ETSI TR 103 456-2017 CYBER Implementation of the Network and Information Security (NIS) Directive (V1 1 1).pdf

1、 ETSI TR 103 456 V1.1.1 (2017-10) CYBER; Implementation of the Network and Information Security (NIS) Directive TECHNICAL REPORT ETSI ETSI TR 103 456 V1.1.1 (2017-10) 2 Reference DTR/CYBER-0021 Keywords cyber security, cyber-defence, information assurance, privacy ETSI 650 Route des Lucioles F-06921

2、 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice The present document can be downloaded from: http:/www.etsi.org/standards-search T

3、he present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between suc

4、h versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on

5、 the current status of this and other ETSI documents is available at https:/portal.etsi.org/TB/ETSIDeliverableStatus.aspx If you find errors in the present document, please send your comment to one of the following services: https:/portal.etsi.org/People/CommiteeSupportStaff.aspx Copyright Notificat

6、ion No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and

7、the foregoing restriction extend to reproduction in all media. ETSI 2017. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTMand the ETSI logo are trademarks of ETSI registered for the benefit of its Members. 3GPPTM and LTE are trademarks of ETSI registered for the benefit of its Members and of the 3GP

8、P Organizational Partners. oneM2M logo is protected for the benefit of its Members. GSM and the GSM logo are trademarks registered and owned by the GSM Association. ETSI ETSI TR 103 456 V1.1.1 (2017-10) 3 Contents Intellectual Property Rights 5g3Foreword . 5g3Modal verbs terminology 5g3Executive sum

9、mary 5g3Introduction 5g31 Scope 7g32 References 7g32.1 Normative references . 7g32.2 Informative references 7g33 Definitions and abbreviations . 9g33.1 Definitions 9g33.2 Abbreviations . 9g34 Overview of the NIS Directive . 10g34.1 The context for NIS 10g34.2 ENISA recommendations on standardization

10、 . 12g34.3 Processing of personal data 13g35 Cyber threat intelligence sharing: incidents and risks 13g35.1 Introduction 13g35.1.1 Context 13g35.1.2 Scope of incidents . 13g35.1.3 Incident notification thresholds . 14g35.1.4 Alignment of approaches 15g35.1.5 Incident classification indicators and me

11、trics . 15g35.2 Concepts, models, and technical methods 15g35.3 Cyber threat intelligence entity practices . 15g35.3.1 Introduction. 15g35.3.2 Operators of Essential Services 16g35.3.3 Digital Service Providers 16g35.3.4 Specialized, limited use, structured threat intelligence sharing platforms 16g3

12、6 Role of risk analysis in protecting NIS 17g36.1 Introduction 17g36.2 Concepts, models, and technical methods 18g36.2.1 Introduction. 18g36.2.2 Critical Security Controls . 19g36.2.3 National and intergovernmental programmes . 19g36.3 Cyber defence and cyber security risk management practices . 22g

13、36.3.1 Introduction. 22g36.3.2 Operators of essential services 23g36.3.3 Digital service providers . 23g37 Challenges and solutions 23g37.1 Introduction 23g37.2 New technologies and services . 24g37.3 New techniques 24g37.3.1 Use of middlebox security protocols for cyber defence 24g37.4 Harmonizing

14、implementations across the diverse network and service sectors and Member State legal and operational environments. 24g38 Recommendations 25g38.1 Operators of essential services . 25g38.2 Digital service providers 25g38.3 Facilitative mechanisms for network and information security 25g3ETSI ETSI TR

15、103 456 V1.1.1 (2017-10) 4 Annex A: Historical development of cyber threat intelligence sharing . 26g3History 28g3ETSI ETSI TR 103 456 V1.1.1 (2017-10) 5 Intellectual Property Rights Essential patents IPRs essential or potentially essential to the present document may have been declared to ETSI. The

16、 information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available fro

17、m the ETSI Secretariat. Latest updates are available on the ETSI Web server (https:/ipr.etsi.org/). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (

18、or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document. Trademarks The present document may include trademarks and/or tradenames which are asserted and/or registered by their owners. ETSI claims no ownership of these except for any which are ind

19、icated as being the property of ETSI, and conveys no right to use or reproduce any trademark and/or tradename. Mention of those trademarks in the present document does not constitute an endorsement by ETSI of products, services or organizations associated with those trademarks. Foreword This Technic

20、al Report (TR) has been produced by ETSI Technical Committee Cyber Security (CYBER). Modal verbs terminology In the present document “should“, “should not“, “may“, “need not“, “will“, “will not“, “can“ and “cannot“ are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal f

21、orms for the expression of provisions). “must“ and “must not“ are NOT allowed in ETSI deliverables except when used in direct citation. Executive summary The present document provides guidance on the available technical specifications and those in development by major cyber security communities worl

22、dwide designed to meet the legal measures and technical requirements relating to implementation of the NIS Directive, including the sharing of information and network based risks and incidents and necessary defence measures. The guidance includes: considerations for incident notification and best pr

23、actices in cyber security risk management. The present document provides a broader cyber security context than the NIS Directive or the ENISA Standardization Gaps Report to facilitate evolution toward significant emerging open global platforms, and includes treatment of challenges associated with ha

24、rmonizing the implementations across the diverse network and services sectors and Member State legal and operational environments. Introduction The Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 i.1 concerning measures for a high common level of security of net

25、work and information systems across the Union (commonly called the NIS Directive or NISD contains legal measures which include: requiring Member States to be appropriately equipped, e.g. via Computer Security Incident Response Teams (CSIRTs) a competent national NIS authority for a number of sectors

26、, and a national information security strategy; ETSI ETSI TR 103 456 V1.1.1 (2017-10) 6 setting up a cooperation framework among Member States by means of a Cooperation Group, in order to support and facilitate strategic cooperation and the exchange of information among Member States, including and

27、a CSIRT Network, for voluntary operational cooperation on specific cyber security incidents and sharing information about risks; and requiring Member States to provide the frameworks and necessary obligations on businesses in sectors identified by the Member States as operators of essential services

28、, including those that operate in sectors identified in the Directive, as well as providers of certain digital services, are implementing appropriate security measures and notifying the relevant national authority of serious incidents having significant impact in their services. These legal measures

29、 in turn invoke a set of common cyber security technical requirements that include: structured sharing of information on risks and incidents; notification of incidents; outcomes-focused cybersecurity risk management practices and controls to identify and protect assets, detect anomalous analyses and

30、 potential incidents, and respond to and recover from incidents that may impact network and information systems; and international cooperation to improve security standards and information exchange, and promote a common global approach to NIS issues through harmonised standards. The present document

31、 provides implementation guidance for meeting these requirements based on ETSIs capabilities as a regional and global organization that brings together industry expertise and global cyber security knowledge, including its own cyber security technical specifications and report. ETSI ETSI TR 103 456 V

32、1.1.1 (2017-10) 7 1 Scope The present document provides guidance in accordance with the Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 i.1 concerning measures for a high common level of security of network and information systems across the Union (commonly call

33、ed the NIS Directive or NISD) on the available technical specifications and those in development by major cyber security communities worldwide designed to meet the legal measures and technical requirements relating to the sharing of information on network based risks and incidents and also the neces

34、sary defence measures to enable the protection of its essential security interests. The present document is intended be used by all that need to consider the effects, use or perform the legal transposition of the NIS Directive into national legislation. These include national regulators who need to

35、update regulations or guidelines for specific industries identified in the NIS Directive as Operators of Essential Services (OES) or national policy makers wishing to provide guidance for Digital Service Providers (DSP). The present document might also be used by OES and DSPs themselves for their ow

36、n implementation. The present document is not intended to be prescriptive in the selection or use of technical specifications or requirements as organizational risk based approach yields the most effective industry wide implementations. 2 References 2.1 Normative references Normative references are

37、not applicable in the present document. 2.2 Informative references References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of t

38、he referenced document (including any amendments) applies. NOTE: While any hyperlinks included in this clause were valid at the time of publication ETSI cannot guarantee their long term validity. The following referenced documents are not necessary for the application of the present document but the

39、y assist the user with regard to a particular subject area. i.1 Directive (EU) 2016/1148 of The European Parliament and of The Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union. NOTE: Available at http:/eur-lex.europa.e

40、u/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.194.01.0001.01.ENG. i.2 ENISA: “Gaps in NIS standardisation Recommendations for improving NIS in EU standardisation policy“ V.1.0, November 2016. i.3 ETSI TR 103 305: “CYBER; Critical Security Controls for Effective Cyber Defence“. i.4 ETSI TR 103 421:

41、“CYBER; Network Gateway Cyber Defence“. i.5 Transposition of the EU Network and Information Security (NIS) Directive, Digital Europe, Brussels, 5 July 2016. i.6 ETSI TR 103 331: “CYBER; Structured threat information sharing“. i.7 ETSI TS 102 165-1: “CYBER; Methods and protocols; Part 1: Method and p

42、roforma for Threat, Vulnerability, Risk Analysis (TVRA)“. i.8 ETSI ETR 340: “Telecommunications Security; Guidelines for security management techniques“. ETSI ETSI TR 103 456 V1.1.1 (2017-10) 8 i.9 Recommendation ITU-T X.700 series (ISO/IEC 10160): “Information technology - Open Systems Interconnect

43、ion - Systems Management“. i.10 Recommendation ITU-T X.800 series (ISO/IEC 10181, ISO/IEC 11586): “Information technology - Open Systems Interconnection - Security frameworks for open systems, Generic upper layers security“. i.11 Recommendation ITU-T X.1300 series: “Network security“. i.12 Recommend

44、ation ITU-T X.1050 series: “Security Management“. i.13 Recommendation ITU-T X.1200 series: “Cybersecurity“. i.14 Recommendation ITU-T M.3000 series: “Security for the management plan“. i.15 ISO/IEC 15408: “Information technology - Security techniques - Evaluation criteria for IT security“. i.16 ISO/

45、IEC 27000 series: “Information technology - Security techniques - Information security management systems“. i.17 IEC 62443: “Industrial communication networks - Network and system security“. i.18 ISACA: COBIT 5 series. i.19 ETSI GS ISI 001 (all parts): “Information Security Indicators (ISI)“. i.20 E

46、TSI TR 103 303: “CYBER; Protection measures for ICT in the context of Critical Infrastructure“. i.21 ETSI Security Week 2017. NOTE: Available at http:/www.etsi.org/etsi-security-week-2017. i.22 ETSI Security Week, NFV Security Tutorial. NOTE: Available at https:/docbox.etsi.org/Workshop/2017/201706_

47、SECURITYWEEK/04_NFVTUTORIAL/ETSI_ISGNFV_TUTORIALMATERIAL.pdf. i.23 ETSI Security Week, 5G Security: a government view. NOTE: Available at https:/docbox.etsi.org/Workshop/2017/201706_SECURITYWEEK/06_5GSECURITY/S02/NCSC_HAIGH.pdf. i.24 Sean Barnum: “The MITRE Corporation, Standardizing Cyber Threat In

48、telligence Information with the Structured Threat Information eXpression (STIX)“, 2012. i.25 ISO/IEC 15408: “Evaluation criteria for IT security“. i.26 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing o

49、f personal data and on the free movement of such data. i.27 Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data. i.28 Recommendation ITU-T X.1500 series: “CYBEX Cyber security information Exchange“. i.29 U.S. NIST Cybersecurity Framework. NOTE: Available at https:/www.nist.gov/sites/default/fil