Annual Report Trust Services Security Incidents 2017

Annual Report Trust Services Security Incidents 2017

Annual Report Trust Services Security Incidents 2017 OCTOBER 2018 www.enisa.europa.eu European Union Agency For Network And Information Security Annual Report Trust Services Security Incidents 2017 About ENISA The European Union Agency for Network and Information Security (ENISA) is a centre of network and information security expertise for the EU, its member states, the private sector and Europe’s citizens. ENISA works with these groups to develop advice and recommendations on good practice in information security. It assists EU member states in implementing relevant EU legislation and works to improve the resilience of Europe’s critical information infrastructure and networks. ENISA seeks to enhance existing expertise in EU member states by supporting the development of cross-border communities committed to improving network and information security throughout the EU. More information about ENISA and its work can be found at www.enisa.europa.eu. Contact For contacting the authors please use [email protected]. For media enquires about this paper, please use [email protected]. Acknowledgements For the completion of this report ENISA has worked closely with a group of experts from Supervisory Bodies from across Europe. Listing the organizations (in no particular order): ILNAS (LU), CERT LV(LV), Bundesnetzagentur (DE), MCA (MT), NKOM (NO), ANSSI (FR), Austrian Regulatory Authority for Broadcasting and Telecommunications RTR (AT), Ministry of Digital Affairs (PL), GNS (PT), Agency for Digitisation (DK), Radiocommunications Agency (NL), FPS Economy (BE), EETT (GR), RRT (LT), FICORA (FI), Communications Regulation Commission CRC (BG), Agenzia per l'Italia Digitale (IT), National Media and Infocommucations Authority (HU), ICO (UK), Ministry of Communications and Informational Society (RO), National Security Authority NSA (SK), Ministry of Energy, Tourism and Digital Agenda (ES), Swedish Post and Telecom Authority PTS (SE), Ministry of Economy, Entrepreneurship and Crafts (HR), Ministry of the Interior (CZ), Estonian Information System Authority RIA (EE), DCCAE (IE), Ministry of Transport, Communications and Works (CY), Ministry of Public Administration, Information Society Directorate (SI), National Authority for Electronic Certification and Cyber Security (AL), MINGO (HR), Office for Communications AK (LI), European Commission (as observer) Legal notice Notice must be taken that this publication represents the views and interpretations of the authors and editors, unless stated otherwise. This publication should not be construed to be a legal action of ENISA or the ENISA bodies unless adopted pursuant to the Regulation (EU) No 526/2013. This publication does not necessarily represent state-of the-art and ENISA may update it from time to time. Third-party sources are quoted as appropriate. ENISA is not responsible for the content of the external sources including external websites referenced in this publication. This publication is intended for information purposes only. It must be accessible free of charge. Neither ENISA nor any person acting on its behalf is responsible for the use that might be made of the information contained in this publication. Copyright Notice © European Union Agency for Network and Information Security (ENISA), 2018 provided the source is acknowledged. ISBN: 978-92-9204-258-5, DOI: 10.2824/835041 02 Annual Report Trust Services Security Incidents 2017 Table of Contents Executive Summary 4 1. Introduction 6 2. Background 7 eIDAS regulation and Article 19 7 Legal text of eIDAS Article 19 7 Incident reporting flows in Article 19 8 Security incident reporting 9 2.4.1 Services in scope of reporting 9 2.4.2 Security incidents 9 2.4.3 Reportable security incidents 9 2.4.4 Annual summary reporting threshold 10 3. Analysis of reported security incidents 11 Trust services affected 11 Root causes of security incidents 12 Severity of security incidents 12 Security incidents with cross border impact 13 4. Examples of reported security incidents 14 The ROCA case 14 5. Conclusions 16 03 Annual Report Trust Services Security Incidents 2017 Executive Summary Electronic trust services are a range of services around digital signatures, digital certificates, electronic seals, timestamps, etc. which are used in electronic transactions, to make them secure. eIDAS1, an EU regulation, is the EU wide legal framework ensuring interoperability and security of these electronic trust services across the EU. One of the goals of eIDAS is to ensure that electronic transactions can have the same legal standing as traditional paper based transactions. eIDAS is important for the European digital market because it allows businesses and citizens to work and use services across the EU. The eIDAS regulation was adopted in July 2014 and came into force in 2016. Article 19 of the eIDAS regulation sets security requirements for trust service providers. National supervisory bodies have to supervise the trust service providers in their country to ensure that they fulfil these requirements. Cooperation and agreement on how to do this in practice is important not only to create a level playing field for providers operating out of different EU countries, but also to protect transactions based on these services. If there is, for instance, a cyber-attack on a trust service provider in one Member State, then this could have an impact on organizations in other parts of the EU who rely on the provider’s trust services. An important part of Article 19 is the mandatory security breach notification requirements: Trust service providers must notify the national supervisory body about security breaches, if there is a significant impact on the trust service(s) they provide. Article 19 requires national supervisory bodies to inform each other and ENISA if there is cross-border impact. Annually, the national supervisory bodies send annual summary reports about the notified breaches to ENISA and the European Commission. This document, the Annual Report Trust Services Security Incidents 2017, marks the second round of security incident reporting for the EU’s trust services sector For 2017, the national supervisory bodies reported 13 security breaches with a significant impact on trust services. We can draw the following conclusions: Notification increase: The number of notified security breaches increased significantly, in comparison to the previous year. This is not a sign of decreasing security, but rather shows that the implementation of the breach reporting requirements is maturing. Trust service providers are more aware of their breach reporting obligations and are becoming more familiar with the procedure. This leads to more notifications to the supervisory bodies. E-signatures and e-seals most affected: Almost half of the notified breaches, 43%, involve certificates for electronic signatures and electronic seals. Most common causes are system failures, third party failures: System failures, third party failures are both responsible for 36% of the breaches. Human errors are more rare (21%). Only 7% of the breaches are caused by malicious actions. Many security breaches had cross-border impact: Almost half of the notified breaches, 46%, had an impact across borders. This shows that indeed the EU trust services sector is cross-border. Many providers (and their suppliers) are offering services across the EU. Half those were severe, i.e. 50% the cross-border incidents had the highest severity rating (5- disastrous). A third of the breaches were due to ROCA: A number of notified breaches had the same underlying cause (the ROCA case). The general conclusion is that, particularly for security supervision of trust services, cross-border collaboration and information exchange between EU Member States are very important and are starting to produce concrete results 1 Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC, can be consulted at https://eur- lex.europa.eu/eli/reg/2014/910/oj 04 Annual Report Trust Services Security Incidents 2017 that are of value to the community. The eIDAS regulation, and Article 19 in particular, provides the legal basis for collaboration and information exchange between the supervisory bodies. Detailed discussions about security issues and supervision of the sector take place inside the ENISA Article 19 expert group, which is an informal group of experts from national supervisory bodies focusing on the practical implementation of Article 19. 05 Annual Report Trust Services Security Incidents 2017 1. Introduction According to Article 19 of the eIDAS Regulation, Electronic Trust Service Providers in the EU have to notify the national supervisory bodies in their country about security incidents. Annually the supervisory bodies send summaries of these incident reports to ENISA. Subsequently ENISA publishes an aggregated overview of these security incidents. This document gives an aggregate overview of the reported security incidents. This annual report marks the second round of security incident reporting in the EU’s trust services sector, covering the security incidents of 2017. This document only contains aggregated and anonymized information about incidents and does not include details about individual countries or individual trust service providers. Detailed discussions about the reported security incidents take place in the ENISA Article 19 expert

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    17 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us