
EU - Network and Information Security (NIS) Directive - George Michaelides - PowerPoint PPT Presentation



  1. EU - Network and Information Security (NIS) Directive
  George Michaelides
  Commissioner of Electronic Communications and Postal Regulation
  http://www.ocecpr.org.cy
  22nd November 2016

  2. Overview
  • Cybersecurity Facts
  • European Cybersecurity Strategy
  • The Objectives
  • MS Capability Requirements
  • NIS Scope
  • NIS Requirements
  • National CSIRT
    o Coverage
    o Activities
    o Incident Management
  • Way Forward / Timeline

  3. Cybersecurity Facts

  Vulnerabilities (source Symantec 2016)      2015         2014
  Scanned websites with vulnerabilities       78%          76%
  Percentage of which were critical           15%          20%
  Browser vulnerabilities                     879          639
  Web attacks blocked per day                 ~1 million   496,657
  Websites found with malware                 1 in 3,172   1 in 1,126

  Percentage cost for external consequences (source Ponemon Institute 2015)
  • Information loss 39%
  • Business disruption 35%
  • Revenue loss 21%
  • Equipment damages 4%
  • Other 2%

  • Global economic cost of over $445B (source McAfee)
  • 10% probability of a major CII breakdown in the next 10 years (source WEF)

  Size of data breach     Average total cost of breach (source Ponemon Institute 2016)
  < 10,000                $2.1 million
  10,000 – 25,000         $3.0 million
  25,000 – 50,000         $5.0 million
  > 50,000                $6.7 million

  Top 10 Industries Targeted in Spear-Phishing Attacks (source Symantec 2016)
  Industry                            2015   2014
  Finance, Insurance & Real Estate    35%    20%
  Services                            22%    20%
  Manufacturing                       14%    13%
  Transportation                      13%    9%
  Wholesale                           9%     10%

  4. European Cybersecurity Strategy
  Pillars of the European Cybersecurity Strategy:
  • NIS Directive – Network and Information Security (NIS)
  • Cyberdefence
  • Cybercrime
  • Technological Resources – Cooperation with industry and academia
  • Digital Agenda for Europe
  • European Policy – International cooperation on Cybersecurity
  Related legal framework:
  • Electronic Communications Framework: Dirs 2009/140/EC, 2009/136/EC, Framework 21/2002, Art. 13a, b
  • Digital Agenda for Europe
  • Pers. Data Prot. 58/2002/EC, Art. 4
  • REGULATION EU 526/2013 – European Union Agency for Net. & Inf. Security (ENISA)
  • REGULATION EU 611/2013 – Notification of personal data breaches

  5. OCECPR Role and Responsibilities
  • Cybersecurity Strategy of the Republic of Cyprus [Coordination] [Implementation]
  • Business Continuity, Contingency Plans (Electronic Com. Providers) – National Level
  • Network Notifications: Availability of networks / infrastructures; Personal data breaches
  • Cyber Risk Assessment
  • Cybercrime Center of Excellence – 3CE
  • Network and Information Security (NIS)
  • Crisis Management
  • CSIRTs/CERTs – Gov. / National
  • CIIP – Critical Information Infrastructure Protection
  • Awareness

  6. The Objectives
  • Increased National Cyber Security Capabilities
  • Risk Management and Reporting
  • EU Level Cooperation
  Together: Boosting Cyber Security in Europe

  7. Member States (MS) Capability Requirements
  • National NIS / Cybersecurity Strategy
  • NIS Competent Authority
  • National CSIRT
  Together: National Cyber Security Capability

  8. Scope of NIS
  Operators of Essential Services
  • The entity provides a service which is essential for the maintenance of critical societal / economic activities
  • The provision of that service depends on network and information systems
  • A NIS incident would have significant disruptive effects on the provision of the essential service
  Digital Service Providers
  • Online marketplaces
  • Online search engines
  • Cloud computing services

  9. Security Requirements
  Prevent Risks / Ensure NIS / Handle Incidents
  • Organisational measures that are appropriate and proportionate to the risk
  • The measures should ensure a level of NIS appropriate to the risks
  • The measures should prevent and minimise the impact of incidents on the IT systems used to provide the services

  10. Notification Requirements
  • Operators of Essential Services: incidents having a significant impact on the continuity of the essential services they provide
  • Digital Service Providers: incidents having a substantial impact on the provision of a service

  11. Notification Requirements
  Parameter                                                              OES   DSP
  Number of users affected / relying on the service                      ✔     ✔
  Impact – Economic and Societal                                         ✔     ✔
  Geographic spread                                                      ✔     ✔
  Duration of disruption                                                 ✔     ✔
  Extent of the disruption to the functioning of the service                   ✔
  Importance of the entity for maintaining a sufficient level of service ✔
  Impact – Safety                                                        ✔
  Market share (e.g. proportion of national power generated)             ✔
  Dependency of other essential sectors on the service                   ✔
  OES: Operators of Essential Services; DSP: Digital Service Providers

  12. NIS Cooperation Requirements
  • CSIRT Network: operational cooperation between National CSIRTs, EU-CSIRT, EU, ENISA
  • Cooperation Group: strategic cooperation between Member States (NIS Authorities), EC, ENISA

  13. National CSIRT – Sector Coverage
  • Electricity
  • Natural Gas/Oil
  • Water supply
  • Transport
  • Public Health
  • Financial Sector
  • Public Sector/Security Services
  • Electronic Communications
  “The protection of all critical information infrastructures of the state and the operation of information and communication technologies with the necessary levels of security, for the benefit of every citizen, the economy and the country” – Cyprus National Cybersecurity Strategy Vision

  14. National CSIRT – Areas of activities
  Incident Management
  • Incident Monitoring
  • Incident Response
  • Incident Analysis
  • EC awareness on incident handling process
  • etc.
  Communication
  • Early warning, alerts, announcements, etc.
  • General awareness regarding incidents (public/media) etc.
  Cooperation
  • Cooperation with NIS Authority
  • Mutual assistance with other national CSIRTs
  • Exchange non-classified information
  • Participation in exercises etc.
  Cybersecurity Strategy of the Republic of Cyprus

  15. National CSIRT Functions – Incident Management (cycle)
  Detection → Classification → Analysis → Containment → Eradication → Recovery → Continuous Improvement

  16. NIS Authority and National CSIRT
  • National Cybersecurity Strategy / European Cybersecurity Strategy
  • International Collaboration: Cooperation Group, CSIRT Network
  • National Collaboration: Cyber Crisis Management
  • Operational Coordination
  • Supervision
  • Operators of Essential Services (~50): Energy, Water, Transport, Health, Banking, Financial, Digital Infrastructure
  • Digital Service Providers (<10): Cloud Computing Services, Online Marketplaces, Search Engines

  17. Implementation Timeline
  1. Aug 2016 – NIS Directive entry into force
  2. Feb 2017 – Cooperation Group begins NIS Directive tasks
  3. August 2017 – Adoption of implementing acts on requirements for DSPs
  4. Feb 2018 – Cooperation Group establishes work programme
  5. May 2018 – Transposition into national law
  6. Nov 2018 – MS to identify operators of essential services
  Cybersecurity Strategy of the Republic of Cyprus

  18. Thank you
