atw 2018-12

More documents

Recommendations

Info

atw Vol. 63 (2018) | Issue 11/12 ı November/December ENERGY POLICY, ECONOMY AND LAW 582 Sanctions: There are three criminal for the operators of essential services: • Directors that do not comply with the security rules, even after the timeline specified in a formal demand issued by the ANSSI shall be punishable with a fine of €100,000; • Directors that do not comply with their reporting obligation in case of an incident shall be punishable with a fine of €75,000; • Directors that obstruct an investigation shall be punishable with a fine of €125,000. NIS Implementation in Sweden The NIS Directive is transposed. Implementation acts are: Act (2018:000) “Information security for certain operators of essential services and digital service providers” Ordinance (2018:000) “Information security for certain operators of essential services and digital service providers” The national strategy on the security of network an information security is available on: https://www.government.se/ legal-documents/2017/11/ skr.-201617213/ Single point of contact is: Swedish Civil Contingencies Agency (MSB) 651 81 Karlstad E-Mail: spoc.nis@msb.se National Computer Security Incident Response Team (CSIRT) is: MSB/CERT-SE E-Mail: cert@cert.se Phone: +46 867 857 99 According tot he Swedish NIS Directive law the following sectors are identified as essential services: • Energy, • Transportation, • Banking, • Financial market infrastructure, • Health care, • Water management and digital infrastructure. Operators of essential services must immediately report significant disruptions to MSBT. The reporting obligation must not have a negative effect on correcting the disruption. Specifications on what defines a significant disruption are announced in an ordinance/government agency regulation. MSB established detailed assessment material to assist operators of essential services in deciding whether the directive is applicable to their service. MSB presented a catalogue of the identified criteria through a regulation. Operators of essential services are without delay obliged to report to the supervisory authority. Relevant regulatory authorities are: • Energy sector: Swedish Energy Agency • Transportation sector: Swedish Transport Agency • Banking: Swedish Financial Supervisory Authority • Finance: Swedish Financial Supervisory Authority • Health care: Swedish Health and Social Care Inspectorate • Distribution of Drinking water: The National Food Agency • Digital infrastructure: Swedish Post and Telecom Authority • Digital services: Swedish Post and Telecom Authority Reporting obligations: Operators of essential services must immediately report significant disruptions to the Swedish Civil Contingencies Agency. Sanctions: If the relevant authority finds that the supplier does not comply with the act or ordinance they can instruct the supplier to take actions. The request can be combined with a penalty fine. The MSB shall decide on administrative fines from 5,000 SEK up to 10,000,000 SEK for not complying with the security requirements or incident notification. NIS Implementation in the United Kingdom The NIS Directive is transposed. The implementation of the EU Security of Networks and Information Systems (NIS) Directive in May 2018 requires Competent Authorities (CAs) to have the ability to assess the cyber security of Operators of Essential Services (OES). In support of the UK NIS Directive implementation, the NCSC is committed to working with lead government departments, regulators and industry to develop a systematic method of assessing the extent to which an organisation is adequately managing cyber security risks in relation to the delivery of essential services. This assessment method, otherwise known as the Cyber Assessment Framework (CAF), is intended to meet both NIS Directive requirements and wider CNI needs. The implementation of the EU Security of Networks and Information Systems (NIS) Directive in May 2018 requires Competent Authorities (CAs) to have the ability to assess the cyber security of Operators of Essential Services (OES). In support of the UK NIS Directive implementation, the NCSC is committed to working with lead government departments, regulators and industry to develop a systematic method of assessing the extent to which an organisation is adequately managing cyber security risks in relation to the delivery of essential services. You find indicators of good practice for four different objectives: Objective A A.1. Governance A.2. Risk Management A.3. Asset Management Source: https://www.ncsc.gov.uk/ guidance/caf-objective-a Objective B B.1. Service Protection Policies and Processes B.2. Identity and Access Control B.3. Data Security B.4. System Security B.5. Resilient Networks and Systems B.6. Staff Awareness and Training Source: https://www.ncsc.gov.uk/ guidance/caf-objective-b Objective C C.1. Security Monitoring C.2. Proactive Securit Event Discovery Source: https://www.ncsc.gov.uk/ guidance/caf-objective-c Objective D D.1. Resource and Recovery Planning D.2. Lessons Learned Source: https://www.ncsc.gov.uk/ guidance/caf-objective-d The national strategy on the security of network an information security is available on: https://www.gov.uk/government/ publications/national-cyber-securitystrategy-2016-to-2021 Single Point of contact is: National Cyber Security Centre (NCSC) E-Mail: UKSPOC@ncsc.gov.uk Phone: +44 300 020 0973 National Computer Security Incident Response Team (CSIRT) is as well the National Cyber Security Centre (NCSC) In the UK unfortunately we find a lot of different national competent authorities for OES (=Operators of Essential Services): ENERGY – Electricity / Gas England, Scotland and Wales: Department for Business, Energy & Industrial Strategy, / the Office of Gas and Electricity Markets E-Mail: nis.energy@beis.gov.uk Phone: +44 20 7901 7000 Northern Ireland: Department of Finance Northern Ireland E-Mail: nis.ca@finance-ni.gov.uk ENERGY – Oil England, Scotland and Wales: Energy Policy, Economy and Law Development on NIS Directive in Different EU Countries in the Energy Sector ı Stefan Loubichi
atw Vol. 63 (2018) | Issue 11/12 ı November/December Department for Business, Energy & Industrial Strategy, / Health & Safety Executive E-Mail: nis.cyber.incident@hse.gov.uk Department of Finance Northern Ireland E-Mail: nis.ca@finance-ni.gov.uk By 6 November 2018 the Department for Business, Energy and Industrial Strategy gave the following implementation update; For the energy sector in England, Wales and Scotland, BEIS shares Competent Authority responsibilities with Ofgem and HSE. In downstream gas and electricity sector Ofgem delivers the compliance functions under a Memorandum of Understanding with BEIS. In the oil and upstream gas sector the compliance functions will be carried out by HSE under an Agency Agreement with BEIS. Both HSE and Ofgem have been engaging closely with NCSC, the BEIS NIS regulatory policy function, and with industry in order to develop further sector specific guidance. This guidance will tailor the CAF to the needs of energy sub sectors and will provide further information about the steps that Operators of Essential Services (OES) should take in order to identify their levels of cyber security, commence the improvement journey to address and manage cyber security risks, and be compliant with the NIS regulations. According to the view of the Department for Business, Energy & Industrial Strategy operators will need time to adjust to the new framework. They expect operators to undertake a robust but realistic CAF self- assessment supported by evidence. In the first year, they do not expect to take enforcement action on the basis of the operator’s CAF self-assessment and recognise development and improvement will likely be needed, having taken a risk-based approach. Key dates fort he future would be as follows: • 31 October 2018: CAF version 2 was published on NCSC website • End November 2018: publication of HSE operational guidance for the oil sector • End November 2018: publication of Ofgem Cyber Security Practices guidance for the electricity and gas sector, to be available on Ofgem website. • November 2018: DCMS returns notification of number of OES in scope of the regulations to the European Commission and BEIS provides a list of OES to GCHQ. • Late November / mid-December 2018: sub-sector events to be held with OES. HSE will launch its operational guidance and provide surgeries to launch the sub-sector CAF self-assessments on 21 November. Ofgem will focus on sub-sector workshops between 10-11 December. Invitations will be issued to OES. • From Q2 2019 or potentially earlier depending on the CA: Competent Authorities will review the selfassessment evidence and improvement plans; and establish a rolling programme of inspections or thirdparty assessments/validations of OES own self-assessments. Please refer to detailed guidance from Ofgem or HSE for further details on how and when you should return your self-assessment. Sanctions: Financial penalties will only be levelled as a last resort where it is assessed appropriate risk mitigation measures were not in place without good reason. In addition, the maximum penalties should be reserved for the most severe cases, and it is expected that mitigating factors (including steps taken to comply with the NIS Directive, actions taken to remedy any consequences) and sector specific factors will be taken into account by the competent authority when deciding appropriate regulatory response. In the event of any enforcement action by the competent authority, it will notify the operator of impending action, allow the operator an opportunity to make representations, and confirm the final decision and reasoning of the competent authority. NIS Implementation in the Netherlands The status of transposition is: In progress Implementation act is the Security Network- and Information Systems Act, 29 May 2018 The national strategy on the security of network an information security is available on: https://www. nctv.nl/ncsa/index.aspx Single point of contact is: National Cyber Security Centre (NCSC) E-Mail: info@ncsc.nl According to https://ec.europa.eu/ digital-single-market/en/implemen tation-nis-directive- netherlands a National Computer Security Incident Response Team (CSIRT) has to be determined. Although the Government declared that the Minister of Economic Affairs and Climate Policy is responsible for the energy infrastructure. OSE are obliged to notify immediately the following events: 1. Incidents with significant consequences for the continuity of the essential service 2. Breaches of the security of network and information systems which may have significant consequences for the continuity of the essential service; Sanctions: There are 3 types of sanctions defined, until now: 1. Up to EUR 5 million for any breach of the draft implementation act by essential service operators, 2. A maximum of EUR 1 million for failing to cooperate with a request for further information from the National Cyber Security Centre; and 3. A maximum fine of EUR 1 million for failure to adequately cooperate with supervisory authorities exercising their competencies. Compared to other countries at the moment the Netherlands has the highest sanctions, but the lowest level of clearly defined obligations. NIS Implementation in Hungary The status of transposition is: Partial transposition Implementation acts are: Act 134 of 2017 on modifying certain interior related tasks and corresponding laws Government Decree 394/2017 (XII.13) on modifying government decrees related to Act 134 of 2017 on modifying certain interior related tasks and corresponding laws Hungary has as well identified the following sectors: energy, transportation, health, finance, info communication technologies, water. The national strategy on the security of network an information security is (officially) not yet adopted. Single Point of contact is: National Cyber Security Centre (NCSC) Dózsa György út 86/B Budapest H-1068 E-Mail: spoc@govcert.hu Phone: +36 206 9320 National competent authorities for all sectors for OES is: National Directorate General for Disaster Management E-Mail: kikfo@katved.gov.hu Phone: +36 208 200 548 Contact Hours: 08:00 – 16:00 National Computer Security Incident Response Team (CSIRT) is the same as the single point of contact. Operators of essential services must immediately report extraordinary incidents to the Directorate and to other competent authorities as defined by Hungarian laws and regulations. ENERGY POLICY, ECONOMY AND LAW 583 Energy Policy, Economy and Law Development on NIS Directive in Different EU Countries in the Energy Sector ı Stefan Loubichi
Page 1: nucmag.com 2018 11/12 573 Should Nu
Page 4 and 5: atw Vol. 63 (2018) | Issue 11/12 ı
Page 68: Early Bird Discount! Register by 31

atw 2018-12

Create successful ePaper yourself

Delete template?

Save as template?