The European Platform in Network and Information Security (NIS) Fabio Martinelli

Academic year: 2021


(1)

The European Platform in Network and Information Security (NIS)

Fabio Martinelli

Istituto di Informatica e Telematica
Consiglio Nazionale delle Ricerche

(2)

Cyber security directive (Network and Information Security, NIS)

• A new initiative launched by the Commission for member states and companies to support the adoption of the new Cyber Security Directive (launched in Jan 2013, revised this Jan.)

• The aim of the proposed Directive is to ensure a high common level of network and information security (NIS).

• This means improving the security of the Internet and the private networks and information systems underpinning the functioning of our societies and economies.

• This will be achieved by requiring the Member States to increase their preparedness and improve their cooperation with each other, and by requiring operators of critical infrastructures, such as energy, transport, and key providers of information society services, as well as public administrations, to adopt appropriate steps to manage security risks and report serious incidents to the national competent authorities.

(3)

Cyber security directive (NIS) -2

• The directive mainly addresses the necessity to increase the cyber security level of all the member states

• In particular, consolidation and cooperation of national CERTs
  • able to share incident information

• Creation of national preparedness plans for cyber security (including authorities etc.)
  • including risk management plans

• …

(4)

Cyber security directive (NIS) -3

At the national level it recommends:

(a) The definition of the objectives and priorities of the strategy based on an up-to-date risk and incident analysis;

(b) A governance framework to achieve the strategy objectives and priorities, including a clear definition of the roles and responsibilities of the government bodies and the other relevant actors;

(c) The identification of the general measures on preparedness, response and recovery, including cooperation mechanisms between the public and private sectors;

(d) An indication of the education, awareness raising and training programmes;

(e) Research and development plans and a description of how these plans reflect

(5)

Cyber security directive (NIS) -4

• Among the requirements:

Member States shall ensure that public administrations and market operators take appropriate technical and organisational measures to manage the risks posed to the security of the networks and information systems which they control and use in their operations. Having regard to the state of the art, these measures shall guarantee a level of security appropriate to the risk presented. In particular, measures shall be taken to prevent and minimise the impact of incidents affecting their network and information system on the core services they provide and thus ensure the continuity of the services underpinned by those networks and information systems.

(6)

The NIS platform

To support the EU cyber security directive, the EU decided to create a public/private cooperation in the form of an EU platform on Network and Information Security (NIS)

• Unique opportunity to better understand NIS challenges, threats and risks

• A platform for bringing together policy and technical experts to debate the current and future challenges

(7)

Topics of the NIS platform

1. Organisational measures: practices to define, guide or evaluate an organisation’s cybersecurity, specifically its capability to identify, assess and mitigate cybersecurity risks, and to deter and handle incidents; (Risk management for cyber security)

2. Secure products and services: practices to demonstrate the ability of products or services to provide a “good” level of cybersecurity performance as part of the ICT value chain; (Assurance)

3. Metrics, measurement and language / taxonomy for cyber risk: practices for measuring, describing and evaluating cyber risks, impacts, threats, controls, etc.; (Metrics and measurements for cybersecurity)

4. Information exchange: practices for the exchange of cyber incident information, to allow cyber incident reports to be understood and acted upon in the framework of complex cooperation schemes; to facilitate a high-level view of all cyber incidents which facilitates spotting trends and directing resources; (Information exchange)

5. Cybersecurity resources: practices to manage and develop cybersecurity knowledge, skills and resources within an organisation or a sector. (Cybersecurity best practices)

(8)

WGs structure

• Eventually 3 WGs have been established (two mainly operational and one mainly research & innovation oriented):

• WG1 on Risk Management aims to identify best practice in cybersecurity risk management activities, provide guidance to enhance levels of information security and facilitate the voluntary take-up of the practices;

• WG2 on Information Sharing aims to promote the sharing of cyber threat information and incidents and to allow coordination in both the public and private segments of the EU;

• WG3 on Secure ICT R&I will address issues related to Cyber Security research and innovation in the context of the EU Strategy for Cyber Security.

(9)

WG3 Main deliverables

(10)

WG3 initial activities

WG3 met on Sept. 27 / Dec. 12:

• Get participants to know each other;

• Contribute to the terms of reference (TOR);

• Share knowledge and content related to the Strategic Research Agenda (SRA);

(11)

WG3 Steps achieved: Strategic Research Agenda

ToC (draft):

Executive Summary

Introduction

Background

Description of Area of Interest

● Description of the AoI’s vision

● Description of the issues and challenges

● Identification of Technology, Policy and Regulation
  ○ Enablers
  ○ Inhibitors

● Gap analysis (tech., policy, regulation, and competences) for achieving the vision

(12)

ToC (draft): (cont.)

Cross-analysis of all areas of interest’s enablers and inhibitors

● Finding commonalities (e.g., two enablers shared by AoIs)

● Finding conflicts (e.g., one enabler becomes an inhibitor)

● Giving research priorities
  ○ Roadmap

● Timelines

● Identification of R&D&I instruments

● Key performance indicators

Other aspects such as Economic and Social benefits (using results from the business and education deliverables)

(13)

Deliverable: Strategic Research Agenda (SRA)

(14)

References
