
Dr. Athanasios Drougkas, Expert in Network and Information Security, ENISA – The EU Agency for Cybersecurity. 15th International Maritime Conference 2019, 27.09.2019. The NIS Directive and Cybersecurity in Maritime.



  1. The NIS Directive and Cybersecurity in Maritime
  Dr. Athanasios Drougkas, Expert in Network and Information Security, ENISA – The EU Agency for Cybersecurity
  15th International Maritime Conference 2019, 27.09.2019

  2. Agenda
  • Situational analysis of cybersecurity in Maritime
    • Current and evolving cybersecurity profile of the sector
    • Attack surface and threat landscape
  • Evolving regulatory landscape for cybersecurity in Maritime
    • NIS Directive
    • Cybersecurity Act / Cybersecurity Certification Framework
  • ENISA’s activities for Maritime Cybersecurity
    • Related ENISA activities
    • 2019 study on Port Cybersecurity & Maritime Cybersecurity Workshop

  3. Positioning ENISA’s activities

  4. The maritime sector is under attack!

  5. …And vulnerable

  6. Maritime Assets – Attack Surface
  • Positioning systems
  • Electronic Chart Display and Information System (ECDIS)
  • Engine control and monitoring systems
  • Global Maritime Distress and Safety System (GMDSS)
  • Automatic Identification System (AIS)
  • Maritime ICS / SCADA

  7. Maritime Cyber Threat Landscape

  8. Cyber security in the maritime sector – Situational Analysis
  • Cybersecurity is gaining more attention, but awareness of and focus on maritime cyber security remain relatively low
  • Emerging standards/guidelines from IMO, industry etc.
  • Complexity of the maritime ICT environment, including SCADA and emerging IoT usage
  • Fragmented maritime governance context
  • No holistic approach to maritime cyber risks, and diversity between different actors in maritime
  • Overall lack of direct economic incentives to implement good cyber security in the maritime sector

  9. Other maritime regulations, guidelines and standards
  • Guidelines on maritime cyber risk management (IMO)
  • Maritime cyber risk management in safety management systems (IMO)
  • The Tanker Management and Self Assessment – TMSA (OCIMF)
  • The Guidelines on Cyber Security Onboard Ships (BIMCO, CLIA, ICS, INTERCARGO, INTERTANKO, OCIMF and IUMI)
  • The European Union Maritime Security Strategy (EUMSS)
  • Cyber Security Awareness (AMMITEC)
  • Recommendations on cyber safety for ships (IACS)

  10. EU Policy Context (timeline 2008–2019)
  • 2008: ECI Directive 2008/114/EC
  • 2013: EU Cybersecurity Strategy
  • 2015: Digital Single Market
  • 2016: NIS Directive 2016/1148
  • 2017: More Proposals – Cybersecurity Act; Revised Cybersecurity for the EU; Coordinated Response to Large Scale Cybersecurity Incidents and Crises
  • 2018: Proposal for a Cybersecurity Competence Network and Centre
  • 2019: Cybersecurity Act

  11. The Network and Information Security Directive

  12. Obligations for MS on OES (Chapter 1)
  • Identification of operators of essential services
  • Minimum security measures to ensure a level of security appropriate to the risks
  • Incident notification to prevent and minimize the impact of incidents on the IT systems that provide services
  • Make sure authorities have the powers and means to assess security and check evidence of compliance for OES

  13. Identification of OES in the water transport sector
  MS shall define the criteria for the identification of OES and identify the OES among the following:
  • Inland, sea and coastal passenger and freight water transport companies (Annex I to Regulation (EC) No 725/2004)
  • Managing bodies of ports (point (1) of Article 3 of Directive 2005/65/EC), including their port facilities (point (11) of Article 2 of Regulation (EC) No 725/2004), and entities operating works and equipment contained within ports
  • Operators of vessel traffic services (point (o) of Article 3 of Directive 2002/59/EC)

  14. Examples of Essential Services identified by MS
  • Passenger transport
  • Freight and dangerous goods transport
  • Route planning
  • Ships maintenance
  • Ships accommodation
  • Management of water transport infrastructure
  • Information, accommodation, screening and boarding of passengers
  • Vessel traffic services

  15. Working Groups under the NIS Directive

  16. Security Measures for OES

  17. NIS Directive – Timeline

  18. Cybersecurity Act
  • ENISA Reform
    • An EU Agency for Cybersecurity
    • Stronger mandate
    • Permanent status
    • Adequate resources
  • EU Cybersecurity Certification Framework
    • One framework, many schemes
    • Certificates valid across all MS
    • Roles for MS and ENISA
    • Voluntary and risk-based approach; any need for mandatory schemes to be identified

  19. The EU Cybersecurity Certification Framework
  Bodies involved: Ad Hoc Working Group, ECCG, SCCG, Union Rolling Work Programme, EU Member States (supervise & accredit), Conformity Assessment Bodies
  1: Identification of strategic priorities (Union Rolling Work Programme)
  2: Preparation of a Candidate EU Cybersecurity Certification Scheme
  3: Adoption through an Implementing Act (EU Cybersecurity Certification Scheme)
  4: Certification against this scheme and issue of an EU Cybersecurity Certificate

  20. Relevant ENISA Reports (report covers shown, dated 2011, 2016 and 2017)

  21. ENISA’s on-going Work in Maritime
  • 2019 Study: Port Cybersecurity
    • Port CISOs/CIOs
    • Good practices / recommendations
    • Validation workshop – November 26th
  • NIS Directive Transposition
    • National approaches
    • OES identification, security measures, incident reporting
  • Other Activities
    • Collaboration with DG MOVE and EMSA
    • Stakeholder engagement (MARSEC, SAGMAS, associations, industry etc.)
    • Raise awareness via workshops and meetings

  22. Port Cybersecurity Workshop
  https://www.enisa.europa.eu/events/enisa-maritime-cybersecurity-workshop

  23. TRANSSEC – Maritime Work Stream

  24. Thank you for your attention
  Vasilissis Sofias Str. 1, Maroussi 151 24, Attiki, Greece
  +30 28 14 40 9711
  info@enisa.europa.eu
  www.enisa.europe.eu
