The European Platform in Network and Information Security (NIS)
Fabio Martinelli
Istituto di Informatica e Telematica
Consiglio Nazionale delle Ricerche
Cyber security directive (Network and Information Security, NIS)
• A new initiative launched by the Commission for member states and companies in order to support the adoption of the new Cyber Security Directive (launched in Jan 2013 – revised this Jan.)
• The aim of the proposed Directive is to ensure a high common level of network and information security (NIS).
• This means improving the security of the Internet and the private networks and information systems underpinning the functioning of our societies and economies.
• This will be achieved by requiring the Member States to increase their preparedness and improve their cooperation with each other, and by requiring operators of critical infrastructures, such as energy, transport, and key providers of information society services, as well as public administrations to adopt appropriate steps to manage security risks and report serious incidents to the national competent authorities.
Cyber security directive (NIS) -2
• The directive mainly addresses the necessity to increase the cyber security level of all the member states
• In particular, consolidation and cooperation of national CERTs
• able to share incident information
• creation of national preparedness plans for cyber security (including authorities etc.)
• including risk management plans
• …
Cyber security directive (NIS) -3
At the national level it recommends:
(a) The definition of the objectives and priorities of the strategy based on an up-to-date risk and incident analysis;
(b) A governance framework to achieve the strategy objectives and priorities, including a clear definition of the roles and responsibilities of the government bodies and the other relevant actors;
(c) The identification of the general measures on preparedness, response and recovery, including cooperation mechanisms between the public and private sectors;
(d) An indication of the education, awareness raising and training programmes;
(e) Research and development plans and a description of how these plans reflect
Cyber security directive (NIS) -4
• Among the requirements:
Member States shall ensure that public administrations and market operators take appropriate technical and organisational measures to manage the risks posed to the security of the networks and information systems which they control and use in their operations. Having regard to the state of the art, these measures shall guarantee a level of security appropriate to the risk presented. In particular, measures shall be taken to prevent and minimise the impact of incidents affecting their network and information system on the core services they provide and thus ensure the continuity of the services underpinned by those networks and information systems.
The NIS platform
• To support the EU cyber security directive, the EU decided to create a public/private cooperation in the form of an EU platform on Network and Information Security (NIS)
• Unique opportunity to better understand NIS Challenges, Threats and Risks
• A platform for bringing together policy and technical experts to debate the current and future challenges
Topics of the NIS platform
1. Organisational measures: practices to define, guide or evaluate an organisation’s cybersecurity, specifically its capability to identify, assess and mitigate cybersecurity risks, and to deter and handle incidents; (Risk management for cyber security)
2. Secure products and services: practices to demonstrate the ability of products or services to provide a “good” level of cybersecurity performance as part of the ICT value chain; (Assurance)
3. Metrics, measurement and language / taxonomy for cyber risk: practices for measuring, describing and evaluating cyber risks, impacts, threats, controls, etc. (Metrics and measurements for cybersecurity)
4. Information exchange: practices for the exchange of cyber incident information, to allow cyber incident reports to be understood and acted upon in the framework of complex cooperation schemes; to facilitate a high level view of all cyber incidents which facilitates spotting trends and directing resources; (Information exchange)
5. Cybersecurity resources: practices to manage and develop cybersecurity knowledge, skills and resources within an organisation or a sector. (Cybersecurity best practices)
WGs structure
• Eventually 3 WGs have been established (two mainly operational and one mainly research & innovation oriented):
• WG1 on Risk Management aims to identify best practice in cybersecurity risk management activities, provide guidance to enhance levels of information security and facilitate the voluntary take-up of the practices;
• WG2 on Information Sharing aims to promote the sharing of cyber threat information and incidents and to allow coordination in both the public and private segments of the EU;
• WG3 on Secure ICT R&I will address issues related to Cyber Security research and innovation in the context of the EU Strategy for Cyber Security.
WG3 Main deliverables
WG3 initial activities
WG3 met in Sept. 27 / Dec. 12:
• Get participants to know each other;
• Contribute to the terms of reference (TOR);
• Share knowledge and content related to the Strategic Research Agenda (SRA);
WG3 Steps achieved: Strategic Research Agenda ToC (draft):
Executive Summary
Introduction
Background
Description of Area of Interest
● Description of the AoI’s vision
● Description of the issues and challenges
● Identification of Technology, Policy and Regulation
○ Enablers
○ Inhibitors
● Gap analysis (tech., policy, regulation, and competences) for achieving the vision
ToC (draft) (cont.):
Cross-analysis of all areas of interest’s enablers and inhibitors
● Finding commonalities (e.g., two enablers shared by AoIs)
● Finding conflicts (e.g., one enabler becomes an inhibitor)
● Giving research priorities
○ Roadmap
● Timelines
● Identification of R&D&I instruments
● Key performance indicators
Other aspects such as Economic and Social benefits (using results from the business and education deliverables)
Deliverable: Strategic Research Agenda (SRA)