Diese Präsentation wurde erfolgreich gemeldet.
Die SlideShare-Präsentation wird heruntergeladen. ×

SC7 Workshop 3: Enhancing cyber defence of cyber space systems

Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Wird geladen in …3
×

Hier ansehen

1 von 32 Anzeige
Anzeige

Weitere Verwandte Inhalte

Diashows für Sie (20)

Ähnlich wie SC7 Workshop 3: Enhancing cyber defence of cyber space systems (20)

Anzeige

Weitere von BigData_Europe (20)

Aktuellste (20)

Anzeige

SC7 Workshop 3: Enhancing cyber defence of cyber space systems

  1. 1. Enhancing cyber defence of cyber space systems 1 Dr. Nineta Polemi Programme Manager- E.U. Policies Directorate-General for Communications Networks, Content and Technology Cybersecurity and Digital Privacy Unit H.1
  2. 2. Topics  Introduction  Cyber-attacks in Space ecosystem  Security Management –Cyber Defence  Cybersecurity Package- Cyber Space Technologies & Infrastructures  Conclusions and the way forward 2
  3. 3. Introduction 3
  4. 4.  In our days, most business and military activities depend upon space technologies & space infrastructures.  Space attracts new companies and the "New Space" will enhance the DSM.  Space and cyberspace share common critical assets e.g. networks, software, ICT components, protocols  The Space Strategy for Europe (2016) recognizes the importance of cyber security threats to critical European space infrastructure 4
  5. 5. Security Confidentiality Making asset accessible only to those authorized to use it Integrity, Authenticity Safeguarding accuracy, identity, completeness of asset + processing methods Availability, Non-repudiation Ensuring that asset is available when required and it is not denied 5
  6. 6.  Loss of Availability DoS , wiretapping, key stealth, insertion, session hijacking, network routing, hidden channel  Loss of Integrity Key guessing, cryptanalytic attacks Loss of Authenticity unauthorized access, site impersonation client-system intrusion (viral infection, backdoor installation, infor-mation stealing, forged/unvoluntary user actions, command execution)  Loss of Confidentiality Espionage, data & information breach  Loss of Non-repudiation key guessing, cryptanalytic attacks Cyber threats Cyber attacks
  7. 7. Cyber Threats in Space 7 ""Protecting satellites from cyber-attacks isn’t getting any easier" SpaceNews— March 9, 2017
  8. 8. Cyber- Attacks on Satellites  Signals jamming, monitoring (between satellites and receivers or between transmitting ground stations and satellites) • Spoofing manipulates the information and thus reduces its integrity • DoS by interrupting electrical power to the space ground nodes • ....... • Impacts of Attacks: take control of the satellite, shut it down, alter its orbit 8
  9. 9. Cyber-attacks in space infrastructures • Space Critical Information Infrastructures (CII) can face physical and cyber-attacks at all levels (networks, ICT systems/equipment, services, processes) • Impact of Attacks: destroy space control, operations, missions, services 9
  10. 10. Cyber-attacks in space software  Back doors for espionage or sabotage  Unencrypted data  Insecure protocols  Exploitable software flaws  ….. Space operations and services are global supply chain services and the propagation rate of a cyber- attack may catastrophically impact the whole world!!!! 10
  11. 11. Cyber Risk Assessment - Security Management 11
  12. 12. Risk Assessment risk Vulnera bility Threat Impact Controls/ countermeasures risk Risk Management
  13. 13. 13
  14. 14. Security Management (SM) Risk Management (RM) Risk Assessment (RA) Context Establishment General considerations Basic Criteria Scope & boundaries Organization for RM Risk Identification Identification of assets Identification of threats Identification of existing controls Identification of vulnerabilities Identification of impacts Risk Estimation Selection of risk assessment methodology Assessment of threat level Assessment of impact level Risk level estimation Risk Treatment Categorize risks Select controls Implement controls Evaluate- controls Security Reporting Monitor/Adjust SLA security management Internal/External Audit Training Recommendations
  15. 15. Cyber Defence 15
  16. 16. 16
  17. 17. Cyber security directives and standards 17
  18. 18. 18 • CIIP Directive (2012) Critical information infrastructure protection: towards global cyber-security • The Cybersecurity Strategy for the European Union (2013) and the European Agenda on Security (2015) provide the overall strategic framework for the EU initiatives on cybersecurity/cybercrime. • eIDAS Regulation (2014) on electronic identification and trust services for e-transactions in the internal market. • cPPP Initiative 2015 ensures that Europe will have a dynamic, efficient market in cybersecurity products / services. • Directive (EU) 2016/1148 (NIS) sets obligations: national strategies, CSIRT, requirements for operators, national competent authorities. EU Cyber Security policies
  19. 19. Cyber security standards  ISO/IEC 27001:2005 followed by draft ISO/IEC 27001:2013 (building a SM system)  ISO/IEC 27005:2011 (provides guidelines for information security risk management)  ISO 31000:2009 - Principles and Guidelines on Implementation  ISO/IEC 31010:2009 - Risk Management - Risk Assessment Techniques  ISO/IEC 27002:2005 (best practice recommendations)  AS/NZS 4360:2004 (Australian/New Zeland standard for RM) • Supported by a variety of methodologies (see ENISA repository) and guidelines (ENISA report 2017 "Technical Guidelines for the implementation of minimum security measures for Digital Service Providers"). 19
  20. 20. 1. ISO 28000:2007 on Specification for security management systems for the SC; 2. ISO 28001:2007 on Security management systems for SC– Best practices for implementing SC security); 3. ISO 28003:2007 on Security management systems for the SC- Requirements for auditors of SC security management systems; 4. ISO 28004:2007 on Security management systems for the SC– Guidelines for the implementation of ISO 28000. ISO Supply Chain (SC) security standards
  21. 21. Cybersecurity Package 21
  22. 22. Building EU Resilience to cyber attacks Reformed ENISA EU cybersecurity Certification Framework NIS Directive Implementation Rapid emergency response – Blueprint & Cybersecurity Emergency Response Fund Cybersecurity competence network with a European Cybersecurity Research and Competence Centre Building strong EU cyber skills base, improving cyber hygiene and awareness Creating effective EU cyber deterrence Identifying malicious actors Stepping up the law enforcement response Stepping up public-private cooperation against cybercrime Stepping up political response Building cybersecurity deterrence through the Member States' defence capability Strengthening international cooperation on cybersecurity Promoting global cyber stability and contributing to Europe's strategic autonomy in cyberspace Strengthening cyber dialogues Modernising export controls, including for critical cyber- surveillance technologies Continue rights-based capacity building model Deepen EU-NATO cooperation on cybersecurity, hybrid threats and defence 22 Cybersecurity Act Communication Recommendation
  23. 23. ENISA: towards a reformed EU Cybersecurity Agency 23 Be an independent centre of expertise Promote cooperation &coordination at Union level Promote high level of awareness of citizens & businesses Support capacity building & preparedness Assist EU Institutions/ MSs in policy development & implementation Increase cybersecurity capabilities at Union level to complement MSs action Promote the use of certification & contribute to the cybersecurity certification framework Contribute to high Cybersecurity
  24. 24. ICT cybersecurity certification • The issue • The digitalisation of our society generates greater need for cyber secure products and services • Cybersecurity certification plays an important role in increasing trust of digital products and services Current landscape • emergence of separate national initiatives lacking mutual recognition (e.g. France, UK, Germany, Netherlands, Italy) • Current European mechanisms (SOG-IS MRA) have limited membership (12 MSs), involve high costs and long duration
  25. 25. ENISA Prepares candidate scheme ECCG Advises and assists preparation ENISA Consults Industry & Standardization Bodies ENISA Transmits candidate scheme to the European Commission European Commission Adopts Candidate Scheme A European Cybersecurity Certification Scheme European Commission Requests ENISA to prepare a Candidate Scheme European Cybersecurity Certification Group (MSs) Advices ENISA or may propose the preparation of a scheme to the Commission How will the certification framework work in practice In a nutshell: EC proposes & decides, Group advices (and may propose), ENISA prepares schemes
  26. 26. 1. Blueprint - Recommendation on Coordinated Response to Large Scale Cybersecurity Incidents and Crises (COM(2017) 6100). 2. ENISA (COM(4776/2)) - Tasks relating to operational cooperation at Union level • The Agency shall contribute to develop a cooperative response, at Union and Member States level, to large-scale cross-border incidents or crises related to cybersecurity 3. Cybersecurity Emergency Response Fund - Joint Communication "Resilience, Deterrence and Defence: Building strong cybersecurity for the EU", JOIN(2017) 450/1 3 lines of actions for improving resilience:
  27. 27. A cybersecurity competence network with a European Cybersecurity Research and Competence Centre • Reinforcing EU's cybersecurity technologic capabilities and skills
  28. 28. 28 European Cybersecurity Research and Competence network & Centre MS cybersecurity competence centre MS cybersecurity competence centre MS cybersecurity competence centre MS cybersecurity competence centre MS cybersecurity competence centre MS cybersecurity competence centre MS cybersecurity competence centre MS cybersecurity competence centre MS cybersecurity competence centre MS cybersecurity competence centre MS cybersecurity competence centre MS cybersecurity competence centre MS cybersecurity competence centre MS cybersecurity competence centre MS cybersecurity competence centre Idea in a nutshell •Builds on the work of Member States and the cPPP to: •Stimulate development and deployment of technology in cybersecurity •Give impetus to innovation and competitiveness of the EU industry on the global scene in the development of next- generation digital technologies (AI, quantum computing, block chain, secure digital identities) •Support industry through testing and simulation to underpin the cybersecurity certification •Complement skills development efforts at EU and national level •In the second phase - stimulate synergies between civilian and defence markets that share common challenges
  29. 29. Making the Most of NIs • Core elements of the Communication Presenting key conclusions of the analysis of the issues covered in the Annex, which are seen as important points of reference and potential inspiration from the point of view of the transposition into national law.  Accompanied by an Annex with practical suggestions • Based on good practices and recommendations issued by ENISA • Examples from Member States • Interpretation of Directive's provisions and of how they would work in practice
  30. 30. Conclusions • Space and cyber space ecosystems are merging • Cyber secure space systems, technologies and infrastructures can be regarded as a strategic opportunity to:  enhance the DSM in connection to "New Space",  guarantee mission assurance for space assets ,  enhance cyber defence operations. • The cyber security community & the space community need to collaborate and get prepared to defend all space assets against the growing sophisticated cyber-attacks.
  31. 31. Next Steps • Build (national, EU, international) synergies between space and cyber security stakeholders. • Develop mutually agreed mitigation frameworks for space-cyber risks, compliant with:  EU strategies/policies (e.g. Space Strategy for Europe 2016/2325(INI), Common Security and Defence Policy –CSDP-, Decision No 541/2014/EU),  directives (e.g. NIS, GDPR); COM(2017)294; COM(2017)477  international standards (e.g. ISO27005). 31
  32. 32. • Thank you for your attention • Nineta.POLEMI@ec.europa.eu 32

×