The base goal of the directive is to extend and make uniform all EU-level security and incident reporting requirements (which at the moment only apply to electronic communication network and service providers) to the broader universe of private sector companies. The NIS Directive applies to operators of “essential services” in “critical sectors” and covers Energy (including oil and gas), Transport (including water transport and port authorities), Banking, Financial market infrastructures, Health, Drinking water supply and distribution, as well as to “digital service providers” including Digital infrastructure, Online marketplaces, Online search engines and Cloud computing services.
Under the framework of NIS, the cybersecurity operators of critical infrastructures, such as energy, transport, and key providers of information society services (e.g. e-commerce platforms, social networks, etc.), as well as public administrations, will be required to adopt appropriate steps to manage security risks and report serious incidents to the national competent authorities. This work will be coordinated by our office and will be relevant to the maritime and energy sectors, as well as the forthcoming development of oil and natural gas infrastructure in Cyprus.
Ladies and Gentlemen,
Today’s cyber threats are persistent, well organized, constantly evolving and often successful. Many incidents appear within the information technology (IT) ecosystem in a manner that makes them all but impossible to distinguish from legitimate activity.
Last year, one of the world’s largest oil and natural gas producers discovered that a virus had affected more than 30,000 of its computer workstations. The company’s immediate reaction was to isolate all of its computer systems from outside access. While the incident had no immediate impact on the company’s production operations, employees were cut off from e-mail and corporate servers for several days. Furthermore, the virus erased significant data, documents, and e-mail files on about 75% of corporate computers. Another example is the “Stuxnet” worm, which affected nuclear plants in an Asian country with significant damage to the affected infrastructure. The fact that some of the infected systems were not even connected to the internet makes the issue more alarming. It is estimated that there is a 10% probability of a major critical information infrastructure breakdown, realistically possible in the next 10 years.
In the maritime sector, a recent ENISA analysis of cyber security aspects highlighted several issues that should be addressed by the maritime industry and member states.
ICT systems supporting maritime operations including SCADA devices, from port management to ship communication, are generally highly complex and employ a variety of ICT technologies that also include very specific elements. The fast technology development and the struggle towards complete automation in the maritime sector have, in cases, reduced the focus on the security features. Therefore, it is a major challenge to ensure adequate maritime cybersecurity. A common strategy and development of good practices for the technology development and implementation of ICT systems would therefore ensure “security by design” for all critical maritime ICT components.
At the same time, maritime cybersecurity awareness is currently low to non-existent. Targeted maritime sector awareness-raising campaigns and cyber security training of shipping companies, port authorities, national cyber security offices, etc., are necessary. As current maritime regulations and policies consider only physical aspects of security and safety, policy makers should add cyber security aspects to them.
ENISA proposes a holistic, risk-based approach: assessment of maritime-specific cyber risks, as well as identification of all critical assets within this sector. Additionally, ENISA identifies that maritime governance is fragmented between different levels (international, European, national), and proposes that the International Maritime Organisation together with the EU Commission and the Member States