Assessment, selection & deployment of technological security solutions
On the 19-20th May 2014, the 2nd ERNCIP Operators’ Workshop took place, at the JRC premises in Ispra, Italy. It was organized by the European Reference Network for Critical Infrastructure Protection (ERNCIP). This was the second workshop, following the 1st ERNCIP Operators’ Workshop, held in Brussels on 12-13 September 2013.
Workshop’s Theme & Sessions
The work performed within the ERNCIP network aims to be a direct response to the lack of harmonised EU-wide testing or certification for CIP products and services, which is a barrier for future development and market acceptance of security solutions.
Therefore, this year’s workshop focused on the needs and practises of CI Operators regarding the assessment, selection and deployment of technological security solutions. The workshop gathered thirty-one professionals representing CI operators from several CI sectors - Energy, Information and Communication Technology (ICT), Transport and Water. The workshop facilitated the exchange among operators and sectors, and provided guidance for ERNCIP in its efforts to develop and leverage its role for the benefit of CI operators.
The workshop was structured into three closely linked sessions during which the operators interacted actively both in the flow of discussions and in the joint work on the questions posed by the three dedicated moderators (one for each session). Each session was centred on a driving question:
Session 1: (Moderator: Mr Klaus J Keus)
What are today’s challenges for operators regarding assessment, selection and deployment of technological security solutions?
Session 2: (Moderator: Dr Carmine Rizzo)
What tools are available for operators and how can these be best utilised in order to address the above challenges regarding the assessment, selection and deployment of technological security solutions?
Session 3: (Moderator: Dr Alois J Sieber)
How can the ERNCIP network help to address these challenges on an EU level?
During Session 1 and Session 2 the operators were initially divided into three sectoral working groups. The outcome of each working group was thereafter presented by a selected rapporteur (one of each working group) to all participants and followed by a discussion. This approach facilitated for discussion both on a sectoral level, but also on a horizontal level.
Session 3 addressed the outcomes from session 1 and 2 with a focus on ERNCIP’s role and took place in the form of an open discussion among all participants. In addition, during session 3, ‘green cards’ were distributed to all participants on which they could openly express any topic or suggestion. These green cards were reviewed and taken into account after the workshop by the session moderators.
Workshop Outcomes
In the following section, we summarise the main outcomes of the work performed. For more detail, please consult the Final Workshop Report compiled by the moderators.
General observations
While several challenges were identified as common to all sectors, recommendations coming from one sector need to be handled very carefully before applying them to other sectors.
read more
For example, the Energy sector requires a more global approach; the Transport sector focuses mainly on safety rather than security. In the ICT sector there is a strong need to secure the entire supply chain, down to the individual component. This is a main concern shared across sectors, as ICT has a direct impact on all other CI sectors. Despite such differences, there were several challenges which emerged commonly among the workgroups.
read less
Harmonized EU Legislation
With regards to legislation, an overall framework of existing or upcoming laws and regulations on national as well as European levels would offer the basis for a qualified assessment and would support the operators in their decision-making process, with respect to security technological solutions.
read more
During the workshop this request was particularly well illustrated in the Transport sector. In this sector, a legislative framework would need to take into account interoperability and inter-modality and to cover different areas and sectors within transport. A more fragmented approach would not benefit the operators as intermodality is required when considering an overall intelligent transport scheme. The Energy sector also highlighted a need for a comprehensive inventory of current legislation due to the uncertainty caused by the lack of harmonised European or international legislation.
Procedures and legislation need to be harmonised on a European level in order to improve coordination both at the European and the global level. Harmonisation legislation is a pre-requisite to reach a common level of security-related requirements within a sector and at the same time provide for a fair financial burden for the operators’ business.
read less
Cross-sectoral approach
The current work performed within the ERNCIP project was presented to the operators. The operators highlighted that the existing thematic areas appear scattered and that a clear structure linking the thematic groups on the basis of sectoral importance and relevance is missing.
read more
As a result, operators encouraged ERNCIP to identify new thematic areas more related to the overall theme of Critical Infrastructure Protection. Moreover, the operators welcomed the idea of a process for establishing new thematic areas which also takes into account the input of CI operators.
The CI operators proposed that new thematic areas could address, topics like:
- Modelling, Simulation & Analysis (MS&A) of:
- interdependencies between CIs
- security vulnerability identification, assessment & optimisation
- evaluation of security solutions, etc.;
- Human factors and security culture;
- The threat landscape in the energy sector, in particular the cybersecurity of smart grids and renewable energy.
read less
Harmonised EU-wide Training & Certification
The workshop participants pointed out that EU-wide harmonised training for operators’ staff does not exist, nor does a certification scheme for qualified CIP personnel. There is a need to support such efforts through relevant professional education and training/ research budgets.
read more
The implementation of an EU-wide security certification of qualified staff was also requested. This would allow experts to work within different CI sectors throughout the EU, and make it easier for the owners of the CIs to recruit staff.
The participating CI operators asked ERNCIP to facilitate the creation of such an EU-wide harmonised training scheme for CI operator staff. The training scheme should include training on realistic threat scenarios and vulnerabilities of CIs, meaning that an applied, hands-on approach should be favoured.
Participants also underlined that the proposed training schemes should be addressed to senior staff (engineers as well as managers). At the same time the creation of academic curricula for critical infrastructure protection at an undergraduate and postgraduate level was requested. This request is in line with the obligations and mandate of the Academic Committee of ERNCIP. The ERNCIP Office is asked to keep both operators and academia informed and facilitate the exchange of ideas between these two stakeholder groups. This exchange could be an interesting topic to address in a future ERNCIP operators’ workshop.
Also in terms of regulation policies, ERNCIP can help in communication among operators aiming at requesting DG Home Affairs to coordinate its CIP policy areas with those in other policy areas. It was stressed that at national levels politicians need strategy, management boards need regulations, and technicians need reference manuals for appropriate guidance on the assessment, selection and deployment of technological security solutions. There is also a need to create an EU-wide auditing scheme for operators of critical infrastructures, based on a harmonised methodology.
ERNCIP can also facilitate the efficient and effective bi-directional communication between operators and research bodies, and link the relevant stakeholders within the standardisation community to ensure standards are created rapidly and effectively.
read less
Learning from experience
Information sharing regarding threats and vulnerabilities, as well as available/needed tools and instruments, is still a huge challenge because of a missing central reliable point of trust.
read more
For example, CI operators recommended the establishment of an EU database of incidents, which should be updated on a regular basis. Such a central tool (as a single point of reference) would allow operators to stay informed about potential threats in an effective and timely manner. This activity could also be combined with training programs.
In the same context, operators invited ERNCIP to launch a systematic assessment of past events like the earthquake in Haiti, Hurricane Katrina in New Orleans, the oil crisis in the Gulf coast of the United States and the tsunami damage to the Fukushima nuclear plant in Japan. The focus should be placed on cross-sectoral interdependencies (e.g. between energy, communication, transportation, water supply) and the identified cascade effects.
Participants followed an all-hazards approach, discussing various threats ranging from terrorist attacks to natural hazards ranging from high probability/low impact threats to low probability/high impact threats. It was underlined that the probability may be perceived as less important in comparison to the consequences of failures of components of complex systems or sectors of CIs. Hence guidance is requested regarding low probability but potentially high impact risks. In such scenarios, operators may ignore the risk of unavailability for critical services (e.g. lack of energy due to extreme space weather, which would result in an inability to manage water supply).
There was common agreement among participants that exercises on a national and EU-wide scale, based on common threat scenarios, would be needed. ERNCIP is invited to facilitate such exercises, as well as support the design of scenarios.
The need for Modelling, Simulation & Analysis (MS&A), based on the assessment of past events and monitoring of threats to CIs reported worldwide, was also reported. MS&A efforts could drive the development of scenarios to be used for analysing possible cascade effects.
read less
Learning from research
Operators feel that there is not enough information available about security research efforts at EU or national level.
read more
Operators of CIs need information about European and national research results, as well as ongoing research projects, in order to be aware of emerging technologies, validation results concerning existing technologies and gaps in innovation which need to be communicated to the managers of research programmes. It was felt that at best, only promotional project leaflets are available. In particular, operators would like to be informed about the research results, and how these can be exploited in order to to increase security.
Participants invited ERNCIP to facilitate the production of this information and a dialogue between the managers of the research programmes and CI operators. By doing so, gaps and needs for further research can be established and the innovation process, the core of Horizon 2020, can be promoted.
There was common agreement among participants that exercises on a national and EU-wide scale, based on common threat scenarios, would be needed. ERNCIP is invited to facilitate such exercises, as well as support the design of scenarios.
read less
Risk Assessment
A major challenge consists in assessing risks, as well as calculating or estimating related costs. Scenario-oriented approaches, related but not limited to risk assessment, would enable a more structured process, as would new models for risk and costs estimation. Financing and related investments are challenges which have a direct impact on the business, and hence also on competiveness.
read more
A significant part of the discussion was related to the risk assessment of CIs. Risks are not easily quantified, particularly if they concern rare probability events. CI-related risk definition and assessment have to be reconsidered to ensure that all those involved are speaking the same language (with reference to ISO 31000:2009 and ISO Guide 73: 2009).
Building a comprehensive risk picture for CIP should include both accidental and intentional threats, should cover a wide range of security-related objectives (namely availability and safety), should look at multiple dimensions (physical infrastructures, information, technical systems, organisational artefacts and people); and it should follow a scenario-oriented approach, which can assist the operators to perform comprehensive exercises.
read less
New concepts for CIP
The operators underline the need to link security with existing safety efforts. More specifically, the Transport sector working group presented the new concept of ‘safeurity’ as an example of a concept being developed within the rail sector and aiming at the protection of infrastructures and operations of any kind.
ERNCIP’s role
ERNCIP should build on the very positive feedback from this workshop (the second in a series) and launch a systematic outreach initiative to operators. This might include information meetings at national level facilitated by authorities in the Member States.
read more
It is commonly agreed that it is difficult to validate models in a statistically significant approach. However, ERNCIP focuses on the testing of security solutions. Therefore it is recommended to use such models to disaggregate complex systems (which include security solutions) in order to identify components for testing and validation with subsequent aggregation of the results in order to validate the overall system.
This aspect relates to a further topic which has been discussed, namely the need to involve actively the ERNCIP network of test facilities. There is an urgent need to establish common test methodologies and test protocols for security solutions. (It should be noted that this is even part of the ERNCIP mission statement.) Perhaps a more suitable term could be evaluation of security solutions rather than testing. The ERNCIP office is invited to establish a dialogue with the laboratory network and operators of CIs to discuss such methodologies — not only in laboratories but also in the ‘real field’. In such context, in particular, collaboration with ETSI (European Telecommunications Standards Institute) would be instrumental.
Acknowledgements
This article summarizes the findings as presented by the moderators (Klaus Keus, Carmine Rizzo and Alois Sieber) and the ERNCIP Office in the official workshop report of the 2nd ERNCIP Operators’ Workshop. The previous version of this article has been published on the European CIIP Newsletter (ECN).