Lines of Action within the National Industrial Security Scheme

Posted on 12/05/2016, by INCIBE
The Protection of Critical Infrastructure Act 8/2011 establishes measures for the Protection of Critical Infrastructure, demonstrating the importance of security in Critical Infrastructure for National Security.
To address the improvement of security in the industrial sector, the creation of a National Industrial Security Scheme (ENSI, as per the Spanish acronym) is proposed. 
The ENSI arises as an element that facilitates the development of actions related to industrial security within a framework that can be used to standardise the way common problems are dealt with from specific perspectives and in accordance with the regulations established.
The following are the goals pursued with this initiative:

  • To improve industrial security, guaranteeing the continuity of the services and complying with the regulations established.
  • To improve the current capacities of the industry and providers while fostering the flexible adaptation to new threats.
  • To collaborate with the Industry to ensure a comprehensive improvement of security in the industrial sector.
  • To seek understanding among companies in the security sector from a comprehensive, sector-based perspective.
  • To remain flexible in adapting to new cases and sectors.

In addition, the ENSI also has a broader objective of closing the gap between knowledge of the information security sector and security applied to industrial operations.

What type of organisations is the ENSI applied to?

The National Industrial Security Scheme can support any organisation or company in the industrial sector, and is especially customised for Critical Operators distributed across the twelve strategic sectors defined by the Protection of Critical Infrastructure Act.

What are the goals and benefits expected from the implementation of ENSI?

The following are the goals pursued by the National Security Scheme:

  1. To improve the security of Industrial Control Systems deployed in industrial organisations.
  2. To improve resilience to increase the capacity of systems to withstand and recover from disasters and disturbances.
  3. To facilitate the application of regulations related to Critical Infrastructure Protection.
  4. To standardise the way security is dealt with (both physical security and cybersecurity) in industrial environments.
  5. To expand security to the value chain to improve the security of organisations and their providers.

The following are the benefits expected from the National Security Scheme:

  1. Improvement of the internationalisation and competitiveness of industrial organisations.
  2. Revitalisation of the physical security and cybersecurity sector.
  3. Promotion of a culture of security within industrial organisations.
  4. A catalysing effect on the creation of new standards.
  5. Promotion of synergies between IT security and Operation security.

What are the action guides presented by the ENSI?

In order to comply with the goals pursued with the ENSI, four key elements are defined:

  • General Policy: The ENSI policy establishes a context that promotes the creation of the National Industrial Security Scheme, conveying the need for its creation and the regulatory support underpinning it. In addition, the policy mentions the principles pursued and the goals and benefits of the implementation of the scheme at industrial level, identifying actors and interested parties called to participate in the ENSI and seeking the comprehensive improvement of security in the industry.
  • Methodology of Slight Risk Analysis of Integral Security (SRA-IS): This methodology allows for the identification, analysis, assessment and prompt treatment of those risks affecting facilities with industrial control systems; at the same time, it allows for comparable and reproducible results to be obtained, providing a simple and convenient model of integral risk analysis in industrial control systems. For its part, the methodology of Light Risk Analysis of Industrial Cybersecurity (SRA-CB) allows for a specific, yet light approach to the analysis of cybersecurity risks within industrial control systems. SRA-CB provides a tool that facilitates the application of the methodology of analysis of cybersecurity risks by the operators of industrial control systems.
  • Indicators for Cyber Resilience Improvement (ICRI): The ICRI model of indicators for improving the cyber resilience capacity of organisations, that is, their capacity to respond to the different attacks, threats or incidents they may suffer, allows for measurement of the cyber resilience status against the defined goals and objectives: anticipate, resist, recover and evolve. It allows the organisation to measure the resilience of the critical functions involved in the provision of its essential services. ICRI also includes a catalogue of indicators that can be applied to measure the cyber resilience of industrial organisations, thus providing a tool that facilitates the application of the model of Cyber Resilience Indicators by the operators of industrial control systems.
  • Capacity Construction Model in Cybersecurity of the Value Chain (C4V): C4V provides a series of controls based on a maturity model with different levels. It allows both an internal assessment and an assessment of the value chain, and allows minimum acceptable levels to be established according to the results obtained during the risk analysis phase. The model is designed to assess Availability, Confidentiality and Integrity of information independently, thus obtaining a rating for each of these three variables according to the application of the de minimum rule to the different applicable controls. C4V provides a catalogue of controls to assess the maturity of organisations and their value chain.

The different documents and tools currently comprising the ENSI are published for consultation on INCIBE-CERT’s website: https://www.incibe-cert.es/publicaciones/ensi

These guides are currently being assessed through different tests and pilot processes with companies, operators, providers and experts to improve them and ensure their suitability.