
Roadmap for Advanced Metering Standards Report

Standards Australia has published the Roadmap for Advanced Metering Standards report.

The Roadmap took a full four months to develop, from March to June 2016, during which a series of forums and industry-wide consultations were held. These made stakeholders aware of the established standards that Australia's advanced metering equipment infrastructure needs to meet.

In June 2016, Australian stakeholders came together for the final forum on the Roadmap for Advanced Metering Standards. The Roadmap (including a work program covering the development of 23 Australian Standards) was released to the participants on the day of the meeting.

The report introduces advanced metering standards and describes in detail the process by which the Roadmap was developed.

The publication of the Roadmap for Advanced Metering Standards lays the foundation for stakeholders to work with Standards Australia on jointly planning a development program for Standards Australia's advanced metering project.

Proposal forms and standards development activities are the Roadmap's first priority and will be set out in the work program and priority projects. Standards Australia has since recognised, however, that the Roadmap is only a guide, and that stakeholders may ultimately not develop Australian advanced metering standards exactly as the Roadmap plans.

Standards Australia sincerely thanks its partners (Vector, Landis+Gyr, EDMI Limited, ENA and Origin Energy) for the support they provided in developing the Roadmap for Advanced Metering Standards.

Standards Australia also thanks all stakeholders from industry, government and consumer groups for their enthusiastic participation in developing the Roadmap and for their outstanding contributions to it.

Roadmap for Advanced Metering Standards – Report

Standards Australia is pleased to announce the publication of the Roadmap for Advanced Metering Standards – Report.

The development of the Roadmap over a four-month period between March and June 2016 involved a series of forums and industry-wide consultations, which allowed stakeholders to consider the standards that would be necessary to support Australia’s advanced metering equipment infrastructure.

In June 2016 Australian stakeholders came together for the final forum in the Roadmap for Advanced Metering Standards. The Roadmap (including a Work Program involving the development of 23 Australian Standards) was released to stakeholders on the day.

This report provides a background on advanced metering standards and explains the process of developing the Roadmap.

The publication of this Roadmap for Advanced Metering Standards paves the way for stakeholders to work with Standards Australia to prepare and submit proposals for the development of contemporary Australian Standards for advanced metering.

The proposal forms and standards development activities will be informed by the work program and priority projects as set out in the Roadmap. However, Standards Australia recognises that this Roadmap only serves as a guide and that stakeholders may ultimately not seek to develop Australian Standards for advanced metering exactly in accordance with the Roadmap.

Standards Australia is grateful for the support provided by co-resourcing partners (Vector, Landis+Gyr, EDMI, ENA and Origin) to undertake the development of the Roadmap for Advanced Metering Standards.

Standards Australia also gratefully acknowledges the contributions and participation of stakeholders from industry, government and consumer groups in the development of the Roadmap.


BSI, the business standards company, has revised BS 8555 Environmental management systems – Phased implementation – Guide

BSI, the business standards company, has revised BS 8555 Environmental management systems – Phased implementation – Guide. The standard was originally published in 2003 and provides guidance to all organizations on how to implement an environmental management system (EMS) and how to use a phased approach to implement the ISO 14001 series of standards. BS 8555 is now in its public comment period, which runs until September 2016.

What does BS 8555 offer?

  • A step-by-step approach to setting up an environmental management system
  • A series of stages that an organization can work through, with the option to stop at any stage or to complete the work and be ready for ISO 14001
  • Advice on integration during the implementation process and on the use of environmental performance evaluation techniques, and on appropriately coordinating the EMS with other management systems
  • It has been updated to ensure it continues to help organizations improve business processes, save money and meet future environmental challenges

EMS standards have been shown to help organizations reduce the environmental impact of growth, cut waste and save energy while their business continues to grow. The standard can also improve a company's capacity for innovation, improve management system processes, meet relevant regulatory requirements and enhance its reputation in the eyes of investors, customers and the public. BS 8555 can help organizations keep pace with changes in the environmental field and ensure they always stay ahead.

Who can BS 8555 help?

  • BS 8555 serves organizations of all sizes and sectors, as long as the organization intends to work on its environmental management system
  • It is very useful to small and medium-sized enterprises (SMEs), which need a framework to work to but also need to be able to stop at any of the 5 stages. The standard helps SMEs meet regulatory requirements and demonstrate to stakeholders that they can manage resources and adapt to changing circumstances while considering their environmental impact
  • It is also useful to large, multi-site companies, because it provides a framework and a clearly stepped approach that all sites can work to in order to achieve ISO 14001

What has changed?

  • A robust approach to managing risk, with phases 2 and 3 covering compliance with legal requirements
  • The phases have been updated to reflect the changes in BS EN ISO 14001:2015, such as understanding the context of the organization, a greater emphasis on leadership, improving environmental performance and a renewed focus on risk and opportunity
  • Phase 6 and its associated guidance have been removed to simplify the standard and make it easier to use

David Fatscher, Head of Market Development for Sustainability and Services at BSI, said: “A successful EMS ensures that an organization remains commercially successful without giving up its environmental responsibilities. However, such projects can sometimes seem daunting, and management may be unable to commit the required resources. Whatever the nature of the business, its location or its level of maturity, every organization can improve its environmental performance by implementing BS 8555 in phases.”

BS 8555 was developed using a collaborative, consensus-based approach, with input from experts at the Construction Industry Research and Information Association (CIRIA), the Institute of Environmental Management and Assessment (IEMA), the United Kingdom Accreditation Service (UKAS) and the UK Environment Agency, as well as environmental consultants, some of whom took part in the recent major revision of ISO 14001.


BSI, business standards company has revised BS 8555 Environmental management systems – Phased implementation – Guide. The standard was originally published in 2003, and provides guidance for all organizations on how to implement an environmental management system (EMS) or work towards ISO 14001 using a phased approach. BS 8555 is now at public comment stage until September 2016.

What does BS 8555 offer?
  • A step by step approach to setting up an environmental management system
  • A series of stages that an organization can work through with the option to stop at any point or work through to become ISO 14001 ready
  • Advice on the integration and use of environmental performance evaluation (EPE) techniques during the implementation process; and the coordination of such an EMS with other management systems, where appropriate
  • It has been updated to ensure that it continues to help organizations improve business processes, save money and deal with future environmental challenges

EMS standards have been shown to help organizations develop their business whilst reducing the environmental impact of growth, decrease waste and save energy. They can help businesses become more innovative, improve management system process, meet regulatory requirements and enhance corporate reputation among investors, customers and the public. BS 8555 can help organizations stay abreast of the changes in the environmental arena, ensuring they remain ahead of the curve.

Who can BS 8555 help?
  • BS 8555 is for all sizes and sectors of organization who want to start to work on their environmental management system
  • It can be useful to small and medium sized enterprises (SMEs) who need a framework to work to, but who can choose to stop at any of the 5 stages. The standard helps SMEs to achieve regulatory requirements and demonstrate to stakeholders that they are giving consideration to environmental impacts whilst helping them to manage resources and changes in circumstances
  • It is useful to large, multi-site companies because it provides a framework and step-wise approach that all sites can work to in order to implement ISO 14001

What has changed?
  • A robust approach in terms of managing risk and compliance with legislation during phases 2 and 3
  • Phases and stages have been updated to reflect changes in BS EN ISO 14001:2015, such as understanding the context of the organization, an increased focus on leadership, improvement in environmental performance and a new focus on risk and opportunity
  • Phase 6 and the associated guidance has been removed in order to simplify the standard and make it easier for people to use

David Fatscher, Head of Market Development for Sustainability & Services at BSI, said: “A successful EMS helps organizations remain commercially successful without compromising their environmental responsibilities. However, such projects can sometimes seem daunting and management may be unable to commit the required resources. By phasing implementation with BS 8555, all organizations, regardless of the nature of the business activity undertaken, location, or level of maturity, can improve their environmental performance.”

BS 8555 was developed using a collaborative consensus-based approach with input from such experts as CIRIA, IEMA, UKAS, the UK Environment Agency, as well as environmental consultants, some of whom took part in the recent major revision of ISO 14001.


Sustainable development of communities standard published

BSI (the business standards company) has published BS ISO 37101:2016, Sustainable development in communities — Management system for sustainable development — Requirements with guidance for use.

In a fast-changing world, a top priority for many city leaders is making sure their cities and communities are fit for the future. To that end they must consider issues such as providing sustainable energy supplies, coping with environmental and climate change, building and maintaining durable infrastructure, and meeting the needs and expectations of citizens. BS ISO 37101 was developed to help city leaders set their city's sustainable development agenda.

The UK has already developed similar guidance in the form of BS 8904:2011 Guidance for community sustainable development. That standard is suited to local grass-roots organizations and contributed to the development of BS ISO 37101.

The international standard sets out requirements and guidance intended to achieve sustainable development with the help of a range of methods and tools, including smartness and resilience. It can help cities improve in many areas, including:

  • Developing holistic and integrated approaches rather than working in silos (which hinders sustainable development)
  • Fostering social and environmental change
  • Improving health and wellbeing
  • Encouraging responsible resource use and achieving better governance

David Fatscher, Head of Market Development for Sustainability and Services at BSI, said: “As societies grow and populations within communities become denser, we need to think more about the sustainable development of those cities. What a city faces is not just a question of population size but also economic, social and environmental issues. Previous guidance enabled individuals to take control of their communities locally, protecting the local environment by improving social and economic opportunities. This international standard, however, takes a broader view. City leaders can be at the forefront of any decision affecting their communities, and they have the guidance they need to implement changes that benefit the environment in many ways.”

BS ISO 37101 was first proposed by the French national standards body (AFNOR), reflecting the interests of the construction and services industries. In line with the usual collaborative ISO practice, each country submitted its comments to its national representative, who passed them to the ISO committee for consideration. Outreach and liaison were established with the Global City Indicators Facility and the United Nations Environment Programme, including coordination of ISO work on city indicators and smart infrastructure.

Other countries involved in developing BS ISO 37101 include Austria, Canada, China, Denmark, France, Germany, Japan, Mexico, the Netherlands, Russia, Sweden, Sri Lanka and the United States.

BS ISO 37101 can help city chief executives, sustainability officers, smart city managers, compliance managers, policy advisors, NGO staff and consultants plan their city's long-term sustainable development agenda.


Sustainable development of communities standard is published

BSI, the business standards company has published BS ISO 37101:2016, Sustainable development in communities — Management system for sustainable development — Requirements with guidance for use.

In a fast-changing world, ensuring cities and communities are fit for the future is a key priority for many city leaders. Providing sustainable energy supplies, coping with environmental and climate changes, building and maintaining durable infrastructures and meeting the needs and expectations of citizens are just some of the considerations to be made. BS ISO 37101 has been developed to help city leaders set their city's sustainable development agenda.

The UK has already developed similar guidance in the shape of BS 8904:2011 Guidance for community sustainable development which is suited to local grass roots organizations, with this standard contributing towards the development of BS ISO 37101.

The international standard sets out requirements and guidance to attain sustainability with the support of methods and tools including smartness and resilience. It can help communities improve in a number of areas such as:
  • Developing holistic and integrated approaches instead of working in silos (which can hinder sustainability)
  • Fostering social and environmental changes
  • Improving health and wellbeing
  • Encouraging responsible resource use and achieving better governance

David Fatscher, Head of Market Development for Sustainability and Services at BSI, said: “As societies grow and populations within a community increase in density, more thought has to be put into the sustainable development of those communities. This is not just about population size but also the economic, social and environmental issues that a community faces. Whilst previous guidance has enabled individuals to take control of their communities locally, from improving social and economic opportunities to protecting the local environment, this international standard takes a broader view. City leaders can be at the forefront of any decisions that impact their communities and now have the guidance they need to implement changes to benefit their environment in multiple ways.”

BS ISO 37101 was first proposed by the French National Standards Body, Afnor to reflect the interests of the construction and services industries. In accordance with the normal collaborative ISO practices, each country submitted their comments to their country representative for consideration by the ISO committee. Outreach and liaison was established with the Global City Indicators Facility and the United Nations Environment Programme. This included harmonizing work being done in ISO on city indicators and smart infrastructure.

Some of the other countries involved in the development of BS ISO 37101 include: Austria, Canada, China, Denmark, France, Germany, Japan, Mexico, Netherlands, Russia, Sweden, Sri Lanka and USA.

BS ISO 37101 will be able to help city CEOs, sustainability officers, smart city managers and compliance managers, policy advisors, NGOs and consultants plan their city’s long term sustainability agenda.


Preventing a potential cybersecurity nightmare

Cybersecurity is now critical to the safe operation of industrial production equipment, but the user accounts on many of the devices in these installations are not properly managed. Central user account management combined with role-based access control is the best way to manage user accounts and permissions centrally and efficiently, and it is also a state-of-the-art security solution. This eliminates the nightmare of having unmanaged user accounts on hundreds or thousands of devices.

Operator management station at a central point, using the SDM600 System Data Manager console (photo: Asea Brown Boveri (ABB))

Too many user accounts are not properly managed

In most cases, the factory default user accounts and passwords in industrial devices are unmanaged and never changed. Shared and/or weak passwords are also a problem.

From a cybersecurity perspective, in today's interconnected world both factory default accounts and shared accounts represent a huge risk, so neither is acceptable. Apart from the cybersecurity concerns, factory default and shared accounts also create control system management headaches for the people in charge of those systems.

A configuration change causes a power outage, but nobody can establish which employee changed the configuration, because either a shared account or a factory default account could have been used to enter the system and make the change.

Another possible scenario involves an employee leaving the company. Because that employee knows the company's shared password, the company has to reset the shared password on a large number of devices and computers to make sure the departing employee can no longer log in. Last but not least, the new password has to be communicated to the remaining employees so that they can continue to do their jobs.

Legacy processes, tools and technologies make it hard for security managers and system operators to change their systems so as to adapt to and defend against new security threats. Security managers need standardized technologies and modern tools to raise their security level. Central user account management combined with role-based access control (RBAC) is the best way to manage user accounts and user permissions centrally and efficiently, while also being a state-of-the-art security solution. It also eliminates the nightmare of having unmanaged user accounts on hundreds of devices.

Technological change brings operational benefits together with cybersecurity risks

Substation automation, protection and control systems have changed significantly over the past decade. Systems are more tightly interconnected and provide end users with more information, which has increased reliability and raised levels of control and productivity. Interoperability between products from different vendors and between different systems has been achieved by using products that conform to open standards, such as the IEC 61850 series on communication networks and systems for power utility automation, or IEC 60870-5-104, Telecontrol equipment and systems – Part 5-104: Transmission protocols – Network access for IEC 60870-5-101 using standard transport profiles, and by leveraging existing Ethernet technology.

From an operational standpoint, technological change has brought enormous convenience, but it also exposes utilities to cybersecurity threats of the kind that have plagued traditional enterprise systems for years. Cybersecurity is a fundamental element of modern networks, but fragmented access policies across network devices can expose critical vulnerabilities.

Carelessness makes systems easy to break into

The heterogeneous nature of automation networks complicates tasks such as revoking staff credentials or changing default passwords. Factory default accounts frequently remain unchanged from manufacturer to customer, and may even remain unchanged for the device's entire lifetime. Leaving factory default accounts unchanged thus gives attackers rapid access to devices without their needing any special skills or knowledge.

Moreover, most control and network devices provide logging to record what users have done, but if every operation is carried out under a factory default account, the login records and audit trail cannot tell who did what.

Setting the stage for a possible solution

Control system owners and managers would welcome sound answers to the following questions in order to ensure the security of their systems:

  • Would you like to manage user accounts easily?
  • Would you like to manage new employees' access and permissions from a central point?
  • When an employee leaves, would you like to delete or revoke their user credentials quickly from a central location?
  • Would you like changes made at the central location to take effect immediately on all of your company's products from different vendors?
  • Would you like to eliminate the worry about default user accounts remaining active on unmanaged local devices?

The industry strikes back

Driven by the requirements of the North American Electric Reliability Corporation – Critical Infrastructure Protection (NERC CIP) standards, and by many other cybersecurity requirements, the industry is taking a common path to the future: IEC TS 62351-8: Power systems management and associated information exchange – Data and communications security – Part 8: Role-based access control. This technical specification sets out how vendors should implement and provide role-based access control and central user account management for their customer base.

Since IEC TS 62351-8 was released in 2011, users have been able to authenticate themselves to all of the company's devices on all of its networks with a single, user-specific username and password. In addition, adding or removing users can be done centrally, in a single step.

This technology not only allows usernames and passwords to be managed centrally, but also user permissions, by assigning roles to users according to their responsibilities in the company (RBAC, role-based access control).

A possible way out of the nightmare

Control systems need to be managed to ensure the sustainability of the infrastructure. Managing a system means continually keeping its devices up to date.

Managing a cybersecurity policy can become complex, so to be efficient, security managers need the support of software applications. A role-based access control system is one such application. It lets the responsible person manage users and their roles over the long term from a central point, even across multiple control systems in different locations.

Not everyone needs to be a system administrator. The most common approach in cybersecurity management is to grant every user the fewest possible privileges. A role-based access control system based on IEC TS 62351-8 lets the person responsible for security in a company manage users for the entire system and assign roles to those users from the same place.

IEC 62351 is a series of international standards on technical security whose purpose is to secure power-system-specific communication protocols such as IEC 61850 and IEC 60870-5-104. Although most parts of the series have been published, more work is needed before systems compliant with IEC 62351 can be put on the market. IEC 62351-8 was finalized and published in 2011 and defines role-based access control for power systems. This is not a new concept; it is in fact part of best practice in many IT systems. Role-based access control in power systems can reduce the number of people who must be given particular permissions, so that those users hold only the permissions they need to perform their duties. This lowers the risk to the power system, because under the principle of least privilege permissions are assigned only when they are actually needed. The standard also defines a set of predefined roles (e.g. Viewer, Operator, etc.) and predefined rights.

Adhering to international standards as closely as possible

To ensure reliable, high-quality cybersecurity functionality across diverse devices, the fundamental requirement is to adhere to international standards as far as possible. A high level of cybersecurity comes only from proven, tested and standardized technologies and methods, particularly when the installed devices come from different vendors. Utilities that do not take this sensible path may find themselves dependent on a single supplier and at the mercy of its proprietary solutions.

To optimize cybersecurity, the system must be fully understood. Security-related events, such as access to the various system components and other user activity on them, need to be monitored in order to identify potential attacks and optimize protection. Central user activity logs collect cybersecurity-related events from the system's devices and make the information available to the responsible personnel. An efficient, user-friendly approach, such as automatic recognition of event patterns, is a key feature of such monitoring programs.

State-of-the-art cybersecurity products based on international standards such as IEC TS 62351-8 make role-based user account management efficient in multi-vendor control systems. These products give utilities real-time visibility of security-relevant user activity in their systems.

Proprietary cybersecurity implementations should be avoided in favour of seamless integration of multi-vendor control systems. Adopting interoperable solutions that conform to IEC TS 62351-8 makes operational tasks much easier.


Preventing a potential cybersecurity nightmare

Unmanaged user accounts in industrial environments present significant cybersecurity risks

Cybersecurity is now central to the safe operation of industrial installations, but user accounts for many devices used in these installations are not properly managed. Central user account management combined with Role Based Access Control is the perfect solution for managing user accounts and permissions efficiently and centrally while still providing a state of the art security solution. This eliminates the nightmare of having unmanaged user accounts on hundreds of devices.

Too many user accounts are not properly managed

In many cases the factory default user accounts and passwords used in devices in industrial installations are unmanaged and remain unchanged. Shared and/or weak passwords are also an issue.

From a cybersecurity perspective, in today’s interconnected world, both factory default accounts and shared accounts represent a huge cybersecurity risk and are unacceptable. Besides cybersecurity concerns, both factory default and shared accounts can make control system management a nightmare for control system owners.

Consider the case in which a power outage occurs as a result of a changed configuration, but it cannot be established which employee actually changed the configuration because a shared account or a factory default account was used to access the system and make the change.

Another possible scenario is connected with a single employee leaving an organization. Since this member of staff knows a password that is shared by several other employees, a huge effort is required to change this shared password in a number of devices and locations, to ensure that the departing employee can no longer access the system. Last but not least, the remaining employees must also be informed of the new password, so that they can continue to carry out their work.

Legacy processes, tools and technologies can make it hard for security managers and system operators to change systems so as to adapt to and defend against new security threats. Security managers need proven standardized technologies and modern tools to move to the next level. Central user account management combined with Role Based Access Control (RBAC) is the perfect solution for managing user accounts and user permissions centrally and efficiently, while still providing a state of the art security solution. It also eliminates the nightmare of having unmanaged user accounts on hundreds of devices.

Technological change has brought both operational benefits and cybersecurity risks

Substation automation, protection and control systems have changed significantly in the past decade. Systems have become more interconnected and provide end users with much more information, resulting in higher reliability, increased levels of control and higher productivity. Interoperability between different vendor products and systems has been achieved by deploying products and solutions based on open standards such as publications from the IEC 61850 series, Communication networks and systems for power utility automation, or IEC 60870-5-104, Telecontrol equipment and systems – Part 5-104: Transmission protocols – Network access for IEC 60870-5-101 using standard transport profiles, and by leveraging proven Ethernet technology.

This change in technology has brought huge benefits from an operational point of view, but it has also exposed utilities to the kind of cybersecurity threats that have been confronting traditional enterprise systems for years. Cybersecurity is an essential component of modern networks, but fragmented access policies across network devices risk exposing critical vulnerabilities.

Careless practices make system access easy

The heterogeneous nature of automation networks has complicated tasks such as revoking staff credentials, or changing default passwords. Factory default accounts often remain unchanged after handover from manufacturer to customer, and may even remain unchanged on devices for their entire lifetime. Such practices and unchanged factory default accounts make it easy for an attacker to access devices rapidly and without needing to possess any special skills or knowledge.

Furthermore, most control and network devices provide logging capabilities to record what users have done, but if all actions are performed under the umbrella of a factory default account, then the logged information and audit trail say nothing about who has really performed which actions.

Setting the stage for a possible solution

Control system owners and managers would probably welcome positive answers to the following questions to ensure the security of their systems:

  • Would you like to manage user accounts easily?
  • Would you like to administer new employees’ access and permissions in your company from a central point?
  • Would you like to be able to remove or disable user credentials quickly from a single central location when an employee leaves your company?
  • Would you like the changes you made in the central location to be immediately effective on all products from different vendors throughout your organization?
  • Would you like to eliminate worry about default user accounts remaining active on unmanaged local devices?

The industry strikes back

Following demands from the North American Electric Reliability Corporation – Critical Infrastructure Protection (NERC-CIP) Standards, and many other cybersecurity requirements, the industry is adopting a common path to the future: IEC TS 62351-8: Power systems management and associated information exchange – Data and communications security – Part 8: Role-based access control. This Technical Specification sets out how vendors should implement and provide RBAC and central user account management to their customer base.

Since the arrival of IEC TS 62351-8 in 2011, users have been able to authenticate themselves across their organization to all devices in all networks, with a user-specific and unique user-id and password. Moreover, the addition or removal of users is done centrally, in a single step.

This technology offers not only the central management of user-ids and passwords, but also the management of user permissions by assigning roles to users, depending on their job roles in the organization (RBAC).

Possible solution for a nightmare scenario

Control systems need to be managed to ensure sustainable infrastructures. Managing a system means continually keeping its devices up-to-date.

The management of a cybersecurity policy can become complex; therefore to be efficient, security managers need support from software applications. A Role Based Access Control system is such an application. RBAC allows responsible persons to be able to manage users and their roles consistently from a central point – even for multiple control systems in different locations.

Not everybody needs to be a system administrator. A common sense approach in cybersecurity management is to grant the fewest possible privileges to every user. An RBAC system based on IEC TS 62351-8 enables the person responsible for security in a company to manage users for the entire system and assign roles to those users from one place.

IEC 62351 is a series of technical security International Standards that aims to secure power system-specific communication protocols such as IEC 61850 or IEC 60870-5-104. While most parts of the series have been released, more work is needed before systems compliant with IEC 62351 can be put on the market. IEC 62351-8, finalized and published in 2011, defines RBAC for power systems. This is not a new concept; it is in fact part of best practice in many IT systems. The use of RBAC in power systems makes it possible to reduce the number of permissions that have to be assigned to certain users so that these users have only the permissions they need to perform their duties. This reduces the risk to the power system, as permissions are only assigned when they are actually needed, according to the principle of fewest privileges. The standard also defines a list of pre-defined roles (e.g., Viewer, Operator, etc.) and of pre-defined rights.
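As an added example (not code from the article, from ABB or from the IEC standard), the following Python models the central directory that the article describes in the leaver scenario above and in its account of IEC TS 62351-8's predefined roles: users are assigned roles in one place, every device consults that one place before acting and keeps an audit trail that names the person, and disabling a user there is immediately effective on every device. Only the role names Viewer and Operator come from the article; the Engineer and SecurityAdmin roles, the Right enumeration and the whole role-to-right table are illustrative assumptions, not the standard's normative lists.

```python
"""Minimal central user directory with role-based access control, in the
spirit of IEC TS 62351-8. Added example; the role-to-right table below is an
illustrative assumption and not the standard's normative table."""
from dataclasses import dataclass, field
from enum import Enum


class Right(Enum):
    VIEW = "view"          # look at live values
    READ = "read"          # read settings and configuration
    CONTROL = "control"    # issue switching commands
    CONFIG = "config"      # change configuration
    SECURITY = "security"  # manage security settings


# Illustrative role -> rights table (assumption). Viewer and Operator are
# named in the article; Engineer and SecurityAdmin are added for the demo.
ROLE_RIGHTS = {
    "Viewer": {Right.VIEW},
    "Operator": {Right.VIEW, Right.READ, Right.CONTROL},
    "Engineer": {Right.VIEW, Right.READ, Right.CONFIG},
    "SecurityAdmin": {Right.VIEW, Right.SECURITY},
}


@dataclass
class Directory:
    """Single source of truth for users, their roles and their status.
    Devices hold no local accounts; they ask the directory on every action."""
    roles_of: dict = field(default_factory=dict)  # user -> set of role names
    disabled: set = field(default_factory=set)

    def add_user(self, user, *roles):
        unknown = set(roles) - set(ROLE_RIGHTS)
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        self.roles_of[user] = set(roles)

    def disable_user(self, user):
        """Leaver handling: one central step, no per-device password resets."""
        self.disabled.add(user)

    def rights_of(self, user):
        if user in self.disabled or user not in self.roles_of:
            return set()
        return set().union(*(ROLE_RIGHTS[r] for r in self.roles_of[user]))


class Device:
    """A device enforces the central decision and logs who asked for what."""

    def __init__(self, name, directory):
        self.name = name
        self.directory = directory
        self.audit = []  # (user, action, outcome): attributable to a person

    def perform(self, user, action):
        allowed = action in self.directory.rights_of(user)
        self.audit.append((user, action.value, "granted" if allowed else "denied"))
        return allowed


def excess_rights(directory, user, needed):
    """Least-privilege review: rights the user holds beyond what the job needs."""
    return directory.rights_of(user) - set(needed)


def demo():
    d = Directory()
    d.add_user("alice", "Operator")
    d.add_user("bob", "Viewer")
    d.add_user("carol", "Operator", "Engineer")
    devices = [Device(f"relay-{i}", d) for i in range(1, 4)]  # constructed names
    out = {}
    # An Operator may control every device; a Viewer may not control any.
    out["alice_control"] = all(dev.perform("alice", Right.CONTROL) for dev in devices)
    out["bob_control"] = any(dev.perform("bob", Right.CONTROL) for dev in devices)
    # Alice leaves: one central change, effective on all devices at once.
    d.disable_user("alice")
    out["alice_after_disable"] = any(dev.perform("alice", Right.CONTROL) for dev in devices)
    # Carol only needs to view and control, so her Engineer role is excess.
    out["carol_excess"] = sorted(r.value for r in excess_rights(d, "carol", {Right.VIEW, Right.CONTROL}))
    # The first audit entry names the person, not a shared or default account.
    out["audit_first"] = devices[0].audit[0]
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of `Device.perform` consulting the directory rather than a local account table is the one the article makes: revocation and role changes happen once and propagate everywhere, and the audit trail on each device records a named user.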

Adhering to International Standards as closely as possible

To ensure high quality and dependable cybersecurity functionality in heterogeneous installations, it is fundamental to adhere to International Standards as far as possible. A high level of cybersecurity can only be achieved by deploying and using reviewed, approved and standardized technologies and methods, especially when installing devices from different vendors. Utilities not following such a wise path can find themselves locked in to a single supplier offering proprietary solutions.

Cybersecurity cannot be optimized without knowing everything that is going on in the system. Security related events, like access and other user activities in different system components, need to be monitored to identify potential attacks and to optimize protection. Central user activity logs collect cybersecurity related events from the system devices and make the information available to responsible personnel. An efficient and user-friendly approach, such as automatic recognition of event patterns, is a key feature of such monitoring applications.
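The central user activity log and the automatic recognition of event patterns described above, as an added example (not the article's or any vendor's code): a small analyser that parses constructed device log lines and flags two things responsible personnel would want to know about, changes made under an unattributable factory-default or shared account, and a burst of failed logins for one account from one source spread across several devices. The log line format, the account names in UNATTRIBUTABLE_ACCOUNTS and all sample lines are constructed for this example; real device logs use other formats.

```python
"""Central activity-log analyser for the two patterns discussed in the article.
Added example; log format, account names and sample lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Accounts that cannot be attributed to a person (names are an assumption).
UNATTRIBUTABLE_ACCOUNTS = {"admin", "service"}

# Constructed line format: "<utc-timestamp> <device> user=.. src=.. action=.. result=.."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>\S+)$"
)

# Constructed sample log collected centrally from three devices.
SAMPLE_LOG = """\
2016-06-01T10:00:01Z relay-1 user=alice src=10.0.0.5 action=login result=ok
2016-06-01T10:00:30Z relay-1 user=alice src=10.0.0.5 action=control result=ok
2016-06-01T10:01:00Z relay-2 user=admin src=10.0.0.9 action=config result=ok
2016-06-01T10:02:00Z relay-3 user=bob src=10.0.0.7 action=login result=fail
2016-06-01T10:02:10Z relay-1 user=bob src=10.0.0.7 action=login result=fail
2016-06-01T10:02:20Z relay-2 user=bob src=10.0.0.7 action=login result=fail
2016-06-01T10:02:25Z relay-2 user=bob src=10.0.0.7 action=login result=fail
2016-06-01T10:30:00Z relay-3 user=carol src=10.0.0.8 action=login result=fail
"""


def parse(text):
    """Turn log text into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def analyse(events, fail_threshold=3, window=timedelta(seconds=60)):
    """Return a list of findings as tuples; the first element names the pattern."""
    findings = []

    # Pattern 1: a successful non-login action under an unattributable account.
    # This is the audit-trail gap the article describes: nobody can say who did it.
    for e in events:
        if e["user"] in UNATTRIBUTABLE_ACCOUNTS and e["result"] == "ok" and e["action"] != "login":
            findings.append(("unattributable_change", e["device"], e["user"], e["action"]))

    # Pattern 2: fail_threshold failed logins for one (user, src) within `window`,
    # counted across all devices, which a per-device view would not reveal.
    fails = defaultdict(list)
    for e in events:
        if e["action"] == "login" and e["result"] == "fail":
            fails[(e["user"], e["src"])].append(e)
    for (user, src), evs in fails.items():
        evs.sort(key=lambda ev: ev["ts"])
        for i in range(len(evs) - fail_threshold + 1):
            burst = evs[i:i + fail_threshold]
            if burst[-1]["ts"] - burst[0]["ts"] <= window:
                devices = sorted({ev["device"] for ev in burst})
                findings.append(("login_failure_burst", user, src, devices))
                break  # one finding per (user, src) is enough for an operator
    return findings


if __name__ == "__main__":
    for finding in analyse(parse(SAMPLE_LOG)):
        print(finding)
```

Carol's single failed login produces no finding, which is the intended behaviour: the threshold and window exist so that ordinary typos do not drown the patterns worth a responsible person's attention.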

State of the art cybersecurity products based on International Standards such as IEC TS 62351-8 enable efficient RBAC management of user accounts in multi-vendor control systems. They provide utilities with real-time visibility of the security-relevant user activity within their systems.

Proprietary cybersecurity implementations should be avoided for seamless integration of multi-vendor control systems. The adoption of interoperable solutions that accord to IEC TS 62351-8 makes performing these tasks much easier.

About the authors

Frank Hohlbaum – Security Manager Grid Automation, ABB Switzerland Ltd.

Frank is globally responsible for all aspects of cybersecurity within ABB’s Power System Substations and drives the security activities in this business unit. He is an active member of the Power System Security Council and represents the business unit Power System Substations. Frank Hohlbaum joined ABB in 1996 and has 20 years’ experience in substation automation. Frank is a Member of IEC Technical Committee (TC) 57/Working Group (WG) 3: Telecontrol protocols.

Bart de Wijs – Head of Cybersecurity for ABB's Power Grids Division.

Bart represents this division in the ABB Group Cybersecurity Council, which is a cross-disciplinary team staffed with resources from various corporate functions. Additionally, he is a member of the ABB Cybersecurity Response Team, handling vulnerabilities and incidents. Within the division he leads a team of cybersecurity specialists dealing with the different aspects of all the security-related concerns that could affect ABB customers. He is a member of various cybersecurity expert groups. Between 2007 and 2010 Bart was responsible for cybersecurity in ABB’s Power Generation business unit.

Fernando Alvarez – Cybersecurity Technical Product Manager, ABB Switzerland Ltd.

Fernando is responsible for supporting the development of different cybersecurity technologies in ABB products and for managing and tracking ABB’s cybersecurity intellectual property. He is also an active member of IEC TC57/WG15: Data and communication security, the IEC group working on the IEC 62351 series of International Standards for power systems management and associated information exchange. Previously Fernando worked on securing the internal IT infrastructure of banks and on securing military communications.

 

 

预防潜在影响网络安全的噩梦

现在,网络空间安全对于工业生产设备的安全运行来说非常关键,但这些设备中许多装置的用户账户并没有得到妥善管理。中央用户账户管理结合基于角色的访问控制是集中有效地管理用户账户和权限的最佳途径,同时也是最先进的安全解决方案,这就消除了成百上千设备上有非托管用户账户的噩梦。

中央点操作员管理站,使用SDM600系统数据管理器控制台(照片来自于阿西亚布朗勃法瑞公司(ABB))

很多用户账户没有妥善管理

多数情况下,工厂默认工业设施设备中的用户帐户和密码是无人管理的,不会改变。共享和/或弱密码也是一个问题。

从网络空间安全的角度来看,当今世界互联互通,无论是工厂默认账户还是共享账户都存在巨大的风险,所以,二者都是不可接受的。除了考虑到网络安全问题,工厂默认账户和共享账户都会给系统控制人员带来控制系统管理方面的困扰。

修改配置会引发电力故障,但人们却无法确认是哪位员工更改了配置,因为无论是共享账户还是出厂设置账户都能进入系统进行操作。

另一种可能的情况和离开公司的员工有关。因为该员工知道公司的共享密码,这就需要公司重置大量设备和电脑的共享密码,来确保离职的员工无法登入公司系统。最后,同样重要的是,把新密码告诉在职的员工,这样,他们才能继续做自己的工作。

对于安全管理者和系统操作员来说,遗留流程、工具和技术会让他们很难改变系统来适应和抵御新的安全威胁。安全管理者需要通过标准化技术和现代工具提升安全水平。中央用户账户管理结合基于角色的访问控制(RBAC)是集中有效地管理用户帐户和用户权限的最佳途径,同时,它还是最先进的安全解决方案。它还消除了数以百计设备上有非托管用户帐户的噩梦。

技术变革可带来经营效益同时并存网络安全风险

变电站自动化、保护和控制系统在过去的十年里发生了重大变化。系统之间联系更加紧密,为终端用户提供更多信息,这就使依赖性增强,控制水平和生产效率提高。不同厂商产品和不同系统之间的互操作性已经通过利用符合公开标准,如从IEC 61850通信网络和电力系统自动化系列标准,或IEC 60870-5-104遥控设备和系统——第5-104部分 传输协议——IEC 60870-5-101使用标准的传输轮廓和利用现有的以太网技术访问网络。

从操作角度来讲,技术变革给操作带来巨大便利,但也容易给公用事业网络安全造成威胁,这也是传统企业系统多年来一直受到的困扰。网络安全是现代网络的基本要素,但网络设备上分散的访问策略会暴露关键漏洞。

粗心会导致系统易被侵入

自动化网络的异构性质会使任务变得复杂,比如撤销人员凭证或更改默认密码。出厂默认账户从制造商到消费者经常是保持不变的,它甚至可能在设备的整个生命周期都保持不变。这样,不变更出厂默认账户就为攻击者快速访问设备提供了方便,而且他们不需要有任何特殊的技能或知识。

此外,大多数控制和网络设备提供日志功能来记录用户做了什么,但如果所有操作执行都在出厂默认账户的保护下进行,登录信息和审计轨迹便分不清谁做了什么。

准备可能的解决方案

系统控制者和管理者欢迎针对下列问题给予合理答案,以确保系统的安全:

.你想容易地管理用户帐户吗?

.你想从中央点管理公司新员工的访问和权限吗?

.当员工离职后,你想快速从中央位置删除或撤销其用户凭证吗?

.你想把对中央位置的改变立即有效地对公司来自不同供应商的所有产品起作用吗?

.你想消除对于默认用户帐户在非托管的本地设备上活跃的担忧吗?

行业反击战

按照北美电力可靠性协会——关键基础设施保护(NERC CIP)标准的要求,以及许多其他网络安全需求,工业正在走一条共同的未来之路:IEC TS 62351 – 8:电力系统管理和相关信息交换——数据和通信安全——第8部分:基于角色的访问控制。本技术规范规定了供应商应该如何为客户群实施和提供基于角色的访问控制和中央用户帐号管理。

自IEC TS 62351 – 82001年发布以来,用户已经能够用一个特定的用户名和密码在公司所有设备所有网络验证自己身份。此外,添加或删除用户可以集中完成,一键解决。

这种技术不仅能够集中管理用户名和密码,而且可以集中管理用户权限,根据用户在公司的职责将角色分配给他们。(RBAC基于角色的访问控制)

解决噩梦的可能途径

控制系统需要进行管理,以确保基础设施的可持续性。管理系统意味着不断地更新设备。

网络安全策略的管理可能会变得复杂,因此,为了提高效率,安全管理者需要应用软件的支持。基于角色的访问控制系统就是这样一款应用软件。它允许负责人从中央点长期管理用户和他们的角色——甚至从不同位置的多个控制系统。

不是每个人都需要成为系统管理员。网络安全管理最普通的方法是尽可能少地授予每个用户特权。以IEC TS 62351 – 8为基础的基于角色的访问控制系统,能够让公司的安全负责人为整个系统管理用户,并将角色从同一个地方分配给那些用户。

IEC 62351是技术安全的系列国际标准,其目的是确保电力系统专用通信协议如IEC 61850和IEC 60870-5-104的可行性。虽然该系列标准中的大部分已经出台,在符合IEC 62351标准的系统投放市场前仍需做更多的工作。IEC 62351 – 8是于2011年完成并出版,为电力系统定义了基于角色的访问控制。这不是一个新概念,它实际上是许多信息技术系统里最佳实践的一部分。电力系统的基于角色的访问控制,可以减少必须分配给特定用户权限的人数,这些用户只有他们需要履行职责的权限。这就降低了电力系统的风险,因为根据最少特权的原则,只有实际需要时才会分配权限。这套标准还定义了一组预定义的角色(如,浏览器,操作者等)和预定义的权利。

尽可能遵守国际标准

要确保多样的设备网络安全功能的可靠性和高品质,最基本的是尽可能地遵守国际标准。高水平的网络安全仅来自于那些经得起考验的、已经被证实的、标准化的技术和方法,特别是当安装设备来自不同的供应商时。那些不走这条聪明路的公用事业会发现自己沉溺于单一的供货商,听从他们专有解决方案的摆布。

想要优化网络安全,必须要完全了解这个系统。和安全相关的事件,如需要监测不同系统组件的访问和不同系统组件其他用户的活动,来识别潜在的攻击和优化保护。中央用户活动日志从系统设备收集网络安全相关事件,并向负责人员提供信息。一个有效的、用户友好的方式,如自动识别事件模式,就是这种监测程序的重要特征。

基于国际标准(如IEC TS 62351 – 8)的最先进的网络安全产品,使得多厂家的控制系统的基于角色的访问控制的用户账户管理很有效率。这些产品为公用事业提供实时可见的与系统安全相关的用户活动。

专有网络安全的实现应该避免多厂家控制系统的无缝集成。根据IEC TS 62351 – 8,采用互操作的解决方案,会使操作任务更加容易。

 

Preventing a potential cybersecurity nightmare

Unmanaged user accounts in industrial environments present significant cybersecurity risks

Cybersecurity is now central to the safe operation of industrial installations, but user accounts for many devices used in these installations are not properly managed. Central user account management combined with Role Based Access Control is the perfect solution for managing user accounts and permissions efficiently and centrally while still providing a state of the art security solution. This eliminates the nightmare of having unmanaged user accounts on hundreds of devices.

Too many user accounts are not properly managed

In many cases the factory default user accounts and passwords used in devices in industrial installations are unmanaged and remain unchanged. Shared and / or weak passwords are also an issue.

From a cybersecurity perspective, in today’s interconnected world, both factory default accounts and shared accounts represent a huge cybersecurity risk and are unacceptable. Besides cybersecurity concerns, both factory default and shared accounts can make control system management a nightmare for control system owners.

Consider the case in which a power outage occurs as a result of a changed configuration, but it cannot be established which employee actually changed the configuration because a shared account or a factory default account was used to access the system and make the change.

Another possible scenario is connected with a single employee leaving an organization. Since this member of staff knows a password that is shared by several other employees, a huge effort is required to change this shared password in a number of devices and locations, to ensure that the departing employee can no longer access the system. Last but not least, the remaining employees must also be informed of the new password, so that they can continue to carry out their work.

Legacy processes, tools and technologies can make it hard for security managers and system operators to change systems so as to adapt to and defend against new security threats. Security managers need proven standardized technologies and modern tools to move to the next level. Central user account management combined with Role Based Access Control (RBAC) is the perfect solution for managing user accounts and user permissions centrally and efficiently, while still providing a state of the art security solution. It also eliminates the nightmare of having unmanaged user accounts on hundreds of devices.

Technological change has brought both operational benefits and cybersecurity risks

Substation automation, protection and control systems have changed significantly in the past decade. Systems have become more interconnected and provide end users with much more information, resulting in higher reliability, increased levels of control and higher productivity. Interoperability between different vendor products and systems has been achieved by deploying products and solutions based on open standards such as publications from the IEC 61850 series, Communication networks and systems for power utility automation, or IEC 60870-5-104, Telecontrol equipment and systems – Part 5-104: Transmission protocols – Network access for IEC 60870-5-101 using standard transport profiles, and by leveraging proven Ethernet technology.

This change in technology has brought huge benefits from an operational point of view, but it has also exposed utilities to the kind of cybersecurity threats that have been confronting traditional enterprise systems for years. Cybersecurity is an essential component of modern networks, but fragmented access policies across network devices risk exposing critical vulnerabilities.

Careless practices make system access easy

The heterogeneous nature of automation networks has complicated tasks such as revoking staff credentials, or changing default passwords. Factory default accounts often remain unchanged after handover from manufacturer to customer, and may even remain unchanged on devices for their entire lifetime. Such practices and unchanged factory default accounts make it easy for an attacker to access devices rapidly and without needing to possess any special skills or knowledge.

Furthermore, most control and network devices provide logging capabilities to record what users have done, but if all actions are performed under the umbrella of a factory default account, then the logged information and audit trail say nothing about who has really performed which actions.

Setting the stage for a possible solution

Control system owners and managers would probably welcome positive answers to the following questions about the security of their systems:

  • Would you like to manage user accounts easily?
  • Would you like to administer new employees' access and permissions in your company from a central point?
  • Would you like to be able to remove or disable user credentials quickly, from a single central location, when an employee leaves your company?
  • Would you like the changes you make in that central location to take effect immediately on all products from different vendors throughout your organization?
  • Would you like to stop worrying about default user accounts remaining active on unmanaged local devices?

The industry strikes back

Following demands from the North American Electric Reliability Corporation – Critical Infrastructure Protection (NERC-CIP) Standards, and many other cybersecurity requirements, the industry is adopting a common path to the future: IEC TS 62351-8: Power systems management and associated information exchange – Data and communications security – Part 8: Role-based access control. This Technical Specification sets out how vendors should implement and provide RBAC and central user account management to their customer base.

Since IEC TS 62351-8 was published in 2011, users of devices that implement it have been able to authenticate themselves to all devices in all networks across their organization with a unique, user-specific user-id and password. Moreover, users are added or removed centrally, in a single step.

This technology offers not only the central management of user-ids and passwords, but also the management of user permissions by assigning roles to users, depending on their job roles in the organization (RBAC).

Possible solution for a nightmare scenario

Control systems need to be managed to ensure sustainable infrastructures. Managing a system means continually keeping its devices up-to-date.

The management of a cybersecurity policy can become complex; therefore to be efficient, security managers need support from software applications. A Role Based Access Control system is such an application. RBAC allows responsible persons to be able to manage users and their roles consistently from a central point – even for multiple control systems in different locations.

Not everybody needs to be a system administrator. A common sense approach in cybersecurity management is to grant every user the least privilege needed for the job. An RBAC system based on IEC TS 62351-8 enables the person responsible for security in a company to manage users for the entire system and assign roles to those users from one place.

IEC 62351 is a series of technical security International Standards that aims to secure power system-specific communication protocols such as IEC 61850 or IEC 60870-5-104. While most parts of the series have been released, more work is needed before systems compliant with IEC 62351 can be put on the market. IEC TS 62351-8, finalized and published in 2011, defines RBAC for power systems. This is not a new concept; it is in fact part of best practice in many IT systems. The use of RBAC in power systems makes it possible to reduce the number of permissions that have to be assigned to individual users, so that each user has only the permissions needed to perform their duties. This reduces the risk to the power system, because permissions are only assigned where they are actually needed, according to the principle of least privilege. The specification also defines a list of pre-defined roles (e.g., Viewer, Operator, etc.) and of pre-defined rights.
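As an added example (not from the original article or from ABB), the following Python sketch shows the mechanics the preceding paragraphs describe: a central directory that holds users and their roles, devices that ask it for an authorization decision, an audit trail that always names the real user rather than a shared account, and a one-step disable that takes effect on every device at once, which is the departing-employee scenario from the start of the article. The role names follow the TS; the specific rights attached to each role, the right names, the user ids and the device ids are assumptions made for illustration and must be checked against IEC TS 62351-8 itself.

```python
"""Central RBAC directory in the spirit of IEC TS 62351-8 (added example).

Role names follow the TS. The rights attached to each role below are an
ASSUMPTION for illustration only; check them against the specification.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# ASSUMED illustrative mapping of roles to rights (a subset, not the TS table).
ROLE_RIGHTS = {
    "VIEWER":   {"view"},
    "OPERATOR": {"view", "read", "dataset", "reporting", "fileread", "control"},
    "ENGINEER": {"view", "read", "dataset", "reporting", "fileread",
                 "filewrite", "filemngt", "config", "settinggroup"},
    "SECADM":   {"view", "read", "fileread", "filewrite", "security"},
    "SECAUD":   {"view", "fileread", "security"},
}


@dataclass
class Account:
    roles: set
    enabled: bool = True


@dataclass
class CentralDirectory:
    """The one place where users, roles and enable/disable are administered."""
    accounts: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def add_user(self, user_id, *roles):
        unknown = set(roles) - set(ROLE_RIGHTS)
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        self.accounts[user_id] = Account(set(roles))

    def disable_user(self, user_id):
        # A single step: every device consulting this directory now denies the
        # user. No shared password has to be rotated on any device.
        self.accounts[user_id].enabled = False

    def rights_of(self, user_id):
        """Union of the rights of the user's roles; empty if unknown or disabled."""
        acct = self.accounts.get(user_id)
        if acct is None or not acct.enabled:
            return set()
        return set().union(*(ROLE_RIGHTS[r] for r in acct.roles))

    def authorize(self, device_id, user_id, right):
        """Decide one action on one device and record it against the real user id."""
        allowed = right in self.rights_of(user_id)
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "device": device_id,
            "user": user_id,          # never a shared or factory default account
            "right": right,
            "result": "PERMIT" if allowed else "DENY",
        })
        return allowed


def demo():
    """Walk through the departing-employee scenario across three devices."""
    d = CentralDirectory()
    d.add_user("j.doe", "OPERATOR")   # assumed user ids
    d.add_user("a.sec", "SECADM")
    devices = ["IED-Bay01", "IED-Bay02", "RTU-Sub07"]  # assumed device ids

    before = [d.authorize(dev, "j.doe", "control") for dev in devices]
    # Least privilege: the security administrator manages accounts but
    # holds no right to issue a control command.
    sec_control = d.authorize("IED-Bay01", "a.sec", "control")

    d.disable_user("j.doe")  # employee leaves: one change, effective everywhere
    after = [d.authorize(dev, "j.doe", "control") for dev in devices]

    return {
        "before": before,
        "sec_control": sec_control,
        "after": after,
        "audit_users": sorted({e["user"] for e in d.audit}),
        "denied_entries": sum(e["result"] == "DENY" for e in d.audit),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of routing every decision through `authorize` is that the device never stores a local copy of who is allowed to do what: disabling the account in the directory is enough, and the denied attempts after the disable still appear in the audit trail under the departed user's own id.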

Adhering to International Standards as closely as possible

To ensure high quality and dependable cybersecurity functionality in heterogeneous installations, it is fundamental to adhere to International Standards as far as possible. A high level of cybersecurity can only be achieved by deploying and using reviewed, approved and standardized technologies and methods, especially when installing devices from different vendors. Utilities not following such a wise path can find themselves locked in to a single supplier offering proprietary solutions.

Cybersecurity cannot be optimized without knowing everything that is going on in the system. Security related events, like access and other user activities in different system components, need to be monitored to identify potential attacks and to optimize protection. Central user activity logs collect cybersecurity related events from the system devices and make the information available to responsible personnel. An efficient and user-friendly approach, such as automatic recognition of event patterns, is a key feature of such monitoring applications.
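To make the log-monitoring point concrete, here is an added example (not the article's or ABB's code) that runs three simple pattern rules over a central user-activity log: a burst of failed authentications from one source, a successful login immediately after such a burst, and an action performed under a factory default account, which is exactly the case where the audit trail cannot name a person. The key=value log format, the sample lines, the list of default account names and the thresholds are constructed assumptions, not any vendor's real format or defaults.

```python
"""Pattern recognition over a central user-activity log (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an ASSUMED key=value style; not a real device format.
SAMPLE_LOG = """\
2016-06-14T10:02:11Z device=IED-Bay03 user=admin src=10.1.2.5 event=AUTH result=FAIL
2016-06-14T10:02:14Z device=IED-Bay03 user=admin src=10.1.2.5 event=AUTH result=FAIL
2016-06-14T10:02:19Z device=IED-Bay03 user=admin src=10.1.2.5 event=AUTH result=FAIL
2016-06-14T10:02:25Z device=IED-Bay03 user=admin src=10.1.2.5 event=AUTH result=OK
2016-06-14T10:03:40Z device=IED-Bay03 user=admin src=10.1.2.5 event=CONTROL result=OK
2016-06-14T10:10:02Z device=RTU-Sub07 user=j.doe src=10.1.9.20 event=AUTH result=OK
2016-06-14T10:10:30Z device=RTU-Sub07 user=j.doe src=10.1.9.20 event=CONTROL result=OK
2016-06-14T11:00:00Z device=IED-Bay01 user=m.lee src=10.1.9.21 event=AUTH result=FAIL
2016-06-14T11:30:00Z device=IED-Bay01 user=m.lee src=10.1.9.21 event=AUTH result=FAIL
"""

DEFAULT_ACCOUNTS = {"admin", "root", "service", "guest"}  # ASSUMED vendor defaults
FAIL_THRESHOLD = 3                       # failed logins that make a burst
FAIL_WINDOW = timedelta(seconds=60)      # within this sliding window

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Return a dict of fields with a parsed timestamp, or None for junk lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = dict(pair.split("=", 1) for pair in m.group("kv").split() if "=" in pair)
    rec["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return rec


def analyse(log_text):
    """Run the three rules and return alerts in the order they fire."""
    alerts = []
    fails = defaultdict(list)  # (device, src) -> timestamps of recent failed logins
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        user, dev, src = rec["user"], rec["device"], rec["src"]
        key = (dev, src)

        # Rule 1: an action (not the login itself) under a factory default
        # account; the audit trail cannot say which person did this.
        if user in DEFAULT_ACCOUNTS and rec["event"] != "AUTH" and rec["result"] == "OK":
            alerts.append(("DEFAULT_ACCOUNT", dev, user, rec["event"]))

        # Rule 2: burst of failed authentications from one source on one device.
        if rec["event"] == "AUTH" and rec["result"] == "FAIL":
            fails[key].append(rec["ts"])
            fails[key] = [t for t in fails[key] if rec["ts"] - t <= FAIL_WINDOW]
            if len(fails[key]) == FAIL_THRESHOLD:
                alerts.append(("AUTH_BURST", dev, user, src))

        # Rule 3: a success right after a burst suggests a guessed credential.
        if rec["event"] == "AUTH" and rec["result"] == "OK":
            recent = [t for t in fails[key] if rec["ts"] - t <= FAIL_WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append(("SUCCESS_AFTER_BURST", dev, user, src))
            fails[key].clear()
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

The two failures by `m.lee` half an hour apart stay below the threshold and produce nothing, while the `admin` sequence triggers all three rules; the last alert is the one the article's argument turns on, since a control action logged under a default account names a device and a time but no person.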

State of the art cybersecurity products based on International Standards such as IEC TS 62351-8 enable efficient RBAC management of user accounts in multi-vendor control systems. They provide utilities with real-time visibility of the security-relevant user activity within their systems.

Proprietary cybersecurity implementations should be avoided for seamless integration of multi-vendor control systems. The adoption of interoperable solutions that accord to IEC TS 62351-8 makes performing these tasks much easier.

About the authors

Frank Hohlbaum – Security Manager Grid Automation, ABB Switzerland Ltd.

Frank is globally responsible for all aspects of cybersecurity within ABB’s Power System Substations and drives the security activities in this business unit. He is an active member of the Power System Security Council and represents the business unit Power System Substations. Frank Hohlbaum joined ABB in 1996 and has 20 years’ experience in substation automation. Frank is a Member of IEC Technical Committee (TC) 57/Working Group (WG) 3: Telecontrol protocols.

Bart de Wijs – Head of Cybersecurity for ABB's Power Grids Division.

Bart represents this division in the ABB Group Cybersecurity Council, which is a cross-disciplinary team staffed with resources from various corporate functions. Additionally, he is a member of the ABB Cybersecurity Response Team, handling vulnerabilities and incidents. Within the division he leads a team of cybersecurity specialists dealing with the different aspects of all the security-related concerns that could affect ABB customers. He is a member of various cybersecurity expert groups. Between 2007 and 2010 Bart was responsible for cybersecurity in ABB’s Power Generation business unit.

Fernando Alvarez – Cybersecurity Technical Product Manager, ABB Switzerland Ltd.

Fernando is responsible for supporting the development of different cybersecurity technologies in ABB products and for managing and tracking ABB’s cybersecurity intellectual property. He is also an active member of IEC TC57/WG15: Data and communication security, the IEC group working on the IEC 62351 series of International Standards for power systems management and associated information exchange. Previously Fernando worked on securing the internal IT infrastructure of banks and on securing military communications.


ANSI standardization work

ANSI promotes the development of American National Standards (ANS) through its accreditation programme for standards developing organizations (SDOs), which work cooperatively to develop voluntary national consensus standards.

ANSI accreditation signifies that the procedures used by SDOs participating in the development of American National Standards meet ANSI's essential requirements for openness, balance, consensus and due process.

ANSI is frequently asked about the total number of standards (and standards developers) in the United States. It is estimated that there are currently hundreds of "traditional" SDOs in the US, with 90% of standards developed by the 20 largest SDOs, and hundreds more "non-traditional" standards developing bodies such as consortia. Participation in standards development in the US is thus high, because the experts on the committees within these organizations bring their own expertise to bear on the technical requirements of the standards.

As of 2015, ANSI had accredited more than 240 standards developers, which had produced more than 11,000 American National Standards (ANS).

According to NIST Special Publication 806, Standards Activities of Organizations in the United States (published 1996, by Robert B. Toth), more than 93,000 standards had been developed in the US, and nearly 700 [1] organizations counted standards development among their activities. Of these, the federal government was the largest developer and user of standards (developing and using more than 44,000), while the US private sector accounted for about 49,000 standards in total.

However, with the enactment of the National Technology Transfer and Advancement Act of 1995 (NTTAA) (Public Law 104-113), federal agencies have been encouraged to use voluntary consensus standards wherever feasible and to participate appropriately in voluntary consensus standards development. Standards approved as American National Standards satisfy all the requirements of the NTTAA.

The ANS process stands up to scrutiny and protects the interests of all participants. In essence, ANS accelerate market acceptance of products while clarifying how to improve the safety of those products for the protection of consumers.

The ANS process is characterized by:

  • consensus on a proposed standard by a group or "consensus body" made up of representatives of the interested parties;
  • broad-based public review of draft standards;
  • consideration of, and response to, comments submitted by voting members of the consensus body and by public review commenters;
  • incorporation of approved changes into the draft standard;
  • the right of any participant to appeal if they believe the standards development process did not comply with ANSI's due process principles for standards development.

In summary, to maintain ANSI accreditation, standards developers are required at all times to follow a set of requirements or procedures governing the consensus standards development process. These requirements are set out in the document ANSI Essential Requirements: Due process requirements for American National Standards, and are further explained in a series of guidance documents. These guidance documents are detailed and help ANSI-accredited standards developers and participants understand the ANS development process and its implications.

Due process is the key to ensuring that ANS are developed in an environment that is fair, accessible and responsive to the requirements of all stakeholders. The ANS and the process for developing them are founded on openness and impartiality, so that all materially affected parties have the opportunity to participate. At the same time, accredited standards developers must comply with ANSI's Essential Requirements and other due process safeguards, so that the public interest is also properly protected.

[1] Figures are as of 1996; newer statistics are not available. For a list of US standards developers, search the available directory of standards developers on the National Standards System Network (NSSN): A National Resource for Global Standards, on the ANSI website.


ANSI members support Children's Eye Health and Safety Month with standards

Every August is Children's Eye Health and Safety Month in the United States, a time when close attention is paid to anything that could threaten children's eye health. ANSI is proud to actively support children's eye health and safety activities by drawing on the eye health standards developed by its members.

Did you know? Nearly 25 out of every 100 school-age children have an eye health problem. Regular eye examinations are the first step towards protecting eyesight: they can rule out potential eye problems such as colour blindness, eye infections and poor vision, and poor vision can in turn lead to headaches, amblyopia and other health problems.

For people with poor vision, ISO has published ISO 14534:2011, Ophthalmic optics – Contact lenses and contact lens care products – Fundamental requirements. The standard sets out safety and performance requirements for contact lenses, contact lens care products and other accessories. Contact lenses are standardized because they are now very popular as a common alternative to spectacles. The standard was developed by ISO/TC 172/SC 7, Ophthalmic optics and instruments, together with the U.S. Electro-Optical Standards Council, the ANSI-accredited administrator of the U.S. Technical Advisory Group (TAG).

Not everyone needs spectacles or contact lenses, but with more than a month of hot summer still to come, protective sunglasses matter to everyone. ANSI Z80.3, Ophthalmics – Nonprescription Sunglass and Fashion Eyewear Requirements, applies to all nonprescription sunglasses and fashion eyewear, which people usually wear for leisure, as part of an outfit or for recreation. This national standard for eyewear products was developed by the ANSI-accredited Z80 standards committee, for which the U.S. Vision Council serves as secretariat.

While summer eye protection helps avoid long-term eye health problems, standards-backed protective eyewear can also protect children's eyes in the situations they return to when school starts, such as high-intensity sport. ASTM F803-1, Standard Specification for Eye Protectors for Selected Sports, was developed by ASTM International, an ANSI member and accredited organization. The specification covers various types of eye protectors that greatly reduce injury to the eyes from the surrounding environment.

In addition, Prevent Blindness (US) provides parents with information on infant vision development and on what to know about children's vision as they grow and learn.


DIN launches innovation funding programme

Innovative ideas can be submitted up to 31 October 2016

DIN and DKE (German Association for Electrical, Electronic & Information Technologies in DIN and VDE) have launched a new funding programme for supporting innovative ideas through standardization called "DIN Connect". The programme will promote R&D in innovative areas and will make it easier to bring results to the market. Standards create trust and market acceptance, which innovations need in order to be successful. With their extensive international contacts and mature infrastructures, DIN and DKE can provide access to global networks of potential customers and partners. Start-ups, established companies, research organizations and academic institutions are invited to submit their ideas.

Projects will last one to two years and will be funded with up to € 35,000 per year for the project management. The objective is to draw up one or more DIN SPECs and/or VDE Application Guides, or other preliminary standardization work results.

Ideas should be submitted by 31 October 2016. Projects will be selected based on their degree of innovation, the benefits for German industry and relevance for standardization. After the submitted project has been reviewed internally by DIN, the applicants with the best ideas will be invited in November to make a full application for funding. The winners will be announced in December and the projects can be initiated at the start of 2017.


IT security "Made in Europe"

2016 KITS Conference

"Cybersecurity is the foundation upon which digitalization is being built" said Kerstin Jorna, Director of the European Commission's Single Market Policy, Regulation and Implementation, DG GROWTH, at the third Conference held by DIN's IT Security Coordination Office (KITS) on 30 June 2016 in Berlin.

The motto of the conference was "Make digitalization more secure!". This year's KITS conference was again a resounding success, with over 70 participants from industry, politics and research. Lectures and panels covered various aspects of IT security. The participants pointed out that because this topic is so complex, special efforts will have to be taken to achieve the necessary transparency on the market. Labels and certificates based on standards and specifications can help, and an "IT Security – Made in Europe" branding can help set the right tone.

But everyone agreed on one thing:  IT security can only be achieved with the help of all economic players, including professional users and consumers. This requires consensus-based standards and the assistance of cross-sectoral organizations such as DIN's IT Security Coordination Office (KITS).

Other topics addressed at the conference include the fragmentation of the European security market and new European funding programmes. It was stressed that it must be possible to measure IT security on the basis of concrete protection profiles. But there is currently no basis for such profiles, and thus standards are desperately needed. Also, the concept of "IT security by design" needs to be implemented more effectively to achieve a thorough, interoperable IT security. Experts agreed that there is a great need for competent specialists, and they discussed the challenges of including IT security in training and education. The conference was made possible by contributions from CISCO, itWatch GmbH and Siemens.

Experts are looking forward to next year's conference, which should be just as successful as this year's. Information on the 2017 KITS Conference and impressions of past conferences can be found at www.kits-konferenz.de.


European Commission – Press release

Commission signs agreement with industry on cybersecurity and steps up efforts to tackle cyber-threats

Brussels, 5 July 2016

The Commission today launches a new public-private partnership on cybersecurity that is expected to trigger €1.8 billion of investment by 2020. This is part of a series of new initiatives to better equip Europe against cyber-attacks and to strengthen the competitiveness of its cybersecurity sector.

According to a recent survey, at least 80% of European companies have experienced at least one cybersecurity incident over the last year, and the number of security incidents across all industries worldwide rose by 38% in 2015. This damages European companies, whether they are big or small, and threatens to undermine trust in the digital economy. As part of its Digital Single Market strategy the Commission wants to reinforce cooperation across borders, and between all actors and sectors active in cybersecurity, and to help develop innovative and secure technologies, products and services throughout the EU.

Andrus Ansip, Vice-President for the Digital Single Market, said: "Without trust and security, there can be no Digital Single Market. Europe has to be ready to tackle cyber-threats that are increasingly sophisticated and do not recognise borders. Today, we are proposing concrete measures to strengthen Europe's resilience against such attacks and secure the capacity needed for building and expanding our digital economy."

Günther H. Oettinger, Commissioner for the Digital Economy and Society, said: "Europe needs high quality, affordable and interoperable cybersecurity products and services. There is a major opportunity for our cybersecurity industry to compete in a fast-growing global market. We call on Member States and all cybersecurity bodies to strengthen cooperation and pool their knowledge, information and expertise to increase Europe's cyber resilience. The milestone partnership on cybersecurity signed today with the industry is a major step."

Today's action plan includes the launch of the first European public private partnership on cybersecurity. The EU will invest €450 million in this partnership, under its research and innovation programme Horizon 2020. Cybersecurity market players, represented by the European Cyber Security Organisation (ECSO), are expected to invest three times more. This partnership will also include members from national, regional and local public administrations, research centres and academia. The aim of the partnership is to foster cooperation at early stages of the research and innovation process and to build cybersecurity solutions for various sectors, such as energy, health, transport and finance. Commissioner Oettinger today signs the partnership with the ECSO in Strasbourg (photos and videos to be available at around 12.00 CET).

The Commission also sets out different measures to tackle the fragmentation of the EU cybersecurity market. Currently an ICT company might need to undergo different certification processes to sell its products and services in several Member States. The Commission will therefore look into a possible European certification framework for ICT security products.

A myriad of innovative European SMEs have emerged in niche markets (e.g. cryptography) and in well-established markets with new business models (e.g. antivirus software), but they are often unable to scale up their operations. The Commission wants to ease access to finance for smaller businesses working in the field of cybersecurity and will explore different options under the EU investment plan.

The Network and Information Security Directive, which is expected to be adopted by the European Parliament tomorrow, already creates a network of Computer Security Incident Response Teams across the EU in order to rapidly react to cyber threats and incidents. It also establishes a 'Cooperation Group' between Member States, to support and facilitate strategic cooperation as well as the exchange of information, and to develop trust and confidence. The Commission today calls on Member States to make the most of these new mechanisms and to strengthen coordination when and where possible. The Commission will propose how to enhance cross-border cooperation in case of a major cyber-incident. Given the speed with which the cybersecurity landscape is evolving, the Commission will also bring forward its evaluation of the European Union Agency for Network and Information Security (ENISA). This evaluation will assess whether ENISA's mandate and capabilities remain adequate to achieve its mission of supporting EU Member States in boosting their own cyber resilience. The Commission also examines how to strengthen and streamline cybersecurity cooperation across different sectors of the economy, including in cybersecurity training and education.

Background

Today's action plan finds its main roots in the 2015 Digital Single Market strategy, the 2013 EU Cybersecurity strategy and the forthcoming Network and Information Security (NIS) Directive. It builds on the recent Communications on Delivering the European Agenda on Security and Countering Hybrid Threats.
