ETSI TR 103 303 V0.0.1 (2014-12)

TECHNICAL REPORT

CYBER; Protection measures for ICT in the context of Critical Infrastructure

Reference: DTR/CYBER-001
Keywords: <keywords>

ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16
Siret N° 348 623 562 00017 - NAF 742 C
Non-profit association registered at the Sous-préfecture de Grasse (06) N° 7803/88

Important notice

The present document can be downloaded from: http://www.etsi.org

The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat.

Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http://portal.etsi.org/tb/status/status.asp

If you find errors in the present document, please send your comment to one of the following services: http://portal.etsi.org/chaircor/ETSI_support.asp

Copyright Notification

No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing restriction extend to reproduction in all media.

© European Telecommunications Standards Institute yyyy. All rights reserved.

DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members.
3GPP™ and LTE™ are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM® and the GSM logo are Trade Marks registered and owned by the GSM Association.
Intellectual Property Rights

IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http://ipr.etsi.org).

Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document.

Foreword

This Technical Report (TR) has been produced by ETSI Technical Committee CYBER.

Modal verbs terminology

In the present document "shall", "shall not", "should", "should not", "may", "may not", "need", "need not", "will", "will not", "can" and "cannot" are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions).

"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.

1 Scope

The present document reviews the roles and subsequent requirements for ICT protection, in the context of CyberSecurity, in the form of security technologies and security management, for infrastructures that may be defined, now or in the future, as Critical Infrastructures.

The critical infrastructure protection addressed in the EU's published directive is essentially Power and Transport. It is clear to most casual observers that the global economic infrastructure is now composed of a huge set of ICT networks and services.
It would not be a stretch to say that ICT capabilities now underpin all of the other critical infrastructures. This means food security, economic activity security, citizen safety and just about everything else.

The purpose of the TR to be delivered by this work item is to identify the role of ICT protections through the deployment of security technologies and security management to deliver effective Critical Infrastructures that are reliant on ICT technology. The topics to be addressed by the work item include:

- Resilience (taking as input the ENISA reports on this topic and work from related national programmes);
- M2M communications (in close liaison with oneM2M and smartM2M);
- eHealth (in order to give assurance of access to ICT enabled eHealth systems).

The report is intended to highlight aspects of CI and ICT that have to be addressed to ensure that CI maintains its infrastructure role.

EXAMPLE: The present document provides the necessary adoptions to the endorsed document.

2 References

References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies.

Referenced documents which are not found to be publicly available in the expected location might be found at http://docbox.etsi.org/Reference.

NOTE: While any hyperlinks included in this clause were valid at the time of publication ETSI cannot guarantee their long term validity.

2.1 Normative references

The following referenced documents are necessary for the application of the present document.

Not applicable.

2.2 Informative references

The following referenced documents are not necessary for the application of the present document but they assist the user with regard to a particular subject area.
[i.1] National Institute of Standards and Technology (NIST): Framework for Improving Critical Infrastructure Cybersecurity; Version 1.0; February 12, 2014

[i.2] COUNCIL DIRECTIVE 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection

[i.3] COMMISSION OF THE EUROPEAN COMMUNITIES; COM(2006) 786 final; COMMUNICATION FROM THE COMMISSION on a European Programme for Critical Infrastructure Protection (Brussels, 12.12.2006)

[i.4] EUROPEAN COMMISSION; SWD(2013) 318 final; COMMISSION STAFF WORKING DOCUMENT on a new approach to the European Programme for Critical Infrastructure Protection Making European Critical Infrastructures more secure; Brussels, 28.8.2013

3 Definitions, symbols and abbreviations

3.1 Definitions

For the purposes of the present document, the [following] terms and definitions [given in ... and the following] apply:

Critical infrastructure: Critical infrastructure is an asset or system which is essential for the maintenance of vital societal functions. The damage to a critical infrastructure, its destruction or disruption by natural disasters, terrorism, criminal activity or malicious behaviour, may have a significant negative impact for the security of the EU and the wellbeing of its citizens.

3.2 Symbols

For the purposes of the present document, the [following] symbols [given in ... and the following] apply:

<1st symbol> <1st Explanation>

3.3 Abbreviations

For the purposes of the present document, the [following] abbreviations [given in ... and the following] apply:

EPCIP   European Programme for Critical Infrastructure Protection
NIST    National Institute of Standards and Technology

4 Current status and definitions

4.1 EU perspective

The list of Critical Infrastructure sectors given in COUNCIL DIRECTIVE 2008/114/EC [i.2] is copied in Table 1 below.
Table 1: EU Critical Infrastructure Sectors from [i.2]

Sector | Subsector
1 Energy | Electricity: Infrastructures and facilities for generation and transmission of electricity in respect of supply electricity
1 Energy | Oil: Oil production, refining, treatment, storage and transmission by pipelines
1 Energy | Gas: Gas production, refining, treatment, storage and transmission by pipelines; LNG terminals
2 Transport | Road Transport
2 Transport | Rail Transport
2 Transport | Air Transport
2 Transport | Inland Waterways Transport
2 Transport | Ocean and short-sea shipping and ports

These 2 sectors, Energy and Transport, are increasingly dependent on ICT capabilities to give assurance of their operations.

4.2 US perspective

4.3 Other global regional perspectives

5 Security domains for CI protection

5.1 Review of CIA paradigm

5.2 Resilience

Annex A: Title of annex

<Text>.

Annex E: Bibliography

<Publication>: "<Title>".

Annex F: Change History

Date | Version | Information about changes

History

Document history
0.0.1 | December 2014 | Outline Table of Contents and adoption of ETSI TR Template