BITKOM hubconference #hub16

The digital avant-garde comes to the hub conference with more than 2000 participants from 50 countries, over 400 start-ups and 130 speakers, including visionary masterminds, global players, start-ups and hidden champions, CEOs and CIOs.

For interviews and press enquiries please contact [email protected]

ENISA, as the EU Cyber Security Agency, is permanently studying on how cyber-security impacts different modern technologies.  Some of our most relevant work in areas closely related to the main topics in this year’s BITKOM hub event feature below:

Internet of Things (IoT)

ENISA is working closely with industry players in the area of IoT and M2M communication, engaging with the corresponding expert groups. Based on the consultation with stakeholders, desktop analysis and research, ENISA develops good practices and proposes baseline security requirements targeted at EU and national policymakers, operators and manufacturers.

The Internet of Things (IoT) is an emerging concept where interconnected devices and services collect, exchange and process data in order to adapt dynamically to a context. Along with several advantages these technologies present numerous cyber threats, with possible consequences on the life, health and safety of the inhabitants. Hence, it becomes important for manufacturers, solution vendors, developers, and end-users to understand how to secure devices and services.

The security of these devices can be difficult to implement within a heterogeneous ecosystem which integrates several types of devices and services, which usually have limited security due to their weak capacities (CPU, battery, etc.). Moreover the service they provide usually relies on remote infrastructures for cloud storage, analytics or even remote access to the devices. It becomes necessary to follow a holistic approach of security as the multiple dependencies open new ways of remote attacks.

The Agency engages with relevant public and private stakeholders in working groups and jointly take stock of and analyse the current situation in terms of cybersecurity and resilience. The early adoption of these good practices will boost trust and confidence of potential users of such infrastructures and pave the way for the wide deployment of them. In this way ENISA will help EU industry to become more competitive and innovative. For more visit: ENISA's work on IoT and Smart Infrastructures 

Smart airports

In 2016, ENISA conducted a study on "Securing Smart Airports". The goal is to provide a guide for airport decision makers (CISOs, CIOs, IT Directors and Head of Operations) and airport information security professionals that are in charge of cyber-security for airports and passengers.

Smart airports are those airports making use of networked, data driven response capabilities that, on the one hand, provide travellers with a better and seamless travel experience and, on the other hand, aim to guarantee higher levels of security for the safety of the passengers and operators. 

Smart components can be defined as any networked ICT system that has a data processing capability ranging from aggregating simple data to extracting insights to support human decisions and/or triggering an automated response. These components while enhancing the user experience, they also pave the way for new attack vectors and expose airport assets to a larger attack surface. Therefore, airport decision makers need to acknowledge the threats emerging from smart components, increase their awareness of security implications and improve the security of their infrastructure in order to enhance safety for passengers and all airport stakeholders.

This ENISA report maps the entire attack surface, possible attack scenarios and lists available good practices to support Information security professionals and airport decision makers in their security efforts and risk management activities. The goal of this study is to provide airport operators with a start-up kit to enhance cybersecurity in smart airports. The study additionally identifies gaps on different areas, including future steps to enhance cybersecurity in the field. Details available: ENISA's work on smart cities

Smart cars

Over the last few years, there have been a number of publications on attacks targeting automotive systems, and in particular smart cars. To understand the cybersecurity challenges involved, in 2016 ENISA started to work on automotive cyber security.

For these reasons ENISA performed a study on cyber security measures for smart cars and earlier this year launched the ENISA CaRSEC (Cars and Roads SECurity) expert group. Smart Cars integrate Internet of Things (IoT) components to bring added-value services to drivers and passengers. These components communicate with each other and with the outside of the car (other cars, external services). An attack on a smart car would threaten the safety and privacy of passengers and other citizens. These threats are already having a big impact on car manufacturers, with millions of cars being recalled because of their vulnerability, not to mention the effects of the widespread media coverage of the issues.

The objective of this study is to identify good practices that ensure the security of smart cars against cyber threats, with the particularity that smart cars security shall also guarantee safety. The study lists the sensitive assets present in smart cars, as well as the corresponding threats, risks, mitigation factors and possible security measures to implement. To obtain this information, experts in the fields and areas related with smart cars were contacted to gather their know-how and expertise. These exchanges led to three categories of good practices: Policy and standards, Organizational measures, and Security functions. Moreover, the ENISA study puts forward specific recommendations for the cyber security and resilience of smart cars. To find out more:  ENISA's work on smart cars

Securing Smart Homes

Currently “smart home environments” complement traditional home appliances with connected devices that collect, exchange and process data to create added-value services and enhance the quality of life of inhabitants.

Emerging smart homes’ cyber threats such as malware on Smart TV or remote access to baby monitors, underscore the dependence on various technologies. As the security and privacy implications are not always clear to developers and users, they lead to possible consequences on the life, health and safety of users. Smart homes face several challenges: traditional manufacturers develop connected objects with innovative functionalities but a limited investment to ensure their security. The rapid development of smart home devices reuses several third-party components such as hardware, software and services, while the security implications of these building-blocks still remain a difficult aspect.

This year, ENISA proposes a holistic approach with actionable  good practices to secure smart home devices and services and has reported on good practices and common threats on Intelligent Transport Systems.The agency has analysed intelligent transport systems with a view to evaluate the current status of cyber security by public transport operators across the EU while in 2016, ENISA will focus on how to secure Smart Cars.

Smart Hospitals

New technologies, such as cloud computing, smart devices and the Internet of Things, already provide the innovation drive eHealth needs. As cyber security challenges grow alongside services in 2016, ENISA  focuses on the adoption of Cloud computing by healthcare providers and carry out an analysis regarding Smart Hospitals.

eHealth

The term eHealth is widely used in academia, private and public sector, standardisation bodies, manufacturing organisations and vendors. eHealth systems extend from regional systems, where patients can access online basic data on their treatment, to national schemes like ePrescription services or cross border eHealth information sharing.

ENISA acknowledges the significance of eHealth not only as a major contributor to the societal and financial welfare but more specifically as a critical information infrastructure and focuses for the first time on the security challenges and risks of ICT of the health sector in the Member States. Given that healthcare services have been recognized as a critical societal function, it is important to analyse the degree to which various eHealth systems and infrastructures are critical for the secure provision of healthcare services.

Annual Incidents Report 2015

The annual incidents report provides an overview of the root causes of the incidents and an aggregated level of which services and network assets were impacted in 2015 in the telecom sector.

Incidents are reported on an annual basis by the Telecom Regulators under Article 13a of the Framework Directive (2009/140/EC) to ENISA and the European Commission. In 2015, 138 major incidents were reported, from twenty-one (21) EU countries and two (2) EFTA members while nine (9) countries reported no significant incidents. Most incidents reported, involve mobile telephony, which was the most affected service in 2015. The most frequent causes for incidents are system failures. The report is available online: Annual Incidents Report 2015

The cost of incidents

"The cost of incidents" represents a systematic review of studies on the economic impact of cyber-security incidents on critical information infrastructures (CII) which provide resources of core functions which society depends upon. An unavailability of these resources would have a debilitating effect on society as a whole. A prevalent challenge for all stakeholders involved (decision makers, companies and others) is to identify the exact magnitude of incidents in terms of national or EU-wide economic impact.

In this context, the aim of the study is to provide an estimate, on the basis of available public source information. The study demonstrates that the absence of a common approach and criteria for performing such an analysis has led to the development of rarely comparable standalone approaches that are often only relevant to a specific context and to a limited audience.  While some studies show annual economic impact per country, other studies provide cost per incident or per organisation. Furthermore, some studies use real cost while others use approximations based on different techniques or on internal frameworks. Despite the lack of comparable studies, this systematic review has allowed to come up with compelling findings for future work in the field, and build an early view on the current situation in the EU and beyond. Visit: Determining the real economic impact of cyber incidents a mission almost impossible

Network information Security in Finance Sector

The growing relevance of information and communication technologies in the essential functions of the economy has reinforced the necessity of prevention and protection measures in all sectors, naturally including the finance sector. This report aims at understanding and comparing the obligations relevant to Information Security within the finance sector in the EU Member States, to compare them with the Industry’s prospects, and to draw a clear vision of important priorities.

Cyber Insurance

ENISA recognising the growing need of insurance companies and customers alike, developed a report, focusing on key developments, challenges, and an insurers’ pre-policy risk assessment. The aim of the report is to raise awareness for the most impactful market advances, by shortly identifying the most significant cyber insurance developments for the past four years – during 2012 to 2016 – and to capture the good practices and challenges during the early stages of the cyber insurance lifecycle. Founded to address residual risk, the cyber insurance market is anticipating a growth in both technological and sales volume terms; a growth that is expected to be further accelerated by the legislative additions of the GDPR and NIS Directive. Full report available here

ENISA Threat Landscape

The ENISA threat landscape report (ETL) provides an overview of threats, together with current and emerging trends. It is based on publicly available data and provides an independent view on observed threats, threat agents and threat trends. It is a collection of threats. It contains identified threats, trends observed and threat agents involved. ETL consists of a list with top threats prioritized according to the frequency of appearance and NOT according to the impact caused. It is a report summarizing cyber threats that have been accessed by collecting publicly available information. This report appears on a yearly basis. Moreover, every year thematic threat landscapes are developed. Find out more: ENISA Threat Landscape

ICS-SCADA security

The security of ICS-SCADA (Industrial Control and Supervisory Control and Data Acquisition Systems) is increasingly recognized as a high priority area among European Critical Infrastructure operators due to its strategic impact on processes essential for uninterrupted functioning of the EU industries and economy.

A rapidly increasing number of incidents in the ICS-SCADA domain, many of which are confirmed or believed to result from cyber-attacks, reveals the vulnerability and fragility of this area and highlights the importance of continuous improvement of ICS-SCADA security for critical service providers. Furthermore, dependencies of Critical Infrastructure across the EU increases the attack surface and potential impact of cyber incidents. ENISA, as part of its activities, released a series of reports and documents tackling the topic of cyber security in industrial control systems.

In 2016 ENISA investigated the communication network interdependencies in ICS-SCADA systems. The goal was to map all the attack surface coming from network exposure, analyse most threatening attacks scenarios and list all the good practices that asset owners can implement to defend their systems. See also:  ENISA's work on SCADA

Supply chain integrity

ENISA has identified what supply chain integrity means in the ICT context and it has proposed measures to improve assurance in supply chain integrity. The support of ENISA for network and information security in finance, aim at the outsourced assets of the finance sector, the supply chain and the reporting of breaches.

Cloud Security for SMEs

The target of this initiative is public and private sector information security officers that are using and have integrated cloud services in their everyday life or would consider procuring cloud services for their business. It also addresses all digital users that are using everyday popular cloud services (social media etc.) e.g. Facebook, Dropbox, Instagram, Twitter and many more, so that they know how the cloud model functions, which are the benefits and which are the drawbacks and to be in the position to assess what kind of information they should or should not put in the “cloud”. ENISA focuses more on supporting SMEs and public administration bodies to assess the situation before moving to cloud services. For more information: ENISA's work on Security for SMEs
                    
                          
                                 ---------------------------------------------------

ENISA’s work does not stop here, as cyber-security is reaching into other relevant areas, which are not in the main focus of this conference:

Personal data and Privacy

ENISA provides expert analysis, guidance and recommendations in terms privacy enhancing technologies (PETs), support to Data Protection Authorities on selected information security implementation issues and advice to the European Commission and the Member States on future provisions concerning the implementation of the legal framework.

Services based on information and communication technologies are a commodity of our modern society. This means we use these services with less care and we are less conscious about the massive data processing that is needed to implement them. Parts of this data is personal data or privacy relevant data; this makes network and information security ever more important. ENISA, as body of expertise, plays a proxy role between technology and policy.

The General Data Protection Regulation (GDPR) provides the updated legal framework in EU on personal data protection. Additional privacy requirements emanating from the Directive on privacy and electronic communications 2002/58/EC (ePrivacy Directive), impact the confidentiality of communications conditions of in electronic communications.

Trust Services

Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market, provides a predictable regulatory environment for electronic identification and defines a set of electronic trust services, namely electronic signatures, seals, time stamps, registered delivery services and certificates for website authentication.

ENISA engages with institutional stakeholders and private sector actors alike to provide guidance and recommendations for the technical implementation of the regulation for three groups of stakeholders: trust service providers, conformity assessment bodies and supervisory authorities. ENISA seeks to ease up the intensity of implementation of the eIDAS Regulation and promote Trust services as a desirable means to add trust to the Digital Single Market in the EU.

 

Privacy enhancing Technologies (PETs)

With the progress in the field of information and communication technologies, and especially due to the decrease in calculation and storage costs, new challenges to privacy and data protection have emerged. One important element in this endeavour are technical mechanisms, most prominently so-called Privacy-Enhancing Technologies (PETs).

ENISA contributes to bridging the gap between the legal framework and the available technological implementation measures by providing an inventory of existing approaches, privacy design strategies, and technical building blocks of various degrees of maturity from research and development. Moreover, ENISA provides tools to assess the maturity and quality of these building blocks as well as their limitations. For more information: ENISA's work on Securing Personal Data

The Agency's poster ‘Time to adopt PETs’ promotes awareness and the uptake of PETs by internet and mobile users following the simple approach ‘reduce, protect, detect’. PETs refer to technologies/tools that can support users in safeguarding their privacy and personal data, especially when using online applications and services. Examples of PETs include tools that can offer protection against online tracking, as well as tools providing encryption and secure messaging functionality. For more studies and details: ENISA adopts PET's on data protection day and ENISA study looks into the adoption of security and privacy standards by SMES

 
Standardisation and Certification

In its Cybersecurity strategy of the European Union, a multi-stakeholder governance approach seeks to promote standardization as a pillar of Cybersecurity where public sector requirements are implemented to a large extent by private sector service providers. ENISA support the standardization process by means of gap analyses and validation activities. 

In the emerging environment of the Internet of Things, ENISA also brings stakeholders together for the purpose of help shaping and possibly converging views on the certification of products. These activities are for goal to lead to the development of a common European framework for security certification of ICT products. Beyond a brokering role, ENISA supports with practical measures the various and diverse EU Commission activities in this field especially in the area of Contractual Private Public Partnership (cPPP).

 
National Cyber Security Strategies

In a constantly changing cyber threats environment, EU Member States need to have flexible and dynamic cyber security strategies to meet new, global threats. A national cyber security strategy (NCSS) is a plan of actions designed to improve the security and resilience of national infrastructures and services. ENISA is helping the MS create their own strategy and keeps an updated map of all existing strategies in the EU.

ENISA published its first National Cyber Security Strategy Good Practice Guide in 2012. Since then, EU Member States and EFTA countries have made great progress in developing and implementing their strategies. This year, ENISA published a new Good Practice guide, which updates the different steps, objectives and good practices of the original one and analyses the status of NCSS in the European Union and EFTA area. The aim is to support EU Member States in their efforts to develop and update their NCSS. Therefore, the target audience of this guide are public officials and policy makers. The guide also provides useful insights for the stakeholders involved in the lifecycle of the strategy, such as private, civil and industry stakeholders.

Art. 13a and the telecom sector

In today’s interconnected world, telecommunications are transforming the way people engage in their everyday lives. Economic development is strongly related to the existence and well-functioning of the telecommunication networks. Art. 13a, of the Directive 2009/140 EC, is part of the Telecom Package and aims at ensuring the security and integrity of electronic communication networks and services (telecom). In this area, ENISA has the responsibility of collecting incidents and actions taken within member states telecom sectors, and contribute to the “harmonization of appropriate technical and organizational security measures by providing expert advice” and by “promoting the exchange of best practices”.

As incident reporting within the telecom sector, became one of the most important pillars in the Agency’s activities, some considerable work has been produced in this area over time:

Impact evaluation on the implementation of Article 13a incident reporting scheme within EU, Annual Incident Reports 2014, Technical Guideline on Incident Reporting, Technical Guideline on Security Measures, Guideline for Threats and Assets

Cyber Crisis Cooperation

Crises originating in cybersecurity incidents are no more science fiction. European companies regularly face such situations which, in several cases already, escalated in national and multinational crises. ENISA assists EU public and private cybersecurity experts in preventing and reacting to future crises. In particular, ENISA organises regular crisis exercises with hundreds of participants to train experts, foster cooperation amongst them and provide guidance on best practices. The Agency also provides expert trainings on crisis management, crisis planning or exercise development, conducted several studies and organised international conferences on the topic of cyber crisis cooperation.

ENISA Cyber Security Training

ENISA Cyber Security Training material was introduced in 2008, and was complemented ever since. The material contains essential material for success in the CSIRT community and in the field of operational security. In the link you will find all the needed material to organise a successful training like tutorials for teachers, handouts for students and virtual image to support hands on training sessions.Some of the highlights of training scenarios are available here.