIIP COM(2011)163

Achievements and next steps: towards global cyber-security

CIIP COM(2011)163

Preparedness and prevention (1/3): European Forum for Member States (EFMS)
Achievements
- Progress on ICT criteria for ECIs, identification of priorities for Internet resilience and stability, exchange of policy practices.
Next steps
- To finalise discussion on ICT criteria for ECIs;
- To be further involved in discussions on International priorities on security and resilience (e.g. EU-US WG);
- To focus on CERTs cooperation, security incentives, driving pan-European exercises.

Achievements and next steps: towards global cyber-security

CIIP COM(2011)163

Preparedness and prevention (2/3): European Public-private Partnership for Resilience (EP3R)
Achievements
- 2010: ENISA Three WGs launched within EP3R;
- A modernised ENISA would provide a long-term and sustainable framework for EP3R.
Next steps
- WGs to deliver first results;
- EP3R to be leveraged in support of the EU-US WG on Cyber-security and Cyber-crime.

Achievements and next steps: towards global cyber-security

CIIP COM(2011)163

Preparedness and prevention (3/3): Baseline of capabilities and services for pan-European cooperation
Achievements
- 2010: ENISA gave recommendations on baseline capabilities for Nat/Gov CERTs;
- 20 MS with Nat/Gov CERTs in place*.
Next steps
- ENISA to continue to support MS towards a well-functioning network of CERTs at national level by 2012 (DAE);
- ENISA to cooperate with Nat/Gov CERTs towards EISAS by 2013 (ISS).
* Based on information provided to ENISA by MS

Achievements and next steps: towards global cyber-security

CIIP COM(2011)163

Detection and response: European Information Sharing and Alert System (EISAS)
Achievements
- FISHA and NEISAS currently producing results
- ENISA devised a high-level roadmap for development of EISAS by 2013
Next steps
- 2011: ENISA to support MS by developing basic services needed for national ISAS
- 2012: ENISA to develop interoperability services

Achievements and next steps: towards global cyber-security

CIIP COM(2011)163

Mitigation and Recovery (1/2): National contingency planning and exercises
Achievements
- To date, 12 MS* have carried out cyber-exercises at national level
Next steps
- ENISA to continue to support MS in developing national contingency plans
* Based on information provided to ENISA by MS

Achievements and next steps: towards global cyber-security

CIIP COM(2011)163

Mitigation and Recovery (2/2): Pan-European exercise on large-scale network security incidents
Achievements
- Cyber Europe 2010 carried out on 4 November 2010
Next steps
- Eurocybex project
- MS to work on future pan-European exercise to take place in 2012
- ENISA to work with MS on an EU cyber-incident contingency plan by 2012

Achievements and next steps: towards global cyber-security

CIIP COM(2011) 163

ICT sector criteria for ECIs: Sector specific criteria for identifying European Critical Infrastructures in the ICT sector
Achievements
- Development within EFMS of draft criteria for fixed/mobile communications and the internet
Next steps
- EFMS to complete discussions by 2011
- EC to discuss with MS on ICT-sector elements for review of Directive 2008/114/EC

Cyber security and resilience of Smart Grids: Problem Statement

The Smart Grids concept brings improvements in operations and services, but at the cost of exposing the entire electricity network to new challenges, in particular in the field of cyber security.

ICT infrastructures, as the underpinning platform, have become critical to the energy sector, without which some services (e.g. in electricity transmission and distribution) could come to an abrupt halt. At the extreme, vulnerabilities of communication networks and information systems of Smart Grids may be exploited for financial or political motivation to shut off power to large areas or to direct cyber-attacks against power generation plants.

Expert Group on Security and Resilience of communication networks and information systems for the Smart Grid

The European Commission (EC), with the support of the European Network and Information Security Agency (ENISA), convened an Expert Group for:
I. Better understanding of the views and objectives of the private and public sectors on the ICT security and resilience challenges for the smart grids.
II. Identification and discussion of the related policy at EU level.

The Policy Context for the Expert Group

COM(2011) 163 on Critical Information Infrastructure Protection:
"[...] destruction purposes. This is a scenario that has not yet materialised but, given the increasing pervasiveness of ICT in Critical Infrastructures (e.g. smart grids and water systems), it cannot be ruled out for the years to come."

COM(2011) 202 on Smart Grids:
"The Commission will continue bringing together the energy and ICT communities within an expert group to assess the network and information security and resilience of Smart Grids as well as to support related international cooperation."

Expert Group: Concrete objectives


The Expert Group is discussing how to strengthen at European Level the security and resilience of communication networks and information systems for Smart Grids.

Objective 1
Identify European priority areas for which action should be undertaken to address the security and resilience of communication networks and information systems for Smart Grids. The Expert Group is also expected to define recommendations on how to progress on each priority area at European level.

Expert Group: Concrete objectives


Objective 2
Identify which elements of the smart grid should be addressed by the Expert Group (e.g. smart appliances, smart metering, smart distribution, smart (local) generation, smart transmission) and to what level. The use of an existing common concept model should be considered.

The Expert Group will:
- Identify key strategic and high level requirements
- Identify a good practices guideline based on lessons learned
- Propose mechanisms/messages to raise awareness of decision makers

Expert Group: How to achieve objectives - State of Play

Sub-Working Group 1: ICT security and resilience of Smart Grids: High Level Risk Analysis and Security Requirements
Objective: Identify and explore policy issues related to risk analysis, and formulation of high level security requirements and measures to reduce risk levels to acceptable levels and to improve the resilience of the network. Policy issues will include (but are not limited to): objectives of risk analysis, enumeration of levels at which stakeholders should conduct risk analysis, process for prioritizing risk, categories of security requirements, attributes of security measures, and phases and stages for risk mitigation.

Sub-Working Group 2: Challenges and recommendations for ICT security and resilience of Smart Grids
Objective: To identify European challenges of ICT security and resilience of Smart Grids and propose actions to be undertaken: challenges for securing the communication networks and information systems that will be central to the performance and availability of the Smart Grid; exploring and setting the road ahead to address these challenges, and identifying the European stakeholders which are affected by these challenges and therefore should be involved in the development of measures to address them.

Moreover, a small group of experts will work on a Work Program for the Expert Group taking into consideration, among others, the activities of the two sub-Working Groups.

Networking of initiatives
The Expert Group is also well engaged with related initiatives at EU and international level:
- Task Force Smart Grid (Expert Group 2)
- CEN/CENELEC/ETSI Smart Grids Co-ordination Group and its subgroup on Smart Grid Information Security
- EuroScsie
- US NIST Cyber security Working Group

EU Policy on NIS and CIIP

Thanks!

Web Sites

- EU policy on Critical Information Infrastructure Protection CIIP: http://ec.europa.eu/information_society/policy/nis/strategy/activities/ciip/index_en.htm
- A Digital Agenda for Europe: http://ec.europa.eu/information_society/digital-agenda/index_en.htm
- EU policy on promoting a secure Information Society: http://ec.europa.eu/information_society/policy/nis/index_en.htm

Links to policy documents

- Commission Communication on Critical Information Infrastructure Protection "Achievements and next steps: towards global cybersecurity" - COM(2011) 163: http://ec.europa.eu/information_society/policy/nis/docs/comm_2011/comm_163_en.pdf
- Digital Agenda for Europe - COM(2010)245 of 19 May 2010: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2010:0245:FIN:EN:PDF
- The EU Internal Security Strategy in Action: Five steps towards a more secure Europe, COM(2010)673: http://ec.europa.eu/commission_2010-2014/malmstrom/archive/internal_security_strategy_in_action_en.pdf
- Commission Communication on Critical Information Infrastructure Protection "Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience", COM(2009) 149: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2009:0149:FIN:
