The French approach to CIIP
ENISA workshop
ANSSI

Slide 2: Coordination of CIP in France

A cross-ministerial issue
- The General Secretariat for Defense and National Security (SGDSN) assists the Prime Minister in matters of national defense and security.

12 critical sectors
- Energy, communications, healthcare and public health, financial services, transportation, water…

A list of critical operators
- “An operator whose unavailability could strongly threaten the economical or military potential, the security or the resilience of the Nation”

Slide 3: The ANSSI

- An interministerial agency, reporting to the SGDSN.
- Responsible for prevention of and reaction to cyber attacks.
- Originally focused on the protection of governmental networks; its missions were extended to cover critical operators.
- CIIP issues are under ANSSI’s responsibility.

Slide 4: The initial CIIP framework

- A CIP framework originally focused on the physical protection of critical infrastructures.
- A relatively slow interministerial process, unsuited to IT security.
- IT security obligations only for the communications sector.

Slide 5: A new basis for CIIP: the military programming law

- The 2013 White Paper on Defense and National Security recognizes the need to reinforce the security of critical infrastructures.
- The military programming law (LPM) was promulgated on December 18, 2013, following the measures announced by the 2013 White Paper.
- Article 22 introduces specific provisions to enhance the cyber security of critical operators.

Slide 6: Secondary legislation will define all implementation measures

Security rules
- ANSSI can set technical and organizational rules.
- Network mapping, network segmentation, implementation of detection capabilities, homologation, IT administration rules, IT security policy...

Incident notification
- ANSSI shall be notified of incidents occurring on critical systems.
- Types of incidents to be notified will be specified by sectorial orders.
- Direct notification to ANSSI by the critical operators.

Inspection
- ANSSI can trigger security inspections.
- Inspections are done by ANSSI, another governmental authority or a qualified provider.
- On a regular basis or following an incident.

Major crises
- ANSSI can impose measures in case of major crises.
- The threshold of what is a “major crisis” is defined by the Prime Minister.
- Legal basis for action in the framework of crisis management plans.

Slide 7: 2014: three phases of experiment

- February – May 2014: First listing of the critical systems (all operators).
- March – June 2014: Applicability of ANSSI’s recommendations on industrial control systems cybersecurity (4 operators).
- June – October 2014: Incident notification (a dozen operators).

Slide 8: A work in progress: what’s next?

- End 2014: Legal implementation texts to be published.
- 2014 – 2015: Sectorial working groups led by the ANSSI.
- 2015: Sectorial orders to define identification criteria for critical systems, security rules and types of incidents to notify.
- 2017 – 2020: Feedback; possible upgrading of the sectorial orders.