ENISA releases CVD policies for common EU approach concerning NIS 2 objectives

The European Union Agency for Cybersecurity (ENISA) published Thursday a report that explores how to develop harmonized national vulnerability programs and initiatives in the European Union (EU). Apart from insights on industry expectations, the findings feed into the guidelines ENISA and the NIS Cooperation Group intend to prepare to help EU member states establish their national CVD (Coordinated Vulnerability Disclosure) policies. These guidelines would primarily focus on vulnerability management, dedicated processes, and related responsibilities.  

The report looks into the expectations of industry and the member states regarding the NIS2 objective, while analysing the legal, collaborative, and technical challenges such initiatives raise. Three industry expectations stand out: a national or European CVD policy could encourage organizations to treat vulnerability management and security practices as a priority; policymakers should build on the existing initiatives and standards around CVD rather than start from scratch; and cooperation across different legislations, and between industry players and the public sector, needs to be strengthened to avoid silos.

Based on the experiences and perspectives gathered from industry players and national governments, and on the documentation produced by the many parties involved in national vulnerability initiatives and programs, the ENISA report assesses that the EU CVD ecosystem remains fragmented. Although promising approaches and initiatives are under way in some EU member states, it adds that further steps can be taken towards an integrated EU vision and action.

“This report shows that, despite recent efforts by national governments in developing CVD policies, some industry players have taken the lead and developed vulnerability policies and programmes at organisation level,” the ENISA document said. “Nevertheless, among the top industry expectations is that the development of a national or European level CVD policy could help organisations and public administrations to set vulnerability management as a priority and further encourage security practices. In addition, the alignment of such policies with existing international standards can greatly help in promoting harmonization.”

The report is targeted at the public bodies responsible for designing and implementing CVD policies in EU member states. It presents to them the outputs, evidence, and results of a multi-disciplinary consultation that engaged more than 30 stakeholders. The added value of the ENISA report lies in providing a discussion framework that helps identify common approaches for implementing CVD programs across the EU.

The research paper is also directed at the cybersecurity industry and at any entity that has to manage vulnerabilities, offering them a range of insights, challenges, and best practices.

The implementation of national CVD policies is expected to have a positive impact on security research around vulnerabilities, and their timely discovery, reporting, and treatment, the ENISA document said. “However, there is little doubt that these national frameworks will also have an impact on industry, as manufacturing becomes highly digitalised and increasingly dependent on technology, software code, and data.”

Despite the EU’s strong push towards cybersecurity within a global digital transformation trend, the EU market is fragmented among EU member states. Belgium, France, Lithuania, and the Netherlands are the only four EU member states with a fully established national CVD policy. 

ENISA revealed that four other member states intend to set up a policy. “In these cases, a proposal is either being examined at the level of policymakers or is tested in pilot projects. 10 other EU Member States are in the process of implementing a national CVD policy or are preparing to do so. However, failure to reach an agreement at the political or legislative level has slowed down such a process. Finally, nine Member States have not implemented a CVD policy and the process for establishing one has not yet started,” it added.

From its mapping of the state of play of CVD implementation, ENISA assesses that western European countries show relatively greater maturity than other European regions. Conversely, southern European countries and central and eastern European countries are lagging in this process.

“With this state of play in mind, the EU member states are encouraged by the European Commission, Parliament, and ENISA to set up national cybersecurity strategies and resilience programmes, surely including notions and action plans on vulnerability management,” the ENISA document said. “The EU landscape on CVD may evolve due to the NIS2 directive and cyber resilience act pointing out the importance of vulnerability considerations and encouraging EU Member States to take further action.”

In line with the considerations presented in ENISA’s 2022 report on CVD, the agency’s role is to facilitate harmonization and guide EU member states in developing and implementing national policies. The role particularly applies to support activities and to the elaboration of CVD guidelines at the EU level. The idea is to provide governmental entities with guidelines on vulnerability management, dedicated processes, and related responsibilities. Progress could be made, for example, through a standard template defined at the EU level and later transposed at the national level for all public entities, with some specifications for certain countries and potentially for industries and sectors.

The ENISA document identifies several challenges faced when developing and implementing a national CVD policy. The most important is the lack of a legal framework, and therefore of clear guidance on cooperation among actors at the national and EU level. Two further challenges, the lack of financial resources and the lack of human capital and expertise, are often interdependent and affect both the efficient handling of operational vulnerability tasks and the production of a policy.

Another challenge pointed out by industry players was the need for more cooperation and governance among EU institutions. Lastly, a national CVD policy should be created and implemented by considering the underlying IT infrastructure used by states and private actors. 

As far as vulnerability initiatives are concerned, bug bounty programmes (BBPs) are an area that has grown remarkably over the past few years. BBPs have considerably adapted their business models to offer different types of services, and hence different coverages of IT systems and levels of involvement in vulnerability management processes. Today, BBP platform providers cooperate with key public institutions to run customized programs adapted to their needs and IT infrastructures.

Further expansion is expected as long as the community can continue to rely on BBPs (in particular for the confidentiality of internal information and for data protection) and trust between the stakeholders involved is maintained, the ENISA document noted.

“In terms of human capital, researchers play a fundamental role in the disclosure of vulnerabilities. Accordingly, it is interesting to understand motivations, incentives, and challenges influencing researchers’ contribution,” the ENISA document said. “From their perspective, reputation remains one of the key incentives to legally report vulnerabilities, as it leads to fame and recognition. However, legal protection is also highly considered, especially because the absence, uncertainty or non-clarity of legal conditions can push to illegal channels.”

Collaborative challenges arise in the use of tools to improve vulnerability disclosure processes. For example, when looking at vulnerabilities in open-source software (OSS), and considering how intertwined commercial software and OSS are today, the report identified a need to further improve coordination between OSS developers and private vendors. Aspects such as OSS vulnerability handling, responsibility, and accountability are not yet clearly defined among the actors involved across IT product supply chains, which may hinder coordination efforts.

Challenges related to technical and technological issues also constitute a key area of discussion and analysis. A forward-looking perspective on the use of automation as an enabler to efficiently manage vulnerability identification, sourcing, and classification is also provided by this report. It is observed that as vulnerability analysis and treatment still require human expertise, the risk of deskilling experts due to automated processes may be minimized.

Finally, alignment across different legislation as well as cooperation between industry players and governments are needed to avoid silos. Harmonization of CVD practices, coordination, and international cooperation among players are essential priorities both from a legal and technical perspective. In this regard, ENISA will continue offering advice, publishing guidelines, promoting information sharing, raising awareness, and coordinating CVD-related activities at the national and EU levels.

In conclusion, the ENISA document finds that national CVD policies can set an important example for industry; that the CVD ecosystem remains fragmented; that education and awareness should be prioritized; that the legal, economic, and technological challenges have been identified and brought under the spotlight, with a growing effort to address them; and that ‘security and privacy by design’ principles should be promoted.

Earlier this week, ENISA and the CERT of the EU institutions, bodies and agencies (CERT-EU) jointly published a report alerting on sustained activity by particular APT (advanced persistent threat) groups, known as APT27, APT30, APT31, Ke3chang, GALLIUM, and Mustang Panda. These threat groups have recently conducted malicious cyber activities against businesses and governments in the Union.
