French view on the NIS Diretcive transposition
Cybersecurity Framework in France - ANSSI > The Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI) was created on July 7 th 2009 by a decree (2009-834) of the Prime Minister, which defines precisely its authority and missions . > ANSSI is a service with national responsability , which reports to the General Secretary for Defence and National Security. > ANSSI has 2 mains missions: prevent and react to cyber attacks. 2
Cybersecurity Framework in France - From government to critical infrastructures 2013 2008 2011 2009 French White Paper on White Paper on Creation of Defence and Cybersecurity Defence and ANSSI Strategy National Security National Security Rising awareness on the need to enhance cybersecurity of Operators of Vital Importance (OIV) Information Systems Information Systems Security Authority Defence & Security Authority 3
. CIIP - An existing critical infrastructures protection framework More than 200 critical infrastructure operators (“Operators of Vital Importance”) identified, since 2006. All sectors 12 Public-Private critical sectors Telecom & Food Energy Civilian broadcasting administration > 200 operators Physical Health Space & Military Transport “points” 12 Research activities sectors identified Water Industry Justice Finance 4
The CIIP law Adopted in December 2013, the law aims at reinforcing the cybersecurity of critical operators and allows ANSSI – and other State bodies – to further support them in the event of a cyberattack against their critical information systems. All sectors • The new framework will apply to all public and private critical operators already 12 designated. critical sectors • In addition to their physical points, 200+ operators will need to identify their “critical critical operators information systems”. • Critical Dedicated security measures will information complement existing cybersecurity 12 systems objectives. sectors identified 5
The CIIP law The law provides with 4 set of measures S ECURITY R EQUIREMENTS I NCIDENTS NOTIFICATION ANSSI will impose to the operators a set ANSSI shall be notified directly by of technical and organisational rules operators of incidents occuring on their critical information systems. I NSPECTION M AJOR CRISIS ANSSI can trigger security audits led by ANSSI can impose cybersecurity measures itself, another State authority or a Trust in case of major crisis, declared by the service provider. Prime Minister. 6
NIS - Strategic objectives > A dynamic interministerial process to identify a new set of operators that are essential to economic and societal activities : the operators of essential services > ANSSI will impose to these operators a set of technical and organizational rules very similar to the rules applying to the critical operators 7
Calendar and first challenges for the transposition • Constrains : French presidential election in May and June 2017 • Promulgation of the law expected in beginning 2018 • Regulation : Decree to establish the list of essential services and application measure for each operators • Execution act for the rules regarding he functionment of the cooperation group published in February 2017 • Bill submitted to ministries in May 8
Calendar for the transposition 15.Oct 15.Nov 15.Dec 15.Jan 15.Feb 15.Mar 15.apr 9.May Parliament Promulgati Publication Notification to LAw State Ministry on the European to the council council Commission official journal Formal Publication State Decree writing Notification Law decree consultation of to the council to the minsitries official European journal Commission Publication Travail en interne ANSSI sur les règles de Appliction to the official Writing of 3 sécurité pour se mettre en conformité decree journal avec le guide de référence européen Notification to the European Commission 9
Where do we stand today Interministerial meeting of 09/10/2017 outcomes: ➢ A dedicated law to transpose chapters IV and V ➢ ANSSI designated as single competent autority for the cooperation group; ➢ CERT-FR designated as single French CSIRT for the CSIRT Network ; ➢ Prime minsister will establish the list of essential services and the list of OES on the proposition of ministries or ANSSI; ➢ Prime minister will define security rules for OES information systems 10
Challenge N°1 - Identification of the OES > In the critical sectors already defined, the operators of essential services will be of the same nature as the critical operators (airports, hospitals, electricity suppliers…) but less sensitive. The NIS directive covers many more companies. Are concerned and considered as OES : > Industrial production sites > Telecommunications operators > Transport companies > Hospitals, etc. > Operators of essential services might be identified in other areas of activity (democratic life, cybersecurity industry, tourism…) > Methodology: Mix of quantitative and qualitative criteria 11
Challenge N°2 – Working with the Private sector (RETEX) Starting in late November 2014, working groups led by ANSSI were set up to define with the operators how core provisions would concretely apply. Public & Private Sectoral expertise Operators Ministries Regulators Regulators 12
Challenge N°3 – Articulation with CIIP framework Art 22 LPM (Code of Defense) Dedicated law OIV OES National Security Internal maket Classified information Stakeholders essential to the functioning of the economy and society • Apply the same rules to non OIV actors essential to the functioning of the economy and society • Harmonize the different frameworks of EU member Challenges states • Avoid new requirements for IS already submitted to the LPM 13
Challenge N°4 – Reach an acceptable security level 20 categories of security rules were elaborated and agreed upon by all operators : they are preventive actions aiming at reducing the risks of success for most cyberattacks. Key characteristics • Tailored cybersecurity measures. • Mostly basic cybersecurity measures. • Taking into account ANSSI’s and the operators’ operational experience and existing international standards. • 95 % common to all the sectors. But, depending on the sector’s maturity, the timelines for application can differ (delays not public). • Apply only to the operators’ critical information systems. Note: the law will includes sanctions in case operators would not respect their obligations. 14
Challenge N°5 – Efficient Incident notification Sends a form to notify an incident on one of the SIIV Victim Critical Voluntary Exchange operator Information Shares information ANSSI on the cyber incident Provides support to the victim (from Other recommendations to onsite support) Critical operators Shares feedback on Shares anonymised information the incidents Sectoral on the incident to prevent Ministry potential attacks 15
Challenge N°6 – Assistance to the OES In order to facilitate the implementation of the CIIP law, ANSSI has established a challenging and efficient process allowing the qualification of private “Trust Service Providers” . A rigorous evaluation ANSSI process Government Service Industry providers Provision of trustworthy Feedback to strengthen the services qualification process Critical operators Client 16
General overview- Adapt the security level to the risk COMPLEX Sectorial rules, Security of most critical IS, Risk Government or critical analysis CIIP CYBERATTACK infrastructures framework MEDIUM NIS Cybersecurity tailored Normative and rules, security of the regulatory econmy framework SIMPLE Hygiene and basic Basic rules, principles Security of citizens / PME ACYMA 17
Recommend
More recommend
