A glance at the interdependency landscape reveals several emerging interdependencies between operators of essential services (OES) and digital service providers (DSP), at both system and service level. Due to these interdependencies, there is an increasing number of cybersecurity incidents that have either propagated across organisations (often across borders) or had a cascading effect at the level of essential services.
Yet, despite the clear need to address interdependencies as part of their overall cybersecurity risk management, organisations and National Competent Authorities (NCA) face difficulties due to the lack of suitable methods, tools, available data and expertise.
In this context, ENISA publishes today a report aiming to support OES, DSP and NCA in identifying and assessing interdependencies effectively. The report has the following objectives:
- to provide a description of interdependencies among OES and DSP;
- to highlight risk assessment practices for the evaluation of the potential impact of interdependencies;
- to propose a framework for assessing interdependencies; and
- to define good practices for assessing interdependencies.
Effective analysis of emerging dependencies and interdependencies will also support decision-makers in defining mitigation measures, thus enhancing the security of network and information systems.
In order for OES, DSP and NCA to effectively identify and assess interdependencies, a framework based on a four-phase approach appears to be a suitable way forward. Existing methods, tools and good practices for interdependencies can be mapped easily on to these four phases, based on the respective individual or sectorial specificities and needs.
The development of indicators for the assessment of interdependencies (which are mapped on to well-known and widely used industry standards and frameworks) would also constitute a practical approach.
In addition to this framework, this report identifies the main challenges that OES, DSP and NCA face in identifying and assessing interdependencies, and proposes a set of practical recommendations to support the relevant risk assessment.
For the full report: Good practices on interdependencies between OES and DSPs