Secure and resilient ICT infrastructures


Security and Resilience of ICT
Infrastructures and Networks
An EU Perspective
14 Mar, 2008 – GMU Arlington
Jacques Bus, Head of Unit
DG Information Society and Media
Content
• Policy activities
• R&D activities
• Future challenges
• International cooperation
Network and information security:
The European Policy Context
• Strategy for a Secure Information Society [COM(2006)251]
• Policy initiatives on:
  – fighting against spam, spyware and malware [COM(2006)688]
  – promoting data protection by PET [COM(2007)228]
  – fighting against cyber crime [COM(2007)267]
• Proposed package to reform the Regulatory Framework for e-communications [COM(2007)697, COM(2007)698, COM(2007)699]
• European Network and Information Security Agency (ENISA), established in 2004
• A policy initiative on CIIP is announced for 2008 [COM(2007)640]
Towards a secure Information Society
A structured and multi-stakeholder approach built on three pillars:
• DIALOGUE: open & inclusive multi-stakeholder debate
• PARTNERSHIP: greater awareness & better understanding of the challenges
• EMPOWERMENT: commitment to responsibilities of all actors involved
Empowerment:
invitation to private sector to
• Develop a definition of responsibilities for software producers and Internet service providers for the provision of adequate and auditable levels of security. This needs support for standardised processes meeting commonly agreed security standards and best practice rules.
• Promote diversity, openness, interoperability, usability and competition as key drivers for security; stimulate deployment of security-enhancing products, processes and services to prevent and fight ID theft and other privacy-intrusive attacks.
• Disseminate good security practices for network operators, service providers and SMEs as baseline levels for security and business continuity.
Empowerment:
invitation to private sector to
• Promote training programmes in business, in particular for SMEs, to provide employees with the knowledge and skills for effective implementation of security practices.
• Affordable security certification schemes for products, processes and services that will address EU-specific needs (in particular with respect to privacy).
• Involve the insurance sector in developing appropriate risk management tools and methods to tackle ICT-related risks and foster a culture of risk management in organisations and business (in particular in SMEs).
EMPOWERMENT:
NIS in the new EC Telecom package
• Security and integrity
  – Current framework (Art 23 Universal Service Directive)
    • telephone network / fixed location
  – New proposal (Art 13 Framework Directive)
    • level of security appropriate to risks
    • prevent or minimise impact of security incidents on users and interconnected networks
    • focus on continuity of supply of services
• Responsibilities of operators
  – stronger obligations to ensure security and integrity (Art 13 Framework Directive)
  – Mandatory breach notification
    • to NRA (Art 13 FWD): significant impact on operation
    • to consumers and NRA (Art 4 e-Privacy Directive): personal data compromised
Dialogue & Partnership:
EC 2008 Policy initiative on CIIP
• Objectives
  – Enhance the level of Critical Information Infrastructure Protection (CIIP) preparedness and response across the EU
  – Ensure that adequate and consistent levels of preventive, detection, emergency and recovery measures are put in operation
• Approach
  – Build on national and private sector initiatives
  – Engage relevant public and private stakeholders
  – Adopt an all-hazards approach
  – Strengthen the synergies between 1st and 3rd pillar measures
Dialogue & Partnership:
Challenges for CIIP
• Organisational: build trusted relationships and engage the stakeholders at the EU level
• Policy orientations: achieve a better understanding and clarity on the guiding policy principles
• Issues:
  – National vs. European information infrastructures (criteria);
  – long-term Internet stability & resilience;
  – preventive, detection/early warning & responsive measures;
  – recovery and continuity strategies;
  – sharing knowledge and good practices;
  – cross-sector proactive information assurance methods;
  – risk management culture and tools;
  – inter-dependencies, in particular across heterogeneous infrastructures;
  – etc.
European Programme for Critical Infrastructure Protection (EPCIP)
EPCIP Policy
• 2004: EU program on CIP (EPCIP) and CI Warning Info Network (CIWIN)
• 2006: Communication and Directive on EPCIP – sectoral approach
• 2007: Communication on Protecting Europe's Critical Energy and Transport Infrastructure
• 2007: INFSO consultation process for policy initiative in ICT CIIP sector; ARECI study on Electronic Infrastructures
CIP Research
• FP7 ICT-SEC (Nov 2007): ICT-Security Research Joint Call on Critical Infrastructure Protection
Research Activities in NIS 2003-2008
• ICT Programme – Trust and Security
  – FP6 2002-2006
  – FP7 2007-2013
• European Security
  – Preparatory Action for Security Research (2004-2006)
  – FP7 2007-2013
FP6: Towards a global dependability & security Framework (2003-2006)
Research Focus:
• security and dependability challenges arising from complexity, ubiquity and autonomy
• resilience, self-healing, mobility, dynamic content and volatile environments
• multi-modal and secure application of biometrics
• identification, authentication, privacy, Trusted Computing, digital asset management
• trust in the net: malware, viruses, cyber crime
Budget ~ 145 M€
FP6: Secure and resilient ICT infrastructures
~45M€ EU funding
Projects: SEINIT, DESEREC, SERENITY, IRRIIS, RESIST, UBISEC&SENSE, HIDENETS, CRUTIAL, MEDSI, (FP6) SECURIST, CI2RCO, GRID
• Research priorities
  – secure and resilient network architectures and technologies
  – secure transmission of data and services across heterogeneous infrastructures
  – secure, resilient and always available Critical Information Infrastructures
  – risk assessment and management of interconnected and interdependent Critical Infrastructures
FP6 - Building Trust in the Internet and Protection against Emerging Threats
TRUST projects: ANTIPHISH, FASTMATCH, MDS, PEPERS, S3MS, ESFORS
BIOMETRICS projects: 3DFACE, BIOSEC, BIOSECURE, MTIT, Humabio, Digital Passport, SecurePhone, eJustice
EU funding: ~10M€ and ~25M€ for the two project groups
• Research priorities
  – Security and trust in dynamic and reconfigurable service architectures with managed operation across several administrative or business domains;
  – real time detection and recovery capabilities against intrusions, malfunctions and failures;
  – Biometric identification for lifelong secure access to data and services without compromising trust and privacy
7th EU Framework Programme for RTD 2007-2013
Total 50,521 M€
FP7 Cooperation Programme: 32,413 M€
The 10 Themes (budget in M€, share of the Cooperation Programme):
Theme              M€     Share
ICT                9050   28%
Health             6100   19%
Transport          4160   13%
NMT                3475   11%
Energy             2350    7%
Food, …            1935    6%
Environment        1890    6%
Space              1430    4%
Security           1400    4%
Socio-economics     623    2%
Strengthening Competitiveness through Co-operation
Security and Trust in FP7 - ICT WP 2007-08
110 M€
Areas and funding:
• Security in network infrastructures: 4 projects, 11 m€
• Dynamic, reconfigurable service architectures (security in service infrastructures): 4 projects, 18 m€
• Critical Infrastructure Protection: 20 m€
• Enabling technologies for trustworthy infrastructures (biometrics, trusted computing, cryptography, secure SW): 6 projects, 22 m€
• Coordination Actions (research roadmaps, metrics and benchmarks, international cooperation, coordination activities): 4 projects, 3.3 m€
• Other areas shown on the slide (identity management, privacy, trust policies; dynamic, reconfigurable infrastructures): 2 projects (5.8 m€), 1 project (9.4 m€), 3 projects (20.5 m€)
Security in network infrastructures:
4 projects, 11 m€ EC funding
Main R&D project priorities
• An integrated security framework and tools for the security and resilience of heterogeneous networks (INTERSECTION)
• A networking protocol stack for security and resilience across ad-hoc PANs & WSNs (Awissenet)
• A message-oriented MW platform for increasing resilience of information systems (GEMOM)
• Data gathering and analysis for understanding and preventing cyber threats (WOMBAT)
Security in service infrastructures:
4 projects, 18 m€ EC funding
Personalised Services
Main R&D project priorities
• Assuring the security level and regulatory compliance of SOAs handling business processes (IP MASTER)
• Platform for formal specification and automated validation of trust and security of SOAs (AVANTSSAR)
• Data-centric information protection framework based on data-sharing agreements (Consequence)
• Crypto techniques in the computing of optimised multi-party supply chains without revealing individual confidential private data to the other parties (SECURE-SCM)
Security enabling Technologies
6 projects, 22 m€ EC funding
Main R&D project priorities
• Trusted Computing – IP TECOM
  – trusted embedded systems: HW platforms with integrated trust components
• Cryptography – NoE eCrypt II
• Multi-modal Biometrics
  – multi-biometric authentication (based on face and voice) for mobile devices (MOBIO)
  – activity related and soft biometrics technologies for supporting continuous authentication and monitoring of users in ambient environments (ACTIBIO)
• Secure SW implementation
  – providing SW developers with the means to prevent occurrences of known vulnerabilities when building software (SHIELDS)
  – A toolbox for cryptographic software engineering (CACE)
European security research Programme
Timeline (2003-2013):
• 2003-2004: national programmes
• March 2004: GoP report "Research for a secure Europe"
• Sept 2004: "European Security Research: The Next Steps"
• 2004-2006: PASR (Preparatory Action for Security Research), 45 M€
• 2005-2006: ESRAB; ESRAB report "Meeting the challenge: the European Security Research Agenda" (Oct 2006)
• Sept 2007: "Fostering Public-Private Dialogue in Security Research and Innovation"
• 2007-2009: ESRIF
• 2007-2013: FP7 Security Theme, 1400 M€
PASR Preparatory Action for Security Research 2004 - 2006
• Outside FP6
• An overall budget of € 45M
• 3 calls: 15 M€ budget each and ~15x over-subscribed
• Participants from EU25 + EEA (2005 & 2006)
Results (funded in brackets):
                        2004       2005       2006
Projects                123 (7)    120 (8)    121 (8)
Supporting activities    50 (5)     36 (5)     44 (7)
Total                   173 (12)   156 (13)   165 (15)
Security Research themes in FP7 2007 – 2013
• 4 Security missions / activities
  1. Security of citizens
  2. Security of infrastructure and utilities
  3. Intelligent surveillance and border security
  4. Restoring security and safety in case of crisis
• 3 Cross cutting activities
  5. Security systems integration, interconnectivity and interoperability
  6. Security and Society
  7. Security Research coordination and structuring
Challenges for RTD for a Trustworthy Information Society
• Technology
  – Cyber-threats, cyber-crime
  – The future of the Internet
  – Critical (Information) Infrastructures
  – Complex ICT Systems and Services
• Users
  – Trust
  – Privacy and Human Values
  – Empowerment
Complexity and interdependencies
• The future Internet as a large collection of heterogeneous networks; Internet of things
• "The Internet is broken"
• Critical infrastructures being interdependent and controlled through vulnerable networks
• Service architectures and infrastructures need security and trust designed-in
Data Collection and its dangers
• for business, to provide personalized innovative applications and services
• for citizens, to better communicate and interact, improve the quality of their life
• for governments, to service citizens and business (e-government, e-education or e-health)
• for governments again, to provide public security (protection against crime or terrorism, border-control, protection of critical infrastructures, etc.)
What about: security, proportionality, user-centricity
International Cooperation
Ongoing activities
• S&T Agreement between NSF and EU FP-RTD; within this framework we organised jointly:
  – Seminar Dublin (Nov 2006)
  – Seminar Illinois (Apr 2007)
  – Coordination Action INCO-Trust
• Ongoing discussions with US-DHS and EU Security and ICT programmes
• Cooperation between EU initiative on Future Internet and GENI/FIND (US), AKARI (JP)
• The Trans-Atlantic Business Dialogue exists, as well as the EU-US dialogue on Security and on the Information Society, as frameworks for decisions on joint actions.
International Cooperation
Why, What
WHY
• Activities intrinsically cross border
• Attackers leverage the power of laundering traffic internationally
• Internet facilitates international "underground economy"
• Nation-state cyberwarfare?
WHAT
• International coordination
• Sharing information via distributed sensors
• Cooperation in research for common goal
International Cooperation
Mutual Interest; Proposal
US side
• NSTAC international R&D exchange
• Fed Interagency Committee Cyber R&D Plan
• GMU International Cyber Centre
EU side
• EU policy actions: Secure Information Society, EPCIP (see above)
• EU research programmes (see above)
• ENISA, and new Telecom package proposal
Proposal: an International Forum on Network and Information Security where policy makers from US and EU administrations would yearly meet high level research managers to discuss issues of common interest?
• Within the international context (OECD, ITU, WSIS, ...)
• With a first meeting in Dec 2008 in the EU?