French view on the NIS Directive transposition - Cybersecurity - PowerPoint PPT Presentation



SLIDE 1

French view on the NIS Directive transposition

SLIDE 2

Cybersecurity Framework in France - ANSSI

> The Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI) was created on July 7th 2009 by a decree (2009-834) of the Prime Minister, which precisely defines its authority and missions.

> ANSSI is a service with national responsibility, which reports to the General Secretary for Defence and National Security.

> ANSSI has 2 main missions: prevent and react to cyber attacks.

SLIDE 3

Cybersecurity Framework in France - From government to critical infrastructures

Rising awareness of the need to enhance the cybersecurity of Operators of Vital Importance (OIV)

  • 2008: White Paper on Defence and National Security
  • 2009: Creation of ANSSI
  • 2011: French Cybersecurity Strategy
  • 2013: White Paper on Defence and National Security

Timeline labels on the slide: Information Systems Security Authority; Information Systems Defence & Security Authority

SLIDE 4

CIIP - An existing critical infrastructures protection framework


More than 200 critical infrastructure operators (“Operators of Vital Importance”) identified, since 2006.

12 sectors identified:

  • Food
  • Energy
  • Industry
  • Water
  • Transport
  • Justice
  • Military activities
  • Civilian administration
  • Health
  • Finance
  • Telecom & broadcasting
  • Space & Research

Diagram labels on the slide: all sectors; physical “points”; 12 public-private critical sectors; more than 200 operators.
SLIDE 5

The CIIP law

Adopted in December 2013, the law aims at reinforcing the cybersecurity of critical operators and allows ANSSI – and other State bodies – to further support them in the event of a cyberattack against their critical information systems.

  • The new framework will apply to all public and private critical operators already designated.
  • In addition to their physical points, operators will need to identify their “critical information systems”.
  • Dedicated security measures will complement existing cybersecurity objectives.

Diagram labels on the slide: 12 sectors identified; 12 critical sectors; 200+ critical operators; all sectors; critical information systems.

SLIDE 6

The CIIP law

The law provides for 4 sets of measures:

SECURITY REQUIREMENTS

ANSSI will impose on the operators a set of technical and organisational rules.

INCIDENT NOTIFICATION

ANSSI shall be notified directly by operators of incidents occurring on their critical information systems.

INSPECTION

ANSSI can trigger security audits led by itself, another State authority or a Trust service provider.

MAJOR CRISIS

ANSSI can impose cybersecurity measures in case of a major crisis, declared by the Prime Minister.

SLIDE 7

NIS - Strategic objectives

> A dynamic interministerial process to identify a new set of operators that are essential to economic and societal activities: the operators of essential services

> ANSSI will impose on these operators a set of technical and organizational rules very similar to the rules applying to the critical operators

SLIDE 8

Calendar and first challenges for the transposition

  • Constraints: French presidential election in May and June 2017
  • Promulgation of the law expected at the beginning of 2018
  • Regulation: decree to establish the list of essential services and application measures for each operator
  • Execution act for the rules regarding the functioning of the cooperation group published in February 2017
  • Bill submitted to ministries in May

SLIDE 9

Calendar for the transposition

Timeline chart on the slide; only the labels are recoverable:

  • Rows: Law; Law decree; Application decree
  • Milestones: decree writing; formal consultation of ministries; State council; Ministry council; Parliament; promulgation; publication to the official journal; notification to the European Commission
  • Dates: 15 Oct, 15 Nov, 15 Dec, 15 Jan, 15 Feb, 15 Mar, 15 Apr, 9 May
  • Note on the chart: internal work at ANSSI on the security rules to comply with the European reference guide

SLIDE 10

Where do we stand today

Interministerial meeting of 09/10/2017 outcomes:

➢ A dedicated law to transpose chapters IV and V
➢ ANSSI designated as single competent authority for the cooperation group
➢ CERT-FR designated as single French CSIRT for the CSIRT Network
➢ The Prime minister will establish the list of essential services and the list of OES on the proposition of ministries or ANSSI
➢ The Prime minister will define security rules for OES information systems

SLIDE 11

Challenge N°1 - Identification of the OES

> In the critical sectors already defined, the operators of essential services will be of the same nature as the critical operators (airports, hospitals, electricity suppliers…) but less sensitive. The NIS directive covers many more companies. The following are concerned and considered as OES:

> Industrial production sites

> Telecommunications operators

> Transport companies

> Hospitals, etc.

> Operators of essential services might be identified in other areas of activity (democratic life, cybersecurity industry, tourism…)

> Methodology: mix of quantitative and qualitative criteria

SLIDE 12

Challenge N°2 – Working with the Private sector (RETEX)

Starting in late November 2014, working groups led by ANSSI were set up to define with the operators how core provisions would concretely apply.

Diagram labels on the slide: sectoral expertise; public & private operators; regulators; ministries.

SLIDE 13

Challenge N°3 – Articulation with CIIP framework

Challenges

  • Apply the same rules to non-OIV actors essential to the functioning of the economy and society
  • Harmonize the different frameworks of EU member states
  • Avoid new requirements for IS already subject to the LPM

Diagram labels on the slide:

  • Art 22 LPM (Code of Defense) – OIV: national security; classified information
  • Dedicated law – OES: internal market; stakeholders essential to the functioning of the economy and society

SLIDE 14

Challenge N°4 – Reach an acceptable security level

Key characteristics

  • Tailored cybersecurity measures.
  • Mostly basic cybersecurity measures.
  • Taking into account ANSSI’s and the operators’ operational experience and existing international standards.
  • 95 % common to all the sectors. But, depending on the sector’s maturity, the timelines for application can differ (delays not public).
  • Apply only to the operators’ critical information systems.

Note: the law will include sanctions in case operators do not respect their obligations.

20 categories of security rules were elaborated and agreed upon by all operators: they are preventive actions aiming at reducing the risks of success for most cyberattacks.

SLIDE 15

Challenge N°5 – Efficient Incident notification

Diagram on the slide, with the actors ANSSI, the sectoral ministry, the victim critical operator and the other critical operators, and the following flows:

  • The victim operator sends a form to notify an incident on one of its SIIV (critical information systems)
  • ANSSI provides support to the victim (from recommendations to onsite support)
  • Between ANSSI and the sectoral ministry: information on the cyber incident is shared, and feedback on the incidents is shared
  • Anonymised information on the incident is shared with the other critical operators to prevent potential attacks
  • Other critical operators take part in a voluntary exchange of information

SLIDE 16

Challenge N°6 – Assistance to the OES

In order to facilitate the implementation of the CIIP law, ANSSI has established a challenging and efficient process allowing the qualification of private “Trust Service Providers”.

Diagram on the slide, with the actors ANSSI (government), the service providers (industry) and the critical operators (client), and the following flows:

  • A rigorous evaluation process
  • Provision of trustworthy services
  • Feedback to strengthen the qualification process

SLIDE 17

General overview - Adapt the security level to the risk

Three levels, matched to the complexity of the cyberattack:

  • SIMPLE – Hygiene and basic principles: basic rules, security of citizens / PME (SMEs); framework: ACYMA
  • MEDIUM – Normative and regulatory framework: cybersecurity tailored rules, security of the economy; framework: NIS
  • COMPLEX – Risk analysis: sectorial rules, security of the most critical IS, government or critical infrastructures; framework: CIIP framework