ENISA Report: New Light Shed on Capabilities in Energy & Healthcare

A new report released by the EU Agency for Cybersecurity (ENISA) showcases the product vulnerability management landscape, unveiling challenges faced by sectoral CSIRTs and PSIRTs.
Europeans can count on more than 500 Computer Incident Response Teams (CSIRTs) and on the CSIRTs network to respond to cybersecurity incidents and attacks.
In addition to CSIRTs, Product Security Incident Response Teams (PSIRTs) have emerged more recently. Their role is to manage the vulnerabilities of a company’s products and services.
PSIRTs have been mostly developed in a heterogeneous way. For instance, while some of them are well developed and independent from the main Incident Response (IR) team of the host company, others belong to their Security Operations Centre (SOC) or are just part of the development team.
Why a report on CSIRTs and PSIRTs capabilities?
The Directive on Security of Network and Information Systems (NISD) adopted in 2016 provides legal measures to boost the level of cybersecurity in the EU. Both CSIRTs and PSIRTs are essential players in the global Incident Response (IR) ecosystem.
The study published today - PSIRT Expertise and Capabilities Development - provides recommendations on the role of PSIRTs in the IR setup of the Member States according to the NISD, specifically in the energy and health sectors.
ENISA had already explored in details the IR setup across all sectors of the NISD in a study published in 2019: “EU Member States incident response development status report”.
Sectoral PSIRTs as energy or healthcare ones may benefit from an aligned approach in terms of processes and collaboration to ensure legal compliance in relation to their business partners, clients and possibly Operators of Essential Services or other actors subject to EU cybersecurity regulation.

Recommendations for measures to prevent hospital fires

The European Commission’s Joint Research Centre (JRC) issued a series of recommendations to help prevent the hospital fires associated with medical oxygen needed for Covid-19 severely ill patients, from electrical maintenance to administrative measures and largely spread training and guidance on prevention and risk management strategies for oxygen hazards.

Since the outbreak of the pandemic in March 2020, at least 36 incidents of hospital fires associated with intense oxygen use have been found to have occurred in various countries around the world, causing the deaths of over 200 people and injuring many more.

The majority of the dead and injured were patients extremely ill with the novel Coronavirus and others were their health care providers. Most deaths resulted directly from the fire but there were also several deaths from patients deprived of oxygen because of the event.

In comparison, up until 2020, the media shows an average of just over one such event per year since 2011.

According to the JRC recommendations, the strategies to prevent and mitigate the fire risk in intensive care units should evolve around three main elements:

• Guidance on oxygen therapy for Covid-19 and other diseases needs to identify specific prevention measures that can reduce the risk of oxygen-enriched environments in these settings;

• All hospitals should establish a risk management strategy for oxygen hazards led by hospital management, involving all staff, including healthcare workers, maintenance, housekeeping and administration;

• As part of this policy, all hospitals should track the number of patients having medical gas treatment and, when elevated, an appropriate fire risk management policy should be applied.

The hospitals should use as examples strategies developed for chemical process safety to manage flammable and explosive atmospheres. The management procedures should involve medical and non-medical staff, and prevention and emergency preparedness should take into account potential intensive care unit fires.

Exploring Research Directions in Cybersecurity

ENISA, the European Union Agency for Cybersecurity, has identified key research directions and innovation topics in cybersecurity to support the efforts of the EU towards a Digital Strategic Autonomy.
Resilience, technological sovereignty and leadership are essential for the EU and as such, they are addressed by the new EU Cybersecurity Strategy. In an effort to support this cybersecurity strategy, the European Union Agency for Cybersecurity releases today a report intended to look into digital strategic autonomy in the EU and suggests future research directions.
What is Digital Strategic Autonomy?
Digital strategic autonomy can be defined as the ability of Europe to source products and services designed to meet the EU’s specific needs and values, while avoiding being subject to the influence of the outside world. In the digital world, such needs may encompass hardware, software or algorithms, manufactured as products and/or services, which should comply with the EU values, and thus preserve a fair digital ecosystem while respecting privacy and digital rights.
To ensure the sourcing of such products and/or services complies with the EU’s needs and values, the EU has the option to self-produce them autonomously, or in the case where products and services are acquired from third countries, to certify them and validate their compliance.
However, in cases where there is a high dependence on sourcing, the EU should still be capable of operating its digital infrastructures without giving rise to any possible detrimental influence. Hence, Europe needs to maintain the capability to produce its critical products and services independently.
In short, digital strategic autonomy means the capacity for the EU to remain autonomous in specific areas of society where digital technologies are used.
Why such a move?
The new challenges brought about by the digitalisation of our environment raise questions on our capacity to retain ownership and control of our personal data, of our technological assets and of our political stand. Such are the main dimensions to be considered under the idea of digital strategic autonomy.
Furthermore, the COVID-19 pandemic highlighted the importance of cybersecurity and the need for the EU to continue to invest in research & development in the digital sector. Within this context, ENISA’s report sets and prioritises the key research and innovation directions in cybersecurity.
Key Research Directions: which are they?
The report identifies the following seven key research areas:
- Data security;
- Trustworthy software platforms;
- Cyber threat management and response;
- Trustworthy hardware platforms;
- Cryptography;
- User-centric security practices and tools;
- Digital communication security.
For each of these areas, the report introduces the current state-of-play in the EU, includes an assessment of current and expected issues. The analyses included serve the purpose of issuing recommendations on cybersecurity related research topics. Such recommendations intend to highlight the bases needed to bolster the EU’s digital autonomy.

Guidelines for Cybersecurity in Hospitals: New Online tool

The new tool helps healthcare organisations identify best practices in order to meet cybersecurity needs when procuring products or services.
To facilitate the use of the Procurement Guidelines for Cybersecurity in Hospitals published in 2020, ENISA releases an online tool today to support the healthcare sector in identifying procurement good practices to meet cybersecurity objectives when procuring products or services.
In addition, the Agency also publishes a concise version of the procurement guidelines dedicated to the sector in each of the 24 EU official languages.
Cybersecurity in Healthcare: why does it matter?
The COVID-19 pandemic demonstrated the value of eHealth services such as telemedicine and remote patient care.
Since it has become increasingly digital and interconnected, the healthcare sector needs to consider cybersecurity as an enabler and as a key factor for ensuring the resilience and availability of key healthcare services.
Cybersecurity needs to be envisaged throughout the procurement lifecycle. IT departments should be involved in procurement activities as the cybersecurity implications in the procurement of any product or service should be well understood and consistently addressed by healthcare organisations.
EU Agency for Cybersecurity Executive Director, Juhan Lepassaar, declared: “Securing eHealth today means ensuring the resilience of the EU’s life support system, the healthcare sector. ENISA is committed to shape the ICT environment needed to prevent cybersecurity incidents and attacks on our healthcare sector.”
Procurement Guidelines and online tool: What for?
The online tool was developed as a complement to the procurement guidelines for cybersecurity in hospitals. Its purpose is:
- To help healthcare organisations to quickly identify the guidelines that are most relevant to their procurement context such as assets procured or related threats;
- To promote the importance of a good procurement process to ensure appropriate security measures.
To facilitate the dissemination of good practices across all healthcare organisations across the EU, a concise version of the procurement guidelines is now made available in the 22 official EU languages and the full version is available in english and spanish languages.
The report on procurement guidelines has already generated a significant interest in the healthcare cybersecurity community.
Stakeholders in the sector, including members of the eHealth Security Experts Group suggested the idea of an interactive format of the guidelines making it possible to customise searches and help decision making through informed procurement.
The guidelines were translated in order to allow health organisations across Member States to directly access the content in their own language.
Who is it meant for?
- Procurement officers of healthcare organisations;
- Healthcare professionals with technical positions or in charge of IT systems and equipment;
- Chief level executives such as CIO, CISO, CTO;
- The EU citizens involved in or seeking to develop knowledge and awareness on such processes.

Building Trust in the Digital Era: ENISA boosts the uptake of the eIDAS regulation

The European Union Agency for Cybersecurity issues technical guidance and recommendations on Electronic Identification and Trust Services helping Member States to implement the eIDAS regulation.
The European Union Agency for Cybersecurity (ENISA) completed a package of five reports in order to boost the implementation of the eIDAS regulation and promote the uptake of Electronic Identification and Trust Services. This work falls under the scope of the EU Cybersecurity strategy for the Digital Decade.
ENISA has been in the forefront of the developments on eIDAS since 2013 and with the Cybersecurity Act, established in 2019, the Agency has an extended mandate to support and assist the European Commission and the Member States in the area of electronic identification.
In this challenging period, the “EU digital ID scheme for online transactions across Europe” initiative will drive the revision of the eIDAS and will promote digital identities for all Europeans. ENISA in order to support the Commission has undertaken activities to explore the security considerations for trust service providers and remote identity proofing.
Four of the reports on trust services form an update of ENISA’s guidelines for qualified trust service providers. They represent a voluntary toolset designed to help those trust service providers comply with eIDAS. Specifically, they include:
- technical guidance on the security framework for Qualified Trust Service Providers (QTSP) and for the non-Qualified ones;
- security recommendations for Qualified Trust Service Providers based on Standards;
- guidelines on Conformity Assessment of Trust Service Providers.
A fifth report includes an analysis of the methods used to carry out identity proofing remotely and exploring security considerations. Remote identification allows customers to have their identification information collected and validated without the need for physical presence to the premises of the operator. This has become crucial during the COVID-19 pandemic as it allows access to cross-border online services offered by Member States.
Technical Guidelines on Trust Services
ENISA issued the reports in order to update existing recommendations and guidelines issued in 2017 for qualified trust services. The purpose of these reports is therefore to focus on the requirements set by the eIDAS regulation and the emergence of new standards and new TSP services.
The new guidelines are presented in four different reports according to the following topics:
- trust service providers (qualified or not) looking for guidance on how to meet the requirements of the eIDAS Regulation;
- service providers seeking to clarify whether they qualify as a trust service provider according to the provisions under the eIDAS regulation;
- relying parties seeking to evaluate to what extent their trust service provider complies with the eIDAS requirements.
As a result, the set of recommendations include:
- Security Framework for Qualified Trust Service Providers and for Non-Qualified Trust Service Providers. These guidelines consider the greater potential variety encountered in non-qualified trust service providers;
- Security Recommendations for Qualified Trust Service Providers based on Standards, and Guidelines on Conformity Assessment of Trust Service Providers.
These guidelines have been consulted with and validated by experts in the eIDAS field from various sectors.

Building a Resilient Railway Infrastructure

2021 has been chosen as the European Year of Rail by the European Commission. The European initiative aims to highlight the benefits of rail as a sustainable, smart and safe means of transport to support the delivery of its European Green Deal objectives in the transport field.
Cybersecurity is a key requirement to enable railways to deploy and take advantage of the full extent of a connected, digital environment.
However, European infrastructure managers and railway undertakings face a complex regulatory system that requires a deep understanding of operational cybersecurity actions. In addition, European rail is undergoing a major transformation of its operations, systems and infrastructure due to digitalisation, mass transit and, increasing interconnections. Therefore, the implementation of cybersecurity requirements is fundamental for the digital enhancement and security of the sector.
ENISA, the EU Agency for Cybersecurity, and ERA, the EU Agency for Railways, have joined forces to organise a virtual Conference on Rail Cybersecurity.
Policy
The European Commission has proposed the revision of the Network Information Security Directive (NIS2) to strengthen the cybersecurity measures to be adopted by the Member States and applied, among others, by European railway undertakings (RU) and infrastructure managers (IM).
The European Commission’s Directorate-General for Mobility and Transport (DG MOVE) also encourages awareness-raising of railway stakeholders by promoting the use of its Land Transport Security platform. A cybersecurity toolkit was also developed and shared with the participants. Cybersecurity is now a major concern for National Safety Authorities. The French rail safety authority, l’établissement public de sécurité ferroviaire (the EPSF) compiled the related challenges in a white paper, jointly with the French IM and main RU, the French Cybersecurity Agency, ANSSI and ERA.
Standardisation & Certification
The Working Group 26 of the European Committee for Electrotechnical Standardisation (CENELEC) delivered the promising Technical Specification 50701 on cybersecurity for railways, now under review by the National Committees. A published version of the technical specification is expected before the summer. A voluntary reference to this standard will be made through the application guides developed by ERA. Railway stakeholders expect the technical specification to lay the foundations of a common risk analysis methodology. As demonstrated by the case study proposed by the Italian railway stakeholders, such methodology will link the security analysis to the safety case.
Research & Innovation
Shift2Rail the Joint Undertaking has gained maturity, and the Technical Demonstrator 2.11 on cybersecurity will soon demonstrate the applicability of their findings on specific projects such as Automatic Train Operation or Adaptable Communication Systems.
Technical interoperability standards for EU railway automation are being proposed for consideration in the railway regulatory framework, proposing "secure by design" shared railway services. In addition, The International Union of Railways (UIC), recently launched a Cyber Security Solution Platform, taking a pragmatic approach in building a solutions catalogue to risks and vulnerabilities identified by railway users.
Information Sharing & Cooperation
The European Railway-ISAC is attracting an increasing number of participants willing to share concerns or even vulnerabilities to trusted members and ensuring a collective response to the cybersecurity challenge. An open call by Shift2Rail, namely the 4SECURERAIL project, is developing a proposal for a European Computer Security Incident Response Team, allowing for identified threats to be instantly shared with targeted railway stakeholders.
With such developments, the railway industry, represented by the European Rail Industry Association (UNIFE), discussed how ready the sector is to increase the level of cybersecurity. UNIFE highlighted several priorities, such as: the approval and usage of the TS 50701, the need for adequate certification schemes on product level,the need for specific protection profiles on interface-specific devices and subsystems. This would allow for a more harmonized approach for manufacturers and system integrators.
Conclusions
The participants voted topics for future conferences and these include, among others:
- new technologies;
- cyber risk management for railways;
- cyber threat landscape;
- the update of Technical Specifications for Interoperability (TSI);
- cyber skills and training and cyber incident response.
Both agencies are paying very close attention to all the developments in the field of railway cybersecurity.
The success of the online conference of the last two days shows how railway stakeholders can benefit from close cooperation to ensure that both the cybersecurity and the railway regulatory framework are cross-fertilised.

When & How to Report Security Incidents - ENISA releases new guidelines

The European Union Agency for Cybersecurity (ENISA) releases new guidelines to facilitate the reporting of security incidents by national telecom security authorities.
The guidelines published help national telecom security authorities in the reporting of significant incidents to ENISA and the European Commission under the European Electronic Communications Code (EECC).
These new guidelines replace the previous ones issued by ENISA on incident reporting under Article 13a of the EU Telecoms Framework Directive. This revised version takes into account the scope and the provisions of the EECC and provides non-binding technical guidance to national authorities supervising security in the electronic communications sector.
The following three types of incident reporting are provided for under article 40 of the EECC:
1. National incident reporting from providers to national security authorities;
2. Ad-hoc incident reporting between national security authorities and ENISA;
3. Annual summary reporting from national security authorities to the European Commission and ENISA.
The new guidelines focus firstly on the ad-hoc incident reporting between the security authorities and ENISA and secondly on the annual summary reporting. More specifically, the document includes information on how and when security authorities can report security incidents to ENISA, to the European Commission and to other security authorities.
The information provided considers the services and incidents within the scope of the EECC - incidents affecting confidentiality, availability, integrity and authenticity of networks and services.  The thresholds needed for the annual reporting are also defined.  These thresholds are both of a quantitative and of a qualitative nature.
The quantitative elements considered include the number of users affected and the duration of the incident. Qualitative information was also used, such as the geographical coverage of the incident and the impact on the economy, on society and on users.
The new guidelines also include an incident report template and draw the distinction between national and annual reporting.
This report was drafted by ENISA in close cooperation with the ECASEC expert group of national telecom security authorities.

ENISA provide statement on Microsoft Exchange vulnerabilities

The EU Agency for Cybersecurity (ENISA) has provided a statement with an assessment and advice on Microsoft Exchange vulnerabilities.
Microsoft released security updates for Microsoft (MS) Exchange server suite. Active exploitation has been observed on-premises running MS Exchange installations.
MS Exchange vulnerabilities once exploited may lead to network compromise, data exfiltration and ransomware attacks. Across the EU, an increasing number of MS Exchange installations have also been found to be the target of malicious attacks.
ENISA published a situation report which provides an assessment as well as advice and mitigation measures. It reports that threat has been assessed as severe and considers these types of attacks probable and of high risk.
The Agency calls on organisations using affected Microsoft Exchange versions to patch the flaws immediately and thoroughly investigate for potential signs of compromise.
At EU level, the EU CSIRTs Network and EU Cyber Crises Liaison Organisation Network (CyCLONe) are monitoring the situation and collecting information at both the technical and operational levels.
Microsoft is updating advisories and guidance while additional technical information and advice are provided by CERT-EU technical advisory.

Cybersecurity for 5G: ENISA Releases Report on Security Controls in 3GPP

Cybersecurity for 5G: ENISA Releases Report on Security Controls in 3GPP
The European Union Agency for Cybersecurity (ENISA) provides authorities with technical guidance on the 5G Toolbox measure for security requirements in existing 5G standards.
The Agency has released its Security in 5G Specifications Report about key security controls in the Third Generation Partnership Project (3GPP), the main body developing technical specifications for fifth generation of mobile telecommunications (5G) networks. As vendors, system integrators and operators build, deploy and manage 5G networks, the ENISA publication underlines the need for cybersecurity and for the national regulatory authorities in charge of cybersecurity policy development and implementation to have a good understanding of these controls.
This new ENISA report is directly driven by the objectives set in the EU toolbox for 5G security - mainly technical measure ‘TM02’. This technical measure calls on the relevant authorities in EU Member States to ensure and evaluate the implementation of security measures in existing 5G standards (3GPP specifically) by operators and their suppliers.
The aim of the report is to help national and regulatory authorities to better understand the standardisation environment pertaining to 5G security, 3GPP security specifications and key security controls that operators must implement to secure 5G networks.
More specifically, the report provides:
- A high-level overview of the specification and standardisation landscape for the security of 5G networks, and of the main activities by various standardisation organisations and industrial groups in the area of 5G;
- An explanation of the technical specifications developed by 3GPP for the security of 5G networks, with a focus on optional security features;
- Summary of key findings and good security practices.
The ENISA report also covers security considerations beyond standards and specifications, such as testing and assurance, product development, network design, configuration and deployment, and operation and management.

ENISA release new report and training material to fight cybercrime and improve cooperation

The European Union Agency for Cybersecurity releases a new report and training material to support the cooperation among CSIRTs, Law Enforcement Agencies (LEAs) and their interaction with the judiciary.
The publications are designed to help tackle the challenges of this complex multi-stakeholder cooperation. The report, the handbook and the toolset are a set of deliverables complementing each other as follows:
- The report analyses roles, duties, competences, synergies and potential interferences across Computer Security Incident Response Teams (CSIRTs) - in particular, national and governmental ones, LE and judiciary (prosecutors and judges);
- The handbook helps a trainer explain these concepts through different scenarios;
- The toolset consists of exercises meant for trainees based on the handbook’s scenarios.
The report proposes a methodology to analyse the legal and organisational framework defining the roles and duties, the required competencies of CSIRTs and LE. It also identifies synergies and the potential interferences that may occur while engaging in the activities needed to respond to incidents of criminal nature and in fighting cybercrime.
In addition, it presents a detailed analysis focusing on Czechia, France, Germany, Luxembourg, Norway, Portugal, Romania, and Sweden. The methodology proposed can be used for a more comprehensive future analysis covering additional countries as it is based on:
- desk research;
- subject matter expert interviews;
- the segregation of duties (SoD) matrix.
This SoD matrix is also available in the ENISA repositories in GitHub, as well as the documentation on the Reference Security Incident Taxonomy Working Group (RSIT).
The RSIT working group will meet today as part of the 62nd TF-CSIRT Meeting. These are two other examples of the efforts ENISA engages in to contribute to building a bridge between CSIRTs and LE communities.
Main conclusions of the 2020 report on CSIRTs and LE cooperation include:
- The communities already engage in a number of actions meant to:
  - Avoid interferences wherever possible;
  - Create effective partnerships;
  - Use their synergies to support each other.
- However, interferences may still happen in the process of incident handling and cybercrime investigations, mainly because of the difference in purpose and mandate of each of these communities, i.e. incident mitigation (CSIRTs) compared with evidence preservation and criminal prosecution (LE and the judiciary).
- Joint training activities are organised mainly in community pairs, being either CSIRT and LE or LE and the judiciary. Such activities rarely involve the three communities. The joint training activities help the wider development of the competences required to respond to cybercrime.
- Overall, the 2019 pandemic of the COVID-19 virus did not have any significant impact on cooperation and exchanges between the three communities and their ability to function. Interaction even increased in some instances. For example, daily dialogues became more frequent in order to ensure that each community was kept informed as the situation evolved.
The response to cybercrime requires the cooperation of all actors involved. In this response, CSIRTs, LE and the judiciary perform each a different role and seek different objectives. Helping CSIRTs, LE and the judiciary understand their roles, duties and competences reciprocally will allow a closer cooperation while building on synergies and hence avoid possible interferences.
ENISA has been collecting input from the communities and compiling reports to shed light on the different aspects of the cooperation. These efforts are meant to further enhance the cooperation between CSIRTs and LE and their interaction with the judiciary, In addition, the Agency has been developing training material and co-organising the annual ENISA-EC3 workshop on CSIRT-LE Cooperation. The last edition of this event took place on 16 September 2020.
This new report and training material build on the work already completed in the area over the past. It contributed to the implementation of the ENISA programming document 2020-2022. The work conducted by ENISA in this area is planned to continue in 2021.
1 2 3