European Reference Network for Critical Infrastructure Protection: ERNCIP Handbook 2017 edition Version 1.0

The ERNCIP network has been established to improve the protection of critical infrastructures in the EU. The European Reference Network for Critical Infrastructure Protection (ERNCIP) therefore works in close cooperation with all types of CIP stakeholders, focusing particularly on the technical protective security solutions. This handbook aims to assist the dissemination of the activities and results of ERNCIP. It is intended that the document will be updated and issued by the ERNCIP Office in spring each year. The information provided will be up to date as of the end of the previous calendar year, i.e. in this case as at 31 December 2016. The report summarises the achievements of all the ERNCIP Thematic Groups, providing a convenient way to access information on any specific theme of interest covered by ERNCIP. The report also describes current thematic group activities, to allow subject-matter experts and critical infrastructure operators to identify ongoing areas of research they might be interested in assisting. This report is publicly available via the ERNCIP web site, and is distributed to all ERNCIP Group of EU CIP Experts for onward dissemination within their Member State.JRC.E.2-Technology Innovation in Securit

The IACS Cybersecurity Certification Framework (ICCF). Lessons from the 2017 study of the state of the art.

The principal goal of this report is to present the experiments of the IACS component Cybersecurity Certification Framework (ICCF) performed in 2017 by the NETs (National Exercise Teams) of several Member States, namely France, Poland and Spain. Based on real life use cases and simulations of ICCF activities, this report documents the current practices of these countries and NET members’ views in relation to IACS products cybersecurity certification. These studies have led to a series of findings that will be useful for the future of the ICCF in the context of the European Cybersecurity Certification Framework. In conclusion, a plan of action is proposed for the 2018-2019 period.JRC.E.2-Technology Innovation in Securit

ERNCIP training for professionals in Critical Infrastructure Protection: from risk management to resilience

This report, about the ERNCIP Pilot “Training for professionals in Critical Infrastructure Protection: from risk management to resilience”, contains an analysis of the roadmap followed by the JRC in establishing, in cooperation with DG Home, a first-of-its-kind training event strongly based on the European Programme for Critical Infrastructure Protection (EPCIP). This deliverable contains references to all the steps that this project implied; from its embryonic conceptualisation, passing through the validation of its functional requirements and modules, to its final execution in Brussels from the 21st to the 23rd of June 2016. The aim of this document is to disseminate the methodologies and material collected during the execution of the project and provide useful references, topics and suggestions to educators and trainers - and their organisations - that are willing to organise or fine-tune courses on Critical Infrastructure Protection and Resilience with a focus on European policies and strategies. The ERNCIP Office's goal, following the publication of this report, is to receive feedback from institutions and experts that have made use of the Course’s material in view to integrate them in the execution of new iterations of training events. The Course’s material could also be used by DG HOME as one of the actions put in place to foster the improvement of the “external domain” of the European programme for Critical Infrastructure Protection (EPCIP). The fact that the EPCIP also aims at reaching out to neighbouring countries of the Union, in view to establish CIP-related form of cooperation, puts the “training” among the most useful and direct tools to be exploited to achieve such objective.JRC.E.2-Technology Innovation in Securit

European CIP-related Testing Capabilities: Gaps and Challenges

One of ERNCIP’s goals is to identify gaps in European CIP-related experimental and testing capabilities, and to set up a wider debate on how to deal with these gaps. This report draws an indicative picture about the known state of European CIP-related test capabilities. The analysis is primarily based on an ERNCIP online questionnaire on the issue circulated at the end of 2012, which was completed by 65 respondents representing different types of ERNCIP stakeholders. The ERNCIP Thematic Groups have also provided information about their respective capabilities and perceived gaps in their sectors. This report aims to provoke further debate among the ERNCIP stakeholder communities.JRC.G.6-Security technology assessmen

Proposals from the ERNCIP Thematic Group, “Case Studies for the Cyber-security of Industrial Automation and Control Systems”, for a European IACS Components Cyber-security Compliance and Certification Scheme. Thematic Area Industrial Control Systems and Smart Grids

All studies recently published agree. Industrial Automation and Control Systems (IACS) increasingly constitutes a target for cyber-attacks aiming at disturbing Member States’ economies, at disabling our critical infrastructures or at taking advantage from our people. Such hostile acts take place in a context of geostrategic tensions, for the satisfaction of organised crime’s purposes, or else in support of possible activist causes. In this context, the ERNCIP Thematic Group (TG) “Case studies for the cybersecurity of Industrial Automation & Control Systems” was started in January 2014 to answer the question: “Do European critical infrastructure operators need to get IACS’ components or subsystems tested and “certified” (T&C) with regards to their cybersecurity?” And should the answer have been yes, it had to answer a corollary question: “What are (roughly) the conditions of feasibility for implementing successfully a European IACS components cybersecurity Compliance & Certification Scheme?” This TG’s undertaking was a research project, not a task force seeking to deliver an immediately applicable standard. It mobilised representatives of IACS vendors, industrial operators, European Istitutions and national cybersecurity authorities.JRC.G.5-Security technology assessmen

Science for Standards: a driver for innovation - JRC Thematic Report

This report aims to give a comprehensive overview of the work of the Commission's in-house science service, the Joint Research Centre (JRC) in relation to global standardisation challenges. The description of the JRC's work on standards is divided into six chapters. For each chapter, the detailed policy context is cited, showing clearly how and where the JRC is providing its scientific and technical support to standardisation-related policies.JRC.A.6-Communicatio

Data Protection and Cybersecurity Certification Activities and Schemes in the Energy Sector

Cybersecurity concerns have been at the forefront of regulatory reform in the European Union (EU) recently. One of the outcomes of these reforms is the introduction of certification schemes for information and communication technology (ICT) products, services and processes, as well as for data processing operations concerning personal data. These schemes aim to provide an avenue for consumers to assess the compliance posture of organisations concerning the privacy and security of ICT products, services and processes. They also present manufacturers, providers and data controllers with the opportunity to demonstrate compliance with regulatory requirements through a verifiable third-party assessment. As these certification schemes are being developed, various sectors, including the electrical power and energy sector, will need to access the impact on their operations and plan towards successful implementation. Relying on a doctrinal method, this paper identifies relevant EU legal instruments on data protection and cybersecurity certification and their interpretation in order to examine their potential impact when applying certification schemes within the Electrical Power and Energy System (EPES) domain. The result suggests that the EPES domain employs different technologies and services from diverse areas, which can result in the application of several certification schemes within its environment, including horizontal, technological and sector-specific schemes. This has the potential for creating a complex constellation of implementation models and would require careful design to avoid proliferation and disincentivising of stakeholders. © 2022 by the authors. Licensee MDPI, Basel, Switzerland

Robotic equipment carrying RN detectors: requirements and capabilities for testing

77 pags., 32 figs., 5 tabs.-- ERNCIP Radiological and Nuclear Threats to Critical Infrastructure Thematic Group . -- This publication is a Technical report by the Joint Research Centre (JRC) . -- JRC128728 . -- EUR 31044 ENThe research leading to these results has received funding from the European Union as part of the European Reference Network for Critical Infrastructure Protection (ERNCIP) projec

Security and defence research in the European Union: a landscape review

This landscape report describes the state of play of the European Union’s policies and activities in security and defence and the EU-funded research aimed at supporting them, with an exclusive focus on intentional harm. It is organised around several thematic building blocks under the umbrella of the three core priorities defined in the European agenda on security. The report reviews the current main risks and threats but also those that may emerge within the next 5 years, the policy and operational means developed to combat them, the main active stakeholders and the EU legislation in force. In this context, a short history of EU research on security and defence is presented, followed by an inventory of relevant research and development projects funded under the Horizon 2020 framework programme during the period 2014-2018. The specific contributions of the Joint Research Centre to security research are also highlighted. Finally, future avenues for security and defence research and development are discussed. Please note that the executive summary of this landscape report has been published simultaneously as a companion document.JRC.E.7-Knowledge for Security and Migratio

JRC Services

The handbook provides a broad overview of the Joint Research Centre's (JRC) science-for-policy capabilities to help national governments and institutions achieve their goals on a sound evidence basis. Services are presented both in a thematic section covering different policy areas, and in a horizontal section covering more generic offering such as access to data and infrastructure, education and training or certified reference materials. The handbook is primarily directed at government personnel in the EU Member States and Associated Countries to Horizon 2020, but can also be of interest to national and regional science organisations, academics and policy makers.JRC.A.3-Inter-institutional, International Relations and Outreac