Page 1

European (multi-layered) dialogue on cyber security
4ª Conferenza nazionale Cyber Security Energia
Danilo D’Elia, Policy Manager - ECSO - 15th November 2017 - Rome

Page 2

Content

➢ Global trends
• Digitalisation is already there!
• Cyber risk and cyber threats are very diverse
• Some examples and figures

➢ Cyber-insecurity by design
• Regulations have evolved, paving the way to improved cybersecurity
• …but still looking for a trusted supply chain
• And the EU market is not - yet - structured

➢ ECSO as cooperation platform
• A unique PPP Association
• Governance
• WG3 Verticals

Page 3

Global trends

Digitalisation is already there!

Source: https://icsmap.shodan.io/

Page 4

Global trends

Cyber risk and cyber threats are very diverse

Intangible assets growing and vulnerable
• Human Capital
• Hacking of computer systems, software or code
• Reputations & brands
• Theft of intellectual property or trade secrets

Business disruption
• Small events, big economic and reputational losses
• Financial loss without physical damage
• Extended supply chain risk (just-in-time, virtual factories, IT providers)

Internet of Things creates product risks and may shift liability
• Autonomous car technology
• Industrial control malfunctions
• Wearable devices

Source: SCOR 2017

Page 5

Global trends

Since 2008 a steady progression in the severity and scale of cyberattacks on critical infrastructures

Sabotage: 2008 (Baku-Tbilisi-Ceyhan oil pipeline, TBC), 2010 (Natanz - Stuxnet), 2012 (Aramco - Shamoon), 2015 & 2016 (Ukraine’s power grid - BlackEnergy), 2016 (MIRAI IoT botnet ?)

Economic espionage & data theft: 2012 (Telvent - Canada), 2013-2014 (Energetic Bear / Dragonfly, >1000 targets in EU/US), 2014 (Korea Hydro & Nuclear Power)

Criminality: 2015 (Sabella - FR)

General trend:
• Since 2011 malware has been found searching the Internet for locations of particular brands of industrial control equipment, in particular in the energy sector
• Cyberattacks on critical infrastructure have also become associated with political and even military conflict
• Growing operational and financial costs

Source: Sentryo Blog, CLUSIF 2017, SANS.

Page 6

Upcoming EU regulation is expected to be a catalyst for accelerated growth of Cyber in Europe - 1

Page 7

Upcoming EU regulation is expected to be a catalyst for accelerated growth of Cyber in Europe - 2

Directive on Security of Network and Information Systems (6 July 2016 - May 2018)
Strategic objective: to achieve a high common level of security of network and information systems within the EU.
A multi-layered approach by placing obligations on all stakeholders (but missing link to regions and even cities!)

1- Improved cybersecurity capabilities at national level
• Establish a national NIS strategy and regulatory measures to achieve network security
• Establish a competent authority to monitor the application of the NIS Directive in their territory
• Designate one or more Computer Security Incident Response Teams (CSIRTs) responsible for monitoring incidents, providing early warning, responding to incidents, providing dynamic risk and incident analysis and situational awareness, and participating in the network of the national CSIRTs

2- Increased EU-level cooperation
• Establish a Cooperation Group, to support and facilitate strategic cooperation and the exchange of information among MS and to develop trust and confidence
• Establish a network of the national CSIRTs

3- Risk management and incident reporting obligations for operators of essential services and digital service providers
• Preventing risks: technical and organisational measures that are appropriate and proportionate to the risk.
• Ensuring security of network and information systems: the measures should ensure a level of security of network and information systems appropriate to the risks.
• Handling incidents: the measures should prevent and minimise the impact of incidents on the IT systems used to provide the services.

Page 8

Survey

What are operators of essential services?
“Operators of essential services are private businesses or public entities with an important role for the society and economy. Each Member State will identify the entities who have to take appropriate security measures and to notify significant incidents by applying these criteria:
(1) The entity provides a service which is essential for the maintenance of critical societal/economic activities;
(2) The provision of that service depends on network and information systems; and
(3) A security incident would have significant disruptive effects on the provision of the essential service.”

How many operators are present in the room? National / European / Global

How many cybersecurity providers are present in the room? National / European / Global

How many IT/OT providers are present in the room? National / European / Global

Bonus: How many regions?

Page 9

2017 EU strategy on cybersecurity

Cybersecurity package is a comprehensive work including:

• Joint Communication ‘Resilience, Deterrence and Defence: Building strong cybersecurity for the EU’

• Proposal for a Regulation on ENISA, the "EU Cybersecurity Agency", and on Information and Communication Technology cybersecurity certification ("Cybersecurity Act").

• Commission Recommendation on Coordinated Response to Large Scale Cybersecurity Incidents and Crises

• Communication "Making the most of NIS – towards effective implementation of Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union"

• Commission staff working document assessment of the EU 2013 cybersecurity strategy

• Proposal for a Directive on combating fraud and counterfeiting of non-cash means of payment

• Report assessing the extent to which the Member States have taken the necessary measures in order to comply with Directive 2013/40/EU on attacks against information systems.

Total pages: 562

Page 10

Key elements of 2017 EU strategy on cybersecurity

• From reactive to pro-active and cross-policy approach bringing various work streams together to build EU's strategic cybersecurity autonomy

• Improving resilience and response by boosting capabilities (technology/skills), ensuring the right structures are in place and EU cybersecurity single market functions well

• Stepping up work to detect, trace and hold accountable those responsible for cyber attacks

• Strengthening international cooperation as a platform for EU leadership on cybersecurity

• Involving all key actors - the EU, Member States, industry and individuals - to give cybersecurity the priority it deserves

Page 11

Key elements of 2017 EU strategy on cybersecurity

Three main areas

Source: EC DG CONNECT

Page 12

« Cyber-insecurity by design »

Industrial cybersecurity challenges in Europe

• Global cybersecurity and ICT market dominated by global suppliers from outside Europe.

• Innovation led by imported ICT products.

• Strategic supply chain dependency.

• Mature commodity market; professional applications under development / evolution (e.g. Digitizing European Industry).

• Market fragmentation.

• Innovation: strong in Europe but not always properly funded due to a lack of a consistent transnational approach and global EU strategy. Results of Research and Innovation are hardly reaching the market.

• Weak entrepreneurial culture, lack of venture capital.

• European industrial policies not yet addressing specific cybersecurity issues.

• Human factor.

• Sovereignty.

Page 13

About the cyber cPPP

AIM
1. Foster cooperation between public and private actors at early stages of the research and innovation process in order to allow people in Europe to access innovative and trustworthy European solutions (ICT products, services and software). These solutions take into consideration fundamental rights, such as the right to privacy.
2. Stimulate the cybersecurity industry, by helping align the demand and supply sectors to allow industry to elicit future requirements from end-users, as well as sectors that are important customers of cybersecurity solutions (e.g. energy, health, transport, finance).
3. Coordinate digital security industrial resources in Europe.

BUDGET
The EC will invest up to €450 million in this partnership, under its research and innovation programme Horizon 2020 for the 2017-2020 calls (4 years). Cybersecurity market players are expected to invest three times more (€1350 mln: leverage factor = 3), to a total of €1800 mln.

Page 14

About the cyber cPPP

A DOUBLE APPROACH, BEYOND TRADITIONAL EC PPPs: LINKING RESEARCH AND CYBERSECURITY INDUSTRIAL POLICY

The cPPP will focus on R&I, developing a SRIA and supporting its implementation in the H2020 Work Programme.

The ECSO Association will tackle other industrial policy aspects for the market and the industrial / economic development.

ECSO will support the development of the European cybersecurity industry and EU trusted solutions, including cooperation with Third Countries.

REFERENCE DOCUMENTS
1. Industry proposal
2. Strategic Research and Innovation Agenda (SRIA) proposal (already evolving)

Page 15

ECSO membership

• Associations: 21
• Large companies and users: 70
• Public Administrations: 15 (AT, BE, CY, CZ, DE, EE, ES, FI, FR, IT, SK, FI, NL, NO, PL, UK + observers at NAPAC: BG, DK, HU, IE, LT, LU, LV, PT, RO, SE, SI, MT, …)
• Regional clusters: 3
• RTO/Universities: 55
• SMEs: 54

Looking for increased membership from users / operators

ISRAEL 2 / ITALY 30

At the time of the signature ceremony of the PPP contract (5th July 2016), ECSO counted 132 founding members. Now we are 218 organisations (on November 13th 2017) from 28 countries and counting.

Page 16

Governance

Organigram (recovered from the slide figure):

• European Cybersecurity Council (High Level Advisory Group: EC, MEP, MS, CEOs, …)
• ECS - cPPP Partnership Board (monitoring of the ECS cPPP - R&I priorities)
• EUROPEAN COMMISSION
• ECSO – Board of Directors (Management of the ECSO Association: policy/market actions)
• ECSO General Assembly
• Labels on the figure: R&I; INDUSTRIAL POLICY
• Coordination / Strategy Committee; Scientific & Technology Committee

Working groups:
• WG Standardisation / certification / labelling / supply chain management
• WG Market deployment / investments / international collaboration
• WG Sectoral Demand (market applications)
• WG Support to SMEs and regions
• WG Education, training, exercise, raising awareness
• WG SRIA (Technical areas, Products, Service areas)

Member categories:
• SME solutions / services providers; local / regional SME clusters and associations; Startups, Incubators / Accelerators
• Large companies Solutions / Services Providers; National or European Organisation / Associations
• Regional / Local administrations (with economic interests); Regional / Local Clusters of Solution / Services providers or users
• Public or private users / operators: large companies and SMEs
• National Public Authority Representatives Committee (R&I Group / Policy Advisory Group (GAG))
• Others (financing bodies, insurance, etc.)
• Research Centers (large and medium / small), Academies / Universities and their Associations

Page 17

ECSO working groups

• WG 1: Standardisation / Certification / Labelling / Supply Chain Management
• WG 2: Market development / Investments
• WG 3: Sectoral demand (vertical market applications)
• WG 4: Support SME, coordination with countries (in particular East EU) and regions
• WG 5: Education, training, awareness, exercises
• WG 6: SRIA (Technical areas, Products, Services areas)

Page 18

WGs update

– WG1 - standards / certification / label / trusted supply chain (128 members with 264 experts): Initial positions for an EU certification framework: State of the Art (SOTA), Challenges relevant to the industrial sector (COTI), Meta-Scheme for EU certification. Initial cooperation (MoU) on standards with CEN/CENELEC – ETSI. Contact: [email protected]

– WG2 - market / funds / international cooperation / cPPP monitoring (72 members with 137 experts): Market analysis: support to the Cybersecurity Industry Market Analysis (EC funded CIMA project). Market investments: initial discussions with banks, insurances and investment funds. Investments for start-ups: support to national public and private bodies to understand and develop an EU approach. International cooperation: dialogue with US administration; involvement via members in EC CSA projects (Japan and US). Contact: [email protected]

– WG3 - verticals: Industry 4.0; Energy; Transport; Finance / Bank; Public Admin / eGov; Health; Smart Cities; Telecom/Content/Media (115 members with 227 experts): State of the Art under finalisation; initial dialogue with ISACs (finance, energy) for exchange of information across operators; support to NIS Directive implementation. Contact: [email protected]

Page 19

– WG4 - SMEs, Regions, East EU (69 members with 121 experts): SME – position paper (role of SMEs in the cybersecurity ecosystem); suggestion for an SME hub / platform and an EU “ECSO Quadrant” scheme; REGIONS – partner in proposals for INTERREG and interregional cooperation in the cybersecurity domain; EAST EU REGION – just started, envisaging how to better support users and suppliers in East EU. Contact: [email protected]

– WG5 - education, training, awareness, cyber ranges (90 members with 181 experts): Initiation of an EHR-4CYBER Network to share best practices on training, harmonise courses and identify job needs; mapping of educational and professional training courses; started tackling the gender issue in education & training to increase the number of cyber experts. Contact: [email protected]

– WG6 - Strategic Research and Innovation Agenda (147 members with 320 experts): Identification of research priorities for EC programmes: SRIA (Strategic Research & Innovation Agenda) priorities well incorporated in the 2018-2020 work programme of H2020. Analysis to review technology and needs evolution in the next 10 years. Link with other PPPs to coordinate objectives (BDVA, EFFRA, 5G). Contact: [email protected]

Page 20

WG3: Verticals / Sectoral Demand

• Digitalisation of the European Industry (including Industry 4.0) and ICS;

• Energy (oil, gas, electricity), and Smart Grids;

• Transportation (road, rail, air, sea, space);

• Banks and Financial Services, ePayments and Insurance;

• Public Services, eGovernment, Digital Citizenship;

• Healthcare;

• Smart Cities and Smart Buildings (convergence of digital services for Citizens) and other Utilities;

• Telecom, Media and Content

Purpose and Approach

• Identification of user/market needs

• Assess vertical sectors challenges and impact

– Understand market needs (e.g. demand driven requirements, threats, functional requirements, ecosystem impact etc.)

– Influence EU instruments on research and/or policy issues by input to other ECSO WGs and other means as appropriate in the scope/constitution of ECSO

SU-DS04-2018-2020: Cybersecurity in the Electrical Power and Energy System (EPES): an armour against cyber and privacy attacks and data breaches (40M€)

– Drive well founded sector impact into other ECSO WGs

WG3 planning for 2017

• Current SOTA drafts describe the sector and its challenges

• Further in depth refinements on SOTA’s, including input on enablement needs plus transversal aspects

• Interactions with vertical organisations, ENISA, Europol and connected ECSO WG’s (1,2,5,6)

• User engagement, i.e. through workshops (activity to be continued in Q1-2018)

• Support to implementation of the NIS Directive

Page 21

WG3: Verticals – activity update

SOTA and workplan

• State of the Art deliverable being drafted (per sector), chapters 1-4 (stage 1) to be finalised by end of year

– Chapter 1: Landscape

– Chapter 2: User engagement

– Chapter 3: Sector specificities (challenges)

– Chapter 4: Market study

• Market Studies from SOTA’s to be shared with WG2. Initial exchange of views on taxonomy has already taken place

• Next steps for SOTA’s: Standardisation/Certification needs (link to WG1), Research needs beyond 2020 (link to WG6), and Education & training needs (link to WG5)

• WG3 will set up a joint meeting with WG1 asap to have an initial exchange of views on how to collaborate and consolidate standardisation/certification needs from different sectors

• Matrix being developed for the transversal assessment of SOTA’s, i.e. on platforms and commonalities

• Engagement with users initiated through workshops, meetings with sectoral associations, etc. More sector workshops (i.e. energy, healthcare) to be organised in Q1 2018.

• SubWG meetings ongoing to define detailed needs / objectives / actions. Initial meetings with different Directorate Generals at the European Commission (ICT, energy, transport, internal security, etc.) to better define technology priorities

• WG members to be surveyed on sector demands for ISAC’s (needs, appropriate structure, etc.).

Page 22

Key Take-aways

1. The cyber threat landscape is undergoing tremendous changes in the nature, frequency and size of risks

2. Need for economic and regulatory incentives to better invest in security

3. Need for a multi-layered cooperation to develop a trusted supply chain for sectoral applications where Europe is a leader

4. Build the conditions of a trusted dialogue among the stakeholders

Page 23

CONTACT US

European Cyber Security Organisation, 10, Rue Montoyer, 1000 Brussels, BELGIUM

E-mail: Ms. Eda Aygen, Head of Communications & Advisor to the [email protected]

Follow us on Twitter: @ecso_eu

Phone: +32 (0) 27770256

www.ecs-org.eu