Presentation on theme: "The French approach to CIIP ENISA workshop. Coordination of CIP in France ANSSI 2 A cross-ministerial issue The General Secretariat for Defense and National."— Presentation transcript:
The French approach to CIIP ENISA workshop
Coordination of CIP in France ANSSI 2 A cross-ministerial issue The General Secretariat for Defense and National Security (SGDSN) assists the Prime Minister in matters of national defense and security. 12 critical sectors Energy, communications, healthcare and public health, financial services, transportation, water… A list of critical operators “An operator whose unavailability could strongly threaten the economical or military potential, the security or the resilience of the Nation”
The ANSSI ANSSI 3 An interministerial agency, responsible for prevention and reaction to cyber attacks. Originally focused on the protection of governmental networks. Extended its missions to cover critical operators. Reports to the SGDSN. CIIP issues are under ANSSI’s responsibility.
The initial CIIP framework ANSSI 4 A CIP framework originally focused on the physical protection of critical infrastructures. A relatively slow interministerial process, unsuited to IT security. IT security obligations only for the communications sector.
A new basis for CIIP : the military programming law ANSSI 5 Article 22 introduces specific provisions to enhance the cyber security of critical operators. The military programming law (LPM) is promulgated on December 18, 2013, following the measures announced by the 2013 White Paper. The 2013 White Paper on Defense and National Security recognizes the need to reinforce the security of critical infrastructures.
Secondary legislation will define all implementation measures ANSSI 6 Security rules Security rules ANSSI can set technical and organizational rules Network mapping, network segmentation, implementation of detection capabilities, homologation, IT administration rules, IT security policy... Incident notification ANSSI shall be notified of incidents occuring on critical systems Types of incidents to be notified will be specified by sectorial orders. Direct notification to ANSSI by the critical operators. Inspection ANSSI can trigger security inspections Inspections done by ANSSI, an other governmental authority or a qualified provider. On a regular basis or following an incident. Major crises ANSSI can impose measures in case of major crises The threshold of what is a ”major crisis” is defined by the Prime Minister. Legal basis for action in the framework of crises management plans.
2014 : three phases of experiment ANSSI 7 February – May 2014 First listing of the critical systems (all operators). March – June 2014 Applicability of ANSSI’s recommendations on industrial control systems cybersecurity (4 operators). June – October 2014 Incident notification (a dozen operators).
A work in progress : what’s next ? ANSSI 8 End 2014 : Legal implementation texts to be published.2014 – 2015 : Sectorial working groups leaded by the ANSSI : Sectorial orders to define identification criteria for critical systems, security rules and types of incidents to notify – 2020 : Feedback – possible upgrading of the sectorial orders.