CYBER-RESILIENCE towards Cyber-Reliance
WHITE PAPER
Yves Reding, CEO, EBRC

CONTENTS
RESILIENCE: THE KEY TO SUCCESS IN THE 21ST CENTURY: two challenges for humanity
RESILIENCE AND HUMANITY: making this an innate characteristic in cyberspace
MULTIDIMENSIONAL THREATS: 18 months in the eye of the storm
DIGITAL HYGIENE: essential basic principles
NAVIGATING IN CYBERSPACE IS NOT WITHOUT RISK: more awareness needed
GOING FURTHER: CERT, SOC and NIS central to strategies
CYBER-RESILIENCE: a new paradigm
KEY POINTS: fundamental principles
A CYBER-RESILIENT FINANCIAL SECTOR: ECB guidelines for cyber-resilience
EUROPE ACTIVE: EU's efforts to promote cyber-resilience
STANDARDS AND CERTIFICATIONS: three key standards
TOWARDS CYBER-RELIANCE: take up the cyber-resilience challenge

WWW.EBRC.COM I CYBER-RESILIENCE TOWARDS CYBER-RELIANCE

RESILIENCE: THE KEY TO SUCCESS IN THE 21ST CENTURY
Two challenges for humanity

Resilience is the ability of a species, a state, an organisation, a company or an individual to confront and respond to challenges, and to emerge from this process stronger and better able to face the future.

We changed the world, pushing back boundaries that confined us for hundreds of thousands of years by making miraculous discoveries. But this has come at the price of a degraded ecosystem. Now we face the twin challenges of a changing climate and the exciting opportunities of modern digital technology. In both, resilience is the goal.

HARNESSING NATURAL RESILIENCE...
Finding ways to mitigate and adapt to the effects of global warming is the challenge of our era. The first two industrial revolutions, and the hydrocarbons which powered them, have had a severe impact on our world. Action is needed quickly. The 2015 Paris Agreement was a good start. It was the first global, binding agreement working towards keeping temperature increases in check. The path towards a world with carbon-free energy production is now clearly traced. This will enable our planet's natural resilience to flourish.

Ever more sophisticated technology and technical know-how have driven human development since the stone age. The current rate of change has never been quicker.
Where oil has driven our economies until today, data will propel the third industrial revolution. By the end of this century we will be living in a fully virtual world as artificial intelligence, robotics, quantum computing, nanotechnology and genetic engineering fulfil their promise. The world economy and local communities will be supported by data-driven technology as a global ecosystem emerges. This will be the fourth industrial revolution, where the physical, digital, and biological spheres will come together. This will improve the quality of our lives immeasurably, just as the harnessing of power and electricity did in previous centuries. This is not to deny the new risks which will need to be identified and controlled.

RESILIENCE IN CYBERSPACE
Just as Homo Sapiens were shaped by, and then learned to manage, the natural world, we are understanding and adapting to the challenges and opportunities of cyberspace. Our immune system developed as we adapted over hundreds of thousands of years, so now our bodies respond automatically to threats. However, although we are seeing the emergence of the digital native Homo Digitalis, we have yet to build this profound resilience. This work must be accomplished for the good of our own and future generations. It will involve almost instinctive threat recognition and response, as well as awareness of digital hygiene. This Cyber-Resilience will develop as an integral facet of the burgeoning fourth industrial revolution. In our earlier white paper "Digital needs Trust" we explained how digital requires trust.

Cyber-resilience is the key to cyber-trust and to cyber-reliance.
RESILIENCE AND HUMANITY
Making this an innate characteristic in cyberspace

HARNESSING NATURAL RESILIENCE... TO ADAPT TO DIGITAL CHANGE

RESILIENCE: AN INNATE HUMAN QUALITY
Humanity survived in a hostile physical world by developing defence mechanisms over millions of years. We evolved powerful active and instinctive response mechanisms based on effective memory systems, and we passed this on to future generations. The result of this long Darwinian process is that by the 21st century Homo Sapiens has established a previously unimaginable mastery of the planet. This was based on highly effective auto-immune biological systems which ensured our survival, allowing us to build our civilisations. We must now go through a similar process if we are to thrive in the digital realm of cyberspace.

CYBERSPACE IS OUR NEW WORLD
Once an add-on to our lives, cyberspace is becoming central to our existence. Intertwined with the physical world, we have to adapt quickly to new threats that are often imperceptible to the five senses and the intuition we have evolved. We have yet to develop automatic cyber immune systems, and this means fragility for the systems on which we have grown to depend. Malware and human-directed social engineering attacks result in data being destroyed, changed and stolen. Whether this leads to confidentiality breaches, intellectual property theft, extortion threats, or simply vandalism, it is a serious threat.

CYBER-RESILIENCE, A MAJOR CHALLENGE FOR HUMANITY
Compared with the hundreds of thousands of years when humans carved out a precarious existence, our digital age is a tiny part of the story of our species. We have created a new world, and it takes substantial effort to keep up with the pace of change. The result is new services on which we have come to rely, sometimes only after a few months of use. GPS, smartphones, and contactless payments have to a certain extent become part of our organism as we have come to take them for granted. Even the motor car, the signature invention of the 20th century, is about to change into a new concept. Smart cities will manage infrastructure and security precisely and efficiently. Agriculture is being optimised. Banking and finance have always led the way, and will be transformed again by the massive adoption of artificial intelligence. Manufacturing and logistics sectors will rely more heavily on automation and robotics. Even professions such as journalism, law, law enforcement, medicine and more will be transformed.

Our ancestors learned biological hygiene through trial and error. Fortunately we have the intelligence to avoid this painful, slow process by adapting quickly to build new digital hygiene rules.
MULTIDIMENSIONAL THREATS
18 months in the eye of the storm

PRIVILEGED ACCESS FOR SALE
A journalist with the Indian daily "The Tribune" gained access to the huge "Aadhaar" government database featuring personal data (including biometrics) of nearly 1.2 billion people. This took her ten minutes and cost her 500 rupees (about 7 euros) paid to someone she contacted via WhatsApp. For an extra 300 rupees, she downloaded software that could print ID documents that give free and wide access to the database. The Indian information website "The Quint" then found out how to acquire administrator accounts for the database, which would enable rogue users to create fictitious accounts, including other administrator accounts.
Source: The Tribune India - 04/01/2018; Le Monde - 10/01/2018

DATA THEFT
Equifax, one of the largest credit institutions in the US, was the victim of a breach that could have affected 143 million customers. This data leak is recognised as being one of the largest of 2017. It was notable in particular due to the extremely sensitive nature of the data exposed, including customer identities, driving licence numbers, and social security numbers.
Source: U.S. Securities and Exchange Commission, SEC - incident of 07/09/2017

SECURITY VULNERABILITIES
After chip manufacturer TSMC (Taiwan Semiconductor Manufacturing Company) was the victim of a virus that spread into old computer systems, it took almost three days before normality could be restored. As well as the cost incurred, the company warned that the incident could account for around 3 percent of its Q3 revenue, and that manufacturing delays could occur until the end of the year.
Source: TSMC - 05/08/2018

CRIME
The WannaCry ransomware, which swept the globe in May 2017, massively affected companies such as Vodafone, FedEx and Deutsche Bahn. The UK National Health Service was forced to cancel thousands of medical appointments between 12 and 18 May 2017 after being infected.
Source: National Audit Office, NAO - 25/04/2018

MANIPULATION
On Friday 5 May 2017, just two days before the second round of the French presidential elections, the office of the En Marche party of future French president Macron acknowledged that it had been the "victim of a massive and coordinated act of hacking". The goal was to harm the democratic process by disseminating fake #MacronLeaks news online.
Source: En-Marche - 05/07/2017

DATA LEAKAGE
"You've probably never heard of Exactis, yet, Exactis had heard of you," is how Wired magazine reported a recent data leak. This marketing firm, which is a data provider, left two terabytes of data from an Elasticsearch database exposed in front of its firewall rather than behind it. The database contained nearly 340 million personal data records.
Source: Wired - 27/06/2018

HUMAN ERROR
Nice Systems, a service provider to Verizon, exposed a database hosted on Amazon S3. Due to human error, the records of 14 million US customers were inadvertently left unprotected and unencrypted. In December 2017, Verizon stated that only the UpGuard researcher who uncovered the vulnerability had accessed the data, and that no data was stolen or lost.
Source: Verizon - 07/12/2017

SOFTWARE ERROR
On 3 April 2018, the European Sky Management Application (which covers more than 36,000 daily flights) ceased to work at the EuroControl air-traffic control centre. An incorrect link between a test version of the new software and the operating system triggered the incident. EuroControl stated that the breakdown was not due to any outside interference.
Source: Eurocontrol - 03/04/2018
DIGITAL HYGIENE
Essential basic principles

Developing and using the digital realm involves risks. Just as in the physical world, to survive and then thrive, digital hygiene best practice is essential. This means building an informed digital culture that instinctively understands risks and responds effectively. This requires regular awareness-raising action among users and professionals, the people who are best placed to limit the impact of threats. Increased awareness is a matter of urgency. It is often easy to forget the difference between our digital and physical worlds. Just think of the postal service and e-mail. We pay for physical post, which is run by organisations with long-standing reputations for reliability. Deliveries can be time-stamped with universal legal certainty, with letters and parcels physically closed and thus secure and confidential.

Compare this to the virtual world. Messaging is free of charge, but this leaves data open to use by the service providers for their own commercial ends. Our awareness of this reality is not as it should be. We would protest if the postal service was scanning our letters and attaching advertising to our deliveries. We would be outraged if the delivery people forced their way into our homes and offices to search for useful information about our private lives and professional activity. Yet we let this happen in our online lives with barely a thought. We leave the cyber-equivalent of our doors wide open without deploying any alarm systems. This makes us vulnerable to legal and illegal attempts to exploit and monetise this access. Applying the basic protection and hygiene techniques we are used to in the physical world helps prevent 90% of cyberattacks.

"WHOEVER INVENTED THE BOAT ALSO INVENTED THE SHIPWRECK"
Lao Zi

While this quote is true, it is an overly pessimistic view of one of our most important technologies. Boats also facilitate adventure, exchange, trade, human connections and much more. Yet in both the physical and virtual worlds, there are oceans to navigate, natural and human threats, and the ever-present potential for disaster.

Mastering the risks and opportunities of each new technology has always been central to the story of humanity, and digitalisation is no different. One of the key challenges of our age is the struggle to identify online threats and vulnerabilities to accidents, errors and malicious people. We can then design our technology to be resistant and resilient, with a back-up plan just in case. The digital world is still in its infancy, but the rate of growth is increasing. For example, the data stored and made accessible via data centres or the public cloud will increase tenfold by 2020, reaching 44 zettabytes (44 trillion GB).

NAVIGATING IN CYBERSPACE IS NOT WITHOUT RISK
More awareness needed

ICT systems and cyber-security professionals were put to the test in 2017 and 2018. Massive DDoS attacks and several ransomware outbreaks disrupted the activities of many organisations across the world. Several companies and individuals were in effect taken hostage or paralysed by malicious attacks. Elections were disrupted by cyber-activists with anti-democratic intentions. These were landmark years for our societies as we move toward a digital age. The revelation that Cambridge Analytica misused Facebook data and drove the circulation of politically motivated "fake news" highlighted new dimensions of vulnerability.

The potential threats for states, organisations, businesses and citizens are now huge. They involve risks related to availability, confidentiality and data integrity, and are facilitated by a variety of human failings from malice to negligence, as well as technological vulnerabilities.

NECESSARY AWARENESS
The potential financial, human, societal, reputational, and legal impact of failures in the digital world drives the urgent need to acquire knowledge and to strengthen security and resilience. Here, every stakeholder (states, communities, companies, organisations or individuals) should be able to trust their digital activity. Until now, accidents, errors, flaws and malicious intent impacted goods. Tomorrow, as digital becomes an integral part of all aspects of our world, human lives could be at stake. Potential harm will be limited only by the imaginations of terrorists and criminals.

IN CYBERSPACE, RISK IS A CERTAINTY
It's no longer a question of whether or not the digital world will feature failures, but rather when they will happen and what their impact will be on individuals, companies, states, and more.

We have used our senses and ingenuity to tame our physical environment, and we will need all our creativity to master cyberspace. Risks linked to data are a certainty, and their impacts are often far-reaching. The effect of underestimating or failing to identify risks is amplified when information systems are nested and interoperable. These risks become greater if they are not anticipated, detected and contained. A first step towards resilience is to understand that any organisation can be affected, directly or indirectly. Yet much more needs to be done, as we are still building our capability of responding organically to cyber threats. The good news is that the methodologies and tools we need exist. Due to the urgency of the task, the cyber-resilience market is growing and developing. Awareness is being raised with states in their roles as legislators, ICT infrastructure-systems facilitators, and the providers of funding to universities that generate knowledge and train IT engineers. Companies, users and clients are also learning the imperatives of this new world.

GOING FURTHER THAN CYBER-SECURITY
CERT, SOC and NIS central to strategies

Computer Emergency Response Teams (CERT) and Security Operations Centres (SOC) are command hubs that are central to defence efforts.

WHAT IS A CERT?
Computer Emergency Response Teams, also known as Computer Security Incident Response Teams (CSIRT), are skill centres tasked with alerting and responding to cyber-attacks. They centralise requests for support following security incidents, process alerts, establish and maintain a database of vulnerabilities, and disseminate information on risk-minimising precautions. They also coordinate with other entities such as network competence centres, internet operators and ISPs, and national and international CSIRTs. In short, they accumulate knowledge to anticipate and maximise responsiveness to cyber-attacks.

WHAT IS A SOC?
A Security Operations Centre is an information systems supervision mechanism which detects and analyses incidents, and defines strategies to respond to security incidents. SOC experts continuously analyse events reported by the system, and identify potential cyber security risks. Its main purpose is to provide 24/7 monitoring of the information system.

THE NIS DIRECTIVE
The European NIS (Security of Network and Information Systems) directive aims to significantly strengthen resilience and trust as Europe digitalises. It concerns all stakeholders and especially the "essential service operators", such as stakeholders in energy, transport, banking, finance, infrastructures, health, supply and the distribution of drinking water, as well as digital services. This directive also aims to strengthen Digital Europe's cyber-resilience. Operators of essential services as well as online marketplaces, search engines and cloud services will therefore be subject to new security and incident notification requirements. The goal is to ensure a common high level of network and information system security across the European Union. Security creates trust, and that trust will be further strengthened by this directive, which provides for the establishment of an international network of CSIRT/CERT (Computer Security Incident Response Team/Computer Emergency Response Team). Thus, it will contribute to the strengthening of trust between member states, as well as promoting rapid and effective operational cooperation.

THE ESSENTIAL ROLE OF ENISA
In addition, the European Parliament and the Council of Europe jointly agreed in September 2017 to endow the EU with "strong cyber security" status based on resilience, deterrence and defence measures. Beyond the efforts to promote cyber-security in the member states and in the institutions, agencies and bodies of the Union, Europe is also establishing a more robust cyber-resilience strategy. This provides ENISA (European Network and Information Security Agency) with a permanent and expanded mandate to strengthen cyber-resilience and the EU's ability to respond to the challenges of cyberspace: "A vital role to play in strengthening cyber-resilience and the EU's response", according to the European Parliament and the Council of Europe. ENISA, in collaboration with the relevant national bodies, and in particular the CSIRT/CERT network, CERT-EU, Europol and INTCEN (the EU Intelligence and Situation Centre), will contribute to an improvement in the effective framework of European cyber-resilience, mainly regarding the monitoring of the threat landscape, and in responding to large-scale cross-border incidents.
CYBER-RESILIENCE: A NEW PARADIGM
Prepare I Identify I Protect I Detect I Analyse I Respond I Recover

The exponential growth in the use of digital, its central role in the economy, and how human societies and companies have come to rely on it exposes cyberspace to potential attacks. The meteoric rise in the number and scale of digital threats is evidence of this, and it has significantly raised the level of risk as a consequence. All users of cyberspace are vulnerable, and we will all be faced with an incident sooner or later. It is important to understand the full implications of this paradigm shift. In cyberspace everyone will inevitably encounter specific risks related to that environment. We must all accept this situation and work to better anticipate threats, create strong defences, and make preparations to absorb the impact of attacks, thus making us able to react to and bounce back from any eventuality.

Given these challenges, a narrow approach to cyber-security focused just on data protection does not meet the full scale of the threat. It is just one, vital part of a rich, fully integrated overall strategy. Cyber-resilience is a holistic and systemic approach. It is proactive and based on a process of constant learning in an ever more complex digital world. It must be custom built with sensitivity for unique organisational and business-related characteristics. Adopting a purely defensive strategy has been shown not to work given the sophistication of the threats. Rather, risks must be managed naturally "by design". A "business as usual" approach is needed to contend with changing and adaptable threats, just as the immune system protects the human body.

Compared to previous revolutions, the digital revolution is all the more pernicious in that its resources are neither tangible nor theoretically limited, making it more difficult to master.

TOWARDS CYBER-IMMUNITY
Cyber-resilience is a methodology that must become a culture aimed at constantly being able to prepare, identify, protect, detect, analyse, respond and recover from incidents and threats. It needs to restore systems and processes to ensure the continuity of the business, and recover even after being impacted. It is necessary to develop a powerful immune system for each activity dependent on digital. For it to be effective, the different components of the organisation must interact in a systematic and coordinated manner. We can take inspiration from nature and use bio-mimicry to design a digital defence system with the same properties. This cyber immune system will protect cyberspace, will communicate and will mobilise to deal with threats. It will have to learn from its environment and will therefore evolve and improve constantly.
KEY POINTS
Fundamental principles

CYBER-RESILIENCE IN YOUR ORGANISATION: ensuring the continuity of your business
A continuous improvement cycle in seven steps:

1. PREPARE
Key people: CEO, CISO, BCM, CRO, DPO
Activities: Business impact analysis • Risk assessment • Cyber-Resilience audit • Compliance & standards • Cyber-Resilience strategy • Governance & policies • Awareness & exercise

2. IDENTIFY
Key people: CIO, CISO, BCM
Activities: Gap analysis Business/IT • Vulnerability assessment • Penetration test • Technology watch • Vulnerability watch

3. PROTECT
Key people: CIO, CISO, BCM
Activities: Risk mitigation • Continuity management • Security management • High availability architecture • Data centre availability • Change management

4. DETECT
Key people: CIO, CISO, BCM
Activities: Log correlation • Real-time alert • Incident management

5. ANALYSE
Key people: CIO, CISO, BCM
Activities: Threat analysis • Prioritisation • Operational crisis management

6. RESPOND
Key people: CEO, CISO, BCM, CRO, DPO
Activities: Decisional crisis management • Crisis communication • Containment • Remediation • Business continuity

7. RECOVER
Key people: CIO, CISO, BCM, CRO
Activities: Back to normal operations • Forensics • Continuous improvement • Legal • Communication

EBRC EXPERTISE: ADV – Advisory • CERT – Computer Emergency Response Team • MS – Managed Services • SOC – Security Operation Center

KEY POINTS OF CYBER-RESILIENCE:
• Knowledge of and compliance with the regulatory framework: GDPR, NIS, supervisory authorities (finance, insurance, transport, health, etc.)
• Adopting international standards for risk management and business resilience: ISO 31000, ISO 27001, ISO 27018, ISO 27032, ISO 22301, ISO 22316
• Adopting, and/or imposing on service providers, the appropriate level of security and continuity on the basis of certifications: Tier IV Data Centre, PCI DSS, HDS (Health Data Host), ISO 27001, ISO 22301
• Designing or transforming existing infrastructures by adopting an approach based on ensuring "security and privacy by design": Proxy, Firewall, Anti-Virus, Anti-DDoS, Mail Security, Sandboxing, IPS/IDS, WAF
• Raising awareness, continuously training and informing all employees and stakeholders about cyber-resilience
• Deciding on the company's ability to deploy such resources, or opting for a partner able to provide support in the implementation of Cyber-Resilience: audit, consulting, risk management, business continuity, certified data centres, operational and integrated security management (SOC/CERT), IT infrastructure management, certification programmes, etc.
A CYBER-RESILIENT FINANCIAL SECTOR
ECB ISSUES GUIDANCE IN FAVOUR OF CYBER-RESILIENCE

The financial sector is at the heart of the economy: an indispensable pillar of past and future growth. It acts as a guarantor of trust among systems, states, businesses and individuals, and thus needs to be resilient to its core. The desire to build stability is the founding principle of many global regulations, such as the Basel capital adequacy rules. But just as we rely on the financial system, we have become cyber-dependent by putting ICT at the centre of our lives. Recently, the European Central Bank issued guidance on the cyber-resilience of market infrastructure. In doing so, it established a new benchmark for the sector which will help set standards into the future. Financial market infrastructure (FMI) systems such as those related to interbank payments, central counterparty services, and securities settlement are at the core of the financial sector. This shows the ECB believes these services have a systemic role that must be resistant to existential risks. It also noted the growing range and changing character of cyber threats. This has led the ECB to draft recommendations which, after public consultation, will form the basis of how these key institutions address cyber-resilience.

These are documents business managers must read as they work to build the foundations for future growth based on cyber-resilience and cyber-reliance.

In its Cyber Resilience Oversight Expectations (CROE) report, the Bank outlines three levels of maturity for cyber-resilience: basic, intermediate and advanced. The Central Bank established a framework of compliance and multidisciplinary action for each of these. Cyber-resilience is not limited to highlighting digital risks. It is also about informing how businesses can be run efficiently in a sometimes uncertain digital world. The ECB's expectations thus relate to the FMIs' ability to equip themselves with strong governance structures, identification capabilities, protection measures, detection systems, and post-cyber crisis response and recovery solutions. The document also details expectations relating to continuous simulation, awareness-raising, improvement, communication and learning. The ECB didn't stop there. It also published a European framework for testing resiliency after cyber-attacks. Threat Intelligence-based Ethical Red Teaming (TIBER-EU) also provides for voluntary national implementation across sectors in all eurozone countries.

Sources: "Cyber Resilience Oversight Expectations (CROE) for Financial Market Infrastructures", European Central Bank, April 2018. "TIBER-EU Framework: How to implement the European framework for Threat Intelligence-based Ethical Red Teaming", European Central Bank, May 2018.

EUROPE ACTIVE IN CYBER-RESILIENCE
In late 2017, the European Commission decided to strengthen the mandate of the European Union Network and Information Security Agency (ENISA), with the aim of creating a true cyber-security agency for the European Union. ENISA regularly organises cyber-resilience training exercises called "Cyber Europe" across the continent. In 2016, for example, it organised a training exercise on cloud providers and internet service providers. In 2018, the "Cyber Europe 2018" exercise targeted the field of aviation, and directly involved civil aviation authorities, the sector's service providers (ANSPs: Air Navigation Service Providers), airport operators, and airlines.

CONVERGENT INTERNATIONAL STANDARDS
Cyber-resilience is an integrated approach that combines risk analysis, cyber security, business continuity, crisis management and resilience organisation. To support stakeholders as they optimise protection, both international organisations and public authorities are promoting the development of and compliance with ever more stringent standards such as: ISO 27001 (information security management), 20000 (IT service management), 27018 (personal data protection) and 22301 (management of business continuity). Thus, the new French Standard for Hosting Personal Health Data (HDS) implemented in 2018 requires the ISO 27001, 20000 and 27018 standards. Moreover, the new "Organisation of Resilience" standard was published in March 2017. It aims at defining an "organisation's ability to absorb and adapt to a changing environment".

Cyber-resilience is covered by the following international standards:
• ISO 31000, which defines the framework for risk management
• ISO 27001, which covers the Information Security Management System (ISMS)
• ISO 22301, which covers the Business Continuity Management System (BCMS)
• ISO 22316, the new "organisation of resilience" standard

Cyber-Resilience = ISO 31000 + ISO 27001 + ISO 22301 + ISO 22316

Cyber risks are now multidimensional. However, the level of data protection is determined by the weakest point of the protection chain. Cyber-resilience is a comprehensive and systematic approach that aims to provide balanced and consistent protection. It is based on two major pillars: the Business Continuity Management (ISO 22301) and Information Security Management (ISO 27001) approaches. Other standards, such as the PCI DSS payment standard, further strengthen cyber-resilience.
STANDARDS AND CERTIFICATIONS
Three key standards

BUSINESS CONTINUITY MANAGEMENT - ISO 22301
Societal Security - Business Continuity Management Systems
ISO 22301 specifies the requirements for planning, establishing, setting up, implementing, monitoring, revising, maintaining and continuously improving a documented management system. The aim is to protect against disruptive incidents, reduce the probability of their occurrence, prepare for a robust response, and provide help to recover from them when they occur.
Source: ISO.org

INFORMATION SECURITY MANAGEMENT - ISO 27001
Information technologies - Security techniques - Information Security Management Systems - Requirements
ISO 27001 specifies the requirements for establishing, implementing, maintaining, updating, and continuously improving an information security management system within an organisation. It also includes requirements for the assessment and handling of information security risks, tailored to the needs of the organisation.
Source: ISO.org

PCI DSS DATA SECURITY STANDARD
The Payment Card Industry Data Security Standard (PCI DSS) was developed with the aim of encouraging and strengthening the security of cardholders' data, and facilitating the adoption of uniform security measures worldwide. The PCI DSS standard serves as a reference as regards the technical and operational conditions for protecting cardholders' data. The PCI DSS standard applies to all entities involved in the processing of payments, including merchants, processing companies, acquirers, issuers and service providers, as well as to all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).
Source: PCI Security Standards Council

TOWARDS CYBER-RELIANCE
Take up the cyber-resilience challenge
DIGITAL REQUIRES CYBER-RESILIENCE
Regulators set frameworks for businesses in the first two industrial revolutions, and a similar process is underway for the digital revolution. Of course there are many differences in business life between these epochs. In the late eighteenth and nineteenth centuries, economic actors considered the planet's resources as being unlimited, freely available public goods. But in the early twenty-first century humanity faces one of its biggest challenges: managing the side effects of the mass exploitation of fossil-fuel resources. While this underpinned the growth of human civilization, the key side effect is global warming, which we are struggling to keep under control. The stakes are high, as our economies and societies are under direct threat, not to mention the survival of other species. This challenge can only be met through a globally organised resilience programme. The third and fourth industrial revolutions will, in the course of the twenty-first century, take civilization into a new, virtual world. Our dependence on digital will become entrenched. But socio-economic stakeholders rushing into cyberspace have yet to acquire the protective reflexes that have become natural in the physical world.

It is now urgent for all stakeholders to develop a resilience approach to cyber in order to protect data, which will be the key raw material of the twenty-first century. Risk is inherent to, and is indeed a certainty in, cyberspace. It concerns us all: states, associations, communities, organisations, businesses, and citizens. In the digital world that is under construction, becoming able to continuously prevent and identify threats, and to prepare, protect, detect, analyse, respond and recover, is the challenge that we must meet. The challenge lies in designing an immune system for cyberspace. This will ensure, by its very nature and design, that whatever the threat or attack, all activities will be carried out on a "business as usual" basis.

Cyber-resilience in the digital world is the second major challenge which humanity must face by the mid twenty-first century.

OUR EXPERTS ARE AT YOUR DISPOSAL TO HELP YOU MEET THE CHALLENGE OF CYBER-RESILIENCE
Contact us: www.ebrc.com/contact
Visit our cyber-resilience page: www.ebrc.com/en/offer/cyber-resilience

EBRC, 5, rue Eugène Ruppert, L-2453 Luxembourg, www.ebrc.com/contact