ENISA Cyber Crisis Management Best Practices

Posted by:

|

On:

|

The ENISA Study on Cyber Crisis Management Best Practices (February 2024) outlines a structured framework for handling large-scale cyber incidents across the EU. It presents 16 actionable best practices organized across four lifecycle phases (Prevention, Preparedness, Response, Recovery) and aligns them with the NIS2 Directive requirements. Key recommendations emphasize EU-wide coordination, secure communication channels, and regular crisis simulations to strengthen collective resilience.

What is ENISA?
The European Union Agency for Cybersecurity (ENISA) is the EU’s central body for cybersecurity policy, operational collaboration, and capacity-building.

Cyber Crisis Management Lifecycle

  1. Prevention – Reduce risk of cyber crises occurring
  2. Preparedness – Prepare to manage crises through planning
  3. Response – Stem the crisis and prevent further damage
  4. Recovery – Return to normal or improved security levels

Best Practices by Phase

Phase 1: Prevention

BP 1: Adoption of a national definition of cyber crisis

Example: Netherlands National Crisis Plan Digital identifies eight elements characterizing cyber crises, emphasizing transboundary nature.

Analysis: Joint understanding of transboundary nature would improve EU coordination. EU-CyCLONE could develop a cybersecurity dictionary of Member State definitions.

BP 2: Development of information security standards for public sector

Example: Estonia ISKE standard (being replaced by E-ITS) and France ANSSI self-assessment tool.

Analysis: Regular updates ensure standards remain relevant against evolving threats. Could be generalized at EU level for common cybersecurity baseline.

BP 3: Foster national prevention programs

Example: Dutch Anti-DDoS Coalition (ADC) shares attack metadata through DDoS Clearing House.

Analysis: Model could inspire coalitions for other attack types (ransomware, supply chain). Could be sector-specific or cross-sectoral.

Phase 2: Preparedness

BP 4: Define governance structure and appoint crisis coordinator

Example: Italy National Cybersecurity Agency (ACN) Director General as coordinator.

Analysis: Central authority with technical skills speeds decision-making. Should include diverse expertise (engineers, political scientists, etc.).

BP 5: Map critical entities and assets

Example: France requires operators of vital importance to map their information systems for ANSSI.

Analysis: Enables rapid reaction, impact qualification, and prevention of defensive action consequences. Should be regularly updated.

BP 6: Establish secure communication channels

Example: Germany BSI evaluating Wire for secure messaging.

Analysis: Should include end-to-end encryption, authentication, archiving, open specifications, and multi-platform support.

BP 7: Formalize role allocation in overall plan

Example: Belgium National Cyber Emergency Plan with annual evaluations.

Analysis: Prevents overlap during crisis. Should be regularly updated based on experience and technical progress.

BP 10: Test plans through multi-annual exercise programs

Examples: Finland joint exercises, ENISA Cyber Europe, CyberSOPex, CySOPex, BlueOLEX.

Analysis: Should involve all three levels (strategic, operational, technical). Different exercise types with expanding scenarios.

Phase 3: Response

BP 13: Mobilize certified trusted providers

Examples: Germany BSI list of qualified APT response providers, France ANSSI requirements.

Analysis: Relieves national authorities by allowing direct engagement between essential entities and pre-approved experts.

BP 14: Support victims crisis communication

Example: 2017 WannaCry attack response by French car manufacturer and ANSSI.

Analysis: Victims should be proactive but avoid speculation about causes, responsibility, or consequences during early stages.

Phase 4: Recovery

BP 15: Develop Business Resumption Plans (BRP)

Example: France ANSSI guide for gradual recovery approach.

Analysis: Should distinguish between recovery (return to normal) and resumption (limited capacity operation). Regular updates with lessons learned.

BP 16: Establish feedback and lessons learned unit

Example: France ANSSI post-crisis hotwash sessions after hospital ransomware attack.

Analysis: Immediate feedback session followed by evaluation within 30 days. Should cover governance, communication, decision-making, and capabilities.

Key Recommendations

  1. Coordinate working sessions involving all Member States to define EU-wide cyber crisis mechanisms
  2. Develop simulation exercises at EU level testing operational level players and procedures
  3. Support Member States in setup of secure communication platforms for information exchange
  4. Ensure regular updates of critical information system maps of essential entities
  5. Organize media training sessions for executives of national cyber crisis management authorities

Source

ENISA (2024). Best Practices for Cyber Crisis Management. European Union Agency for Cybersecurity. February 2024.

Retrieved from: https://www.enisa.europa.eu