Nowe przepisy Komisji Europejskiej dotyczące cyberbezpieczeństwa (strategia UE, NIS, GDPR obejmuje certyfikację) i jej wpływ na codzienną pracę telco w praktyce

1. European Cyber
Security Organization
POLNOG’20, Warszawa, 19-20.03.2018
Janusz Pieczerak (Orange Labs)
Lessons learned

2. Orange Labs2

3. Orange Labs3

4. Orange Labs4
Co robić ???
 POLITYKA
 OPERACJE
 BADANIA i ROZWÓJ
 STANDARYZACJA
 CERTYFIKACJA
 ZNAKOWANIE
Jak żyć ???

5. Orange Labs5
Polityka

6. Orange Labs6

7. Orange Labs7
EU Cybersecurity certification framework

8. Orange Labs8
Certyfikacja …

9. Orange Labs9
Badania i rozwój (R&I)
 Programy ramowe (FP), HORIZON 2020
 Cele (KPI)
 Partnerstwo publiczno prywatne (PPP)
 Styczeń 2016: Komisja Europejska (EC) uruchamia Cybersecurity
cPPP
 Czerwiec 2016: Europejska Organizacja Cyberbezpieczeństwa (ECSO
– Association)
https://www.ecs-org.eu/
 450 mEUR z budżetu H2020, oczekiwany poziom inwestycji sektora
prywatnego 1300 mEUR
 Strategiczny Plan Badań i Rozwoju (SRIA)

10. Orange Labs10

11. ECS - cPPP Partnership Board
(monitoring of the ECS cPPP - R&I priorities)
EUROPEAN
COMMISSION
ECSO –Board of Directors
(Management of the ECSO Association: policy/market actions)
R&I
ECSO General Assembly
INDUSTRIAL POLICY
Coordination / Strategy Committee
WG 1
Standardisation /
certification /
labelling / supply
chain management
WG 2
Market deployment
/ investments /
international
collaboration
WG 3
Sectoral Demand
(Industry 4.0; Energy;
Transport; Finance;
eGov; Health; Smart
Cities; Telecom/media )
WG 4
Support to SMEs
and REGIONS
(in particular
East EU)
WG 5
Education,
training, cyber
ranges, awareness
WG 6
Strategic Research &
Innovation Agenda
Technologies,
Products & Services
SME solutions /
services providers;
local / regional SME
clusters and
associations Startups,
Incubators /
Accelerators
Large companies
Solutions / Services
Providers; National
or European
Organisation /
Associations
Regional / Local
administrations
(with economic
interests); Regional
/ Local Clusters of
Solution / Services
providers or users
Public or
private users /
operators:
large
companies
and SMEs
National Public
Authority
Representatives
Committee
R&I Group /
Policy Advisory
Group (GAG)
Others
(financing
bodies,
insurance,
etc.)
Research Centers
(large and
medium / small),
Academies /
Universities and
their Associations
Governance

12. WORKING GROUPS & TASK FORCES
WG 1
Standardisation
Certification /
Labelling / Supply Chain
Management
WG 2
Market deployment /
investments /
international collaboration
WG 3
Sectoral demand
(vertical market applications:
Industry 4.0; Energy;
Transport; Finance; eGov;
Health; Smart Cities;
Telecom/media )
WG 4
Support SME, REGIONS and
coordination with local
bodies (in particular East EU)
WG 5
Education, training,
awareness,
cyber ranges
WG 6
Strategic Research &
Innovation Agenda (SRIA)
Technologies, Products &
Services

13. Orange Labs13
Europejski certyfikat bezpieczeństwa
 Obowiązkowy czy dobrowolny
 Koszty
 Czas ważności
 Przyznawanie
 Odnawianie
 Monitorowanie
 Co ?
 Jak ?
 Kto ?
 Gdzie ?
 Kiedy ?
 Dlaczego ?

14. Ogólna koncepcja klasyfikacji certyfikatu
cyberbezpieczeństwa (wg ECSO)
14

15. 15
Cybersecurity Act: levels proposed
Assurance
Level
Definition proposed
Basic Provides a limited degree of confidence in the claimed or asserted
cybersecurity qualities of an ICT product or service, and is characterized with
reference to technical specifications, standards and procedures related
thereto, including technical controls, the purpose of which is to decrease the
risk of cybersecurity incidents.
Substantial Provides a substantial degree of confidence in the claimed or asserted
cybersecurity qualities of an ICT product or service, and is characterized with
reference to technical specifications, standards and procedures related
thereto, including technical controls, the purpose of which is to decrease
substantially the risk of cybersecurity incidents.
High Provides a higher degree of confidence in the claimed or asserted
cybersecurity qualities of an ICT product or service than certificates with the
assurance level substantial, and is characterized with reference to technical
specifications, standards and procedures related thereto, including technical
controls, the purpose of which is to prevent cybersecurity incidents.

16. 16
Risk assessment: impact levels and relevant
factors mapping
Level of
impact
Attributes Weighting factors
Privacy Confidenti
ality
Integrity Availa
bility
Authenti
city
Safety Reputatio
n and
financial
loss
High
Disclosure
of
biometric
data
Disclosure of
classified IP
System
behaves
different
than
expected
Compl
ete
DoS
Impersona
tion
Death or
permanent
environment
al damage
Break of
business
Substan-
tial
Disclosure
of any
other
personal
data
Disclosure of
any other
information
Some
functionali-
ties features
impacted
Partial
DoS
Impossible
to verify
authentici
ty
Injury or
remediable
environment
al damage
Long term
impact
Basic No
disclosure
of data
No disclo-
sure of
information
No feature is
impacted
No
impact
No impact No harm No impact

17. 17
Possible mapping of levels
Levels of
assurance in the
Cybersecurity
Act
Levels of
assurance from
the ECSO’s
meta-scheme
Levels of
assurance from
the ECSO’s meta-
scheme (alt.)
Body performing
the evaluation
High
A Ag National
(governmental)
body
B A
3rd party
evaluation facility
(lab)
Substantial C B
Basic
D Ce
E Ci Self-evaluation

18. Orange Labs18
ECSO WG1 - 135 members
Standardization, certification, labelling and supply chain
 Structure
– SWG 1.1 Products & components manufacturers
– SWG 1.2 ICT infrastructure operators (chaired byOrange)
– SWG 1.3 Users, Integrators and other service providers
– SWG 1.4 Basic Layer
 Deliverables:
 Challenges of the Industry (COTI)
- Collection of member’s views
 State-of-the-Art Syllabus (SOTA)
- Standards and certification schemes
 Certification Meta Scheme Approach
- Certification framework proposal

19. Orange Labs19
ECSO WG2 - 41 members
Market deployment
 Structure
– SWG 2.1 Market development, products and stakeholders
– SWG 2.2 Investments, innovative business models
– SWG 2.3 International cooperation, global competetiveness and support to
export
– SWG 2.4 Dissemination and awareness, events

20. Orange Labs20
ECSO WG3 - 123 members
Sectoral demand
 Structure
– SWG 3.1 Digitalisation of the European Industry (including Industry 4.0) and ICS;
– SWG 3.2 Energy (oil, gas, electricity), and Smart Grids;
– SWG 3.2 Transportation (road, rail, air, sea, space);
– SWG 3.4 Banks and Financial Services, ePayments and Insurance;
– SWG 3.5 Public Services, eGovernment, Digital Citizenship;
– SWG 3.6 Healthcare;
– SWG 3.7 Smart Cities and Smart Buildings (convergence of digital services for Citizens) and
other Utilities;
– SGW 3.8 Telecom, Media and Content
 Deliverables (landscape, user engagement, sector specifics, market study):
 2018_SWG3.1Industry4.0andICS_sectorreport_final_v0.1
 2018_SWG3.4FinancialServicesInsurance_sectorreport_final_v0.1
 2018_SWG3.6Healthcare_sectorreport_final_v0.1
 2018_SWG3.7Smartcities_sectorreport_final_v0.1

21. Orange Labs21
ECSO WG4 - 23 members
Support to SME and regions
 Structure
– SWG 4.1 SMEs, start-ups and high growth companies
– SWG 4.2 Coordination with activities in EU countries and regions
– SWG 4.3 Support to East EU Members
 WG4_Deliverable_Positionpaper_Consolidated_VF
 Support to SME’s, coordination with countries (in particular East EU) and
regions

22. Orange Labs22
ECSO WG5 - 98 members
Education, training, awareness, exercises
 Structure
– TF 5.0.1 EHR4CYBER Task Force
– SWG 5.1 Cyber Range environments and technical exercises
– SWG 5.2 Education and professional training
– SWG 5.3 Awareness
 Deliverables
 “Report on market overview of European cyber range landscape“
 “Report on overview of European cyber education and professional training,
including gap analysis“
 “Report on awareness activities already in place and actors involved”
 Cyber range questionnaires
 Questionnaire #1: Understanding/mapping existing cyber range platforms
and activities (technology focused)
 Questionnaire #2: Understanding of attitude and experience towards cyber
trainings and exercises (usage, acceptance, etc.)

23. Orange Labs23
ECSO WG6 – 66 members
Strategic Research and Innovation Agenda
 Structure
– SWG 6.1 Ecosystem
– SWG 6.2 Application domains
– SWG 6.3 Transversal infrastructures
– SWG 6.4 Basic technologies
 Deliverable: 2017_WG6_ECSO_SRIA
 H2020-WP2018-20-LEIT-ICT
 SU-ICT-03-2018: Establishing and operating a pilot for a Cybersecurity
Competence Network to develop and implement a common Cybersecurity
Research & Innovation Roadmap
 Network of Competence Centres
 Questionnaire on competences
 European Cyber Security Centres of Expertise Map
 WG6 cyber security vision 2020 and beyond: R&I future priorities for the
European cyber security strategy - towards FP9

24. Orange Labs24

25. Dziękuję !

janusz.pieczerak@orange.com