
European Cybersecurity Strategic Research and Innovation Agenda


European Cyber Security cPPP Strategic Research & Innovation Agenda

Disclaimer: The following document represents solely the views of its authors from industry, research and technical organisations and cannot in any circumstances be regarded as the official position of the European Commission.


Contents

1 Executive Summary
2 Research and Innovation Strategy
  2.1 Context, overview and Implementation Strategy for SRIA
    2.1.1 Cybersecurity products and services
    2.1.2 SRIA Preparation Process with broader community
  2.2 Mechanisms for SRIA implementation
    2.2.1 Interaction among instruments for implementation
  2.3 Relationships with other cPPPs
3 Estimated budget
4 Cyber Pillars
  4.1 Cyber Pillar for cybersecurity trustworthy Innovation
  4.2 Cyber Pillar for a technical cybersecurity experimentation and training ecosystem
5 Cyber technical projects / technical priority areas
  5.1 Identification and analysis of technical priority areas
    5.1.1 Assurance / risk management and security/privacy by design
    5.1.2 Identity, Access and Trust Management
    5.1.3 Data security
    5.1.4 Protecting the ICT Infrastructure
    5.1.5 Cybersecurity Services
6 Innovation deployment and validation
  6.1 Cyber trustworthy infrastructures
    6.1.1 Digital citizenships (including identity management)
    6.1.2 Risk management for managing SOC, increasing cyber risk preparedness plans for NIS etc.
    6.1.3 Information sharing and analytics for CERTs and ISACs (includes possibly trusted SIEM, cyber intelligence)
    6.1.4 Secure Networks and ICT (Secure and trusted Routers, Secure and Trusted Network IDS, Secure Integration, Open source OS)
  6.2 Demonstration/ cyber pilots projects
  6.3 Bottom-up Track for Cybersecurity Innovation
7 Non-Technical Aspects
  7.1 Education, training, and skills development
  7.2 Fostering innovation in cybersecurity
    7.2.1 Develop a cybersecurity ecosystem
    7.2.2 Define the cybersecurity value chain
    7.2.3 Boosting SMEs
  7.3 Standardisation, regulation and certification
    7.3.1 Standardisation
    7.3.2 European Cybersecurity quality/ trust label
  7.4 Societal aspects
8 Key Performance Indicators KPIs
9 Contributors
10 Annexes
  10.1 Detailed technical topics with timeline
    10.1.1 Assurance and security and privacy by design
    10.1.2 Identity, Access and Trust Management
    10.1.3 Data security
    10.1.4 Protecting the ICT Infrastructure
    10.1.5 Cybersecurity Services

1 Strategic vision for the SRIA

This SRIA defines the priorities for research and innovation for the European cybersecurity industry in the upcoming years. As the SRIA of a contractual Public Private Partnership, its emphasis is on transforming innovation and applications into new business opportunities that help to solve the challenges that Europe (and others) are facing, and that also bring growth to the cybersecurity industry, helping to create new technical solutions and services and supporting their go-to-market actions in the European internal market as well as in entering other markets.

The initial SRIA we are proposing to initiate the European cybersecurity cPPP has been developed to answer the main strategic objectives of the cPPP, namely:

Foster and protect from cyber threats the growth of the European Digital Single Market considering its cultural and economic ecosystem, ensuring a level playing field (access to products and services with adequate security, independently of the provider);

Develop the European cybersecurity market and the growth of a strong, competitive European cybersecurity and ICT industry, with an increased market position;

Develop and implement European cybersecurity solutions for the critical steps of trusted supply chains, in sectoral applications where Europe is a leader.

1.1 An evolving environment

The cybersecurity environment is in perpetual evolution. In order to develop the SRIA we had to consider existing technologies / solutions / services / threats and their possible evolution. In addition, we also had to consider the current and future ICT and ICT security market.

We are entering a period of transformation due to the nature of systems and services, including 5G, IoT, and more. Here are some (certainly not exhaustive) high level “market evolutions / needs” that may be used to justify the investment.

For instance, we have to consider the following phenomena:

ICT convergence

o Softwarisation and virtualization dynamics and perimeters of the systems disruption (part of 5G, for instance)

o Risk and opportunities to converge security functions/capabilities in a “Software Defined” approach

o XaaS [1] end of perimetric/proprietary systems and its defence, usage (and industry) going to consumption of services instead of by system property

o ICT and OT (Operations Technologies) convergence

Infrastructure required to become up to mission critical

Scalability, distribution and limited intrinsic IoT in terms of security capabilities

Increased B2B needs

Market fragmentation with FOG [2], IoT, XaaS etc.

Data exchange in confidentiality (not just privacy) much more necessary than before (including security data)

Analytics availability

o Both a risk (privacy, data quality, and so on) and an opportunity (e.g. to increase smart detection of threats of any kind: fraud, terrorism, etc.)

Security as a service

o Is increasingly seen as a solution to compensate for lack of skills and means (from citizen to industry / economy)

Label/SLA

o European industry needs an EU label (despite different points of view from MS)

o European industry needs standards or ways to describe a security service and the SLA attributes of a service in terms of security

[1] XaaS = Anything as a Service: the acronym refers to an increasing number of services that are delivered over the Internet rather than provided locally or on-site.

[2] FOG computing or FOG networking is an architecture that uses one or a collaborative multitude of end-user clients or near-user edge devices to carry out a substantial amount of storage (rather than stored primarily in cloud data centers),

1.2 Cyber coordination and cyber pillars (ecosystem) projects

The development of the SRIA has considered the wide palette of threats and an agreed products & services segmentation. Having defined with experts the present and potential future needs / gaps, we have tried to group the many priorities in a way that supports the best decisions for investment in R&I and also for further implementation of the developed innovation.

At the same time, we had to consider the development of the whole ecosystem that will provide awareness and sustainability for the best implementation of these solutions.

To support and better coordinate the implementation of the SRIA, we have proposed the following two topics (about 10% of the overall cPPP budget):

Cyber Coordination Projects: mainly devoted to coordination and support activities at several levels (e.g. market update, link across R&I projects, dissemination & awareness, events etc.)

Cyber Pillars: socio-technical ecosystems for innovation and experimentation

o Cyber Pillar for cybersecurity trustworthy Innovation (to support SMEs and start-ups, innovative business models, etc.)

o Cyber Pillar for a technical cybersecurity experimentation and training ecosystem (e.g. support to cyber range environments enabling the growth of cybersecurity industry and strengthen Europe’s cybersecurity capacity by enabling practical hands-on training, testing, exercising, evaluating, education, experimentation and validation activities, support to standardisation and possibly to certification and trust labels, validation of the elements in the value chain, etc.).

These are support actions that can have an impact on all the other different projects, market segments and application areas.

Adequate investment in these projects will provide the solid substrate to build and develop innovation and the European cybersecurity users and suppliers.

Other non-technical aspects identified in the SRIA (for further development in the frame of a European cybersecurity industrial policy) are:

Education, training, skills development

Fostering innovation in cybersecurity: development of a cybersecurity ecosystem

[2, continued] communication (rather than routed over the internet backbone), and control, configuration, measurement and management (rather than controlled primarily by network gateways such as those in the LTE core network).

Define the cybersecurity value chain

Boosting SMEs

Bottom-up Track for Cybersecurity Innovation

Standardisation, regulation and certification

Societal aspects

1.3 Cyber technical projects / technical priority area

More substantial work is expected for the Cyber technical projects / technical priority areas, which account for about 40% of the SRIA budget.

Five main areas have been identified for such basic Products & Services:

Assurance / risk management and security / privacy by design

Identity, access and trust management (including Identity and Access Management, Trust Management)

Data security

Protecting the ICT Infrastructure (including Cyber Threats Management, Network Security, System Security, Cloud Security, Trusted hardware/ end point security/ mobile security)

Security services (including Auditing, compliance and certification, risk Management, cybersecurity operation, security training services)

This is the sector for R&I activities deeply involving the entire supply chain, from academia for basic research and modelling, to RTOs for further development of the ideas, to users for specification of operational needs and industries (large / SMEs) to bring technologies and basic solutions to higher readiness levels.

1.4 Innovation deployment and validation

1.4.1 Cyber trustworthy infrastructures / Integration project

These Products & Services are the basic “building blocks” which should be integrated and validated in a wider Innovation deployment and validation approach that accounts for about 50% of the SRIA budget.

Consistent with the industry-driven approach and the objectives of the cPPP, this is the part where suppliers and users / operators should integrate, test, validate and demonstrate innovations. These projects are intended to integrate innovations, bring them as close as possible to market, and initiate close cooperation across the different stakeholders to close the “death valley” gap.

Four main areas of integration have been identified by the cyber trustworthy infrastructures / Integration projects:

Digital citizenships (including identity management)

Risk management for managing SOC, increasing cyber risk preparedness plans for NIS etc.

Information sharing and analytics for CERTs and ISACs (includes possibly trusted SIEM, cyber intelligence)

Secure Networks and ICT (Secure and trusted Routers, Secure and Trusted Network IDS, Secure Integration, Open source OS). Particular emphasis and budget are given to this area, as it is considered fundamental and strategic for Europe and offers the possibility to develop solutions in sensitive / strategic areas where an increased Digital Autonomy is needed.

1.4.2 Demonstration/ cyber pilots project

The next step foreseen by the SRIA roadmap is the implementation of these (transversal / generic) solutions in different kinds of verticals, each with their own specific needs. This approach, dealing with Demonstration/ cyber pilots projects, has been proposed to work closely with users and operators (public and private) to allow them to verify the need for and the results of the introduction of innovative solutions in effective environments. The main targets and priorities are those areas that present strategic interest (economic, political / national security, societal) in Europe, including but not limited to:

Smart Grids (Energy)

Transportation (including Automotive / Electrical Vehicles / Logistics/ Aeronautics/ Maritime)

Smart Buildings and Smart Cities

Industrial Control Systems (Industry 4.0)

Public Administration and Open Government

Healthcare

Finance and Insurance

1.4.3 Bottom-up Track for Cybersecurity Innovation

A last approach is dedicated to the Bottom-up Track for Cybersecurity Innovation. It aims at reducing the time from idea to market, stimulating private sector investment and taking best-in-class innovations on a fast track to outpace international competition. For cybersecurity and privacy innovations, industry can propose any R&I topic related to any sector. This track aims at complementing the pre-defined pillars as well as the set priority R&I topics.

1.5 Examples of prioritisation

We have seen that the palette of priorities is very wide and the SRIA is very ambitious in its formulation of challenges and envisaged projects.

Yet, all these topics are important for the cybersecurity of the specific systems or of the specific applications.

Prioritisation should be found for Products/Services/Technologies (Technical Projects) and the Cyber Infrastructures (Integration Projects). The Vertical Applications (Pilots) could be considered as “use cases” for the demonstration of evolution and do not necessarily need to be prioritised (they can also take advantage of the complementarity with other H2020, Regional funded initiatives and other PPPs on Transports, Energy, 5G, Security, Healthcare …).

If we are looking for a possible prioritisation in terms of Technical Projects, we could consider as priorities the following:

Protecting the ICT Infrastructure and enabling secure execution.

Data Protection/Security.

The above two technologies are partially provided through Security & Privacy by Design and Identity & Access Management, which are to be considered as enablers of the top priorities.

Managed Security Services are also to be considered a priority due to the need of empowering widespread baseline Cyber Security adoption (also justified by the very high market dynamics, as presented in § 4.2.2 of the Industry Proposal).

Looking for a possible prioritisation in terms of Cyber Infrastructures we could consider that:

The evolving needs for ICT security, e.g. for mobile communication, cloud, virtualization etc. For instance, the evolution of communication networks towards 5G is ongoing, and is also linked with new releases of 3GPP and ETSI standards. The 5G goal of providing an ecosystem for reducing costs and favouring new services above is directly related to solutions considering multiple bearers, network slicing, network functions virtualization with provision via Cloud, etc. All of these solutions need increased protection from cyberattacks, including a way to validate the guaranteed reliability and level of protection of each component within the ecosystem. Therefore Cyber Infrastructure for Secure ICT is necessarily a top priority in the budget.

The Digital Citizenship with all aspects related to Digital Identity Management and secure access to all Public Administration services is rapidly proceeding in all European nations, and this requires an adequate protection of the related platforms, so also the Cyber Infrastructure for digital citizenship is a priority (also justified by the high market dynamics, as presented in § 4.2.2 of the Industry Proposal).

New services are more and more based on information sharing and data analytics, with data gathered from the web, sensors, and information providers. Data must be protected and trusted if we want to generate value from them, especially if we think of applications in Health, Finance, and Critical Infrastructures. Therefore we also have to consider as a priority the related Cyber Infrastructures for Information sharing, storage and analytics, with relevant support given by the Cyber Infrastructures for Intelligence, Threat and Risk Management, relying on technologies such as Artificial Intelligence, High Performance Computing, and Advanced Visualization. Probably the budget related to these last two cyber infrastructures can be lower, but the activities cannot be delayed.

2 Executive Summary

The rapid development in the digitalisation of economic activities and societies, the emergence of new technologies and the rise in digital connectivity and interconnectedness are matched by a corresponding acceleration of needs for technologies and solutions to provide security, ensure privacy and maintain trust in digital systems and networks. These needs are reinforced by the increasing prevalence and changing nature of cyber threats, modes of attack and forms of malicious behaviour. These developments are not delimited by national borders and, specifically in the context of the Digital Single Market (DSM), require a response at European level.

Building on the fast digitalisation of several sectors of the European economy, the need for a comprehensive, pan-European approach on cybersecurity is gaining strategic importance for the European society and industry as a whole.

Cyber security is an essential enabling factor for the development and exploitation of digital technologies and innovation and is, therefore, inextricably linked to future prospects for growth, job creation and Europe’s response to environmental and societal goals. Specifically, Europe’s ambitions to develop or reinforce its leadership in key economic areas (e.g. health, energy, transport, finance, communications, Industry 4.0, and public services) must be accompanied by cybersecurity solutions that meet the needs of emerging digital markets.

The European cybersecurity market is about 25% (i.e. about €17bln) of the world market (estimated at €70bln in 2015), with an average yearly growth slightly larger than 6%, when the world market is growing at about 8%/year. Also for this reason, it is urgent for Europe to boost its growth in the cybersecurity / IT security sector.

A recent study compiled by European cybersecurity industry leaders pointed out that Europe is in danger of falling behind in the international digital economy field. The study report also emphasised an important strength: the fact that Europe is the most trusted area in the world when it comes to ensuring a high level of data security and privacy. This competitive advantage needs to be maintained and built upon. To improve the situation, we need to build on our strengths and tackle the weaknesses, taking advantage of the many opportunities the dynamic digital market is offering.

The proposed cPPP should provide an important component to delivering this response, bringing together actors throughout Europe and across the diverse segments of the economy and society implicated in the development of a secure and trusted digital market (e.g. technology and solution suppliers and service providers, public and private sector customers and users, policy makers and public administrations) in pursuit of an agreed and coordinated strategy and policy actions aimed at:

Protecting the (growth of the) European Digital Single Market from cyber threats;

Structuring, consolidating and strengthening the European cybersecurity market with trustworthy and privacy aware technologies, products services and solutions;

Supporting the development of European capabilities to develop and bring to market innovative cybersecurity technologies and, thereby, building a strong, resilient and globally competitive European cybersecurity industry with a strong European-based offering and an equal level playing field.

The objective of this proposal is to bridge the gap between capacity building and the deployment of trusted European cybersecurity solutions on European and international markets, thereby creating new business opportunities for European industry while addressing the challenges faced by Europe and defending its stance on safeguarding the privacy of citizens.

This objective substantiates the intention to build a sustainable cybersecurity industry in Europe, even beyond the scope of the ECS cPPP, by setting up a long term industrial strategy to reach expected impacts monitored through Key Performance Indicators (KPIs).

It should be noted that this proposal should be aligned with the establishment of a shared ecosystem and the support of cybersecurity industrial activities fostering the exchange of experiences, competences, pooling of resources, raising general awareness, setting up general education / specific training programmes etc.

Based on an analysis of the current nature and evolution of cyber threats in Europe, supplemented by a detailed SWOT and market analysis, the proposal suggests building this long term industrial strategy upon the strategic priority areas (both technical and non-technical) identified in the SRIA (Strategic Research & Innovation Agenda).

The commitment of stakeholders, for project activities running in the context of the ECS cPPP, is targeted to add a leverage factor of 3 in addition to the European Commission (EC) contributions under Horizon 2020 instruments. Therefore, the economic and industrial relevance of the scope of the cybersecurity cPPP coupled to relevant activities for market development, will facilitate Research and Innovation (R&I) investments in addition to and beyond the engagement of the EC in this partnership.

Having a strong offering in the cybersecurity domain is also a crucial part of increasing the European digital autonomy for sensitive applications. Another relevant aspect is that there are many new emerging technological realities that are still in the early adoption phase and need the cybersecurity offering to be developed to match their specific needs. As these new areas (e.g. IoT, Big Data, Quantum Computing, Cloud, Mobile and embedded systems, smart grids etc.) are still emerging and escalating, everybody has an equal chance to provide the necessary cybersecurity products and services.

The European cybersecurity industry should take advantage of these opportunities, particularly in those economic sectors and applications where Europe is a leader. In some fields, several cPPPs have already been brought to life. In these areas, collaboration with those other cPPPs is foreseen in the current proposal.

The proposal recommends the creation of an international non-profit association called ECSO with a governance model structuring the work and activities of actors engaged in the ECS cPPP. This Association will allow open participation of all legal entities established in the countries participating in H2020. As security is a national prerogative, the participation of representatives from the national administrations is expected as well.

While the ECS cPPP will focus on R&I, the ECSO Association will tackle also other industry policy aspects for market and industrial / economic development.

The link between the SRIA priorities with its R&I priorities - which are the target of the ECS cPPP - and the policy support activities - which are one of the main targets of the ECSO Association - is essential to get the commitment of the private sector and reach a satisfying leverage factor as envisaged in the cPPP H2020 rules.

3 Research and Innovation Strategy

3.1 Context, overview and Implementation Strategy for SRIA

We recall some initial guidelines for the cPPP (which include recommendations for the SRIA):

Gather industrial and public resources to deliver innovation against a jointly agreed strategic research and innovation roadmap.

Maximize available funds through better coordination with European countries.

Focus on a few technical priorities defined jointly with industry.

Seek synergies to develop common, sector-neutral technological building blocks with maximum replication potential

Obtain economies of scale through engagement with users/demand side industries and bringing together a critical mass of innovation capacities.

Be a platform to discuss other supporting measures for the industry

Several projects and initiatives have been launched for defining strategic research and innovation agendas on cybersecurity (and related fields as cybercrime and cyber defence). Many stakeholders are involved. The cPPP would maintain an open process of structuring its SRIA.

The initial SRIA has been elaborated by the informal cPPP SRIA WG (informally created during the Jan. 20th kick-off meeting) starting from findings of the NIS WG3 SRA and defining and agreeing priorities together with the industry (and Member States representatives) by using qualitative and quantitative methods.

The NIS WG3 SRA covers the whole cybersecurity spectrum from different but complementary socio-technical perspectives. It is thus structured around 3 so-called Areas of Interest (AoI), titled:

1. Citizen Digital Rights and Capabilities (looking at cybersecurity from an individual perspective),

2. Resilient Digital Civilisation (taking a collective/societal perspective),

3. Trustworthy Hyper-connected Infrastructures (looking at the secure and resilient infrastructures – in particular critical infrastructures). This Area of Interest is the largest and can be articulated in:

a. ICT Infrastructure (including cloud, mobile, networks, etc.)

b. Smart Grids (Energy)

c. Transportation (including Automotive / Electrical Vehicles)

d. Smart Buildings and Smart Cities

e. Industrial Control Systems (Industry 4.0)

f. Public Administration and Open Government

g. Healthcare

h. Finance and Insurance

Each of these areas provides a Vision, a list of issues and challenges, an inventory of (Technology, Policy, Regulatory) enablers vs inhibitors and ends with an analysis of the gaps, where a number of actions are recommended (as per the nature of the gap) to fill those gaps and so achieve the Vision (this may range from research actions to standardisation actions, going through regulation actions).

In addition to the recommended actions at individual level (i.e. AoI level), there are the recommended actions at collective level that this section stresses and which result from the cross-analysis performed on the 3 AoIs. Taking inspiration from the cross-analysis, we can give here the main research commonalities identified by NIS WG3:

1. Fostering assurance

2. Focussing on data

3. Enabling secure execution

4. Preserving privacy

5. Increasing trust

6. Managing cyber risks

7. Protecting ICT infrastructures

8. Achieving user-centricity


These topics are illustrated in more detail in the NIS WG3 SRA, which refines them further into subtopics and provides a timeline for their solution. We claim that those topics should be of interest to the scientific, technological and industrial communities (see footnote 3).

One of the main recommendations of the NIS WG3 SRA was also the creation of a global contractual governance that would approach holistically the business and innovation issues related to cybersecurity.

This definitely demands considering market as well as strategic national issues.

3.1.1 Cybersecurity products and services

In this cPPP the industry perspective will be analysed and developed in order to contribute to the creation of the Digital Single Market:

1. Stimulate the competitiveness and innovation capacities of the digital security and privacy industry in Europe.

2. Ensure a sustained supply of innovative cybersecurity products and services in Europe.

We thus consider the main elements of the market and the security products and services and make those the cornerstone of our approach for the identification of the cybersecurity technical priorities as well as the main vertical sector of analysis as depicted by the NIS directive and consultation for cPPP.

We use the following classification for cybersecurity products and services (others could be used as well):

Cybersecurity Products & Services:

Assurance, security / privacy by design

Identity, access and trust management

o Identity and access management

o Trust management

Data security

Protecting the ICT Infrastructure and enabling secure execution:

o Cyber threats management

o Network security

o System security

o Cloud security

o Trusted hardware/ end point security/ mobile security

Cybersecurity services

o Auditing, compliance and certification

o Risk management

o Cybersecurity operation

o Security training

Another alternative segmentation (proposed in the NIS WG3 Business cases and innovations paths deliverables) proposes the following classification based on sectors where in the next years good market opportunities are envisioned:

Security services and capabilities

Trusted and resilient infrastructure

Secure software/systems engineering methods and tools

Security management solutions

Footnote 3: While there is a general consensus that those topics are relevant, we leave as future work the finer-grained classification of the relevance based on other criteria such as scientific and technological excellence, business relevance and societal impact.

The “Products & Services” approach will be the cornerstone of our analysis for defining the technical priorities for the cPPP. In doing so we will consider the vertical sectors (such as smart grids, e-health, …) and their needs vs security products. The main goal is to provide a set of cybersecurity capabilities and technologies that can be used in different application domains with maximum efficiency and impact.

The first phase is to set up these priorities. Also the maturity level of such products should be analysed in order to see the European cybersecurity strengths and weaknesses.

In the following picture we link the vertical sectors (or application domains or hyper connected infrastructures as mentioned in the NIS WG3 SRA) with the products and eventually with the research areas/topics to be funded to fill the existing gaps.

The vertical sectors will provide requirements and needs to the lower layers, by requiring proper technologies and processes to secure the development and operation. These products in turn will use security products and services. These are still in an evolution phase and research needs will be further identified or detailed.

[Figure: cPPP perspective on Products and Services and relationships with application domains and Secure ICT infrastructures. From Application domains to Secure ICT infrastructures to Security Products & Services.

Hyperconnected (Critical) Infrastructures / Application Domains: Industry 4.0; Energy; Transport; Finance; Public Services / eGovernment; Health; Smart & Secure Cities; Other.

Built on top of Secure ICT infrastructures: IoT; Mobile; Embedded; Networks/5G; Cloud / web services; Other.

Relying on Products & Services: Security and privacy by design; Identity and access management; Trust management; Data security; Network security; Systems security; Cloud security; Hardware (device/endpoint); Audit, compliance and certification; Risk management; Cybersecurity operations services.

Research Areas / Topics: Technology Research.]


3.1.2 SRIA Preparation Process with broader community

As mentioned before, the initial SRIA has been developed starting from the findings of the NIS WG3 and further elaborated inside the informal cPPP SRIA WG during the 4 months of initial operations. For the future, we plan to collect input from all the cPPP WGs, interact with the scientific and technology advisory groups (also consisting of the NIS WG3 members and PASAG ones) and follow the governance procedures as set up by the ECSO. We will also consider the practitioners' communities, including white hat hackers.

The cPPP SRIA is planned to be revised yearly.

3.2 Mechanisms for SRIA implementation

The ECS SRIA will use a coordinated set of mechanisms to implement its research and innovation activities. In doing so, it will also be coherent with the H2020 framework although proposing also mechanisms to overcome some of its limitations.

These mechanisms are common also to other cPPPs (e.g. Big Data Value):

1) Cyber Coordination Projects: mainly devoted to coordination and support activities at several levels

2) Cyber Pillars: socio-technical ecosystems for innovation and experimentation

3) Cyber Technical Projects: mainly devoted to build the basic capabilities, often involving research and innovation actions

4) Cyber Trustworthy Infrastructures (“lighthouse projects”): large projects able to develop cyber infrastructures allowing a better protection of the European DSM, while promoting European innovative products and services across several application domains

5) Cyber Pilots: developed to pilot and experiment solutions in specific vertical domains

In principle, other kinds of instruments could be set up, especially when working at national/regional level and by using structural funding.

Five kinds of mechanisms

In order to implement the research and innovation strategy, and to align technical with cooperation and coordination aspects, five major types of mechanisms are recommended:

Cyber Coordination (Coordination and Support Actions): These projects will foster cooperation (also international) for efficient information exchange and coordination of activities. In particular, support could be provided by the following envisaged activities:

o A coordination action for the ECSO operation

o Coordination actions for the KPIs monitoring activities

o Coordination actions for cooperation at national/regional/level (cross border cooperation)

o Coordination actions for international relationships with US/Japan/Worldwide

o Creation of a European Observatory on the cybersecurity market

Cyber Pillars (socio-technical ecosystems for innovation and experimentation/training): A combination of organisational and technical elements that will allow challenges to be addressed in an interdisciplinary way and will serve as a hub for other research, innovation and experimentation activities. We envisage at least Cyber Pillars for:

a. Cyber Pillar for Innovation – Cyber Trustworthy Innovation Ecosystem

b. Cyber Pillar for training/education/cyber experimentation facilities – Cyber experimentation and training Ecosystem


Technical projects: Small or large scale technical projects, often R&I activities for developing new cybersecurity capabilities. We should ensure that these projects contribute to develop the technical competences and contribute to the KPIs of the cPPP. These projects would be based on the technical priorities defined in the later sections.

Trustworthy Cyber Infrastructures (“lighthouse projects”): Large projects that will help to develop large infrastructure in the cyberspace, mainly crossing several domains, that may lead to a direct competitive advantage to industry and/or be of strategic relevance for European countries. It includes large scale projects which could be funded through a number of different channels, including Horizon 2020 and structural funds. They are specifically designed to raise awareness of the Partnership and give it increased visibility.

a. Cyber Infrastructure for information sharing and analytics:

- for CERTs and ISACs

b. Cyber Infrastructure for digital citizenships (including identity management)

c. Cyber Infrastructure for risk management

d. Cyber infrastructure for Secure ICT:

- Secure and Trusted Routers, Trusted Network IDS, Secure Operating Systems, Secure Integration Services.

These large demonstration actions would have a sufficient budget (between 20 and 40 M€ of overall total budget) to provide significant results and impact. A specific subject would be chosen each year following the primary criterion of proximity to the market (that is, high marketable readiness level or high investment readiness level). In this respect, a significant number of those final customers, end-users (or investors) should be present and involved in the project as an active part of the consortium. They should participate in the backbone of the project conception from the beginning. The lighthouse projects should respond to a consistent business case and, subsequently, they should provide a robust business plan to be implemented in a relatively short time-scale (i.e., less than 3 years to market). This philosophy should be one of the main drivers for the selection of the annual priority for this action. Because of the magnitude of their impact, the lighthouse projects also have to clearly demonstrate how the sector, subsector or application domain will be substantially influenced, not only because of the technological step forward but also on other aspects such as regulations and policy recommendations, customer behaviour and attitude, new business models (i.e., cyber-insurance market…), etc. Given the large expected impact of the lighthouse projects not only at European level but abroad, the proposal of the annual focus theme would also be agreed and coordinated with the Member States and the other countries participating in the cPPP.

[Figure: Five mechanisms for ECS cPPP implementation in the H2020 programme]

Cyber Pilots: These projects, mainly innovation based, are devoted to the piloting of solutions, in specific vertical domains. These pilots will use the cyber infrastructures previously described and capabilities developed in the technical projects to demonstrate how the developed innovations can satisfy specific requirements in key vertical sectors, gathering attention and commitment of users and potential procurement bodies.

These projects (in particular the cyber infrastructure ones) are triggered and guided by the platform’s feedback and put in place by stakeholders and members of the Partnership. They can be funded by private, local, regional or structural funds coming from cities, regions, banks, etc. and make up a significant and crucial contribution in working towards the smart urban systems of tomorrow.

3.2.1 Interaction among instruments for implementation

The following picture highlights the role of the different kinds of projects in the cPPP. In particular, technical projects are used to deliver the basic capabilities (building blocks) on top of which both large cyber infrastructures (cross domains) and domain specific pilots can build.

One of the main goals of the cPPP is the achievement of pilot solutions for cyber infrastructures. Such cyber infrastructures should address core aspects of ICT. The number and size of the pilot projects will depend also on the relevance of the sector for the cPPP members as well as the avoidance of duplication of efforts with other European initiatives.

Interaction among instruments (focus on infrastructures, technical projects and pilots).

3.3 Relationships with other cPPPs

Cybersecurity pervades several application domains as previously evidenced. While the cPPP cyber would support, in an industry led approach, the definition of requirements and main research challenges, still, in many application domains, it is crucial to check the existing efforts done/planned with respect to other cPPPs (or European initiatives). We can mention here some of the European initiatives that could be relevant for the cPPP in cybersecurity.


Existing PPPs with the European Commission are:

Factories of the Future (FoF)

Energy-efficient Buildings (EeB)

Sustainable Process Industry (SPIRE)

Big Data Value (BDVA)

European Green Vehicles Initiative (EGVI)

Photonics

Robotics

High Performance Computing (HPC)

Advanced 5G networks for the Future Internet (5G)

Other Research Public-Private Partnerships in FP7:

Future Internet PPP (FI-PPP)

A 3D printed key to the Factory of the Future

Nanotech sun block for your home

Modular, flexible, sustainable: the future of chemical manufacturing

Other important initiatives which could be linked to the ECS cPPP are:

The AIOTI (Alliance for Internet of Things Innovation)

The EIP AHA (European Innovation Partnership on Active and Healthy Aging)

The EIP SCC (Smart Cities and Communities)

Sesar JU (for a Single European Sky – Air Traffic Management)

Shift2Rail JU

ECSEL JU (Electronic Components and Systems for European Leadership)

Several envisaged members of the cPPP cybersecurity are active members in these initiatives. It will be of particular relevance to create an explicit flow of information with those, such as 5G, BDV, FoF, EeB and HPC, that definitely and immediately overlap with some of the research challenges we plan to address here. As part of the cPPP SRIA definition, these stakeholders will be contacted and the cybersecurity cPPP could also provide a sort of overall cooperation, trying to ensure that the main security concepts are developed inside the cyber cPPP, thus avoiding the creation of duplications or technological silos in specific domains that would not allow proper interoperable evolution of the technologies.

In the following picture we show some potential relationships.


4 Estimated budget

Given the current time frame we analyse the budget for 2017-2020 also considering that most of the topics have been also fixed already in the appropriate committees for 2016 (and mostly 2017).

We tried to balance among the different instruments, including the ratio between research and innovation activities, providing slightly more relevance to the latter.

It is estimated that for an entire programme of 4 years, and where projects will of course continue to run several years beyond, an investment of approximately €850M (with a hypothesis of €450M from the European Commission – note that following the H2020 reimbursement rule, the EC contribution of €450M is roughly balanced by a contribution from project partners of about €400M) would be required to be allocated between 2017 and 2020. Given the current trend and the significant role of innovation in the cPPP Cyber, a tentative budget sharing has been developed:

- 40% of the budget will be allocated to research and innovation or related activities,

- 51% in Cyber Infrastructures (integration and demonstration) to bring innovation close to market

- 6% to projects developing the ecosystem

- 3% to coordination and support activities.

The estimated budget initially depicted by the cPPP SRIA WG is presented below. It is currently given in a coarse grain format.

The rationale for the following simulation of budget distribution is based upon the following elements.

The budget distribution over the 4 years (EC contribution + contribution from project partners) is considering in 2017 the amount presently envisaged in the ongoing call for proposal (ending August 2016). Also the distribution of the budget allocated in 2017 among the different priorities is following (as much as possible) the existing work programme. The budget in the following 3 years is more or less stable, for an average annual overall amount of roughly €250M.


Looking at the budget distribution in the different actions, the 6% budget (i.e. about € 50M over 4 years) for the development of the ecosystem, is roughly constant over the years, with a slight increase after 2017, for a possible better support to testing tools and education activities.

The distribution of 3% in coordination and support actions (i.e. almost € 30M over 4 years) is constant over the years.

The two main areas where the budget is distributed are the R&I actions (i.e. the technical projects based on technical priorities) with 40% (i.e. € 340M budget) and the Cyber Infrastructure actions (i.e. products / services for different applications) with 51% (i.e. € 433M budget).

While research activities will increase and peak in the middle of the programme, the innovation actions of novel applications and technologies (the “cyber infrastructure”) will start with an offset.

Indeed, after the relatively limited value for R&I activities in 2017, the budget will (at least) double to provide strong support to new technologies and services.

The distribution of the €340M among the different topics (according to the provided product / services segmentation) has been divided in the 5 main areas:

Assurance, security and privacy by design: 12% of the R&I actions budget

Identity, access and trust management: 11% of the R&I actions budget

Data security: 19% of the R&I actions budget

Protecting the ICT Infrastructure and enabling secure execution: 44% of the R&I actions budget

Cybersecurity services: 14% of the R&I actions budget

The budget for “Assurance, security and privacy by design” could look relatively high from an industry / economy point of view, but is considering the priorities imposed by the “societal security” approach.

The budget for “cybersecurity services” could look relatively low, when considering the high expected growth of the service sector. Likely this value, initially estimated by the SRIA technical experts, will be updated in the future when better leveraging upon marketing / industrial experts.

The budget for “Protecting the ICT Infrastructure and enabling secure execution” could look quite high (also 50% of the overall R&I actions), but we estimate that this is the core area where there will be strategic market evolutions in the future, and where European solutions will be needed, for instance of threat identification and management, for overall system security including IoT, 5G and other mobile devices, for cloud security etc. The D priority in Cyber Infrastructures (Secure Networks) is actually gathering several high priority elements. For this reason, its budget is considerably higher than the other priorities.

The budget for “Cyber Infrastructure” of €433M is divided in three areas:

• Integration Projects (for validation of existing technologies): 52% of the “cyber infrastructure” budget

• Demonstration / pilot projects (solutions implemented in different applications) : 38% of the “cyber infrastructure” budget

• Bottom up track on innovation (a new instrument to reduce the time from idea to market, stimulate private sector investment and to take best-in-class-innovations on a fast track to outpace international competition) : 10% of the “cyber infrastructure” budget

The budget for “Demonstration / pilot projects” is more or less equally spread across the different main vertical applications, with some priority given to those applications where Europe is leader.

The budget for the “bottom up track on innovation” is quite limited, as considered for the moment as a “tentative approach”.

The budget for the integration projects is quite important and is divided into the main areas for transversal validation of innovative technologies and services. Particular emphasis is given to the area of secure networks and ICT, as considered fundamental and strategic for Europe and the possibility to develop solutions in sensitive / strategic areas where an increased Digital Autonomy is needed.


5 Cyber Pillars

Cyber pillars are a combination of organisational and technical elements that will allow challenges to be addressed in an interdisciplinary way and will serve as a hub for other research, innovation and experimentation activities.

The envisaged priorities consider the development of a trustworthy innovation ecosystem and a technical experimentation ecosystem.

These priorities are closely linked to the “non-technical priorities” presented later in this document.

| Budget line (M€) | 2017 | 2018 | 2019 | 2020 | TOTAL | % |
|---|---|---|---|---|---|---|
| CYBER PILLARS | 10 | 13 | 14 | 14 | 51 | 6.0% |
| Trustworthy Innovation Ecosystem | | | | | 15 | |
| Technical Experimentation Ecosystem | | | | | 36 | |
| RESEARCH & INNOVATION ACTIONS (technical projects based on technical priorities) | 44 | 107 | 98 | 90 | 339 | 39.9% |
| 3.1.1 Priority “Fostering assurance and security and privacy by design” | | | | | 42 | |
| Identity, access and trust management | | | | | 36 | |
| - 3.1.2 Priority “Identity and Access Management” | | | | | | |
| - 3.1.3 Priority “Trust Management” | | | | | | |
| Data protection, including encryption | | | | | 63 | |
| - 3.1.4 Priority “Data security” | | | | | | |
| Protecting the ICT Infrastructure and enabling secure execution | | | | | 150 | |
| - 3.1.5 Priority “Cyber Threats Management” | | | | | | |
| - 3.1.6 Priority “Network Security” | | | | | | |
| - 3.1.7 Priority “System Security” | | | | | | |
| - 3.1.8 Priority “Cloud Security” | | | | | | |
| - 3.1.9 Priority “Trusted hardware/ end point security/ mobile security” | | | | | | |
| Security services | | | | | 48 | |
| - 3.1.10 Priority “Auditing, compliance and certification” | | | | | | |
| - 3.1.11 Priority “Risk Management” | | | | | | |
| - 3.1.12 Priority “Managed/management security services” | | | | | | |
| - 3.1.13 Priority “Security training services” | | | | | | |
| CYBER INFRASTRUCTURE (products / services used in different applications) | | | | | | 50.9% |
| Integration Projects (validation of existing technology solutions) | 20 | 63 | 71 | 70 | 224 | |
| - A) digital citizenships (including identity management) | | | | | 22 | |
| - B) risk management for managing SOC, increasing cyber risk preparedness plans for NIS etc. | | | | | 45 | |
| - C) information sharing and analytics for CERTs and ISACs (includes possibly trusted SIEM, cyber intelligence) | | | | | 40 | |
| - D) Secure Networks and ICT (Secure and trusted Routers, Secure and Trusted Network IDS, Secure Integration, Open source OS) | | | | | 117 | |
| Demonstration / Pilot projects (solutions in different applications) | 20 | 45 | 50 | 50 | 165 | |
| - Energy, including smart grids | | | | | 18 | |
| - Transport | | | | | 22 | |
| - Finance | | | | | 18 | |
| - Healthcare | | | | | 22 | |
| - Smart & Secure Cities | | | | | 22 | |
| - Public Services / eGovernment | | | | | 31 | |
| - Industrial Critical Systems / Industry 4.0 | | | | | 32 | |
| Bottom up track on innovation | 0 | 13 | 14 | 17 | 44 | |
| COORDINATION (Stakeholder cooperation for Roadmapping Dissemination & Communication; KPI monitoring activities; MS cooperation; International Relationship; EU observatory; Governance, …) | 6 | 7 | 7 | 7 | 27 | 3.2% |
| TOTAL | 100 | 248 | 254 | 248 | 850 | 100.0% |


5.1 Cyber Pillar for cybersecurity trustworthy Innovation

Background

The proposed pillar will support the convergence of actors required to strengthen the European cybersecurity market. Convergence of innovators, academic entrepreneurs, industry, venture capitalists and educators focused on the impact of technology rather than the development of technology is critical to market maturation.

Cybersecurity innovation embodies process, service, organisational, people, administrative and marketing dimensions. Stakeholders recognise, and the requirement activities identified, the need to support innovation across the entire lifecycle. Funding support, interventions and initiatives aimed at core R&I, networking, customer engagement and commercialisation are warranted. Innovation drives new product realisation and development. Significant opportunities exist for innovation in the cybersecurity technology space, yet complex market, regulatory, policy, commercial, and economic considerations create several barriers to transforming research outputs into market-centric product and service applications.

Cybersecurity products and services still diverge quite a lot from traditional goods, as they are public goods (non-excludable and non-rival), theoretically not scarce, opportunity costs of their use are not as high as for traditional goods and there are strong externalities in their production and use. Moreover, their technical complexity increases information asymmetries and renders competition dynamics that are quite different from the traditional brick-and-mortar industries (e.g. there is a strong monopolisation tendency).

Innovation processes in cybersecurity and privacy industries require higher security standards compared to other industries and it can be expected that some of the open innovation models will not be applied here in order to serve the security of the innovation process. This trustworthiness factor greatly influences and a Cyber Pillar provides opportunities to address this in Europe.

Cybersecurity is a risk mitigation measure rather than providing any direct return on investment value itself making value propositioning and justification arguments more difficult for cybersecurity suppliers. Moreover, the difficulty of estimating tangible benefits leads to a problem of making a business case for spending on cybersecurity. Often, companies only react with increased spending on IT security after a large-scale data breach has occurred. In such a situation, it is relatively easy for IT staff to make a business case. So timing is important for showing the value proposition of innovative cybersecurity products and services. Furthermore, as firms act under budget constraints, the option of spending more funds on improving IT security competes with other options that might improve revenues (such as spending more on marketing). Support to vendors on financial prioritisation is essential.

A Cyber hub for cybersecurity can support organisations to invest and transform their ideas into their products, services and systems that are informed by the market conditions thereby increasing feasibility of success by considering the market and business aspects as a major part of their technology offering. This pioneering market lens serves to promote and ensure technology developments are aligned to market, regulatory and economic standards and underpinned by sound market segmentation and demand considerations to enable commercialisation of innovation. In addition, it is crucial to link inter-disciplinary research in the area of innovation with other European Horizon 2020 initiatives, on the concept, process and actuation of knowledge and solution co-creation and co-implementation (see for example H2020-INSO-2015, New Forms of Innovation).

A European Cyber hub for trustworthy innovation should be considered as an essential element of the ecosystem that enables the growth of the cybersecurity industry and strengthens Europe’s cybersecurity capacity by enabling process, service, organisational, people, administrative and marketing dimensions. The goal is to provide an ecosystem that resembles a real-life business environment for product and service market release.

A key enabler of this hub is the innovation network, and knowledge base delivery from an impartial source (national and pan-European cybersecurity clusters would be strong candidates) could form a strong approach that would greatly assist cybersecurity innovators. In addition, influencers can educate society on the consequences of neglecting cybersecurity or of violations of privacy.

The fragmentation of the cybersecurity market and community in Europe, split between business and technical expertise, and platforms in their current set-up need many modifications to enable bigger scalability (e.g. data analytics development, market definition, competitor analysis).


Assess existing economic and procedural barriers to innovation and identify appropriate incentives needed to increase security product and service adoption;

Focus on trustworthiness; Reputation and value chain analysis at European level

Cybersecurity network analysis; trends on global alliances and partnering strategies

Facilitate financing management of up-scaling and spin-outs.

Challenges

The nuances and difficult aspects of innovation reside in the market domain in which it is situated, as innovators need to know where they fit, what the demand is, what are the regulations, who are their customers, and is there room for them in the market. The value of great technology innovation is not realized if there isn’t demand or a market for it. No innovator or funding body wants a situation where technology innovation is chasing a market application. For cybersecurity technology innovation to have a commercial relevance and societal impact there has to be an integration of technology push and market demand. Nonetheless, it is also the responsibility of innovators to create that demand within the market, if it is not immediately explicit.

The approach to cybersecurity business innovation is fragmented across domains, technology, accelerators and Incubators

There is a tendency to adopt competitor innovation models, whereas customised innovation practices based upon requirements are essential. Training can address this.

There is conflict in collaborative research in relation to process (knowledge) and product (economic benefit), incentives to harmonise basic research and disruptive innovation are required.

There is limited support for stakeholders to prioritise sustainability of research beyond initial funding, paths to market delivery are immature

There are no open hubs to involve more participants to the product and service realisation, training, investment, modification, market alignment etc.

Reputation based innovation is dispersed, alliances are one dimensional

Cybersecurity trustworthy innovation has difficulty testing its inter-operational capacity and shifting between pillars should be facilitated

Envisaged actions (with links to KPIs)

Research, development and implementation of a cybersecurity trustworthy innovation hub environment that enables stakeholders to increase their innovative capacity in a European context

New and upcoming SMEs and innovative enterprises to adopt and exploit research outputs in order to embed these within the market place and compete effectively.

Transparency of cybersecurity markets toward competition policy enhancement

Increase innovation productivity, pursue formalized innovation procedures.

o align incentivisation within existing innovation ecosystem and culture in Europe.

o implement an analytical approach to innovation incentivisation.

o conduct evidence-based implementation of incentivisation.

o monitor incentivisation of innovation.

o tailor incentive schemes to risk associated with the innovation (incremental or greenfield).

o evaluate successes and failures.

The cybersecurity domain is highly trust-based, hence prior reputation and credibility are necessary in order to successfully sell products and services in the domain. Cybersecurity innovators need to manage their trustworthiness formally for market credibility.

Innovators should consider alliances and partnerships with other organisations to enter the market.

Developing and piloting the open-hub concept to widen the range of beneficiaries, including universities, SMEs, tradesmen etc.

Development of sustainable business models.

Development and piloting of analytics modules to enhance market management.

Researching, development and piloting of modules to support innovation KPIs.

Research and development to use cybersecurity innovation gurus.

Defining and maintaining reference architectures, frameworks and interface standards, and encouraging and co-ordinating the creation of ecosystems of compatible and interoperable products and services across a cluster of research and innovation projects. These architectures, frameworks and standards should be defined in such a way as to promote competitive innovation, and should themselves be designed for evolution.

5.2 Cyber Pillar for a technical cybersecurity experimentation and training ecosystem

Background

According to the holistic approach in cybersecurity, the level of skills and awareness of different stakeholders plays a crucial role in efficient cyber defence. Also, since country borders do not exist in the cyber domain, collaboration, experience exchange and networking between different specialists, experts, researchers, policymakers, large companies and SMEs, critical service providers, product developers etc. across borders and across domains is important to ensure that everyone’s digital resources are well protected and that tools are up to date and in accordance with the changing cyber threats.

Cyber range environments should be considered as basic and crucial elements of the ecosystem that enables the growth of the cybersecurity industry and strengthens Europe’s cybersecurity capacity by enabling practical hands-on training, testing, exercising, evaluating, education, experimentation and validation activities. The goal of these environments is to provide an ecosystem that resembles real-life operational environments for practising, as many activities cannot be simulated in the real environments.

Many cyber ranges have been created in Europe and we have several years of practical experience with organizing international as well as national cyber exercises using these platforms. The largest international cyber exercises have been organized using Estonian infrastructure since 2010 – for example, 16 countries were involved in the 2015 Locked Shields exercises (organized in cooperation with NATO CCDCOE in Tallinn), and more than 400 specialists participated in that serious game session.

There is a growing demand for providing training and exercise services to an even wider range of parties, and the number of players in existing formats is increasing year by year. Also, there are many ways to develop the ecosystems further in order to create value for many other stakeholders including researchers, experimenters, SMEs, policy makers, universities and students etc. Federating existing platforms would make it possible to create even more complex simulation, testing, exercise and training environments that would more closely resemble the complexity of real life, where almost everything is somehow connected.

The platforms in their current set-up need many modifications to enable bigger scalability (e.g. automation of manual preparatory work, data analytics development to automate analysis of exercise results etc.). They also need technical upgrading as the technological realities change fast.

There are two main development directions:

Black-box cyber range to provide organisations their own closed testing environment;

Open Range to expand the organisations that can benefit from using the environment. Open range is an environment that enables many additional stakeholders to harvest the benefits of hands-on practicing in complex simulation environments, to test out tools, conduct penetration testing, malware detection or other thematic exercises etc.

Challenges

There is a lack of training ranges to satisfy the needs for cybersecurity exercises. Training needs exceed the availability of the environments.

The exercise ranges are often government funded, and since the government agencies do not have business intentions, there is a lack of sustainable business models to scale the systems to meet the needs of other interest groups (start-ups, vital service providers, universities, large companies etc.).

Preparing for one large-scale training typically involves a lot of manual work that could be automated.

There is limited availability for many stakeholders to benefit from cyber range environments as they have not been expanded to meet their needs yet (e.g. SMEs, researchers, universities etc.), only limited piloting has been conducted.

Strategic serious games are usually not supported by technical environments that would make it possible to log the necessary data that can later be used for developing new strategies, products, frameworks etc.

Analytics of environments needs more automation to enable better analysis, e.g. automate analysis of situational awareness, risks and competences profiling etc. The serious games environments are also environments that can provide input to new product development. These benefits are today not sufficiently harvested; stronger collaboration with the industry is needed.

There are no open ranges to involve more participants in the exercises, trainings, testing, experimenting etc.

There is a lack of offering of closed black box ranges for parties that need a closed environment to conduct trainings (e.g. vital service providers that want to exercise domain specific or secret scenarios).

There is a lack of cooperation between different existing environments. Integration / federation solutions would enable trainees to get more versatile experiences and knowledge. It would also make it possible to involve ranges that have very specific configurations that are difficult to recreate due to some domain specific components (e.g. specific SCADA system ranges etc.).

The educational potential is not fully harvested: cyber ranges / serious games environments are rarely used in educational programs to build practical, hands-on competences of students. In Tallinn Technical University, first steps have been taken but there is a huge potential to use the range on a much wider scale. Product development and automation is needed to scale these capabilities.

The potential for introducing new technical tools and services within the exercise frameworks is rarely realised. So the start-ups and SMEs are not taking advantage of the opportunity to test and market their solutions in the complex attack-defence simulation games.

The actions here envisaged should also be considered in the light of the activities foreseen later (§ 4.1) on non-technical priorities concerning “Education, training and skills development”.

Envisaged actions (with links to KPIs)

Development of scalable exercise environments that multiply the capacity of hands-on technical exercises, trainings, simulations, experimenting, product testing and serious strategic games.

Developing and piloting the open-range concept to widen the range of beneficiaries, including cybersecurity specialists, universities, SMEs, policy makers etc. (KPI 7)

Creating standards for integrating different cyber ranges and federating existing ranges to enable large scale cross-border cyber trainings and exercises and to provide more versatile experiences to trainees, researchers etc. (KPI 7)

Developing and piloting of black box ranges to provide closed exercise environments for domain or company specific trainings.

Development of sustainable business models for both, open and black box ranges.

Creating automation modules to reduce the manual work necessary for preparing each exercise, training etc. session.

Development and piloting of analytics modules to enhance game session analysis (situational awareness, profiling of competences, weaknesses etc.).

Development and piloting of wider scale use of technical games environments by cybersecurity students as well as students of other relevant domains (e.g. law students, policy and governance students etc.), including preparing necessary training scenarios.

Development and piloting of using cyber ranges to conduct strategic (table-top) trainings for policy makers, lawyers, vital service providers etc., including preparing necessary training scenarios.

Researching, development and piloting of modules to support using cyber range environments to test new products and solutions in complex simulation situations to enable start-ups and SMEs to beta-test and market their tools.

Research and development to use technical ecosystems for profiling and certifying cybersecurity experts. (KPI 7)

Because of the important field experience in this pillar, the cPPP should consider the possibility to get some funding as part of H2020 projects and to coordinate with other existing programmes such as:

The ones managed by DG-Education and Culture, aiming to support permanent tools for continuous learning and skills development in specific domains (i.e., cybersecurity skills development addressed to non-cybersecurity sectors or workers).

The ones provided through the H2020 Excellent Science Pillar such as the networks of excellence or the industrial PhD, etc.

To conclude, below are listed the potential beneficiaries and their main benefits:

Potential beneficiaries and their benefits

Technical ecosystem for training, testing, exercising, evaluating, education, experimentation and validation activities

Policy makers: strategic trainings; testing policies and laws; testing international collaboration frameworks; raising awareness among public sector

Defence forces: strategic trainings, technical exercises; testing international collaboration frameworks; relationship building with colleagues

Start-ups, SMEs, innovative products creators: beta-testing products; testing tools in complex environment; marketing platform to specialists; selling products; input: new ideas for product development

Universities, R&D organisations: R&D platform resource development; teaching platform; awareness rising among other fields (politics, law, etc.); research (master’s thesis, doctoral studies); collaboration platform

Critical infrastructure providers, Large companies: training specialists, profiling specialists; profiling weaknesses, input to risks & business continuity management; testing tools; finding specialists to hire; federating own testing environment with larger ranges

Horizontal benefits / Challenges: National & international collaboration exercises (federated network of ranges); certification platform; ideas for new products development; Business model development; Trust building (testing teams); sustainable funding mechanisms; marketing, network building

6 Cyber technical projects / technical priority areas

6.1 Identification and analysis of technical priority areas.

Based on these previous considerations we have taken a solutions oriented approach when defining the technical priorities, focusing on those needs that have to be fulfilled to support citizens and organisations alike, reinforcing the “close to market” dimension of the cPPP.

In particular, when identifying the research priorities, the members of the cPPP SRIA WG have been driven by the main goals of the cPPP and were asked to identify those research and innovation challenges that would maximize the impact of their solution.

This process has led to a focus on the 5 key technical areas below, further split into several research challenges (see footnote 4).

In particular, we consider the following classification and grouping for the cybersecurity Products & Services:

Assurance / risk management and security / privacy by design

Identity, access and trust management (including Identity and Access Management, Trust Management)

Data security

Protecting the ICT Infrastructure (including Cyber Threats Management, Network Security, System Security, Cloud Security, Trusted hardware/ end point security/ mobile security)

Security services (including Auditing, compliance and certification, risk Management, cybersecurity operation, security training services)

6.1.1 Assurance / risk management and security/privacy by design

6.1.1.1 Scope

The “quest for assurance” in cybersecurity is a long-standing issue with many facets and related aspects. It is commonly agreed that, in order to be effective, security, privacy and trust considerations should be integrated from the very beginning in the design of systems and processes (i.e. security/privacy/trust by design). This entails a whole series of activities, including social and human aspects in the engineering process all the way to a certification that the developed systems and processes address the planned security/privacy/trust properties.

In addition to the aim of building a secure system, we often need to prove (through evidence) that the system is secure. This is also necessary when considering systems of systems, whose security depends not only on the individual security of subcomponents but also on the security of the integration of these subcomponents. The engineering process of the systems should thus take into account those security/privacy/trust/compliance requirements and should consider, in addition, costs and risks in the development process and in the system’s lifetime.

Indeed, cost and risk constitute two relevant factors in building and operating (security-sensitive) systems. The cost of developing security countermeasures should be related to the value of assets to be protected (and often in the digital world these are less tangible). Therefore the issue in this respect is not only cost, but also how a value can be assigned to one or more assets, used by an organisation in its own economic sector of activity. On the other hand, risk is linked to the capability to predict the current strength of the system. Thus security and corresponding risk metrics are crucial (as are other quantitative aspects of security).

This process of encouraging assurance techniques and processes can also be addressed by regulators. Indeed, the introduction of regulatory actions could ease and support the adoption of assurance techniques (delivering benefits to the overall security level of the infrastructures, systems and products).

Footnote 4: See the Appendix for a more detailed description.

Starting from these considerations, risk should be managed with respect to the assets to be protected, and investment in security should be aligned to the value of the assets. In this context, the residual risk could then be managed with other approaches beyond security countermeasures.

6.1.1.2 Research challenges

We suggest structuring the research challenges along the dimensions of security / privacy by design, security / privacy validation, and processes.

Security / Privacy by Design. By “security / privacy by design” we understand all methods, techniques and tools that aim at enforcing security and privacy properties at software and system level from the conception and guaranteeing the validity of these properties. Since the required security and privacy properties depend on the system context and the application domain, understanding these requirements and being able to precisely define them is a prerequisite. Hence, security requirements engineering is part of this discipline. In order to come up with practical, feasible techniques, emphasis should be on close integration with existing software requirements engineering approaches (like, for instance, those based on UML, but with a stronger focus on automation and modularisation) and the inclusion of risk assessments and needs. The identified requirements need to be formally traceable to security features and policies throughout all phases of the secure development lifecycle, considering the complete system view (which might include assumptions about the context that need to be enforced upon deployment).

Secure (programming) languages and frameworks. Secure programming languages and frameworks fulfil a set of requirements “by default” via enforcing secure architectures and coding. While there is an existing body of research in the field, there are typically good reasons why developers prefer potentially insecure approaches: performance, interoperability, ease of use, ease of testability etc. The challenge is to provide secure development and execution environments that are identical to traditional environments with respect to these qualities, but still allow the flexibility and expressiveness developers are used to (e.g., including higher order language constructs).

Open Source Security. A significant share of today’s security vulnerabilities stems from the fact that typical software applications are no longer monolithic but composed of hundreds, sometimes thousands of open-source components, whereby each component’s life-cycle is disconnected from that of the application and beyond the control of the application developer. A prerequisite for effective and efficient response processes is, on the one hand, complete transparency of an application’s supply chain (with the ability to track & trace every single application dependency) and, on the other hand, accurate and comprehensive vulnerability intelligence, e.g., with regard to affected component functionality, code and versions. Based thereon, application developers must assess the impact of a given open-source vulnerability in the context of a specific application, and contrast it with alternative mitigations and related costs.

Security validation. Security validation comprises all activities that aim at demonstrating the security qualities of (specified, implemented or deployed) software and systems. Hence, it includes formal verification, static code analysis, dynamic code analysis, testing, security runtime monitoring, and more. Since all of these methods have particular strengths and weaknesses, emphasis should not only be on their individual advancement (which includes increase of automation, coverage analysis, modularisation, soundness, efficiency), but also on understanding their complementarity. For instance, promising results have been achieved by combining static and dynamic code analysis, and further combination and interaction of different techniques are seen as a valuable approach towards managing complexity and increasing the quality of results.

Metrics. Metrics are key to understanding the security level of a system under development as well as in operation. Hundreds of metrics have been proposed, but they still lack a mapping to the actual risks that relate to a particular measurement. Hence, metrics should be derived from risk models and assessments, taking technical and business context into account and adapting to system and context evolution. This contributes to the quantification of security and privacy risks, as an ingredient of balancing the cost of security measures and their potential risk reduction. The cost typically can refer to several aspects of the system, including performance, or the accuracy, correctness and utility of the protected data. One major challenge in this context is to ensure that metrics are meaningful to market players in their own sector of economic activities, yet are comparable across sectors.

Methods for development of functionally correct and error free security protocols and interfaces. Security protocols and interfaces appear everywhere in secure system designs and their functional correctness and security properties are key to guarantee the overall security of a system. To enable efficient development and verification of security protocols and interfaces, tools and mechanisms for reliable and systematic protocol verification are needed. Academic efforts in this area include e.g. formal methods for protocol analysis based on model checking, epistemic logics and other formalisms. However, existing tools and mechanisms are limited and would need to be extended and made more efficient to be able to handle the complex real life protocols used in current security solutions where security features are deeply intertwined with low level details of the system functionality. Furthermore, there is a gap between languages and descriptions used by security engineers and those used by existing tools. This gap needs to be closed to bring the benefits of the academic work to the market.

Combination of functional safety and security. There is great interest in developing engineering methods that can tackle functional and non-functional aspects in a single approach. Security and safety are crucial, for instance in the interplay of real time aspects (e.g. delays introduced by crypto operations). Additionally, degraded modes due to safety or security issues should be taken into account, considering the role of cybersecurity in avoiding them and dealing with them.

Methods for developing resilient systems out of potentially insecure components. Building on research performed in the context of composing (secure) service oriented systems and system assurance and verification, models for specifying security and trust attributes of hard- and software components, that can be formally validated and verified, provide a baseline for system development methodologies which must guarantee a minimum (defined) level of resiliency for complex (cyber-physical) systems.
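The Open Source Security challenge above combines two inputs: a traceable dependency chain and vulnerability intelligence on affected versions and functionality. The following Python example is an added illustration, not part of the agenda; the package names, versions, advisory identifiers and the set of reachable functions are all constructed, and a purely numeric dotted version format is assumed.

```python
"""Trace an application's transitive dependencies and triage advisories.

Added illustration. Every package, version and advisory below is constructed.
"""
from collections import deque

ROOT = ("shop-app", "1.0.0")

# Constructed dependency graph: (name, version) -> direct dependencies.
DEPENDENCIES = {
    ("shop-app", "1.0.0"): [("webfw", "2.3.1"), ("imagelib", "0.9.4")],
    ("webfw", "2.3.1"): [("yamlparse", "1.2.0"), ("httpcore", "4.1.0")],
    ("imagelib", "0.9.4"): [("zipstream", "3.0.2")],
    ("yamlparse", "1.2.0"): [],
    ("httpcore", "4.1.0"): [],
    ("zipstream", "3.0.2"): [],
}

# Constructed vulnerability intelligence: affected versions are the half-open
# range [introduced, fixed), plus the functions that contain the flaw.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "yamlparse", "introduced": "1.0.0",
     "fixed": "1.2.5", "functions": {"yamlparse.load"}},
    {"id": "EXAMPLE-0002", "package": "zipstream", "introduced": "2.0.0",
     "fixed": "3.0.0", "functions": {"zipstream.extract"}},
    {"id": "EXAMPLE-0003", "package": "httpcore", "introduced": "4.0.0",
     "fixed": "4.2.0", "functions": {"httpcore.proxy_connect"}},
]

# Constructed: library functions the application can reach, as a call-graph
# analysis of the application would report them (assumed to exist).
REACHABLE_FUNCTIONS = {"yamlparse.load", "httpcore.request", "zipstream.extract"}


def parse_version(text):
    """Turn '1.2.0' into (1, 2, 0) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def trace_dependencies(root, graph):
    """Breadth-first walk; returns component -> shortest path from the root.

    Components already seen are skipped, so shared or cyclic dependencies
    are visited once.
    """
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for dep in graph.get(node, []):
            if dep not in paths:
                paths[dep] = paths[node] + [dep]
                queue.append(dep)
    return paths


def triage(root, graph, advisories, reachable):
    """Match every traced component against the advisories.

    A finding is 'reachable' when the application can call an affected
    function, and 'present-not-reachable' when the vulnerable version is
    shipped but none of the affected functions is reachable.
    """
    findings = []
    for (name, version), path in trace_dependencies(root, graph).items():
        for adv in advisories:
            if adv["package"] != name:
                continue
            low, high = parse_version(adv["introduced"]), parse_version(adv["fixed"])
            if not low <= parse_version(version) < high:
                continue  # installed version is outside the affected range
            used = sorted(adv["functions"] & reachable)
            findings.append({
                "advisory": adv["id"],
                "component": f"{name}@{version}",
                "path": [f"{n}@{v}" for n, v in path],
                "status": "reachable" if used else "present-not-reachable",
                "functions": used,
            })
    return sorted(findings, key=lambda f: f["advisory"])


if __name__ == "__main__":
    for finding in triage(ROOT, DEPENDENCIES, ADVISORIES, REACHABLE_FUNCTIONS):
        print(finding["advisory"], finding["status"], " -> ".join(finding["path"]))
```

The path in each finding shows which direct dependency pulls in the affected component, which is the information needed to compare an upgrade against alternative mitigations.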

6.1.1.3 Expected outcome

Integrated assurance frameworks (in a risk management approach) including the management of cost, efficiency and risks, able to merge security and safety aspects

End-to-end adaptive security engineering frameworks

Adaptation to specific operating context and related risk exposure (and their evolution)

Support of diverse deployment models (cloud, mobile, platform, platform services)

Increasingly resilient systems

User-friendliness, i.e. easy to comprehend and evaluate evidence

Link to cyber-insurance policy elaboration and dynamic management

6.1.2 Identity, Access and Trust Management

6.1.2.1 Scope

Despite being a well-established market in its own right, the Identity and Access Management (IAM) marketplace is still a dynamic and growing one. Notions of extended enterprises and more advanced B2B interactions based on Internet services become more commonplace, driven by e.g. cloud services, new hosting models and diversifying partners and relationships. Developments such as the Internet of Things (IoT) trigger diversity of form factors and capabilities of authentication tokens. Hence, current IAM approaches do not cater to the full range of needs created by the increasing mix of devices brought on by IoT, machine-machine and man-machine interactions and similar developments. Core challenges exist around cross-domain authentication, authorisation in new distributed contexts and the need to avoid monopoly situations and single points of failure, when users are authenticated and their authorisations are being checked. For end users to trust the digital society, they need to be able to not only understand but also manage the actual level of security delivered by different providers and control the degree of identification.

Indeed, individuals need to be empowered to develop trust in digital services and/or apps for them to make informed decisions. This calls for methodologies and tools to not only focus on Security and Privacy by design but also Trustworthiness by design. This calls also for proper lifecycles to be covered from development to management (monitoring) going through important steps such as certification, distribution and deployment. It also calls for innovation in managing the dynamic dimension of authentication, when a user’s identity needs to be re-assessed after an initial approval.

6.1.2.2 Research challenges

Usability of authentication. Overcoming the dangers caused by the often careless use and management of passwords will only succeed if alternatives are user-friendly and strongly embedded into applications.

Flexibility of authentication and authorisation. To support the appropriate degree of identification during authentication and authorisation, identity service providers need to offer a complete range of choices, so users and providers can agree on a mutually acceptable way of authentication. This includes also the different levels of authentication in terms of the sensitiveness of the service delivered by the provider, and in some cases the need to manage the dynamic dimension of an authenticated user (re-authentication during usage of a service).

Partial identities. Research is needed to build technologies that allow users to separate their identities for different aspects of life.

Certificate and signature sustainability. Identity certificates and other digital signatures need to survive the test of time, i.e. their integrity needs to sustain the whole period of commercial relevance and/or legal validity.

Scalability of authentication. Scalability has several facets. It refers to the number of transactions that need to be supported as well as to the abilities of the respective devices. It also needs to cover the management of sensitive authentication data.

Interoperability of authentication. As interoperability via intermediaries is creating major overheads and security risks, more direct approaches to interoperability need to be researched and tested through pilots, so that the relevant information can be accessed by those who need it, be it users, who want to qualify towards providers or the providers themselves.

Computational trust models. There is the need to define sound computational trust models able to cope with the heterogeneity of modern ICT infrastructures, ranging from IoT to cloud services.

Decentralized trust frameworks (e.g. blockchain). When dealing with trust it is always relevant to be able not to rely on a single authority but also considering decentralized trust models. This also extends to operations across several application domains.

Trust and big data. Big data heavily interplays with trust. On the one hand, we need to trust the collected data, i.e. who are the providers, who accessed the data etc.; on the other hand, data helps to define proper trust and reputation systems, often based on recorded evidence by several parties.

Credential personalisation. Initial security credential provisioning is a critical step within the chain of trust that must be ensured independently of which security technologies are used.

6.1.2.3 Expected outcome

Best practices in authentication are supported by usable technologies embedded seamlessly into applications, including management of different levels of authentication and dynamicity.

Users and relying parties are provided with a range of authentication options that they can choose from to agree on a mutually acceptable way of authentication avoiding over-identification, delivering the degree of assurance and liability appropriate for the respective service.

Citizens can enjoy the privileges of services needing strong authentication, focusing on those specific attributes that require this level of authentication.

Certificates and signatures remain valid for at least as long as the corresponding documents and trust relations are commercially relevant and/or legally valid.

Authentication operates in a distributed fashion without single points of failure on critical paths and considering small scale devices as used in the Internet of Things.

Authentication operates in an interoperable fashion without overheads and additional security risks.

Increased trust in the cyber world;

Requirements for trusted security credential provisioning (e.g. trusted secure elements)

More efficient on-line Business

6.1.3 Data security

6.1.3.1 Scope

A major characteristic of current and future systems and applications is the ever-increasing amount of valuable data that needs to be properly managed, stored, and processed. Data can be produced by systems as a consequence, for example, of interconnected devices, machines and objects in the Internet of Things, and by individuals as a consequence, for example, of business, social and private life moving on-line, thus including data resulting from observations (e.g., profiling) and data intentionally provided (e.g., the prosumer role of individuals). As the value of data increases, opportunities based on their exploitation and the demand to access, distribute, share, and process them grows. Highly connected systems and emerging computing infrastructures (including cloud infrastructures) as well as efficient real-time processing of large amounts of data (including Big Data methods and applications) facilitate meeting these demands, leading to a new data-driven society and economy.

The collected data is often of a highly sensitive nature (e.g. medical data, consumer profiles, and location data) and needs to be properly protected. With data being stored and processed in the cloud, and exchanged and shared between many previously unknown and unpredictable parties, this protection cannot stop at a single system’s border, but needs to be applied to data over its full lifecycle, independent of which system is processing the data, which access channels are used and what entity is controlling the data. Hence, a system-centric view on security and privacy, including, among others, secure devices and infrastructures (cf. sections below), needs to be complemented by a data-centric view, focusing on data lifecycle aspects.

Providing transparency on where data resides, who has access to it, and for which purposes it is being used, together with mechanisms that allow the data owner to control the usage of his/her data, have been identified by all areas of interest (AoIs) as essential aspects of a data-centric view and a prerequisite of a secure and privacy-preserving digital life. While research has already produced a number of relevant contributions (e.g., sticky policies, privacy policies, and techniques for protecting data at rest), many challenges remain open, including enforcement and usability. These challenges are not only of a technical nature: for example, lack of awareness of the value of data (and what data is actually produced when engaging in digital life) has been mentioned as an inhibitor of trust and growth of digital services.

6.1.3.2 Research challenges

A variety of challenges need to be addressed to take advantage of the availability of large amounts of data in a secure and privacy-compliant way. These challenges should cover issues related to the protection of data as well as the use of data for security.

Data protection techniques. The size and complexity of collected data in most cases leads to the use of cloud technology and to their storage at external cloud-based repositories using cloud-based services, which offer flexibility and efficiency for accessing data. While appealing with respect to the availability of a universal access to data and scalable resources on demand, and to the reduction in hardware, software, and power costs, the outsourced storage can potentially increase the risk of exposing sensitive information to privacy & security breaches and also links back to the trust issue highlighted earlier. The ensuing security and privacy requirements create the need for scalable and well-performing techniques allowing the secure storage and management of data at external cloud providers, protecting their confidentiality from the cloud providers themselves. However, protecting data means ensuring not only confidentiality but also integrity and availability. Integrity and availability of data in storage means providing users and data owners with techniques that allow them to verify that data has not been improperly modified or tampered with, and that its management at the provider side complies with availability constraints specified by the data owner. The variety of data formats (i.e., structured, unstructured, and semi-structured) makes the definition and enforcement of such techniques a challenging issue.

Privacy-aware Big Data analytics. We are in the era of Big Data where the analysis, processing, and sharing of massive quantities of heterogeneous data brings many benefits in several application domains. For instance, in the health care domain the data accumulating in health records can be used as the basis of predictive models that can lower the overall cost and significantly improve the quality of care, or can be used to develop personalized medicine. The application of Big Data analytics, however, can increase the risks of inferences that can put the privacy of users at risk. Anonymizing the sensitive data as a prior step can be of help, even though it diminishes the utility of the data for the later analysis. We therefore need to develop techniques addressing issues related to data linkage, the knowledge of external information, and the exploitation of analysis results.

Secure data processing. Distributed frameworks are often used for processing large amounts of data. In these frameworks, cloud providers processing data might not be trusted or trustworthy. There is therefore a need for solutions providing guarantees on the correct and proper working of the cloud providers. This requires the design of efficient and scalable techniques able to verify the integrity of data computations (in terms of correctness, completeness, and freshness of the computation results), also when the processing of the data is done in real-time, and to ensure that data is distributed, accessed and elaborated only by authorized parties.

User empowerment. For users or organisations there is great convenience in relying on a cloud infrastructure for storing, accessing, or sharing data, due to the greater availability, robustness, and flexibility, associated with significantly lower costs than those incurred by managing data locally. Unfortunately, this convenience comes at the price of a certain loss of control over data. Although cloud providers implement data protection features, in some cases linked to legislation and regulations, this protection typically consists in applying basic security functionalities and does not move beyond this security to actually provide the data owner with effective control over his/her data. This situation has a strong impact on the adoption and acceptability of cloud services. In fact, users and organisations placing data in the cloud need to put complete trust that the providers will correctly manage the outsourced information. There is therefore the need to re-empower users with full control over their data, enabling them to a) wrap data with a protection layer that offers protection against potential misuse, created by a cyber-breach or an incidental access and b) manage data across its complete lifecycle.

Operations on encrypted data. The confidentiality of data externally stored and managed is often ensured by an encryption layer, which prevents exposure of sensitive information even to the provider storing the data. Encryption can increase the complexity of accessing and retrieving data. The research community has increased its efforts to support efficient fine-grained data retrieval and has developed solutions based on specific encryption schemes or on the use of indexes (metadata) that support query functionality. With respect to the use of specific encryption schemes, any function can, in theory, be executed over encrypted data using (expensive) fully homomorphic encryption constructions. In practice, however, efficient encryption schemes need to be adopted. An interesting problem is then how to select encryption schemes that maximize query performance while protecting data according to defined security requirements (e.g., data should be encrypted in a way that the frequency of values is protected). With respect to the use of indexes, we note that indexes should be clearly related to the underlying data (to support precise and effective query execution) and, at the same time, should not leak information on the data to observers, including the storage provider. Another important dimension is that when indexes are combined with other protection techniques (e.g., access control restrictions), these combinations should not facilitate or increase the risk of privacy breaches. The design of inference-free indexes that can be combined with other protection techniques without causing privacy violations is a key aspect that requires further investigation.
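The frequency-protection requirement above can be made concrete with a small added example (not part of the agenda): a deterministic keyed equality index over an encrypted column hands the storage provider the plaintext value histogram, while a salted index that caps how often any token repeats flattens it. The sample column, the key, the `cap` parameter and all function names are constructed for this illustration.

```python
import hashlib
import hmac
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

# Constructed demo key; a real deployment would keep this with the data owner.
KEY = b"constructed-demo-key"

# Constructed sample column with a skewed value distribution.
COLUMN = ["flu"] * 12 + ["asthma"] * 6 + ["diabetes"] * 3 + ["rare-x"] * 1


def token(value: str, salt: Optional[int] = None) -> str:
    """Keyed equality token; the provider only ever sees this hex string."""
    msg = value.encode() if salt is None else f"{value}\x00{salt}".encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()[:16]


def deterministic_index(column: List[str]) -> List[str]:
    """One token per distinct value: fast equality search, full frequency leak."""
    return [token(v) for v in column]


def flattened_index(column: List[str], cap: int) -> Tuple[List[str], Dict[str, int]]:
    """Salt each value so that no token occurs more than `cap` times.

    Returns the index tokens plus the per-value counts, which the data owner
    must keep as client-side state in order to build queries later.
    """
    seen: Counter = Counter()
    tokens = []
    for v in column:
        tokens.append(token(v, seen[v] // cap))
        seen[v] += 1
    return tokens, dict(seen)


def query_tokens(value: str, counts: Dict[str, int], cap: int) -> Set[str]:
    """All tokens the client must send to retrieve every row holding `value`."""
    n = counts.get(value, 0)
    return {token(value, s) for s in range(-(-n // cap))}  # ceil(n / cap) salts


def search(index: List[str], wanted: Set[str]) -> List[int]:
    """Provider-side lookup: row positions whose token is in the query set."""
    return [i for i, t in enumerate(index) if t in wanted]


def provider_view(index: List[str]) -> List[int]:
    """Token frequencies, largest first: what an observer of the index learns."""
    return sorted(Counter(index).values(), reverse=True)


def leaks_histogram(index: List[str], column: List[str]) -> bool:
    """True if the token frequencies equal the plaintext value frequencies."""
    return provider_view(index) == sorted(Counter(column).values(), reverse=True)


if __name__ == "__main__":
    det = deterministic_index(COLUMN)
    flat, counts = flattened_index(COLUMN, cap=3)
    print("deterministic:", provider_view(det), "leaks:", leaks_histogram(det, COLUMN))
    print("flattened:    ", provider_view(flat), "leaks:", leaks_histogram(flat, COLUMN))
    print("rows for asthma:", search(flat, query_tokens("asthma", counts, 3)))
```

The flattened index still reveals a partially filled last group per value, and the tokens sent together in one query become linkable to each other, which is the access-pattern concern raised under query privacy.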

Provenance and quality of data. The impact of data in our daily lives is growing. For instance, it is possible to collect medical data from individuals via smartphones or medical “self-tracking” devices. New “intelligent” meters installed in personal homes give greater control to home owners on their overall energy consumption. The collection, analysis, and use of data allow individuals to take preventive actions, make healthier choices, manage their ecological impact etc. Across all these scenarios, it is important to establish an agreed and understood level of trust on the data – without this, potential cyber-intrusions can create a huge backlash and completely block the pro-activeness of citizens in acting to improve their own quality of life. In this context, tracking data provenance is key to: i) verifying whether data originates from trusted sources and has been generated and used appropriately; and ii) evaluating the quality of the data. The definition of a formal model and mechanisms supporting the collection, persistence and transparency of information about the creation, access, and transfer of data is therefore of paramount importance.

Query privacy. In several scenarios neither the data nor the requesting user have specific privacy requirements but what is to be preserved is the privacy of the query itself (e.g., a query that aims at retrieving information about the treatments for a given illness discloses the fact that the user submitting the query is interested in this illness). It is therefore important to design efficient and practical solutions (possibly exploiting the presence of multiple providers to increase the level of protection) that enable users to query data while ensuring access confidentiality (i.e., protecting the user query) with respect to the provider storing the data. Effective protection of query confidentiality requires not only protecting confidentiality of individual queries, but also protecting confidentiality of access patterns.

Big data secure storage. Protection and security of data, especially those of public interest (data relevant to CII and IIS), are crucial. The amount of data processed in both the public and private sectors is growing and so is the need for its storage, leading to an ever increasing uptake of cloud-based solutions. However, when combined with the increasing use of online services, the security of the storage solutions not only has to be implemented, but also has to be credible and demonstrable to expert and non-expert users.

6.1.3.3 Expected outcome

Secure and privacy aware data processing and storage

Advanced mechanisms that protect effectively users’ privacy and guarantee the integrity and confidentiality of their sensitive data

Efficient management and increased deployment of data-encrypted processing and storage solutions

User friendly (i.e. also for non-expert users) transparency and control options incorporated as “standard features” across all storage solutions

Increased and efficient uptake by users of the transparency and control options

6.1.4 Protecting the ICT Infrastructure

6.1.4.1 Scope

The increased interconnections created within the Internet as well as between the Internet and critical infrastructures have made our society vulnerable to attacks that spread across hundreds of thousands of computers, mobile devices or even intelligent connected objects at lightning speeds. This is one of the most challenging dimensions of cybersecurity: the speed and scope of cyber-attacks or incidents.

Furthermore, the ability to remotely compromise intelligent devices coupled with the potential value that can be created by stealing information or modifying operations through a device under attack has created a completely new environment for cyber-criminals.

Society, businesses and governments have become increasingly dependent on the correct and uninterrupted operation of networks, both at global and local levels. On the other hand, cyber criminals and terrorists are becoming increasingly skilled at compromising networks through sophisticated attacks. Therefore, all networks constitute, in one or more dimensions, a Critical Information Infrastructure – CII.

Unfortunately, contrary to the physical world where barriers can in some cases limit negative impacts, cyber-space is effectively without frontiers, at least across the democratic regions. In this context, cyber-space has to inherit from the physical world a concept of “barriers”, through a pro-active approach to protect critical information infrastructures. Strategic management of CIIs has to balance the benefits created through “ease of connection and remote control” versus the increased level of risks.

The protection of the infrastructure therefore requires a holistic approach pervasive across all the communication dimensions, including also the software and hardware involved in the network and connected to the network.

For instance, secure execution environments can be used by the software across solutions and services. These secure execution environments not only encompass the execution platforms and the operating systems, but also the mechanisms (e.g. security supporting services, control and intrusion prevention systems) that ensure a pre-defined level of security in the execution of all processes.

Another dimension is the hardware level, covering a broad range of fixed and mobile devices. Also important is the increasing use of IoT devices, and the set of pre-requisites to be fulfilled prior to trusting a connected device whether this device is used in the field of Critical infrastructure, Industry 4.0, Automotive (ADAS, V2V, V2X), Smart City, Smart Home, Building Automation, Healthcare, Wearables or any other connected system.

6.1.4.2 Research challenges

Secure network design, usage and management. At the network level, research on security topics is especially required for security-by-design, risk assessment, privacy and data leakage, and attack/malware/misuse detection and mitigation, across all layers. This includes both network usage and network management. On the usage side, network security research needs to take into account the move towards network virtualisation. On the management side, network security research needs to take into account network deployment and management, connectivity, and resilience of network operations under malicious and accidental faults.

Control and intrusion prevention systems. Just as a body needs an immune system, it is essential to provide control and intrusion prevention systems to effectively monitor the state of the environment and rapidly react against a wide range of (potential) threats - from short lived threats to severe and continuous ones. This challenge also addresses the need to share information across operators to speed up the detection of developing incidents.

Secure integration. As multiple systems and paradigms increasingly interact with each other in distributed and dynamic environments, it is crucial to achieve a fully secure integration across these systems. Not only do we need to allow novel technologies to cooperate with each other, but we also need to consider the migration of legacy systems, whose components and protocols are not usually able to cope with the latest and upcoming security and privacy risks. One key dimension also includes managing the (future) integration of unknown systems, reflecting the reality that infrastructures are in constant evolution in terms of breadth of connected devices and level of interconnection with other networks. This is also developed further in a later priority.

Network Intrusion Detection Systems. Network Intrusion Detection Systems are currently often based on the “perimeter security” paradigm. The externalisation of IT resources to outside providers and new approaches to hardware, such as BYOD (bring your own device), make the notion of perimeter obsolete. Intrusion Detection Systems need to adapt in order to be able to work in an environment where there is no perimeter.

Secure execution platforms. In order to provide a secure execution environment, the platforms themselves (e.g. cloud servers, mobile devices, processors in cars, IoT devices) must guarantee the secure execution of all operating systems and services. However, this is not a trivial task. In current paradigms, like cloud computing, the attack surface has expanded, and new risks and threats have appeared, without a structured management of the expansion. This also extends beyond the technical challenge to incorporate who is actually in charge of controlling and managing this expansion. The technical solutions have to ensure that they provide the teams in charge with appropriate tools to implement these controls.

Bring Your Own Device (BYOD). BYOD is a major trend in organisations, with trends indicating that well over 50% of workers will be mobile by 2020. Research challenges therefore have to address both the complexity of dynamic networks, as already addressed, and the flexible and secure connectivity of the devices across networks while making them part of the security management operations at network level.

Security-supporting services. Secure execution environments require several security-supporting services, such as data protection and secure communication protocols. Software services can be complemented by the use of security-supporting devices, such as specific cryptographic hardware (Hardware Security Modules).

Operating systems (OS) security. Each application is only as secure as the OS it runs on. As a result, the isolation of applications and the minimisation of the attack surface become a necessity. The benefits from component-oriented design (i.e. reusability, adaptability) can be brought to operating systems by defining standards to which operating systems components must adhere.

SIEM. The Security information and event management (SIEM) market is defined by the customer's need to understand, prioritise and analyse security event data in real time for internal and external threat management, and to collect, store, analyse and report on log data for incident response, forensics and regulatory compliance. Forensics of mobile computing platforms and fraud protection also constitute research challenges.

Legacy management support. The Internet of Things increasingly connects novel objects to infrastructures. In this context, the handling of how legacy network systems can adequately manage and guarantee security and resilience when allowing interaction with totally new devices has to be addressed.

6.1.4.3 Expected outcome

A larger base and range of data is available for a comprehensive and precise security analysis

New threats are detected more rapidly through the increased collaboration and available information – solutions are deployed more rapidly, new security practices are routinely incorporated to the security assessment of system managers.

Security control and intrusion prevention systems become more efficient and adapted to new and dynamic environments

Network operations become more resilient

Design guidelines and products implementing secure execution platforms, including secure boot, remote attestation, and secure virtualized environments

Operating systems designed according to new security guidelines

Security supporting services allow data protection and device protection

Best practices for integration of secure components in a secure system with interoperability and management in distributed systems

Secure virtualisation environments ensuring isolation for different architecture paradigms (e.g., virtual machines, containers, etc.)

Trusted cloud operational environment based on dynamic root of trust and anti-tamper security hardware

Incorporation of mobile device owners in the overall security policy of a network (at technical and at collaborative levels)

6.1.5 Cybersecurity Services

6.1.5.1 Scope

This topic focuses on the processes (and their constituent elements) required to provide, manage and measure privacy and security, and the tools required to support them. The issues apply to formal and informal socio-technical organisations of all types and scales from individuals and families, through SMEs, to large businesses and governmental departments, multi-national corporations, nation states, the European and the society at large.

Cybersecurity services can be delivered through a wide diversity of models, ranging from internal services (hosted within the customer organisation) to external (used from external hosted resources) and consultancy based approaches. The choice between these models is made for a wide variety of reasons, from economic to sensitivity of operations, from internal capability at technological level to ease of use and flexibility of external approaches.

For instance, large organisations (and ones for which security is a core business function) may elect to perform security processes using only internal resources, but increasingly, the complexity and wide coverage of the required skills and tools make outsourcing a more attractive option. For smaller organisations, affordability issues often make automated security-as-a-service (SaaS) offerings more attractive. Micro-businesses and individuals are likely to want fully holistic solutions.

But across all these dimensions, cybersecurity services increasingly have to address an end-to-end approach, and have to start from the values (and therefore assets) that are important to the business in which customers operate.

How many man-hours will be lost if a process stops? If an asset stops operating? What will be the cost of reputation damage created if data is leaked to the outside world?

One increased complexity is the notion of responsibility: outsourcing some or all security functions does not absolve a customer organisation of its actual responsibility with respect to the outside world of customers, partners and society as a whole.

Temple model of security processes

Cyber-security services can be analysed through a ‘temple’ model, used to categorize security processes and the services used to deliver them. The pillars of the temple are the five core functions of the NIST cybersecurity framework [5]:

Identify: maintain a complete and accurate model of the organisation being protected and its business context;

Protect: Develop, implement and operate the appropriate safeguards to ensure continued delivery of the organisation's key services;

Detect: Develop, implement and operate the appropriate activities to identify the occurrence of cybersecurity threats, attacks, breaches, etc.

Respond: Develop, implement and operate the appropriate activities to take action regarding a detected cybersecurity event.

Recover: Develop, implement and operate the appropriate activities to restore any capabilities or services that were impaired due to a cybersecurity incident.

The temple pediment represents Governance, Risk and Compliance (GRC):

Governance: the strategic management of security processes, including setting policies and defining a prioritised approach to risks;

Risk: modelling, analysis, assessment, treatment, etc. of security risk

Compliance (including certification): Measuring/assessing/auditing/certifying the extent to which internally and externally set security policies and standards are a) followed, and b) effective.

6.1.5.2 Research Challenges

Research challenges include the following:

Security-supporting services. Definition and reference implementation of a full range of composable security-supporting services to allow construction of security solutions for all types and scales of organisations. This also extends to managing the evolution of organisations, in terms of dimensions, operations, change in prioritised assets, new business contexts etc.

[Figure: temple model of security processes. Pillars: Identify, Protect, Detect, Respond, Recover. Pediment: Governance, Risk and Compliance]

[5] ‘Framework for Improving Critical Infrastructure Cybersecurity’, Version 1.0, National Institute of Standards and Technology, February 12, 2014, http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf

Practical Certification Schemes. Means of certifying compliance that are practical and affordable to apply, and meaningful to customers and other stakeholders. Automated means of assessing compliance against multiple external and internal standards, including compositional methods.

Methods to reduce and manage systems complexity. GRC methods and tools taking into account the full complexity of organisations and the security context, but making this complexity manageable via a visual interface.

Quantification of Risk. Improved means of modelling, analysing, assessing and quantifying risk.

Dynamic Risk assessment and management. Development of real-time risk-assessment and management tools taking into account the dynamic status of the organisation, its systems, and its threat environment. Tools and services for real-time situation assessment and decision support, response and remediation planning and supervised enactment, autonomous response with safeguards and supervision. Enabling security policies and processes that adapt in the face of an evolving threat environment.

Cyber Insurance. Innovative services to provide affordable and trusted means of transferring security risk to an external party, including the definition of policies through a collaboration between the customer and the insurance providers and the dynamic management of the policy in relation to the environment of the customer, external threat intelligence and other sources of intelligence.

Security validation. Improved, automated auditing and testing tools and services.

Down-scaling and Up-scaling. Making enterprise-level security available to, usable by, and affordable for SMEs, micro-business and individuals; developing security process models and institutions for composite and de-centralised organisations (federations, dynamic virtual organisations, business and social ecosystems, etc.).

6.1.5.3 Expected Outcomes

Definition of a cybersecurity strategy by each individual organisation, building on concrete and quantified prioritisation of assets most at risk linked to the business sector in which the organisation operates

Inclusion of cybersecurity policy as a strategic decision at executive / board level of organisations

Cyber-insurance policies becoming the norm across organisations, building on a common definition of “level of cyber-risks”, but an adaptation / personalisation to how this level is selected by an organisation based on its own operating context

European organisations and individuals have access to comprehensive security management solutions in line with their contexts, affordable, and evolvable to keep pace with escalating threats and innovations in technology and practice.

European organisations and individuals provided with support and processes that help detect and respond to internal and external threats and failures, enable them to function under adverse conditions, and self-repair in order to resume normal operations as soon as possible.

Creation of a dynamic and innovative European market in cybersecurity services, which will itself yield significant economic benefit, as well as serving the needs of European organisations.

7 Innovation deployment and validation

The budget for the integration projects is quite important and is divided into the main areas for transversal validation of innovative technologies and services. Particular emphasis is given to the area of secure networks and ICT, as considered fundamental and strategic for Europe and the possibility to develop solutions in sensitive / strategic areas where an increased Digital Autonomy is needed.

7.1 Cyber trustworthy infrastructures

These projects would see the use and validation of existing or newly developed technologies / services bringing innovative solutions to trustworthy infrastructure.

These projects are an extension (and effective application) of what is presented in the technical priorities for R&I actions.

7.1.1 Digital citizenships (including identity management)

Digital Citizenship, with all aspects related to Digital Identity Management and secure access to all Public Administration services, is rapidly proceeding in all European nations, and this requires adequate protection of the related platforms; the Cyber Infrastructure for digital citizenship is therefore also a priority.

More details on this topic are given in section 5.1.2 and 10.1.2.

7.1.2 Risk management for managing SOC, increasing cyber risk preparedness plans for NIS etc.

More details on this topic are given in section 5.1.1 and 10.1.5.2.

7.1.3 Information sharing and analytics for CERTs and ISACs (includes possibly trusted SIEM, cyber intelligence

New services are more and more based on information sharing and data analytics, with data gathered from the web, from sensors, and from information providers. Data must be protected and trusted if we want to generate value from them, especially if we think of applications such as Health, Finance, and Critical Infrastructures. Therefore we also have to consider as a priority the related Cyber Infrastructures for Information sharing, storage and analytics, with relevant support given by the Cyber Infrastructures for Intelligence, Threat and Risk Management, relying on technologies such as Artificial Intelligence, High Performance Computing, and Advanced Visualization. Probably the budget related to these two last cyber infrastructures can be lower, but the activities cannot be delayed in time.

More details on this topic are given in section 10.1.4.

7.1.4 Secure Networks and ICT (Secure and trusted Routers, Secure and Trusted Network IDS, Secure Integration, Open source OS)

Europe needs priority investments for R&I and deployment in market leading / sensitive sectors with strategic solutions and services.

For instance, the evolution of communication networks towards 5G is ongoing, and is also linked with new releases of 3GPP and ETSI standards. The 5G goal of providing an ecosystem for reducing costs and favouring new services on top is directly related to solutions considering multiple bearers, network slicing, network functions virtualization with provision via Cloud, … All these solutions need increased protection from Cyberattacks, and also a way to validate the guaranteed reliability and level of protection of each component within the ecosystem. Therefore Cyber Infrastructure for Secure ICT is necessarily a top priority in the budget.

In the strategic market segments of operating systems, computer and mobile phones manufacturing, routers, processors, components and other various software, Europe suffers from a technological dependence in information technology vis-à-vis foreign providers.

We should reduce the weakness of the EU supply chain by developing European ICT / cybersecurity technologies / solutions for increased digital autonomy, like routers, SIEM, IDS etc.

The European industry needs an investment effort for R&I and deployment in these areas that can only be supported at a European level. An investment of this scale cannot reasonably be undertaken by one Member State alone. In cybersecurity, when “national products and services” exist, they often correspond to specific “national sovereign needs” and are not usually capable of competing on a global scale. Although Europe has some positive examples of cybersecurity industry, their number and size in other sectors remain limited on the global scale.

We can identify a few major projects that should take place at European level due to the complexity and the amount of budget involved. These projects should allow the development of competence and competitiveness in strategic NIS elements and global leadership.

Member States administrations could help to identify specific cybersecurity capacity needs and flag them in their priorities for EU funding or other kind of private funding for further market implementation of the developed / tested solutions, hence driving the development for an effective final use.

We have identified, for instance, a group of urgent concrete projects that would further allow the development of strategic components and national capacity building.

o European trusted and secure router (such development requires significant investments which no country and private company can afford alone, though it is one of the most strategic elements in the network)

o European Trusted Intrusion Detection System (IDS), host terminal and network based, to ensure detection rules can be trusted: design should be adapted also to cloud architecture

o Open source operating system for trusted services

o …

7.2 Demonstration/ cyber pilots projects

As mentioned, the hyperconnected infrastructures (the Area of Interest 3 of the NIS WG3 SRIA) represent the set of vertical sectors where secure ICT is deployed and used. Each of these vertical sectors (also named application domains) demands specific aspects of cybersecurity. These needs will be analysed and projected onto research products, services and capabilities that in turn need new research and innovation. We list here the main elements of these vertical sectors, knowing that they have a special role in the cPPP, where specific WGs are planned for those sectors.

We describe hereafter the main issues (for a full account see the NIS WG3 SRIA):

Smart Grids (Energy)

Transportation (including Automotive / Electrical Vehicles / Logistics/ Aeronautics/ Maritime)

Smart Buildings and Smart Cities

Industrial Control Systems (Industry 4.0)

Public Administration and Open Government

Healthcare

Finance and Insurance


Smart Grid (Energy)

A Smart Grid can be defined as a process, rather than a product. It is the digitalisation of the electricity infrastructure and it is the transition from a closed, centralized, analogue infrastructure to an open, largely decentralized, digital infrastructure. A Smart Grid is the transition from a system where generation, based on fossil fuel, adapts to users' consumption, to a system where user consumption must be flexible enough to adapt to the fluctuations of the renewable based generation. Finally, a Smart Grid is a system where electricity is traded as a commodity on international marketplaces. The benefits of the Smart Grid are envisioned to be a more economic, sustainable and reliable supply of energy.

However, significant security concerns have to be addressed for this scenario, due to the possible dangers of missing availability of energy for customers, as well as threats to the integrity and confidentiality of customers' data. These concerns are of particular relevance, because energy grids have a significantly longer lifespan than telecommunication networks. In addition, privacy concerns have risen, such as the possibility of creating behavioural profiles of customers if their energy consumption is transmitted over the Smart Grid in small time intervals. In particular, the attack surface is increasing over time in the Smart Grid for two reasons. Firstly, an increased amount of private sensitive customer data is available to service providers, utilities and third-party partners. Secondly, new data interfaces such as new and improved meters, collectors, and other smart devices create new entry points for attackers.

Resilience has always been the prime goal for the operators in charge of the generation, transmission and distribution infrastructures. In Europe, these operators have a long track record of success in containing accidents, avoiding blackouts, and mitigating the effects of natural disasters. With the Smart Grid, cybersecurity is now at the core of their efforts to provide a resilient infrastructure. The issues linked to cybersecurity follow from the very nature of the Smart Grid transition. It should be assumed that all software components could be compromised, either because they are exposed to the Internet or because physical security can be bypassed. It should be assumed that all components of the Smart Grid, from smart meters to power plants or relays, could be targets for cyber-attacks, as well as the SCADA systems used to monitor these software components. As mentioned earlier, users' privacy should be enforced, and the mechanisms of trading marketplaces should be resilient.

The fact that any component might be compromised is commonplace on the Internet. The obvious solution is to rely on encryption whenever data is transmitted or stored. The problem then is (i) to secure encryption keys, (ii) to secure encryption and decryption and (iii) to secure the computation that takes place on decrypted data. The existing hardware protection techniques (e.g., trusted execution environments or hardware secure modules) can be used to guarantee confidentiality and integrity (as the sensitive data is protected in hardware that can provide tamper-resistance and tamper-evidence), but the availability can depend on the level of protection of the software that accesses the secure hardware. Sandboxing techniques can be used to contain the computations on decrypted data. Note that these techniques address the issues linked to cybersecurity as well as privacy.

The challenges thus are the following. First, the use of hardware protection techniques must be integrated in the software development processes that shape the Smart Grid. Second, it is crucial to devise denial of service defence methods that do not disrupt the Smart Grid. Third, the Smart Grid architecture and governance must be such that compromised components are detected and isolated in a way that minimizes the impact on the rest of the infrastructure. Finally, disaster recovery testing techniques.

Transport

Transportation systems are becoming increasingly complex, incorporating numerous, intricate control systems and sub-systems working in parallel; also, they interoperate in an environment composed of a large number of diverse service providers, across several countries. A wider use of communications and information technology will increase the efficiency and functionality of transportation systems. The increase in complexity, functionality and connectivity comes at the price of an increased vulnerability. These complex infrastructures will be highly distributed and thus difficult to protect; besides, it is also important to consider that every country has its own networks and every transport operator has its own strategy regarding the protection of its infrastructure. Vehicles and other means of transport will be connected to communication networks to support infotainment, safety and emergency functionalities. Transport support systems will be more easily accessible by nomadic users – this is a truly indispensable factor in the transport sector. This new scenario will introduce new threats and risks, and more critical dependencies with risk management, prevention, infrastructure monitoring, collaboration and crisis management, and user data privacy. Some challenges in security and resilience will be common factors across the different types of transport: assessing and managing risks, preventing attacks, monitoring and protection, unauthorized data access, modification or destruction, managing incidents, privacy of users' data, and secure and precise positioning of transport means and goods.

Smart cities

The term “Smart City” provides an umbrella that integrates various types of infrastructure, including traffic light management, smart factories with industrial control systems (ICS) (covered in their own section), power plants (also covered in their own section), public transportation (covered in its own section as well), and smart buildings. Smart buildings can be considered a key component of today’s infrastructure and today’s smart cities, as they are also a surrounding element for other infrastructure. For instance, a smart factory can be located inside a smart building, which provides physical access control (PAC) and other functionality for the industrial control system (ICS). Although not always a critical infrastructure, a smart building can be basically everything from a small smart home to an international airport, including all its automated components, such as baggage transfer, air-conditioning, smoke removal systems, or heating.

Addressing side channels and covert communications in smart cities is an essential challenge, as the feasibility of observing inhabitants, citizens, or employees working or living in buildings, as well as elders in Ambient Assisted Living (AAL), is linked to serious threats (e.g. selling electronic healthcare sensor data on the black market). Data leakage protection of sensor data must thus be achieved, which can be done by securing wireless sensor networks (WSN) and other technology used in smart cities, and especially in smart buildings. One challenge in this regard is the increasing inter-connectivity of smart systems (“systems of systems” within the Internet of Things, IoT), which leads to additional security threats previously not foreseen by the design of these systems.

In an extended scenario, so-called smart building botnets or cyber physical botnets (CPS botnets) are thinkable and feasible, i.e. botnets that consist of a high number of CPS such as buildings and utilize their sensors and actuators to perform malicious activities. Some of the thinkable activities performable by such botnets are mass surveillance as well as complex scenarios. For instance, a (regional) oil/gas seller might use a smart building botnet to slightly increase the heating levels in its customers’ homes each night in order to force them to order oil/gas sooner than they would actually have needed to. To achieve stealthy mass surveillance (which can be used for data leakage as well), it is expected that “network steganography” can serve as an enabling technology.

Industrial Control Systems

Industrial Control Systems, as used in Water, Food, Nuclear and Chemical operations, form a diverse ecosystem with varying components and protection goals. A shared feature of those – as well as similar systems in transport, electricity and manufacturing – is that the security maturity level is largely rather low, and many deployed systems have no security whatsoever. In the past, this was argued to be acceptable, as these systems were operated as separate islands with no connection to the outside world. With the increasing use of off-the-shelf components, remote maintenance and system integration, as well as the increasing realisation that air-gapping rarely works in a practical system deployment, those systems are now increasingly exposed to external attacks, and data gathered from commercial companies and national CERTs show a massively increased number of targeted attacks in this domain.

So far, in the industrial control system domain, great emphasis has been placed on safety issues, while security in many systems plays a minor role. This does give some starting point: the safety culture already accepts investments in product features that do not add functionality in this sense, and requires strict procedures and documentation. At the same time, safety and security often conflict: a firewall or encryption on a communication layer adds security, but also adds an additional point of failure from a safety perspective. This, together with the need for easy maintenance, is also one of the reasons why many systems lack any meaningful access control, which is one of the primary security controls in IT systems.

As opposed to normal IT components, ICS components usually have a very long lifetime, sometimes remaining in the field for decades. Thus, any security concept needs to be prepared to integrate legacy systems and architectures, and new systems need to be ready for requirements for an extensive period, without resulting in excessive pricing. An additional problem arising from this long lifetime is the availability of the suppliers; few suppliers are willing to commit to provide maintenance and security patches for such a long time, and there is a high probability that some suppliers or their subcontractors may be outlived by their devices. One recent example is Windows XP, which is still widely used in the ICS domain, but which is being phased out by the supplier and will have very limited support in the future. Consequently, a number of ICS systems have been hit by classical botnets, i.e., attack programs that had no intention to sabotage a control system, but scan the internet for outdated systems and turn them into spam-bots.

Due to their nature, many components in ICS systems are constrained in a number of ways, such as available memory, computation power, or user interfaces (this can be very case specific: while some components are essentially full PCs, others are highly optimized for cost and extremely constrained). This restricts the number of available security controls, and further complicates future-proofness. In addition, constrained memory forces programmers to cut corners, while secure code usually includes additional checks, controls, and error handling routines that eat up memory (lack of proper input validation is a common issue in ICS components). Furthermore, many ICS components have little hardware support (such as execute-bits) or operating system support for security, making it even harder to produce secure code. This issue is amplified by the generally low security maturity in the ICS component domain: ICS security rarely got attention comparable to IT security, and few suppliers had a need to implement security coding competence and policies. This is matched with a low maturity level on the procurement side; just as some suppliers struggle to implement secure devices, so do buyers struggle to clearly define requirements for the procurement process.

With ICS systems being increasingly connected, there is also an increasing level of dependencies, many of which are not well defined. A number of control systems, for example, require precise time, which is acquired from the GPS system, which creates a common point of failure over numerous systems. Furthermore, many manufacturers require a remote maintenance possibility, which will massively complicate any security architecture.

ICS systems can reach an enormous level of complexity: the biggest example, the smart grid, covers an entire continent with a system that has literally hundreds of millions of components. It is well known that software services of this level of complexity are difficult to execute (see footnote 6), and therefore also difficult to execute in a way that results in a secure system. Digitizing an already complex control system is therefore something that requires a high level of skill in planning and execution, which may not always be available. Furthermore, increasing complexity and reliance on digital components make it harder to revert to a manual backup plan. For the time being, it is still possible in many systems to at least safely shut them down manually, which is a property that is increasingly disappearing.

eGovernment

Public services are at the core of modern societies, and their availability and trustworthiness is a key enabler for economic growth and social innovation. Innovation in Public Administration is influenced by different drivers, such as the necessity to cut costs and to “do more with less”, the rising expectations of citizens with respect to participation and openness of public processes and data, the pervasive availability of mobile devices which represent a ubiquitous entry point to services, the mass usage of social media, and the obsolescence of old legacy systems versus the growing trend toward cloud-based ICT infrastructures for Governments. All in all, governments must engage with the wider public and follow the open government principles in order to “make the services more user-friendly and effective, improve the quality of decision-making, promote greater trust in public institutions and thus enhance public value” [EC13], but at the same time they have to cope with strong economic constraints, which require the conception of new sustainability strategies and the reuse of best practices and solutions across all governmental levels. The key role played by ICTs in such transformation is both a fundamental enabler and a source of issues. Indeed, for example, digitalisation of public services and mobile government (mGovernment can be seen as the extension of eGovernment to mobile platforms) on the one hand help improve the efficiency of the back-office and provide users with better and ubiquitous services, and on the other hand increase the attack surface and cause new security issues and privacy concerns, including distributed denial of service, identity theft and information leakage.

6 http://www.iag.biz/images/resources/iag%20business%20analysis%20benchmark%20-%20full%20report.pdf

eHealth

The massive trend towards seamless system and data interconnection, mobile services, smart devices and data analytics has already started and will lead to revolutionary changes in health care and nursing. Healthcare systems have been evolving during the last years to address the new challenges deriving from the new social and economic conditions Europe is experiencing: an ageing population, a continuing increase in chronic disease, overlap between health and social problems, new family models and the request for a rationalisation of healthcare costs. The following factors can contribute to meeting these challenges:

Citizens' empowerment, easing the adoption of healthy lifestyles to prevent chronic diseases and, as a consequence, leading to a reduction of healthcare costs

Reinforcing community care and its integration with hospital care (integrated care), which are enablers to put the patient at the centre of the healthcare system and benefit in this way from a better management, for instance, of chronicity, physical inabilities and new family compositions.

In this scenario, ICT will play a relevant role in enabling eHealth for citizens’ empowerment and eHealth for integrated care. Specifically, to address these two aspects, which are strictly related to each other, it will be necessary to move towards a digitalisation of all the healthcare levels, which is a precondition for putting citizens / patients in a position to exploit and use all the information – shared also with the healthcare and social institutions – necessary to enable the self-management of care and prevention. As this information is extremely sensitive, it will be necessary to enable mechanisms that preserve the privacy of the citizens and the confidentiality of their data. All this will be possible thanks to infrastructures enabling the hosting and sharing of an increasing amount of clinical data following standards of reliability and security.

Finance and insurance

Insurers, over the next years, will deal with new personal data coming from sensors, increase the usage of cloud solutions and look after an emergent cyber insurance market. The cybersecurity, privacy and trust consequences of the aforementioned technology driven developments are also relevant. Core insurance processes (i.e. risk pricing, reserving (see footnote 7) and claims handling) are the focus, while asset management, finance, marketing and sales are not considered enough. Ordinary cybersecurity management is not well considered either. Insurers have traditionally priced risks based on risk factors. For example, Motor Third Party Liability (MTPL) coverage is traditionally rated according to variables such as age, territory, vehicle type and previous claims history. Health insurance rates may depend on age, gender and medical history. There is a growing consensus [PWC12] that the increasing use of mobile sensors will improve the way certain risks are priced by insurers, making insurance rates closer to the underlying risk drivers. Data coming from so-called black boxes are already being used within MTPL tariffs, which in some countries start to be based on vehicle usage and driving style. “Mobile health” is also expected to make health insurance rates more and more based on lifestyles. The shift towards more risk sensitive prices, driven by increased data availability, means that insurers will collect and analyse a larger amount of data, mainly personal. The previous examples refer specifically to individual risks, even if there is evidence that mobile data may improve commercial insurance pricing as well. The use of new data by insurers brings about challenges, among which are people's awareness, technology user friendliness, assurance of security and privacy, and discrimination of people based on technology skills and privacy preferences.

7 Reserving is the process of setting aside the amount to fulfil insurance obligations and settle all commitments to policyholders and other beneficiaries arising over the lifetime of the portfolio (source: www.iaisweb.org).


Another important topic rapidly gaining attention is insurance of cyber risks. The insurability of network and information security itself has been debated by institutions and scholars. Measurability is necessary for a risk to be insurable, since rates are built upon loss frequency and cost. However, existing actuarial models cannot rely on historical loss data, since the quantity of historical data is scarce and its homogeneity is compromised by continuous technological advances. The lack of reliable models to estimate the value of lost / stolen data also prevents the reliable evaluation of losses. Cyber risks are highly correlated because of the monoculture of used technologies, i.e., the same attack surface, which can be exploited in a similar way (e.g., by worms). Models for computation of correct premiums and coverage must consider this correlation. Moreover, outbreaks of correlated breaches impose a heavy burden on an insurer. In other insurance markets such a problem is solved with geographical distribution of insured organisations (e.g., in the case of earthquake insurance) or with re-insurance of high losses. Note that in the cyber-insurance case, technologies are similar in different geographical regions, and most worms are equally dangerous for the US as well as for China or Germany. Re-insurers for cyber risks do not exist yet at all. This leads to policies with a large number of exclusions and high prices. More accurate models, e.g., which use diversity in technology, may help to solve some of these problems.
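The correlation argument above can be made concrete with a small common-shock model. This is an added illustration, not part of the agenda: the portfolio size, outbreak probability, loss per organisation, confidence level and capital loading are constructed values, and the rule that one outbreak hits every insured on a technology stack is a simplifying assumption.

```python
from collections import defaultdict
from math import sqrt


def loss_distribution(group_sizes, p_outbreak, loss_per_org):
    """Exact distribution {aggregate_loss: probability} for one year.

    Model assumption: every insured in a group runs the same technology
    stack, an outbreak hits a stack with probability p_outbreak
    (independently of the other stacks), and an outbreak compromises
    every insured on that stack.
    """
    dist = {0: 1.0}
    for size in group_sizes:
        hit = size * loss_per_org
        nxt = defaultdict(float)
        for loss, prob in dist.items():
            nxt[loss] += prob * (1.0 - p_outbreak)   # stack not hit
            nxt[loss + hit] += prob * p_outbreak     # whole stack hit
        dist = dict(nxt)
    return dist


def mean_std(dist):
    mean = sum(loss * prob for loss, prob in dist.items())
    var = sum((loss - mean) ** 2 * prob for loss, prob in dist.items())
    return mean, sqrt(var)


def value_at_risk(dist, level):
    """Smallest loss x such that P(aggregate loss <= x) >= level."""
    cumulative = 0.0
    for loss in sorted(dist):
        cumulative += dist[loss]
        if cumulative >= level - 1e-12:
            return loss
    return max(dist)


def premium_per_org(dist, n_orgs, level=0.99, capital_cost=0.10):
    """Expected loss plus a loading for the capital held against the tail.

    The loading rule (capital_cost times the gap between the tail
    quantile and the mean) is a constructed pricing assumption.
    """
    mean, _ = mean_std(dist)
    capital = value_at_risk(dist, level) - mean
    return (mean + capital_cost * capital) / n_orgs


def compare(n_orgs=1000, p_outbreak=0.02, loss_per_org=100_000):
    """Same insureds, same expected loss, three degrees of technology diversity."""
    portfolios = {
        "monoculture": [n_orgs],             # one shared attack surface
        "10 stacks": [n_orgs // 10] * 10,    # ten equally sized technology groups
        "independent": [1] * n_orgs,         # idealised uncorrelated risks
    }
    results = {}
    for name, groups in portfolios.items():
        dist = loss_distribution(groups, p_outbreak, loss_per_org)
        mean, std = mean_std(dist)
        results[name] = {
            "mean": mean,
            "std": std,
            "var99": value_at_risk(dist, 0.99),
            "premium": premium_per_org(dist, n_orgs),
        }
    return results


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:12s} mean={r['mean']:>12,.0f} std={r['std']:>12,.0f} "
              f"VaR99={r['var99']:>12,} premium/org={r['premium']:>9,.0f}")
```

The expected loss is identical in all three portfolios; only the tail, and therefore the capital the insurer must hold and the premium it must charge, changes with the degree of technology diversity.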

7.3 Bottom-up Track for Cybersecurity Innovation

The European Union is determined to strengthen the cybersecurity industry to transform new ideas into commercially attractive products, processes and services while taking the necessary action to define a framework built on minimum requirements for security and privacy.

A specific funding mechanism is crucial for the competitiveness of the European cybersecurity industry to fuel trusted innovations. The “Bottom-up Track for Cybersecurity Innovation” aims at reducing the time from idea to market, stimulating private sector investment and taking best-in-class innovations on a fast track to outpace international competition. For cybersecurity and privacy innovations, industry can propose any R&I topic related to any sector. This track aims at complementing the pre-defined pillars as well as the set priority R&I topics. This gives maximum flexibility to push emerging and disruptive ideas of any kind forward, which is a necessity in an increasingly challenging and changing IoT world. It supports quick deployment and market take-up of innovations while reducing the vulnerability risks.

Scope: The Bottom-up Track supports projects related to any topic, sector or challenge undertaking innovation from the demonstration stage through to market uptake, including stages such as piloting, test-beds, systems validation in real world/working conditions, validation of business models, pre-normative research, and standard-setting. It targets relatively mature new technologies, concepts, processes and business models that need a last development step to reach the market and achieve wider deployment. To this end, if a proposal involves technological innovation, the consortium must declare that the technology or the technologies concerned are at least at Technology Readiness Level (TRL) 6, where appropriate.

Impact:

Fast development, commercial take-up and/or wide deployment of sustainable trustworthy innovative solutions (products, processes, services, business models etc.) in enabling and industrial technologies and/or for tackling societal challenges.

Increased industry participation, including SMEs, and more industry first-time applicants to Horizon 2020.

Proposed Budget: 50 M€

Call schedule: 1 per year


Envisaged actions (with links to KPIs)

A specific funding mechanism is crucial for the competitiveness of the European cybersecurity industry to fuel trusted innovations. The “Bottom-up Track for Cybersecurity Innovation” aims at reducing the time from idea to market, stimulating private sector investment and taking best-in-class innovations on a fast track to outpace international competition. It supports projects related to any topic, sector or challenge and aims at complementing the cPPP’s pre-defined pillars as well as the set priority R&I topics.

8 Non-Technical Aspects

8.1 Education, training, and skills development

There is a need for re-thinking education at different levels. It is not a matter of standard recycling, but a real multidisciplinary, coordinated and coherent approach is needed. The customers of the education, training and skills development can be segmented as:

General population – individuals that are not cybersecurity experts but users of ICT technologies and services.

Students of all ages under an education curriculum. Targeting the education in primary and secondary schools as well as at university level.

Experts - addressing the needs of continuous learning for professionals of different sectors that have high ICT dependency, in order to raise awareness and enhance their skills.

In order to reach those segments, many tools need to be set up:

At the general population level, ICTs have changed our lives as they have penetrated almost all domains, and the majority of people are highly dependent on well-working ICT tools to conduct their daily business.

At education level, there is a big awareness gap and a lack of integrated training modules on cybersecurity related aspects at all school levels, starting from the low awareness and skills of teachers themselves. The same is true for professional training at university level, including a lack of cybersecurity modules in higher education training programs for vital service domains etc. Furthermore, there are only a few existing cybersecurity higher education programs in Europe.

At professional level, there is a lack of accessible tools for continuous awareness, training and skills development on cybersecurity aspects. Cybersecurity skills are more and more a prerequisite for employers in a multi-faceted approach (i.e. law, insurance, testing facilities from many ICT and non ICT sectors, critical infrastructures, etc.) and, at the moment, there are more jobs than qualified candidates, while the unemployment rate stays very high in some European countries. On the other hand, professional training programs are very fragmented and led by specific international companies that develop them for specific purposes or on request (usually also very costly).

It is clear that to reach these target segments, it is necessary to set up new training models (i.e., massive open online courses, etc.) and accessible tools to facilitate the access to knowledge and raise general awareness. Also efforts need to be made to enable career re-orientation to support entering the cybersecurity field in later stages of the career.

The benefits are obvious:

Cybersecurity will produce new innovation paths and market niches such as cybersecurity insurance, cybersecurity risks and practices, security engineering, security management, and many more.

Having a coordinated view will encourage Member States and the other countries participating in the cPPP to agree upon a baseline of cybersecurity indicators.


In addition, there is a social aspect of cybersecurity as a tool for awareness of human values (particularly among the youngest people) through, for instance, user empowerment and control of personal data, and digital legal education (right to be forgotten, freedom of speech, anonymity versus trust and security, crowdsourcing versus legacy manufacturing etc.).

The common educational needs of the target segments identified above should have:

Multi-disciplinary focus

Responsiveness to changes in technology and societal environment

End-to-end skill development

Alignment of curricula and training with demand for skills

Using appropriate methodologies for teaching cybersecurity at all levels, from awareness to focused expertise

Among others, one of the goals to be developed within the frame of the cPPP would be to set up a cyber College/Academia (see footnote 8), or a network of academia and colleges, with the goal to:

Collaborate in preparing training materials and modules for professional training as well as training on lower educational levels.

Generate a consensus on a core of European higher education curricula for cybersecurity studies at university level (both traditional and virtual education) as well as propose a plan for integrating cybersecurity studies modules to professional education of vital service providers and public servants. For that purpose, synergies with DG-Education programmes and funds have to be found. At the moment, there is a fairly sparse collection of courses and competences but not a unified approach.

Coordinate a network of PhD studies on cybersecurity, deeply connected with the industry, i.e., under the format of industrial PhDs already existing in the H2020 Excellence Science Pillar.

To promote creativity and innovation in young students and young researchers by proposing challenges, prizes, cyber-campus activities, etc., in order to connect them with the needs of the citizens and of the industry.

Finally, the scope of education, training and skills development can provide an opportunity for a close collaboration with other European bodies (i.e., NATO, especially NATO CCDCOE and other decentralised European agencies).

Envisaged actions (with links to KPIs)

Establishment of a European Cybersecurity Academy and a Network of national Cybersecurity “academies” in order to provide multi-disciplinary curricula and training recognized at European level. The network(s) may reach several of the following segments:

o Graduate students, in order to develop their skills as future cybersecurity specialists. Specific modules for non-ICT students will also be deployed for basic knowledge and awareness raising. Cyber-camps and cyber-challenges will be organized to test their abilities.

o Teachers, from either primary school or graduate level, in order to expand the number of students and centres connected with the Cybersecurity Academy. Advanced contents and a knowledge base should be available to facilitate the spread of cybersecurity skills.

o Industry (including SMEs), industry associations and service providers, both ICT and non-ICT related.

8 This could be done with similar initiatives led by NATO and other organizations in order to maximize synergies.

o Cybersecurity specialists and researchers, aiming to improve and update their skills, sharing experiences, best practices exchange, etc. Testbeds and hands-on labs should be available at European level.

o Policy makers and public sector in general.

To reach the biggest number of customers, a combination of traditional (classroom) education with training activities using innovative and accessible tools will be used (i.e., cyber range platforms, distance learning platforms, VTC, …).

Close collaboration with private actors already providing this sort of education on demand should be established in order to reach a homogeneous “quality level”. (KPI 7)

Establishment of a European Cybersecurity teachers and doctoral Network connecting university to industry needs at highest level. Hands-on labs, Cyber-camps and cyber-challenges will be organized to test their proficiency and innovation capabilities. (KPI 7)

Establishment of a European primary school level education programme. (KPI 7)

Organisation of a number of cross-border exercises and trainings not only for awareness raising but also for product testing by researchers in order to improve the resilience of European products and services (e.g. European bug bounty programme). Advanced trainings like bootcamps could address specific needs at European level. The themes of the bootcamps, exercises and challenges will be selected each year and they may cover the industry needs but also advanced or upcoming threats. A number of significant countries should collaborate each year in an incremental way in order to reach wider consensus and common scenarios by 2020. Coordination and collaboration with European external bodies of the Commission (i.e., external agencies such as ENISA and others) as well as with NATO facilities are also envisioned. (KPI 7)

Organisation of annual cycles of large scale international exercises with participation of a significant number of experts from outside Europe. The exercises will aim to create a consensus at global level, to exchange best practices and knowledge and to provide policy makers with recommendations for better protection and other cybersecurity aspects. Under a fixed theme each year, a number of advanced training sessions (e.g. cyber exercises, bootcamps) will be deployed annually. Coordination and collaboration with European external bodies of the Commission (i.e., external agencies such as ENISA and others) as well as with NATO facilities are also envisioned. (KPI 7)

8.2 Fostering innovation in cybersecurity

Innovation models have evolved from insular, linear, and reactive models of innovation towards the more contemporary models that are fluid and adaptable processes that aim to raise development efficiency and speed to market through inter-organisational cooperation and strategic alliances. The Cybersecurity Innovation value chain is enacted by an open ecosystem of small and large enterprises, individual inventors, research institutes and universities. Large enterprises are experimenting with a variety of schemes to stimulate and benefit from entrepreneurial activities outside their organisations. Similarly, national and European research programmes are trying out new instruments designed to encourage participation by small companies and to grow this sector of the market. Information gathering and analysis is still in progress, but it appears that while the general philosophy of Open Innovation is shared, there is considerable variation in how it is interpreted and applied, and a consensus on best practice has yet to emerge.

8.2.1 Develop a cybersecurity ecosystem

The breadth of cybersecurity and privacy challenges within wider technology, policy, and economic perspectives is vast in scope. In aiming to build systems with as few security flaws as possible, strong demands are placed on many stakeholder types; how best to introduce the right economic incentives that fairly balance those costs across the various actors in the security value chain is critical. In tandem, many cybersecurity clusters and accelerators have been created in Europe in recent years and we have several years of practical experience with organizing international as well as national cyber strategy.

There are many ways to develop the cybersecurity ecosystem further in order to create value for many other stakeholders including researchers, experimenters, SMEs, policy makers, universities and students etc. Innovation clustering initiatives are viewed as a key abstraction for creating the appropriate ecosystem; however, these are often characterised and constrained by their regional nature, so a European-wide initiative is recommended.

Collaborating and competing

Geographically dispersed across Europe but linked to other global initiatives

Specialized in a special field, linked by common technologies and skills

Of a critical mass (this refers to fact that a cluster should include actors, which together have a certain weight in their sector in order to be able to build momentum, i.e. to be able to establish self-supporting processes.)

Either institutionalised (having a proper cluster management) or non-institutionalised.

While clusters are usually created and thought of in terms of driving competitiveness and growth, particularly with regards to innovation, their definition may also be focussed on other primary objectives, such as providing a legal framework or similar umbrella to support funding or marketing initiatives, or in some cases to provide a supporting reference model for statistical measurement. The notion of clusters is often used interchangeably with other terms such as innovation or technology “hubs”, “districts”, “milieu” etc. While some academic literature has suggested nuanced differences when comparing such terms, consensus on similarities and differences has been difficult to establish.

8.2.1.1 Key Cluster Characteristics.

Clusters of specific firms within a specialist industrial or technological domain are viewed as an increasingly important source of economic development across the advanced industrial economies, and a central focus of technology policy. By composition, there are generally accepted to be four cluster types:

1. Geographical cluster

2. Sectoral clusters (businesses operating together from within the same commercial sector)

3. Horizontal cluster (interconnections between businesses at a sharing of resources level)

4. Vertical cluster (i.e. a supply chain cluster).

Researchers have also attempted to decompose the structural topology and characteristics of clusters, noting several approaches such as:

1. “Hub and spoke” approach that is typically led by a few dominant anchor firms, usually large firms

2. “Satellite” approaches whereby organisations co-locate branch facilities of a similar nature in near proximity to one another - R&D divisions are often clustered in such a manner in a location away from corporate headquarters to achieve such benefits for example

3. State-centred clusters are another approach, led and dominated by the presence of one or a few large public or non-profit entities, such as universities, RTOs, or military/national security institutes (the latter particularly evident for PACs).

Broadly, it is agreed that the initial formation of the most successful clusters has resulted from accidental or serendipitous events, and is often driven initially by key anchor individuals with a vested interest in harnessing local networks in a given area, more so than top-down policy drivers. However, it is agreed that once a cluster reaches a certain point of scale, policy intervention can achieve significant impact and is indeed necessary for the cluster to be sustainable. Despite this, within the cybersecurity spectrum some key emerging ecosystem initiatives on a global level are strongly premised on a top-down policy approach, the emerging shift of cybersecurity emphasis in Israel from Tel Aviv and Haifa towards Be’er Sheva being a strong case in point.

8.2.1.2 Key Characteristics of High-Performing cybersecurity Ecosystems

A broad range of complementary ingredients are necessary in order for innovation environment settings to flourish:

1. Sustained proximity to cybersecurity challenges

2. Provision of sustained talent flow

3. Strong ecosystem planning and oversight

4. Multi-faceted support from academia and research institutes

5. Appropriate funding supports

8.2.1.3 Funding of cybersecurity innovation

In a cybersecurity context, more explicit funding supports for cybersecurity-based start-ups in Europe are emerging. For example, in June 2014 London-based C5 Capital became the first focused cybersecurity investment fund in Europe, providing a $125m fund for cybersecurity start-ups. So far two investments have been made, an $8m investment in monitoring provider Balabit, as well as investment in Qinetiq spinout Metrasens9. Managers of the fund believe that European ICT and cybersecurity companies are now at an increased competitive advantage in Europe as a result of recent NSA surveillance scandals in the US, as such firms are not subjected to the same levels of data collection as their US counterparts. Traditionally, European cybersecurity companies have sought expansion funding to expand into US markets by default, but other markets such as the Middle East and Asia are now also seen as attractive alternatives10. Local European vendors will also always benefit from understanding the local needs of the region, often giving them a competitive advantage over US and other non-European vendors, but there is now increased demand for Europeans to provide alternative services to protect citizens and their embodied data in their own markets.

8.2.1.4 Areas for opportunity

European funded projects should include market studies for their technologies and consider lifecycle costs to ensure market-viability of their technology.

Business cases for disruptively innovative products need to take into account the difficulty of displacing incumbent solutions arising from dependency networks, regulations (which can either promote or inhibit innovation) and other potentially inhibitory factors.

Research is needed to look at market dynamics aspects of innovation in cybersecurity.

Exploitation of cybersecurity innovation from research is challenging; often the stakeholders involved in the realisation of research are unable to commit to driving it from research into the market. Facilitation of a repository of research output could link entrepreneurs with researchers.

Further analysis of implementation of research results into successful cybersecurity products and services could improve the development of success indicators to monitor exploitation during the research lifecycle and beyond.

Research into the origins of successful cybersecurity products and services could further our knowledge of early intervention and supporting instruments.

9 http://www.c5capital.com/

10 http://www.scmagazineuk.com/vc-funding-for-european-cybersecurity-firms/article/356360/2/

Most research projects solve problems of the future and the first results are available in 3-4 years, whereas customer needs and expectations, especially in cybersecurity, are close to immediate. This problem deserves special support and treatment, maybe through the open calls managed by individual projects or a dedicated platform.

8.2.2 Define the cybersecurity value chain

“Cybersecurity” commonly refers to the safeguards and actions that can be used to protect the cyber domain, both in the civilian and military fields, from those threats that are associated with or that may harm its interdependent networks and information infrastructure. Cybersecurity strives to preserve the availability and integrity of the networks and infrastructure and the confidentiality of the information contained therein.

Cybersecurity value chain challenges are shared between all pure players. Pure players are those who either have a cybersecurity product or a cybersecurity business unit. Other ICT players, although their ICT solutions should be secure, compete in sectors other than cybersecurity, so their challenges are usually different.

European pure players in cybersecurity share:

A common strategic market segment (cybersecurity),

Same type of customers,

Same trends,

Same strategic challenges to overcome in the future

European companies which are competing globally could benefit from a Digital Single Market: it would not only reduce market barriers inside the European market but could also be a tremendous opportunity to facilitate joint offering, mergers and acquisitions, leading to a more competitive offer from Europe as well as more competitive pure players and innovation chain.

As a first step, it is recommended to create and maintain an interactive catalogue of European cybersecurity pure players as well as European clusters in cybersecurity, to facilitate easy access to European products and services by any customer but also networking between all the different actors inside the value chain, enabling competitive advantage initiatives through joint offering, mergers or acquisitions.

It is also recommended to make a periodic (at least once per year) European cybersecurity market analysis in order to monitor revenue and growth (CAGR) indicators for European industries. Market analysis also allows the identification of different types of customers and their principal concerns while buying cybersecurity products. Individuals, governments (local, regional, national), SMEs, large enterprises, CIP operators, Defence and Home affairs are usually cybersecurity customers. The concept of sophisticated demand is introduced as a catalyst for the European cybersecurity industry, sharing ideas and opportunities as market challenges. For example, finance, energy and CERTs could be considered sophisticated demand in that they probably know whether a solution is available for a current or potential need. A good connection and intervention of sophisticated demand inside the innovation chain could benefit the entire ecosystem, ranging from researchers to pure players.

Market segments today range from ICS (industrial control systems) and CIP to monitoring and intelligence.

Common challenges for European pure players in cybersecurity might be:

Market knowledge

Sharing intelligence

Local/regional/national market development

International market (DSM and beyond)

Activities at European level along the above axes could benefit the competitiveness of the entire European value chain.

The market is fragmented at national and international level, with big players moving to lead different segments and product types (ranging from basic to corporate, or even industrial).

Key factors for CISOs are interoperability with legacy infrastructure and usability of each solution.

Public procurement, instruments definition to boost local procurement, incubators, accelerators, investors and venture capital dissemination as well as the promotion of cybersecurity talent are key differences from global leaders like US and Israel.

The definition and support by this cPPP of collective actions, either direct or indirect projects, could benefit the positioning and competitiveness of the European value chain.

The value chain of pure players in cybersecurity arena includes:

Manufacturers (SW, HW and mixed)

Channel (wholesale and distributors)

Services (integrators, consulting, managed security service providers (MSSP), value added resellers (VAR) and specialized services providers).

End users or customers represent the last mile of the value chain, ranging from sophisticated demand to individuals.

Governments, clusters, forums and other IT related associations play a major role in the cybersecurity value chain.

In addition, there are also research and innovation providers, training providers, funding or venture capital events for entrepreneurship and start-ups initiatives.

The cybersecurity industry may keep a balanced representation of each type of entities along the whole value chain.

Today, manufacturers, MSSP and specialized service providers represent most of the industry representation.

[Figure: Cybersecurity Value Chain (source: INCIBE)]

A differentiator of the cybersecurity industry is that we see far deeper integration in value chains of companies than is traditionally the case. Delivering spare parts for an automobile producer does not require utterly deep integration into business procedures and operations of that producer. However, implementation of an early warning and threat detection system that scans all of the producer’s communication traffic in order to identify anomalies is a rather deep integration into the company’s inner workings.

The cybersecurity market is deeply influenced by various themes driven by technical, human, societal, organisational, economic, legal, and regulatory concerns among others; these factors combine to create a marketplace and innovation ecosystem with complex value chain relationships.

Value chain positioning in the cybersecurity domain impacts on innovation focus and capacities: much of the innovation in the domain can be characterised as incremental (e.g. integrating components of technology from suppliers, tech plug-ins for a platform or providing a service wrap around technology delivery), as opposed to radical new developments that force businesses to re-organize or lead to the emergence of wholly new markets.

A supply chain connects inputs to outputs by representing different stages of production. Supply chain analysis offers insights into the production of cybersecurity and privacy-enhancing goods and services. It allows the description of vertical relationships that exist between market players and their integration at different levels of the production process. Interrelations in the production of cybersecurity products and services are becoming more important the more functions are outsourced to partner firms.

Note that in today’s digital markets, it is not sufficient to speak about vertical relationships, as is done here for exposition reasons; networks of suppliers and buyers characterize these markets. Through increased integration, cybersecurity risks are shared between ever more partners in the supply network.

The supply chain analysis also facilitates a better understanding of the incentive structures inherent in vertical relations, because the firms’ contracts state rules on:

The allocation of value added (and revenues extracted) in the production process between the different actors in the supply chain; and

The allocation of risks and liabilities related to the production and provision of the security goods and services.

Firms may vertically integrate in order to internalize mark-ups or to offer a broader product portfolio. At this stage, there are a number of open questions. For example, it is an open question whether in cybersecurity markets, firms also vertically integrate hardware, software and services in order to obtain full control over the security of their supply chain. It is also not clear whether greater disintegration increases cyber-risks (i.e. through linkage attacks) and therefore negatively affects the resilience of ICT systems.11

While many still see the supply chain as a physical entity, digital services and product provision allows companies to deeply integrate into each other’s supply chains. One example is the outsourcing of real-time surveillance of networks to IT-companies. Others are e-forensics and e-discovery, where the contracted consultant scans vast amounts of diverse internal and sensitive documents (PDFs, e-mails, Word documents) and therefore obtains deep insights into a firm’s business dealings and secrets. As stated above, in order to deliver secure cybersecurity products and services, the supply chain needs to be secure. Some interview partners put forth that in Europe there is an over-reliance on products developed outside of Europe.

The management of secure supply chains is a critical question not only for firms active in the cybersecurity business, but also for critical infrastructure industries. In the former, however, industry stakeholders often describe cybersecurity as part of their company’s DNA: in order to develop secure products, product development and production must be based upon secure processes and inputs.12 The same must hold for the idea development stage. Some companies therefore establish an extra monitoring department that verifies whether security products have been developed securely. In the ICT business and the ICT security business, secure supply chain management includes software, hardware, business procedures and overall system architecture. Vulnerable software aside, hardware is also exploitable (e.g. by containing manipulated microchips). Further, hardware and software interact and depend on each other.

11 An example of a linkage attack is the recent Target Stores incident in the U.S. (The interested reader is referred to Vijayan, J. (2014). Target Attack shows danger of remotely accessible HVAC Systems, http://www.computerworld.com/article/2487452/cybercrime-hacking/target-attack-shows-danger-of-remotely-accessible-hvac-systems.html)

12 The same holds for services.

The management of cyber-secure supply chains is also important in critical infrastructure organisations including banking and finance, water and utilities, and the health sector. These are – as end-users of products and services – at the final stage of the chain that needs to be secure in order to allow a secure operation of critical infrastructure.

Synonymous with ICT markets in general, cybersecurity firm-level innovation challenges transcend infrastructural, market, knowledge, cost and regulatory/legal domains. Typically, cybersecurity innovators’ competencies and investments are predominantly directed in the early phases of the innovation lifecycle (ideation through to concept development), whereas significant scope and requirements occur in the latter stages (test and implementation). Accordingly, the cybersecurity stakeholders surveyed identified a broad scope for innovation supports across the entire innovation value chain and ecosystem (i.e. strategy, business intelligence, ideation, portfolio management, resource management development, and launch).

Resonant of the ‘crossing the chasm’ debate, there are strong levels of disconnect between ICT security researchers’ technology innovation and the accompanying business development/diffusion innovation skills and acumen. While the imperative of underpinning innovation development activities with sound commercial business cases is recognised, competency and proficiency in this area is severely deficient.

Highly commoditised mass-market PACs product segments, with low levels of differentiation at the commercial level, and differentiation that is difficult to validate at the technical level. This makes it harder for PACs end-users to select and evaluate products, and for PACs innovators to differentiate themselves in the marketplace.

Very high market barriers to entry in established supply-side market segments, namely those serving (1) Larger Enterprise, (2) Government, and (3) Military/Defence.

Difficulty in creating ROI arguments and compelling value propositions around cybersecurity products, especially as next generation PACs products become more complex and expensive. This is being offset to some extent by growth in demand for Managed Security Services (MSS) and similar forms of outsourced security solutions.

Extending research into the behavioural aspects of legitimate stakeholders and malicious actors within the cybersecurity environment could further our understanding of underground markets and the threat landscape.

Envisaged actions (with links to KPIs)

Encourage all stakeholders in the value chain to produce an annual market analysis. This analysis may also include new products, technologies, new growing segments or niches so that European pure players can develop new strategies aligned with the international market. (KPIs 1, 3, 4, 5, 6)

Encourage all stakeholders to facilitate intelligence sharing at European level so that SMEs and start-ups can also have access to zero-day or up-to-date vulnerability databases and fine-tune their products. A testbed could be a good instrument to facilitate high quality of any European product but also high quality European research as a first step of any new product or start-up. (KPIs 1, 5, 9)

Develop testbeds in which any European product could benefit either from interoperability tests, at least between European products (to facilitate adoption of new products by CISOs, as it is one of their main concerns), or from vulnerability tests (for example by developing a European bug bounty programme), so that European products are continuously under stress test to reduce the risk of vulnerabilities and zero-days while in production. (KPIs 1, 4, 5, 8, 9)

Encourage the whole value chain to share experiences and opportunities of cybersecurity by organizing coordinated events at European level. This is of much relevance when considering innovation and research. Research needs to be focused on customer and pure players’ needs. It is also recommended to organize cross-sectorial events to identify new niche opportunities as well as to involve clusters at European level. CS applied to other sectors could benefit ROI calculations through economies of scale. (KPIs 3, 4)

Encourage Member States and the other countries participating in the cPPP to boost national markets as well as DSM by specific public procurement actions. (KPI 1)

Develop joint international business development actions, like business missions (both ways) to facilitate DSM and beyond. Sophisticated demand could be a good partner for this type of missions. (KPI 1)

Develop and support over time cybersecurity specialized incubators and accelerators, focused on niche products but also on essential services which today come from outside Europe. These instruments should count on European and national support as well as private funding, as any of these start-ups could be a competitive advantage for any large company via acquisition. Venture capital and investment funds must be available at both national and European level. The business of this type of company really depends on the available talent, so specific actions to promote, identify and retain talent in cybersecurity must be developed. (KPIs 1, 4, 5, 6)

8.2.3 Boosting SMEs

Europe is a 95% SME market; in the cyber domain SMEs are even more dominant. Therefore, SMEs should be the backbone of the European economy by developing R&D that enhances global competitiveness and plays a relevant role in raising the level of cybersecurity solutions for market demand. Yet recent statistics show that the number of European SMEs innovating in-house or collaborating with other companies on innovation or market-oriented projects is still too small. They often lack organisational resources, capacities and knowledge.

SMEs need practical, hands-on support to overcome this challenge, particularly as new value chains develop that cut across transversal industrial sectors demanding cybersecurity products.

Essential barriers that prevent the penetration of SMEs into the European cybersecurity market have been classified in the following categories:

a. Difficulty accessing European cybersecurity market consumers

Scalability is a challenge for SMEs, which usually initiate their activities in their own country’s market and find serious obstacles to internationalisation. The European cybersecurity market is held by a small number of global brands, mainly non-European-based companies.

European SMEs are therefore usually forced to compete in a hostile environment and export efforts become too challenging, as big IT security players protect their niches from newer and outside threats and competitors, benefiting from their strong market presence and adjusting costs to enhance competitiveness. Smaller companies are confined to local markets and still dependent on public procurement in their home country.

Envisaged actions (with links to KPIs)

Common procurement calls made by public authorities and companies, to allow cybersecurity SMEs to sell their niche products at larger scale. In order to ease start-up and SME participation, specific communication actions should be envisaged.

Link cybersecurity SMEs and their innovative products to concrete needs identified by a wider platform, also in order to open new and wider markets together and to have easier access.

Strengthen the linkage between research and innovation, including the support of University and research programs for start-up creation.

Explore the possibility of a European Cybersecurity Small Business Act to facilitate procurement oriented towards SMEs.

Develop a certification program for cybersecurity SMEs (in the image of PCI-DSS), vetting SMEs for products and services, beyond ISO 27000 to protect and facilitate SME business (avoiding high certification costs and dull procedures).

b. Difficulty accessing finance for innovation

Shortage of SMEs’ own financial resources is a seemingly perennial problem, but one that has certainly been exacerbated by the recent global financial crisis and current economic slowdown. Innovation is costly, and companies face investment choices regarding scarce resources. Innovation is often in competition with other business functions for this investment.

Envisaged actions (with links to KPIs)

Further promote specific Research & Innovation mechanisms for SMEs in the cybersecurity sector with adequate financial support: e.g. the H2020 SME Instrument of the European Commission and COSME. An extension of this approach, better linking SMEs with other companies, even large ones, to reach the market and have easier access to funds, could be provided by the creation of a European programme similar to the French RAPID for civilian applications. Specific support for the use of these instruments, helping cybersecurity SMEs as well as SMEs that are cybersecurity users, could be provided with the creation of a specialised cybersecurity officer position.

Similarly to the Future Internet PPP, funding instruments for accelerators and SME associations need to be in place that create a situation where the reporting obligations towards the Commission are handled by the accelerators, associations etc., who in turn distribute the funds to the start-ups and SMEs who by themselves are unable to cope with the administrative burdens of these financial instruments or even just being present in the working formats. At least 30% of the funds should be committed to such instruments.

c. Lack of innovation and market-oriented management skills in SMEs

Market processes need to be managed from the generation of innovative ideas to the generation of profits with new products/services. Moreover, an increasingly complex innovation system combining ‘open innovation’ approaches with closed ones requires more sophisticated management skills.

Envisaged actions (with links to KPIs)

Help SMEs (as suppliers and users of cybersecurity solutions) to find skilled expert resources (registry of cybersecurity experts) – e.g. accreditation by ENISA or by another organisation. Help user SMEs to better define their cybersecurity needs.

Measures for improvement of professional conditions to mitigate the outflow of qualified experts, who leave Europe to look for better research opportunities.

Set up a European accelerator for cybersecurity start-ups to support development of excellence and reduce risks of failure in the first years of operation. An accelerator for European cybersecurity start-ups could provide mentoring, entrepreneurial support, innovation management and funding capabilities with the support of academic centers, universities, governments, private sector and European Commission, to foster technology development for the European market and to share these results among the companies in Europe.

Information flow and exchange of ideas are needed to create impactful innovations. cPPP needs to support mobility of cybersecurity experts between SMEs, larger companies, research organisations and universities. This will help in growing and diversifying the competence resource pool.

d. Weaknesses in networking and cooperation with clusters, research communities and external partners

Successful innovation is highly dependent on the identification, cultivation and maintenance of good linkages between the different components of the global value-chain, especially as ‘open innovation’ becomes more embedded in SME business strategies.

Envisaged actions (with links to KPIs)

Use sectoral SME clusters and Networks of Innovation intermediaries as a mechanism at local level and beyond (Regional / National) to develop the market, support cybersecurity SMEs and act as a multiplier of European initiatives.

Foster the dialog among local and regional cybersecurity supplier hubs as an effective way to organise transnational networking events, in conjunction with government bodies or other interested parties (insurers, academia) to the benefit of both buy- and sell-side.

Establish a representative group of cybersecurity SMEs or a representative body to serve as a communication channel to SMEs in Europe to suggest solutions for SMEs and small market players.

Develop regional / local Security Operations Centers (SOCs) to help cybersecurity SMEs and clusters (public or privately owned, depending on the business model, also with support of regional funds).

Strong budgetary support for SMEs in co-operation initiatives with research organisations. The goal is technical innovation and rapid technology transfer from research to business.

8.3 Standardisation, regulation and certification

8.3.1 Standardisation

As a common enabler for cybersecurity activities the standardisation process should evolve into a coherent, proactive, transparent, inclusive (open to all stakeholders) process.

As an example, the near future of Smart Infrastructures may need processes and resources that are more adaptive, decentralized, transparently collaborative and efficiently controlled. The more pervasively ICT is used to meet such requirements, the more interoperable and hyper-connected it must be.

Due to the dynamic nature of cybersecurity and its threats, new products and services may need to be deployed continuously; at the same time they should co-exist with legacy systems still under depreciation, so interoperability is a major challenge. An equal level playing field for security and privacy in the EU and its 28 Member States and the other countries participating in the cPPP is key for creating trust in the Cybersecurity market.

The exponential explosion and availability of new ICT solutions based on products and services, as well as the diversity of components, applications and services, created, integrated and deployed from anywhere in the world, may need an extra effort of standardisation if we want any end-user to trust, for example, cross-boundary interoperable and privacy-guaranteed communications. First, better political and regulatory support is needed for an effective cross-border approach, and secondly, industrial transparency of the hardware and software components and functionalities used may be needed. It should guarantee an appropriate balance between harmonisation through standardisation and innovation for standards. Regulations shall give guidance to standardisation by:

Establishing minimum requirements for security and privacy,

Ensuring a high degree of interoperability and openness to innovation.

Following this guidance and in order to prevent too divergent practical implementations, these standards could develop respective profiles which offer practical implementation guidelines regarding specific technologies. Besides, the European Standardisation body should receive the mandate to elaborate new security and privacy standards as early as possible, e.g. not waiting until the ICT rolling plan is validated by the Multi-Stakeholder Platform (MSP).

Cybersecurity must be considered as industry-transversal, impacting many markets. As such, it needs to take into consideration the different markets where cybersecurity is critical. Moreover, the introduction of smart and connected objects is creating new and increasingly numerous security considerations in new markets. It is important to assess whether the standardisation and certification schemes in place are effective for those new problems. The European standardisation bodies shall be commissioned to conduct a full assessment of whether and in which form standardisation and ICT related standards shall be updated.

There is a business opportunity for European industry to be the blueprint in privacy- and security-by-design for end users with crypto standardisation; its interoperability and usability are still a challenge, currently hindering widespread adoption. Pre-standards can drive a faster adoption of R&I results by industry. But at the same time policy makers shall enable a more effective policy creating an equal level playing field for security and privacy. Instead of plugging holes and fighting hazards (hacks, leaks, spying), regulation shall define minimum requirements as guidance and give trust to end users and planning certainty for industry.

Envisaged actions (with links to KPIs)

European Standardisation Body to conduct a study on whether and in which form standardisation and ICT related standards shall be updated. We should foster the adoption of existing standards when these fit the needs. (KPI 2)

All contributions and proposals shall recommend how the proposed solutions or innovations can be taken up by standardisation and propose how standardisation shall be updated. (KPI 2)

Leverage smartcard-related standards as well as other international standards in which European companies are involved (e.g. Global Platform, Trusted Computing Group (TCG), FIDO ("Fast IDentity Online") Alliance). (KPI 2)

Request to have a permanent seat at the Multi-Stakeholder Platform (MSP). (KPI 2)

Create liaison with the European Standardisation Organisation & international ones (ISO, ITU, W3C). (KPI 2)

8.3.1.1 Regulation

Standards may play an important role in the elaboration of legislation and regulations dealing with technical matters, as is the case for cybersecurity. In this area the European legislation has at least four main horizontal instruments in force or close to being adopted (NIS, GDPR, eIDAS, CIP) that need to be transposed and implemented at national level, and may require the adoption of more detailed secondary legislation at European level (i.e. implementing or delegated acts). Additionally, cybersecurity aspects are more and more frequently considered in specific sectorial legislations, which may also need to rely on standards to define technical requirements.

A well-established tradition of cooperation between the European Institutions and the ESOs (in particular via standardisation mandates) allows timely availability of the standards needed in legislation, and facilitates the contribution of the technical expertise from NSOs to the legislative process. Furthermore, Member States and the other countries participating in the cPPP may be easily involved in the standardisation process through their representation in NSOs. For all these reasons European Standards shall be taken as the default option for any technical requirement to be included in legislation or in its implementation.

This is particularly important in the case of mandatory features or technical characteristics that may be imposed as “essential requirements” for specific products or systems. The New Legislative Framework (NLF) together with the CE marking system, which guarantees compliance with the relevant European Standards, has proved to be an efficient mechanism for the definition and supervision of those requirements while promoting the internal market in many areas, including highly sensitive areas¹³. It should then be the reference for the adoption of any mandatory technical requirement and its conformity assessment in the areas of cybersecurity.

Finally, technical specifications also play an important role in public procurement processes, which on the other hand may be used as a driver for the adoption or promotion of specific facilities or technologies. Special attention should be paid to the influence of the technical specifications for cybersecurity requirements in public procurement processes, which should be based as much as possible on European Standards, while fully respecting the relevant European legislation on public procurement (in particular Directive 2014/24/EU).

8.3.2 European Cybersecurity quality/ trust label

There is a recognized need for a European Certification for cybersecurity products and services and corresponding Trust Labels (as suggested in topic 110 of the EP resolution of March 12th 2014). A European trust label for cybersecurity and secure ICT products, services, and mutual certification, respecting European values and empowering the national CERT (complement to national trust labels) shall be created to help identify trusted European products and services and be a seal of trustworthiness: it could use existing labelling procedures such as the CE Mark¹⁴, Ecodesign or Energy Label. Support of lightweight labels such as “IT security made in Germany” or “France Cybersecurity” can be raised in addition as needed.

The creation and operation of European Cybersecurity Labels plus a transparent certification mechanism shall follow a defined set of criteria – based on minimum requirements (these should be selected in order not to unnecessarily hinder product development). This would benefit label holders as a seal of guarantee of security as well as privacy in products or services, and can help corporates and consumers to identify secure providers. Labels shall be built on best practices and internationally recognised existing certifications, based on industry requirements. The benefit of this European label resides in its European-wide recognition and acceptance, thus helping to fight the fragmentation of the European market, and creating competitive advantages with the creation of stronger market positions for trustworthy companies. Besides, a label will define the basis for a European equal level playing field, and international products will have to follow the defined quality and trust level to stay competitive.

Different levels for the label can be devised, corresponding to increasing levels of security and privacy in the products and services (e.g. from G to A+++). Citizens, customers or companies buying these products shall not be obliged in any way by law or regulation to buy higher labelled products. But with a defined level of basic security and privacy, they will choose better quality over time as transparency as well as awareness help them to make better buying decisions. Where labels have been used, compliance with the label requirements must be monitored and regularly checked and made fully transparent to consumers and buying industries. The set of requirements, methodology and process for the certification of trusted solutions ought to be defined at the European level, coordinated by a European-level agency in agreement with national security agencies of Member States and the other countries participating in the cPPP (CERT), while enforcement can be delegated to national agencies in charge of cybersecurity practices. The set of requirements will be a single one for the whole of Europe (baseline) but the implementation will be under the responsibility of the national CERT. The National CERT can decide to sub-contract the Label award to some non-profit association.

13 E.g. civil explosives, lifts or measurement instruments; it will soon be applied to pyrotechnic articles, medical devices, gas appliances or personal protective equipment, among other areas.

14 European Regulation 765/2008 and Decision 768/2008 provide for CE Marking as a sign of conformity and forbid other markings/labels that overlap with the CE Marking.

Some critical infrastructures at the national level might require some specific local criteria. In this case, additional local criteria will come on top of the baseline criteria. Compliance validation shall be conducted in the same manner by any national agency, and shall be recognised European-wide. The setting up and operation of this label mechanism will imply costs, so resources must be allocated to put this mechanism in place. The requirements for the basic level of label shall be defined at European-level. Higher levels shall be in the realm of sectoral stakeholders (Automotive, Health, Energy, etc.) in accordance with their respective regulatory authorities.

Envisaged actions (with links to KPIs)

Set-up of a real-world labelling pilot, e.g. for an electronic, connected device with several security (privacy) building blocks such as hardware, software, communication. This pilot will include pre-specification of the building blocks / components – if not certified already – and user involvement in the specification, e.g. ease of use and transparency, and in the implementation phase. Accompanying research will ensure neutrality and that best practices can be identified. (KPI 2)

Multi-Stakeholder dialogues with industry and society to define minimum requirements for security and privacy to derive the label definition. (KPI 2)

Strengthen cybersecurity and privacy by design through the establishment of a European security certification / European trust label (also following European regulations / standards) for sensitive IT components. (KPI 2)

Support European / National procurement for sensitive applications and use European cybersecurity trust-labelled products, for instance in European bids and first of all in European infrastructure (space, transport, energy, communication etc.), and as a tool to support emerging tools and services. (KPI 2)

8.3.2.1 New certification processes

The current European certification process for security products is a worldwide reference and it is used in most of the countries in the world that want to have a product resistant against potential attacks. It is even referenced by the major payment brands for their security certification.

The new European certification process shall be based on this long-term experience and follow the provisions of Regulation 765/2008 and Decision 768/2008. It should be extended to follow the new cybersecurity eco-system. Certainly, the proposed approaches are related not only to critical infrastructures but also to any (hyper-)connected infrastructure, and are even applicable to SMEs and private consumers.

8.3.2.1.1 Evolution of the Mutual Recognition Agreement in the European Cybersecurity landscape

Common Criteria evaluation scheme and European SOGIS MRA shall be leveraged and extended. A sector approach – energy, automotive, health, … – should be developed further together with the active participation of private stakeholders: the deployment of a security certification scheme supported by advanced Technical Communities (aTCs) can be considered. SOGIS MRA members and private stakeholders – suppliers and evaluation labs – will work jointly in advanced Technical Communities to run per-sector security certification schemes.

An advanced Technical Community (aTC) should:

Reference Common Criteria standard as the basis for security evaluations

Reference Common Criteria Levels of Assurance (EAL) as minimum security levels, or determine and standardize specific Assurance packages suiting the specific products, objects, and applications to have a fair competition approach

SOG IS MRA and CCRA certificates should be considered, with their corresponding EAL levels

Write collaborative Protection Profiles, without a-priori restrictions on security levels or evaluation methods.

The above generic aTC governance rules should be defined by the WG on Standardisation, Certification and European Label.

In addition to the sectoral approach, new efforts are needed to define security and privacy building blocks / components to be certified. ICT devices related to various or converging sectors, e.g. mobile payment, could be certified more easily and faster if they comprise already-certified building blocks / components. Alternatively, the component certification can be used to prove a label for security and privacy (see chapter 4.3.2).

Within the cPPP, the WG on Standardisation, Certification and European Label should be mandated to define all the points above.

Have a clear definition of Evaluation Assurance Level

The EAL (existing or to be specifically defined) provides an increasing scale that balances the level of assurance obtained with the cost and feasibility of acquiring that degree of assurance.

Establishment of a European certified trademark is a key marketing / positioning issue. This could be supported by ENISA as the general umbrella, using in the operational mode the nationally licensed laboratories and qualified certification bodies, following common procedures agreed by the national cybersecurity agencies (National CERTs, which will be developed in all European countries as requested by the NIS Directive), for test, validation and certification of European cybersecurity solutions.

The European certified trademark should be compliant with existing SOGIS MRA rules & with its extension proposed in the chapter here below “new certification process”.

The platforms and the related marketing activities, developed with the support of European funds (e.g. structural, scientific infrastructure) should be used for static and dynamic code analysis, security validation, proof of concepts and demonstrations.

A testbed will make it possible to test security solutions, and this will be especially profitable to SMEs, which do not always have the resources to pay for the hardware necessary to test and validate concepts and innovative solutions. Moreover, SMEs lack demonstration platforms because these require space. It will increase collaboration within the European cybersecurity industry and the interoperability of European solutions. In addition, it can also be a shop window to showcase European solutions and could thereby increase market visibility.

The mentioned independent platforms could also provide assessment of non-European components / equipment / services / software that cannot be mastered (developed or produced) in Europe (for whatever reason) but that are used in critical European / national systems (validation of all links of the security chain). This assessment infrastructure should guarantee that the components used in our systems are secure (secure certification / quality label and respectful of European values).

Envisaged actions (with links to KPIs)

Creation of a European validation and certification infrastructure for providing assessment on cybersecurity and secure ICT products. (KPI 2)

Definition of the generic aTC governance rules, and applicable standards for the certification methodology (ISO CC). This task should be handled in the WG on Standardisation, Certification and European Label. (KPI 2)

Accreditation of any new aTC creation should be put in place with the cPPP at the WG on Standardisation, Certification and European Label (KPI 2)

8.4 Societal aspects

As pointed out in the NIS Platform WG3 SRA, the development and implementation of awareness-raising campaigns on cybersecurity for society at large, including companies (large and especially SMEs) and citizens, is of major importance, as ICT and its applications are changing so rapidly, along with their subsequent risks. While it is currently unclear who is best placed to take responsibility for these activities and would have the resources needed, national initiatives exist. For instance, in Portugal, public and private organisations have joined forces in the recently announced prevention seminars targeted to businesses and residents¹⁵. While this is often focused more on the concept of safer communities as a whole, the joint model is highly relevant to the cybersecurity domain as a whole.

Therefore, cPPP members could, with the support of ENISA, relevant actors from Member States and the other countries participating in the cPPP, and the expertise of H2020 projects, spearhead and undertake a paradigm shift towards awareness-raising campaigns on cybersecurity aimed at a wider variety of public and private stakeholders.

The cPPP could act as a catalyst in this awareness-raising activity, as it could be responsible for centrally collecting information that could be used from various sources, from projects, Member States, other countries participating in the cPPP and trans-European bodies (ENISA), and it would be well placed to assist in the planning and implementation of awareness-raising activities, if given proper resources.

The benefit of having the cPPP carry out a central role in this activity would be its close proximity to, and awareness of, the stakeholders, who would gain maximum benefit if given the right information within a reasonable time frame.

Envisaged actions (with links to KPIs)

Encourage Member States and the European Institutions to organise trans-European awareness campaigns around cybersecurity particularly dedicated to SMEs and citizens. ENISA could play a role in these communication actions. This could take the form of regular (at least quarterly) information provision of tangible examples about how cybersecurity solutions contribute to the day-to-day life of European citizens and the economic sector by using various communication channels like social media, web, video, etc. (KPI 14)

Develop, possibly with the support of ENISA and in coordination with public and private companies, material for market awareness and board room “education” better suited for European businesses (large and small), while also supporting Member States and the other countries participating in the cPPP with less developed capabilities in cybersecurity through European training and awareness programmes. This could take the form of awareness and information actions for promoting the PPP activities to a broad range of stakeholders: events with European and National Institutions, targeted newsletters, targeted use of social media, etc. At least quarterly events, provision of information via media outlets, email and/or other social media postings (without being too intrusive) to continuously raise awareness of cybersecurity starting from 2017. This should include adequate dissemination of cyberthreat and vulnerability information (as a major awareness building element) along target-group-oriented channels ranging from CERT newsgroups and trust circle exchange groups for corporates down to simple, easy-to-understand and appealing social media or mobile app distribution of information to consumers. (KPI 14)

15 http://www.theportugalnews.com/news/new-initiatives-aimed-at-tackling-cybercrime-announced-at-cascais-seminar/37356

Provide and regularly update a review of European cybersecurity companies and their services to ensure that European companies have an overview of interesting start-ups all over Europe: visibility to European companies and their products, in particular for SMEs but also for larger companies. This could be carried out in a more strategic way, with the holding of an annual cPPP conference, which can be used to highlight these issues and the solutions being offered and researched. (KPI 14)

Use urban communities’ initiatives to involve citizens in cybersecurity exercises, with a focus on linking cyber-exposure and risk levels to citizens’ actions. This element is key in increasing the understanding of citizens of their own role in increasing cybersecurity. (KPI 14)

9 Key Performance Indicators (KPIs)

The European Cybersecurity cPPP has three main strategic objectives:

The protection from cyber threats of the growth of the European Digital Single Market

The creation of a strong European-based offering and an equal level playing field to meet the needs of the emerging digital market with trustworthy and privacy aware solutions

The growth and the presence of European cybersecurity industry in the global market.

To reach these objectives, the Cybersecurity cPPP should leverage complementary work:

The coordination of R&I in the frame of H2020 characterized by a cross-sectoral, technology-neutral, interoperable, and holistic approach

The development of industrial policy activities to support the growth of the cybersecurity and ICT industry in Europe and broadly deploy innovative solutions and services for the most economically important and growing end markets as well as for security sensitive applications

To achieve maximum leverage for impact all proposed cPPP activities will:

be designed and deployed to be technology-neutral, interoperable and transparent;

combine security and privacy improvements – not only partially but with positive, measurable impact for the system solution all along the value chain;

elaborate and indicate a reasonable level of security and give a workable guideline for supportive policy activities such as certification and labelling;

provide evidence how the approach enhances trust and acceptance by citizens, consumers and businesses.

To better follow these objectives and the activities of these work streams, we introduce hereafter Key Performance Indicators (KPIs).

They are defined for all stakeholders engaged in the cPPP, from industry, SMEs, associations and research organisations to Member States, other countries participating in the cPPP and the European Commission. The KPIs are used to give guidance to any planned contribution or proposal and they can be used as evaluation criteria to select the best initiatives spurring Europe to become a leader in creating and using secure and privacy respecting solutions.

Starting from the approach of the NIS-P WG3, the SRIA has defined a number of technical and non-technical priorities in a bottom up approach considering the inputs of experts from different sectors and using existing material produced from several communities (including the NIS WG3 SRIA as planned). These priorities will be regularly reviewed by the cPPP members to better adapt to the evolution of needs.

Moving to the cPPP industry driven context, these priorities have been analysed in a top down view, in order to provide a consistent and sustainable strategy for the protection of the DSM and the increase of European digital autonomy to secure sensitive applications.

The proposed KPIs structure therefore reflects the way in which an industry driven cPPP will be implemented.

KPIs do not always suggest quantitative objectives, but look to identify the evolution of certain parameters (the “indicators”) which could show, year by year, the evolution of the market and of the cyber / ICT security ecosystem.

The KPIs are divided into 3 main categories:

Industrial Competitiveness;

Socio-Economic Security;

Implementation and operational aspects of the cPPP.

Certain KPIs are directly related to funding and activities foreseen in the cPPP and, as such, they can be more easily measured. Yet, they have a real impact on the main cPPP objectives only when H2020 funded projects are showing results. Thus, it could take a few years before planned actions start to generate significant value, and some of the objectives mentioned for the following KPIs could be reached only at the end of the initial cPPP period (i.e. 2020).

Other KPIs, in the first years of the cPPP, are closer to present market values and will only progressively be affected by the industrial policy actions envisaged in the cPPP approach. These KPIs have an indirect impact on the cPPP but are important to provide the status and evolution of the market, to better track progress in the implementation of the cPPP and the uptake of the innovations created through the R&I work stream.

The KPIs presented here consider the main topics that will allow tracking of the objectives of the cPPP.

Industrial Competitiveness

KPI 1: MARKET DEVELOPMENT

Description: Evolution of cybersecurity revenues in the European and global market, including positioning and market share of the European industry

KPI 2: FROM INNOVATION TO MARKET: STANDARDS, TESTING, CERTIFICATION AND TRUST LABELS

Description: Contribution to standards, use of testing, validation, certification infrastructures as well as European trust labelling procedures, best practices and pilots for innovative elements of the supply chain

KPI 3: USERS AND APPLICATIONS

Description: Increased use of cybersecurity solutions in the different markets / applications, implementing Europe-wide strategic projects for specific deployments of existing or near-to-market technologies that demonstrate the potential impact of cybersecurity products across sectors.

KPI 4: PRODUCTS and SERVICES SUPPLY CHAIN

Description: development of the European cybersecurity industry and of the European cybersecurity capacities.

KPI 5: SMEs

Description: support the creation and development of start-ups having products and services that effectively reach the market.

Socio-Economic Security

KPI 6: EMPLOYMENT

Description: Develop employment in cybersecurity sectors (supply and users / operators)

KPI 7: ECOSYSTEM: EDUCATION, TRAINING, EXERCISES

Description: Development of cybersecurity education and training for citizens and professionals to enhance the awareness of threats and needed skills for safe use of IT tools.

KPI 8: PRIVACY & SECURITY BY DESIGN

Description: Development and implementation of European approaches for cybersecurity, trust and privacy by design.

KPI 9: DATA AND INFORMATION EXCHANGE & RISK MANAGEMENT

Description: Facilitate process for information sharing between national administrations, CERTs and Users to increase monitoring and advising on threats; better understanding risk management and metrics.

KPI 10: IMPLEMENTATION OF LEGISLATIONS

Description: Implementation of the NIS Directive and market driving Regulations / Guidelines

Implementation and operational aspects of the cPPP

KPI 11: INVESTMENTS / LEVERAGE

Description: Investments (R&I, capability, competence and capacity building) in the cybersecurity sector defined by the ECS cPPP objectives and strategy.

KPI 12: cPPP IMPLEMENTATION MONITORING

Description: Efficiency, openness and transparency of the cybersecurity cPPP implementation process.

KPI 13: COORDINATION WITH EUROPEAN and THIRD COUNTRIES

Description: Coordination of the cPPP implementation with EU Member States, Regions, other countries participating in the cPPP and Third Countries.

KPI 14: DISSEMINATION & AWARENESS

Description: Dissemination and awareness raising, making the cybersecurity cPPP action and results visible in Europe and globally, to a broad range of public and private stakeholders.

10 Contributors

This document is based on several previous documents prepared by NIS WG3 and other organisations such as EOS; credit therefore also goes to them. Below is the list of experts who directly contributed to the cPPP SRIA WG coordinated by Fabio Martinelli.

Hendrik Abma
Luis Antunes
Eric Armengaud
Juan Arraiza
Ana Ayerbe
Pascal Bisson
Thomas Bleier
Rolf Blom
Menouer Boubekeur
Geraud Canet
Alexis Caurette
Jim Clarke
Fabio Cocurulo
Piero Corte
Alexandru Cătălin Coşoi
Christian Derler
Zeta Dooly
Jürgen Eckel
Andreas Eckel
Thomas Fitzek
Matthias Fisher
David Ginard Pariente
Detlef Houdeau
Paul Kearney
Klaus-Michael Koch
Artur Krukowski
Jacques kruse-brandao
Peter Leitner
Helmut Leopold
Johan Lindberg
Salvador Llopis
Irene Lopez de Vallejo
Jorge López Hernández-Ardieta
Volkmar Lotz
Stefan Marksteiner
Fabio Martinelli
Marina Martinez
Gisela Meister
Alessandro Menna
Stefane Mouille
Gerd Muller
Mats Nilsson
Victor Paggio
Veronique Pevtschin
Carlos Prietos
Aet Rahe
Kai Rannenberg
Luigi Rebuffi
Raul Riesco Granadino
Erkuden Rios
Stephen Rhodes
Martin Ruubel
Eva Schultz-Kamm
George Sharkov
Pauli Stigell
Thomas Stubbings
Franck Thomas
Miroslavas Tribockis
Javier Valero
Edgar Weippl
Artsiom Yautsiukhin
Arvydas Zvirblis

11 Annexes

11.1 Detailed technical topics with timeline

11.1.1 Assurance and security and privacy by design

11.1.1.1 Scope

The “quest for assurance” in cybersecurity is a long-standing issue with many facets and related aspects. It is commonly agreed that, in order to be effective, security, privacy and trust considerations should be involved from the very beginning in the design of systems and processes (i.e. security/privacy/trust by design). This entails a whole series of activities, from the inclusion of social and human aspects in the engineering process to the certification that the developed systems and processes address the planned security/privacy/trust properties.

In addition to the aim of building a secure system, we often need to prove (through evidence) that the system is secure. This is also necessary when considering systems of systems, whose security could depend on the security of subcomponents. The engineering process of the systems should thus take into account those security/privacy/trust/compliance requirements and should consider, in addition, notions of cost and risk in the development process as well as over the system lifetime.

This process of enabling assurance techniques and processes can be addressed by regulators. Indeed, the introduction of regulatory actions could ease the adoption of assurance techniques (having a benefit on the overall security level of the infrastructures, systems and products). It has been noticed that cost and risk are two relevant factors in building and operating security-sensitive systems. The cost of developing security countermeasures should be related to the assets to be protected (and often in the digital world these are less tangible). A strong component of any risk management is the capability to predict the current strength of the system. Thus security and corresponding risk metrics are crucial (as are other quantitative aspects of security).

For the sake of design and security evaluation complexity, the assurance techniques and processes as well as the technological countermeasures are often focused on critical areas of the system, which are therefore partitioned from less critical functions.

Starting from these considerations, residual risk could be managed with other approaches rather than just security countermeasures.

11.1.1.2 Research challenges

We suggest structuring the research challenges along the dimensions of security / privacy by design, security / privacy validation, and processes.

Security / Privacy by Design. By “security / privacy by design” we understand all methods, techniques and tools that aim at enforcing security and privacy properties at software and system level and providing guarantees for the validity of these properties. Since the required security and privacy properties depend on the system context and the application domain, understanding these requirements and being able to precisely define them is a prerequisite. Hence, security requirements engineering is part of this discipline. In order to come up with practical, feasible techniques, emphasis should be on close integration with existing software requirements engineering approaches (like, for instance, those based on UML, but with a stronger focus on automation and modularisation) and the inclusion of risk considerations. The identified requirements need to be formally traceable to security features and policies throughout all phases of the secure development lifecycle, considering the complete system view (which might include assumptions about the context that need to be enforced upon deployment). Research into secure engineering principles supports this approach.

Secure (programming) languages and frameworks establish some requirements by default via enforcing secure architectures and coding. While there is an existing body of research in the field, there are typically good reasons why developers prefer potentially insecure approaches: performance, interoperability, ease of use, etc. The challenge is to provide secure development and execution environments that are up to the traditional environments with respect to these qualities, and still allow the flexibility and expressiveness developers are used to (e.g., including higher order language constructs).

Security validation. Security validation comprises all activities that aim at demonstrating the security qualities of (specified, implemented or deployed) software and systems. Hence, it includes formal verification, static code analysis, dynamic code analysis, testing, security runtime monitoring, and more. Since all of these methods have particular strengths and weaknesses, emphasis should not only be on their individual advancement (which includes increase of automation, coverage analysis, modularisation, soundness, efficiency), but also on the understanding of their complementarity. For instance, promising results have been achieved by combining static and dynamic code analysis, and further combination and interaction of different techniques is seen as a valuable approach towards managing complexity and increasing the quality of results.

Metrics are key to understand the security status of a system under development or in operation. Hundreds of metrics have been proposed, but they still lack a mapping to the actual risks that relate to a particular measurement. Hence, metrics should be derived from risk models and assessments, taking technical and business context into account and adapting to system and context evolution. This contributes to the quantification of security and privacy risks, as an ingredient of balancing the cost of security measures and their potential risk reduction.

Open Source Security. A significant share of today’s security vulnerabilities stems from the fact that typical software applications are no longer monolithic but composed of hundreds, sometimes thousands, of open-source components, whereby each component’s life-cycle is disconnected from that of the application and beyond the control of the application developer. A prerequisite for effective and efficient response processes is, on the one hand, complete transparency of an application’s supply chain (with the ability to track & trace every single application dependency) and, on the other hand, accurate and comprehensive vulnerability intelligence, e.g., with regard to affected component functionality, code and versions. Based thereon, application developers must assess the impact of a given open-source vulnerability in the context of a specific application, and contrast it with alternative mitigations and related costs.

Methods for development of functionally correct and error-free security protocols and interfaces. Security protocols and interfaces appear everywhere in secure system designs, and their functional correctness and security properties are key to guaranteeing the overall security of a system. To enable efficient development and verification of security protocols and interfaces, tools and mechanisms for reliable and systematic protocol verification are needed. Academic efforts in this area include e.g. formal methods for protocol analysis based on model checking, epistemic logics and other formalisms. However, existing tools and mechanisms are limited and would need to be extended and made more efficient to be able to handle the complex real-life protocols used in current security solutions, where security features are deeply intertwined with low-level details of the system functionality. Further, there is a gap between the languages and descriptions used by typical security engineers and those used by existing tools. This gap needs to be closed to bring the benefits of the academic work into industrial use.

Combination of functional safety and security. There is great interest in developing engineering methods that can tackle functional and non-functional aspects at the same time. Security and safety are crucial, for instance in the interplay of real-time aspects (e.g. delays introduced by crypto operations). Safety-critical systems and applications increase the demands for dependability of systems and components; this extends to Functional Safety (among others ISO 26262 certification), Security and QoS. Fault detection and handling techniques for functional safety purposes can be applied to security and vice versa; the same holds for error propagation analysis, failure notification, safe state handling, etc. In other cases these techniques interfere with each other. Understanding the synergy and mutual reinforcement opportunities is key to offering cost-effective secure and safe solutions. Additionally, degraded modes due to safety or security issues should be taken into account, considering the role of cybersecurity in avoiding them and dealing with them.

Methods for developing resilient systems out of potentially insecure components. Building on research performed in the context of composing (secure) service oriented systems and system assurance and verification, models for specifying security and trust attributes of hard- and software components, that can be formally validated and verified, provide a baseline for system development methodologies which must guarantee a minimum (defined) level of resiliency for complex (cyber-physical) systems.

Cybersecurity architecture for application, network and subsystem levels. A cybersecurity and privacy architecture is the result of unified and cohesive design principles, which are used to describe and model how security services and countermeasures are adopted, provided and implemented considering the overall system infrastructure and design, as well as running applications and processes. A cybersecurity and privacy architecture should be structured as a modular composition of interconnected, possibly depending and cooperating, security and privacy components and should specify how security components are structured, arranged, interconnected and managed to maintain system quality attributes, fulfil security and privacy requirements, and limit the impact on performance and service availability. It should result in an architecture which efficiently and effectively addresses vulnerabilities and cyber threats, counteracts the effects of cyberattacks, and maintains system security throughout a system's life cycle, from its design, deployment, operation and maintenance, to its final decommissioning. A stronger level of security should be applied to critical areas partitioned within the system: depending on the context, hardware-based roots of trust (technology similar to the one used in smartcards or in eSE/HSM/TPM) should be used to ensure the expected security. Such hardware-based roots of trust can conveniently be evaluated and certified and these steps should in particular be done by European companies or entities. The work in this area should develop methods, design principles, design patterns, mechanisms and technologies to enhance current frameworks and mechanize the design process to yield repeatable designs of trusted architectures.

11.1.1.3 Expected outcome

Integrated assurance frameworks with risk and cost notions, able to merge security and safety aspects

End-2-end adaptive security engineering frameworks

Consideration of individual operating context and related risk exposure (and their evolution)

Security partitioning guidelines including the concepts of hardware-based roots of trust

Support of diverse deployment models (cloud, mobile, platform, platform services)

User-friendliness, i.e. easy to comprehend and evaluate evidence

11.1.1.4 Time line

Topic / Timeframe Short (1-3) Medium (3-5) Long (5-8)

Security / Privacy by Design Schemes for focused problem areas

Generic theories and frameworks

Security Requirements Engineering

Requirements specification and elicitation languages for security, privacy and trust

Tool support Fully integrated security requirements engineering

Secure Engineering Principles Security Guidelines, focused tool support

Comprehensive methodology and tools, Security IDE

Theoretical foundations and supporting methods and tools

Secure Languages and Frameworks

Secure Programming languages, type systems

Integrated secure development and operation frameworks

Security Validation Static and dynamic analysis Integrated analysis Integrated analysis based on formal semantic models

Metrics Security Process KPIs Security Quality KPIs

Open Source Security Software supply chain transparency, vulnerability intelligence

impact assessment and mitigation

Combination of functional safety and security

Analysis of how Functional Safety measures positively and adversely affect Security and QoS requirements

Analysis of options and trade-offs focus on optimizing overall cost and avoid over-dimensioning at component level

Secure and safe architectural framework

Methods for developing resilient systems out of potentially insecure components

Assurance and verification model for component-attributes

Generic system-development methodology for guaranteeing defined resiliency levels

Tool support

Cybersecurity and privacy architecture

Security partitioning guidelines featuring in particular hardware-based roots of trust

Hardware-based roots of trust integration within end-device connected to the cloud

11.1.2 Identity, Access and Trust Management

11.1.2.1 Identity and Access Management

11.1.2.1.1 Scope

Identity and access management (IAM) has gained in importance with every new personalized service on the Internet. While identity management and access management are often mentioned together, there are subtle differences, as e.g. the development of access control solutions shows. Several access control solutions have been proposed over the years, including variations on the “classical” mandatory, discretionary, and role-based access control models. In the last years, particular attention has been given to solutions departing from user authentication and supporting credential-based and attribute-based authorisation. Credentials represent statements certified by given entities (e.g., certification authorities), which can be used to establish properties of their holder. Credential-based and attribute-based access control solutions make the access decision of whether or not a party may access a resource or service dependent on properties that the party may have and can prove by presenting one or more certificates, and/or on properties associated with the resource/service. The basic idea behind these solutions is that not all access control decisions are identity-based. For instance, information about a user's current role (e.g., doctor) or a user's date of birth may be more important for deciding whether an access request should be granted than the user's name as given on an ID card.

Several areas within IAM have developed and can be taken as basis for further research and innovation.

Identity Governance and Administration (IGA). Solutions provide a set of processes to manage identity and access information across systems. This can include (1) creation, maintenance and deletion of user’s (partial) identities (2) governance of access requests – including approval, certification, risk scoring and segregation of duties enforcement. IGA solutions support provisioning of accounts among heterogeneous systems, access requests (either IT administered or via user self-service), and access to critical systems. Other typical IGA capabilities include role management, role and entitlements mining, and identity analytics and reporting. An IGA solution is typically tightly integrated with one or more user authentication (UA) solutions in the target deployment scenario.

User Authentication (UA). UA vendors deliver software/hardware that makes real-time decisions for users using an arbitrary end-point device to access one or multiple applications, systems or services across multiple possible use cases. Vendors also deliver client-side software or hardware allowing end-users to make real-time authentication decisions. While password methods are still most widely used, other authentication methods providing higher trust levels have also been developed and adopted by the market. Broad methods include (1) password-based approaches, (2) “out of band” techniques leveraging SMS, voice, push and email factors among others, (3) hardware and software tokens, (4) biometrics, and (5) emerging contextual authentication approaches among others. Like many other segments, mobile and IoT trends in particular are creating new UA challenges and market opportunities, as well as providing new authentication delivery options.

Identity as a Service (IDaaS). IDaaS has emerged as a cross-cutting market sub-segment within IAM that supports delivery of cloud-based services in a multi-tenant or dedicated/hosted delivery model that supports IGA brokering, as well as access and intelligence functions to target systems on both customer’s premises and in the cloud. IDaaS originally focused on web-application use cases, supporting SMEs with most of their key applications in the cloud and with a preference for buying rather than building IAM infrastructure. IDaaS providers typically create one-off connections to SaaS providers to support authentication, single sign-on (SSO) and account management, with SaaS providers typically enabling API support. They then reuse these APIs for multiple clients, relieving SaaS clients of the need to build their own client connections, and by extension offer increased IAM automation.

eIDAS implementation: While the eIDAS regulation provides an advanced framework for the trustworthy European interoperability of user authentication, there are still many implementation challenges. While some areas are already being standardized, trust levels need to be synchronized and the respective risk assessments need to be made. This includes the long-term stability of digital signatures, credentials and other crypto-based mechanisms and their applicability to the respective applications, e.g. in e-government. Existing national applications, e.g. the Estonian applications for e-Voting, e-cabinet and e-residency, could be assessed for their applicability and trustworthiness in other countries.

Industry standardisation for multi-factor authentication: Industry groups such as the FIDO Alliance [16] are developing technical specifications towards an open, scalable, and interoperable set of mechanisms to reduce the reliance on passwords to authenticate users. They are also operating industry programs to foster the successful worldwide adoption of their specifications and manage a consortium standardisation process to prepare technical specifications and, upon maturity, submit them to recognized standards development organisations.

Despite being a well-established market in its own right, the IAM marketplace is still a dynamic and growing one: notions of extended enterprises and more advanced B2B interactions based on Internet services become more commonplace, driven by e.g. cloud services, new hosting models and diversifying partners and relationships. Developments such as the Internet of Things trigger diversity of form factors and capabilities of authentication tokens. Hence, legacy IAM approaches are no longer sufficient. Core challenges exist around cross-domain authentication, authorisation in new distributed contexts and the need to avoid monopoly situations and single points of failure when users are authenticated and their authorisations are being checked. For end users to be able to build trust in the digital society, they need to be able to understand the level of security they get from each provider and to control the degree of identification they support.

11.1.2.1.2 Research challenges

The complexity of identity and access management infrastructures is often underestimated. Therefore currently only very primitive solutions scale easily, but they ignore relevant stakeholder requirements and security concerns, e.g. by transferring too much information for authentication, which can later be misused for e.g. identity fraud. Therefore the complexity of the advanced solutions needs to be overcome.

Usability of authentication: Overcoming the dangers caused by the sloppy use and management of passwords will only succeed if the alternatives are usable and reasonably embedded into applications. Strong authentication systems based on multiple factors can be implemented technically; however, the more authentication steps are needed, the harder it is for users to comply with them and to accept and not circumvent the systems. Therefore more specific research is needed for increasing the usability aspects of authentication schemes, like choosing the appropriate degree of authentication (which factors in which situation?), embedding authentication schemes into applications, and secure use of easy-to-sense but sensitive information (such as biometric or location information).

Flexibility of authentication and authorisation: To support the appropriate degree of identification during authentication and authorisation the respective identity service providers need to offer enough choices, so that users and relying parties can agree on a mutually acceptable way of authentication. This means e.g. upgrading towards privacy-respecting technologies for authentication. Scenarios with e.g. differing requirements are consumer cloud storage services on the one side and tax declarations on the other side. Protocols that allow the authentication and authorisation of users based on attributes (e.g., attribute-based credentials) need to be fully developed and combined with electronic identities to provide a flexible framework.

Partial identities: Research is needed to build technologies that allow users to separate their identities for different aspects of life. While the basic concepts have been understood and are partly standardized in e.g. ISO/IEC 24760 “A framework for Identity management” they need to be implemented at both the application and physical levels enabling users to keep their partial identities partial and unconnected. The respective innovations through anonymisation, pseudonymisation, tokenisation or use of purely ephemeral data need to be progressed including guidance on their degree of protection, so that they can be integrated with standard consumer devices such as smartphones. Furthermore, research is needed on authentication in services that do not require a persistent identity.

[16] https://fidoalliance.org/

Certificate and signature sustainability: Identity certificates and other digital signatures need to survive the test of time, i.e. their integrity needs to sustain the whole period of commercial relevance and/or legal validity. Currently there are neither European wide standard criteria nor easy-to-use technical solutions in place. The solutions that national archives are developing are only used for a very small part of all the digital documents. Solutions for mainstream everyday use still need to be developed and trialled. The approaches of member state committees advising on the sustainability of cryptographic operations (e.g. hash functions) and key lengths need to be synchronised.

Scalability of authentication: Scalability has several facets. It refers to the number of transactions that need to be supported as well as to the abilities of the respective devices. It also needs to cover the management of sensitive authentication data. To be able to support the number of transactions expected, a thorough decentralisation strategy is needed. Research needs to establish ways to offer equivalent degrees of authorisation via different and separate paths, avoiding single points of failure. The abilities of devices need to be considered especially in the context of the Internet of Things, where often very primitive devices are sensing and processing very sensitive data, e.g. biometric data on user behaviour or body functions.

Interoperability of authentication: As interoperability via intermediaries is creating major overheads and security risks more direct approaches to interoperability need to be researched and trialled, e.g. by establishing flexible interfaces on the side of identity service providers, so that the relevant information can be accessed by those who need it, be it users, who want to qualify towards relying parties or relying parties themselves.

11.1.2.1.3 Expected outcome

Best practices in authentication are supported by usable technologies embedded seamlessly into applications. Users don’t need to “help themselves” with passwords noted on post-its or similar media.

Users and relying parties are provided with the authentication choices they need to agree on a mutually acceptable way of authentication, avoiding over-identification and delivering the degree of assurance and liability appropriate for the respective service.

Citizens can enjoy the privileges of services needing strong authentication for exactly those of their attributes that need to be assured.

Certificates and signatures are sustained for at least as long as the corresponding documents and trust relations are commercially relevant and/or legally valid.

Authentication operates in a distributed fashion without single points of failure on critical paths and considering small-scale devices as used in the Internet of Things.

Authentication operates in an interoperable fashion without overheads and additional security risks.

11.1.2.2 Time line

Topic / Timeframe Short (1-3) Medium (3-5) Long (5-8)

Usability of authentication

Proposed extensions to existing standards with regards to usability and seamless embedding into applications.

New standard architectures, tools and processes available.

User-friendly client apps match the usability of physical wallets for 50% of application cases.

User-friendly client apps match the usability of physical wallets for 95% of application cases.

Flexibility of authentication and authorisation

In typical authentication and authorisation scenarios, e.g. access to Internet or cloud services, users and relying parties have more than one choice for a way of authentication.

For all authentication and authorisation scenarios there is more than one choice for a way of authentication. In typical authentication and authorisation scenarios users and relying parties can choose the attributes they would like to be used for authentication and authorisation within limits of e.g. consumer protection.

In all authentication and authorisation scenarios, where legally allowed, users and relying parties can choose the attributes they would like to be used for authentication and authorisation within limits of e.g. consumer protection.

Partial identities

Efficient protocols for unconstrained devices

Interoperable protocols for constrained devices (e.g., smart cards and IoT devices)

Efficient protocols for constrained devices (e.g., smart cards and IoT devices)

Certificate and signature sustainability:

Solutions for mainstream everyday use are tested for sustainability based on basic European wide criteria.

European wide assessment of mainstream cryptographic mechanisms for typical authentication scenarios. At least two different solutions are assessed to sustain for at least 15 years.

European wide assessment of mainstream cryptographic mechanisms for 95% of authentication scenarios. At least four different solutions are assessed to sustain for at least 15 years.

Scalability of authentication

In typical authentication and authorisation scenarios, e.g. access to Internet or cloud services, there is an option to avoid single points of failure.

At least 3 different IoT compatible authentication solutions are available.

In typical authentication and authorisation scenarios, including IoT scenarios, avoiding single points of failure does not create extra effort compared to the standard solution.

Scalable privacy-preserving authentication solutions are in the market.

In typical authentication and authorisation scenarios, including IoT scenarios, avoiding single points of failure and using privacy preserving authentication is affordable as a standard solution.

Interoperability of authentication

For typical authentication and authorisation scenarios, e.g. access to Internet or cloud services, identity service providers offer flexible interfaces so that the relevant information can be requested for certification.

In typical authentication and authorisation scenarios, including IoT scenarios, identity service providers offer flexible interfaces so that the relevant information can be requested for certification.

Interoperable privacy-preserving authentication solutions are in the market.

In typical authentication and authorisation scenarios, including IoT scenarios, interoperable and privacy preserving authentication is affordable as a standard solution.

11.1.2.3 Trust Management

11.1.2.3.1 Scope

Individuals need to be empowered to develop trust in digital services and/or apps so that they can make informed decisions. This calls for methodologies and tools that focus not only on Security and Privacy by design but also on Trustworthiness by design. It also calls for proper lifecycles to be covered, from development to management (monitoring), going through important steps such as certification, distribution and deployment. This aspect has also been highlighted in other focus areas.

When it comes to AoI 2, focusing on the Digital Interconnected Society, trust management has also been advocated in many places since it is seen as key to fully embracing the Digital Society. As such, research on models for fostering trust at the collective layer has been called for, together with trust assurance, trust accountability and trust metrics. Among others, what is expected here by AoI 2 is to enable Trusted (Cloud) Services to be developed in any layer (IaaS, PaaS, SaaS) in order to reduce the consequences of the vulnerabilities at each layer; Trust models for the digital civilisations (Trust areas for the “cyber world”); Security engineering embedding properties such as security, privacy, trust and compliance in the very early phases of system and services design to increase trustworthiness of systems.

Looking at AoI3, which concentrates on trustworthy (hyperconnected) infrastructures (and especially critical infrastructures, due to their importance for the European Cyberspace and the European Economy), research and development on trust and trustworthiness management is seen as a gap to be covered to achieve the Vision. While AoI3 shares a number of research actions with other AoIs, it also puts additional emphasis on some and even brings in new ones. Like the others, AoI3 calls for measurable indicators of trustworthiness, but here in the combination of safety and security means for infrastructure. As such, it puts additional emphasis on the research needed on security architecture for Trust and Trustworthiness measurement and management (calling not only for reactive measures but also, and most importantly, for proactive measures). Like other AoIs, AoI 3 also calls for users to be provided with access to information that allows them to confirm the trustworthiness of the infrastructure and its services (even if only partly), but it also calls for increased trust in information sharing and some more freedom of information legislation.

On a very specific aspect, cyber physical security and IoT security systems relate to physical objects that are physically manufactured in various locations around the world before being shipped and distributed within their area of usage, and in particular in Europe. Hence, manufacturing can be done outside of Europe while usage is eventually in Europe. Initial security credential provisioning (personalisation) is a critical step within the system and the chain of trust that must be ensured in a trusted manner no matter the security technologies employed.

11.1.2.3.2 Research challenges

We envisage the following research areas to be further investigated:

Computational trust models. There is the need to define sound computational trust models able to cope with the heterogeneity of modern ICT infrastructures, ranging from IoT to cloud services. The computational trust models should be robust enough to resist attacks such as defamation and collusion. New aggregation and filtering approaches should be identified. Overall, unified trust and reputation models/principles should also be investigated.

Decentralized trust frameworks (e.g. blockchain). When dealing with trust it is always relevant to be able not to rely on single authorities but also to consider decentralized trust models, in several application domains. Such models should be reliable, accurate and robust to attacks. Recently, methods such as blockchain have emerged as a practical framework of interest. Methods for assessing trust in decentralized networks, including distributed consensus making, should be investigated. The applicability of blockchain to several other trust services, both in the public and private domains, should also be analysed.

Trust and big data. Big data interplays heavily with trust. On the one hand, we need to trust the collected data (i.e. who the providers are, who manipulated the data, etc.); on the other hand, data helps to define proper trust and reputation systems, often based on evidence recorded by several parties. In particular, we need to develop and monitor techniques for trusted information sharing (including several incentive schemes).

Trusted security credential provisioning and personalisation. Initial security credential provisioning is a critical step within the chain of trust that must be ensured in a trusted manner no matter the security technologies employed. In particular, if the manufacturing of the device cannot be done within an environment that guarantees sufficient trust for security credential provisioning (e.g. subcontracting factories outside of Europe), alternative systems and schemes must be envisaged, designed and implemented. These can include in particular secure elements, which act as a hardware-based root of trust on devices: they are highly secure so as to retain their integrity no matter the devices’ logistic processes, and are manufactured and personalised within trusted environments.

11.1.2.3.3 Expected outcome

Increased trust in the cyber world

Wide adoption of blockchain technologies in several fields

Requirements for trusted security credential provisioning (e.g. trusted secure elements)

More efficient on-line Business

11.1.2.3.4 Time line

Topic / Timeframe Short (1-3) Medium (3-5) Long (5-8)

Computational and distributed models of trust

Methods to define, compute, and aggregate trust in complex domains

Unified computational trust models able to cope with several scenarios

Decentralized trust frameworks (blockchain)

Improved theoretical foundations should be investigated.

Applicability of decentralized trust models to several application domains

Trust and big data

Credibility and integrity of big data sources

Trusted security credential provisioning and personalisation

System architecture design enabling trusted credential provisioning

Integration of secure hardware-based roots of trust within systems from the application segments

11.1.3 Data security

11.1.3.1 Scope

A major characteristic of current and future systems and applications, which has been recognised by all different viewpoints as represented by the AoIs, is the ever-increasing amount of valuable data that needs to be properly managed, stored, and processed. Data can be produced by systems as a consequence, for example, of interconnected devices, machines and objects in the Internet of Things, and by individuals as a consequence, for example, of business, social and private life moving on-line, thus including data resulting from observations (e.g., profiling) and data intentionally provided (e.g., the prosumer role of individuals). As the value of data increases, opportunities based on their exploitation and the demand to access, distribute, share, and process them grow. Highly connected systems and emerging computing infrastructures (including cloud infrastructures) as well as efficient real-time processing of large amounts of data (including Big Data methods and applications) facilitate meeting these demands, leading to a new data-driven society and economy.

The collected data often are of a highly sensitive nature (e.g., medical data, consumer profiles, and location data) and need to be properly protected. With data being stored and processed in the cloud, and being exchanged and shared between many previously unknown and unpredictable parties, this protection cannot stop at a single system’s border, but needs to be applied to the data over their full lifecycle, independent of what system is processing the data, what access channels are used and what entity is controlling the data. Hence, a system-centric view on security and privacy, including, among others, secure devices and infrastructures (cf. sections below), needs to be complemented with a data-centric view, focusing on data lifecycle aspects.

Providing transparency on where data resides, who has access to them, and for which purposes they are being used, together with mechanisms that allow the data owner to control the usage of their data, have been identified by all AoIs as essential aspects of a data-centric view and a prerequisite of a secure and privacy-preserving digital life. While research has already produced a number of relevant contributions (e.g., sticky policies, privacy policies, and techniques for protecting data at rest), many challenges are still open, including enforcement and usability. These challenges are not only of a technical nature: for example, lack of awareness of the value of data (and what data are actually produced when engaging in digital life) has been mentioned as an inhibitor.

11.1.3.2 Research challenges

A variety of challenges need to be addressed to take advantage of the availability of large amounts of data in a secure and privacy compliant way. These challenges should include at least the ones from AoIs and Landscape, and cover issues related to the protection of data as well as the use of data for security.

Data protection techniques. The size and complexity of collected data in most cases leads to the use of cloud technology and to their storage at external cloud-based repositories using cloud-based services, which offer flexibility and efficiency for accessing data. While appealing with respect to the availability of a universal access to data and scalable resources on demand, and to the reduction in hardware, software, and power costs, the outsourced storage may produce the side effect of exposing sensitive information to privacy breaches. The security and privacy requirements then create the need for scalable and well-performing techniques allowing the secure storage and management of data at external cloud providers, protecting their confidentiality from the cloud providers themselves. However, protecting data means ensuring not only confidentiality but also integrity and availability. Integrity and availability of data in storage means providing users and data owners with techniques that allow them to verify that data have not been improperly modified or tampered with, and that their management at the provider side complies with possible availability constraints specified by the data owner. The variety of data formats (i.e., structured, unstructured, and semi-structured) makes the definition and enforcement of such techniques a challenging issue.

Privacy-aware Big Data analytics. We are in the era of Big Data where the analysis, processing, and sharing of massive quantities of heterogeneous data can bring many benefits in several application domains. For instance, in the health care domain the data accumulating in health records can be at the basis of predictive models that can lower the overall cost and significantly improve the quality of care, or can be used to develop personalized medicine. The application of Big Data analytics, however, can increase the risks of inferences that can put the privacy of users at risk. Anonymizing the sensitive data as a prior step can be of help, even though it diminishes the utility of the data for the later analysis. We then need to develop techniques addressing issues related to data linkage, the knowledge of external information, and the exploitation of analysis results.

Secure data processing. Distributed frameworks (e.g., MapReduce) are often used for processing large amounts of data. In these frameworks, cloud providers processing data might not be trusted or trustworthy. There is therefore the need for solutions providing guarantees on the correct and proper working of the cloud providers. This requires the design of efficient and scalable techniques able to verify the integrity of data computations (in terms of correctness, completeness, and freshness of the computation results), also when the processing of the data is real-time, and to ensure that data are distributed, accessed and elaborated only by authorized parties.

User empowerment. For users or organisations there is great convenience in relying on a cloud infrastructure for storing, accessing, or sharing their data, due to the greater availability, robustness, and flexibility, associated with significantly lower costs than those of managing the data locally. Unfortunately, such convenience of resources and services comes at the price of losing control over the data. Although cloud providers implement some data protection features, possibly demanded by legislation and regulations, such protection typically consists in the application of basic security functionality and does not provide the data owner with effective control over her data. This situation has a strong impact on the adoption and acceptability of cloud services. In fact, users and organisations placing data in the cloud need to put complete trust in the providers correctly managing the outsourced information. There is therefore the need to re-empower users with full control over their data, enabling them to wrap the data with a protection layer that offers protection against misuse by the cloud provider.

Operations on encrypted data. The confidentiality of data externally stored and managed is often ensured by an encryption layer, which prevents exposure of sensitive information even to the provider storing the data. Encryption, however, makes data access and retrieval a difficult task. The problem of supporting efficient fine-grained data retrieval has recently received the attention of the research community and led to the development of solutions based on specific encryption schemes or on the use of indexes (metadata) that support query functionality. With respect to the use of specific encryption schemes, any function can be, in theory, executed over encrypted data using (expensive) fully homomorphic encryption constructions. In practice, however, efficient encryption schemes need to be adopted. An interesting problem is then how to select the encryption schemes that maximize query performance while protecting data according to possible security requirements imposed over them (e.g., data should be encrypted in a way that the frequency of values is protected). With respect to the use of indexes, we note that indexes should be clearly related to the data behind them (to support precise and effective query execution) and, at the same time, should not leak information on such data to observers, including the storing provider. Also, there may exist the need to combine indexes with other protection techniques (e.g., access control restrictions), and such combinations should not introduce privacy breaches. The design of inference-free indexes that can be combined with other protection techniques without causing privacy violations still requires further investigation.

Provenance of data. The impact of data in our daily lives is growing. For instance, it is possible to collect medical data from individuals via smartphones or medical “self-tracking” devices. The collection, analysis, and use of these data allow people to take preventive actions or to make healthy choices. In this and other scenarios, it is important to establish a given level of trust in the data. Tracking data provenance can then be useful for: i) verifying whether data come from trusted sources and have been generated and used appropriately; and ii) evaluating the quality of the data. The definition of a formal model and mechanisms supporting the collection and persistence of information about the creation, access, and transfer of data is therefore of paramount importance.

Query privacy. In several scenarios neither the data nor the requesting user has particular privacy requirements, but what is to be preserved is the privacy of the query itself (e.g., a query that aims at retrieving information about the treatments for a given illness discloses the fact that the user submitting the query is interested in this illness). It is therefore important to design efficient and practical solutions (possibly exploiting the presence of multiple providers for increasing the protection offered) that enable users to query data while ensuring access confidentiality (i.e., protecting the data the users are looking for) with respect to the provider holding the data. Effective protection of query confidentiality requires not only protecting confidentiality of individual queries, but also protecting confidentiality of access patterns.

Data-centric policies. When data are stored and managed by external cloud providers, they can be subject to possible migrations from one provider to another to balance the system load or to perform distributed computations. This migration introduces many challenges with respect to the proper protection of data confidentiality. In fact, each provider can use different security mechanisms and may be subject to different security requirements (e.g., providers operating in different countries may be subject to different legal regulations). Therefore, when data are migrated from one provider to another, it is important to guarantee that the protection requirements characterizing the data are still satisfied. The fully distributed cloud architecture, however, introduces a lack of traceability on the data and makes the correct enforcement of such requirements complicated. For this purpose, we need to define: i) a model and language for easily expressing the requirements on the data usage and for regulating information flows among different servers/cloud domains; and ii) data-centric policies (i.e., policies attached to the data) that aim at facilitating the enforcement procedure by allowing access to the security policies anywhere in the cloud.

Economic value of personal and business data. The large amount of data collected, processed, and shared ranges from personal data (e.g., user-generated content, social data, location data, and medical data) to business data. The economic value of these large collections of data is increasing rapidly as technological innovations are introduced. In this context, both users and organisations should be able to estimate the economy-wide benefits achievable through the analysis of such large amounts of data to find the right balance between the required information and the desired insight.

Big data storage. Protection and security of data, especially of those of public interest (data relevant to CII and IIS), are crucial. The amount of data processed in both public and private sectors is growing and so is the need for their storage. New forms of data storage such as cloud storage have thus appeared. Nevertheless, the use of online services and clouds often leads to non-transparent security solutions of doubtful credibility.

11.1.3.3 Expected outcome

Secure and privacy aware data processing and storage

Advanced mechanisms that effectively protect users’ privacy and guarantee the confidentiality of their sensitive data

Users have more control over their data

11.1.3.4 Time line

Topic / Timeframe Short (1-3) Medium (3-5) Long (5-8)

Data protection (confidentiality)

Models expressing (overall and flow) data confidentiality constraints

Efficient techniques for enforcing the secure data storage and management

Continuous Monitoring and Certification of data confidentiality

Data protection (integrity and availability)

Model expressing (overall and flow) data integrity and availability constraints

Techniques enforcing integrity and availability constraints and verifying compliance

Continuous Monitoring and Certification of Data Integrity

Provenance of data

Model and mechanisms supporting the life-cycle of provenance information

Secure data processing

Efficient probabilistic techniques for assessing the integrity of query results

Access control model regulating access and distribution of data and computations

Operations on encrypted data

Design of inference-free indexes supporting efficient and fine-grained access to encrypted data

Physical design of encrypted data according to operations to be supported and possible requirements on the needed protection

Query privacy

Practical solutions exploiting multiple providers for protecting access and pattern privacy

Data-centric policies

Requirements on data usage and data flows

Static data-centric policies

Adaptable data-centric policies

User empowerment

Models expressing user control constraints

Self-protecting solutions

Privacy-aware Big Data analytics

Models expressing privacy properties and policies suitable for big data

Inference-free data analytics techniques

Economic value of personal and business data

Model and metrics for evaluating the economic gain obtained from the analysis of large collections of data

Big Data Security

Specification of usable security properties and policies suitable for big data

Verified enforcement of security properties of big data

Privacy-friendly and secure big-data management

11.1.4 Protecting the ICT Infrastructure

11.1.4.1 Cyber Threats Management

11.1.4.1.1 Scope

Before the era of the Internet, computer attacks used to spread in the form of viruses on floppy disks. However, the advent of the Internet clearly demonstrated that attacks can compromise hundreds of thousands of computers in a few hours or so. The ability to remotely compromise a computer, coupled with the value that a compromised computer may bring, quickly moved organized crime into the cyber world, completely changing the motives and dynamics of the cybersecurity scene. Although the cyber attacker of yesterday was often seeking fame and peer recognition through a massive cyberattack that would demonstrate his/her computer skills, the modern day attacker prefers to stay below the radar and move around the Internet undetected, secretly seeking financial and/or political rewards.

Organisations today face what is commonly called "advanced persistent threats" or "APT": particularly pernicious programs used by an attacker to obtain illegitimate network access and to remain unnoticed. The objective of an APT is mainly sabotage or recovery of sensitive data, and it targets organisations with a high informational and financial value, such as R&D centers, financial or defence industries.

To achieve their goals cyber attackers employ a number of offensive mechanisms including:

Malware: Malicious software is usually the most common mechanism to remotely control a computer. Being installed immediately after a computer is compromised, malware is used to communicate with the attacker, receive instructions and perform malicious and illegal tasks.

Botnets: Compromised computers, also called bots (from robots), are usually organized into networks called botnets. These networks may grow as large as tens of thousands of machines, having a significant firepower that cannot be easily mitigated.

Buffer Overflows: In order to compromise a remote computer an attacker usually triggers some bug that diverts the flow of control from its usual legitimate path to a path favourable to the attacker. Buffer overflows are the most common such bug. They enable the attacker to write arbitrary data in the stack (or heap) of a vulnerable process and even divert the flow of control to the attacker’s code. Although safe programming languages and non-executable stacks have limited the effectiveness of software exploitations, buffer overflows have not been eliminated and can still be used coupled with new programming styles such as return-oriented programming.

Exploit packs: Attackers may use readily available exploit tools on the Internet that are available for free or even for a small fee.

SPAM: Users have been and are still lured by attackers via unsolicited email messages. Such messages may contain malware, or may trick users into providing private information (such as passwords and credit card numbers).

There are several research challenges related to cyber threats management.

11.1.4.1.2 Research challenges

Advanced threat modelling, focusing on complex attack scenarios mixing physical, logical and social-engineering based attack steps, to feed the system security toolset.

Threat analysis/cyber intelligence. Threat intelligence is about collecting data, analysing it semantically, correlating it, and deducing and implementing security actions (e.g. in SIEM …). Threat intelligence is the process of generating intelligence on threats from multiple sources, thus improving the results of an investigation. Threat intelligence is often presented in the form of Indicators of Compromise (IoCs) or threat feeds. Threat intelligence requires organisations to understand themselves first and then understand the adversary. If an organisation does not understand its assets, infrastructure, personnel and business operations, it cannot understand whether it is presenting an opportunity to malicious actors. If an organisation does not identify what malicious actors might be interested in within its own activity, then it cannot properly recognize the intent of actors. Threat intelligence is analysed information about the intent, opportunity and capability of malicious actors. As a type of intelligence, it is still performed through the intelligence lifecycle: plan, collect, process, produce and disseminate information. The key difference is that it is focused on identifying threats. This information must be matched against an organisation to determine if the threat intelligence is valuable to that organisation. This is where the planning phase becomes vital. If the organisation that is receiving threat intelligence does not know how to identify what information is applicable to it, the threat intelligence will be mostly useless. At some point, someone has to make the decision on whether the intelligence is applicable. It can be the vendor tailoring it to your needs, it can be the customer and, ideally, it will be both. However, if no one is tailoring threat intelligence, it is just an inapplicable mass of data. The ability to produce or consume threat intelligence tailored to the organisation can provide actionable strategic and tactical choices that impact security.

One way to share tactical level threat intelligence, and in return help identify the bigger picture for strategic choices, is through the use of Indicators of Compromise.

Even if the environment is properly secured, it is not realistic to assume that no successful attacks will ever take place. The amalgam of interconnected, dynamic systems will not only affect the situational awareness of all entities, but will also open new avenues of attack, such as cloud-based and IoT-based targeted malware. Just as a body needs an immune system, it is essential to provide control and intrusion prevention systems to effectively monitor the state of the environment and react against all kinds of (potential) threats, from one-off to severe and continued. The challenge is to create such systems taking into consideration various factors such as the massive amount of event sources, the interaction with related subsystems (e.g. trust management systems, autonomous response systems), and the development of intelligent, adaptable, and interoperable detection and mitigation mechanisms, among others. All of this while aiming to maintain several properties such as scalability, autonomy, usability, fault tolerance, and responsiveness.

SIEM Security information and event management (SIEM) market is defined by the customer's need to analyse security event data in real time for internal and external threat management, and to collect, store, analyse and report on log data for incident response, forensics and regulatory compliance. While larger enterprises and government organisations will typically staff and maintain their own SOC, small and mid-sized players are increasingly looking to MSSPs (Managed Security Service Provider) to provide SIEM-based support. The delivery spectrum between MSS and SIEM going through SIEM as a Service (aaS) need to be further investigated as well as the driving requirements. Further research need also to be spent on additional features such SIEM can provide in cooperation with other cybersecurity tools. Research should especially target here: 1) the outputs of SIEM to feed wider correlation capabilities through other tools such log management system, 2) SIEM distribution, 3) capacity of next generation SIEM to deal with new detection capabilities (e.g. log abnormal behaviours and data flows). Overarching goal could be here to research and deliver an advance SIEM at European level embracing needs of Cybersecurity market and able to support IoT, industrial control systems (ICS), 5G, … .

Indeed, the Internet of Things and/or (Critical) Infrastructure comprises various aspects, such as wearables, smart homes and smart buildings, and suffers from fierce competition among a number of proprietary apps, OSes and/or protocols while waiting for the dominant ones to emerge.

Big Data analytics for Security. In the domain of big data analytics for security intelligence, big data capabilities are envisioned to add predictive and proactive capabilities to existing security tools and systems. With the inclusion of the correct data sources and types and the application of adequate correlation functions, the threat environment and the attack surface can be analysed in real time, and appropriate countermeasures could be applied to prevent attacks rather than respond to them. This would be a major change and breakthrough from current information security practice, where attackers seem to be one step ahead of the defenders. The underlying challenge in this respect is to create a data set that includes the correct inputs, and then to correlate these inputs in the right context using the correct analytical tools.

11.1.4.1.3 Expected outcome

New threats are rapidly handled, solutions are found and the corresponding security practices are added to the assessment routine of security system managers.

Wider range of data is available for a more comprehensive and precise security analysis

Security control and intrusion prevention systems become more efficient and adapted to new environments

11.1.4.1.4 Time line

| Topic / Timeframe | Short (1-3) | Medium (3-5) | Long (5-8) |
| --- | --- | --- | --- |
| Advance threat modelling | Proactive and effective detection | Effective and efficient detection of persistent malicious activity | Automated mitigation of malicious activity |
| Threat analysis/cyber intelligence | Automated security management based on assets awareness | Actionable and adaptive threat intelligence for to date & to come cybersecurity tools | Anti-tampering threat intelligence |
| SIEM | Improve solutions for remote security information and event management | Develop new approaches for holistic SIEM | Incentivise collaboration between SIEMs. |
| Big Data analytics for Security | Determine the areas where big data can be used for improving security, possible data providers and required data analysis | Develop privacy-preserving methods for providing sensitive data. | Implement security solutions for security data collection and analysis. |

11.1.4.2 Network Security

11.1.4.2.1 Scope

Society, business and government depend more and more on the correct operation of networks, both global (e.g., the Internet) and local: businesses shift to clouds, governments provide their services online, industrial systems become interconnected (IoT) and gain access to the Internet, and people are attracted by the endless utilities offered by social networks. On the other hand, cyber criminals and terrorists also put more and more effort into improving their capabilities and skills to compromise networks, developing more sophisticated and targeted attacks. These tendencies increase the need for advanced means of attack detection and prevention, which must also take into account the ongoing changes in networks and adjust their functionality to increased complexity, speed and heterogeneity. Advanced attack detection and prevention systems are required for local networks as well as for global ones, to detect and eliminate global threats, such as botnets.

11.1.4.2.2 Research challenges

At the network level, research on security topics is especially required for security-by-design, risk assessment, privacy and data leakage, and attack/malware/misuse detection and mitigation, at all layers. This includes both network usage and network management. On the usage side, network security research needs to take into account the move towards network virtualisation, ubiquitous though heterogeneous connectivity, and the general move towards Ethernet/IP as a unique transport over physical media for all applications and services. On the management side, network security research needs to take into account network deployment and management, connectivity, and resilience of network operations under malicious and accidental faults.

As the networking elements evolve along several dimensions (for example the number of deployed units, capabilities, and the cryptographic operations required to implement secure communication), there is a need for continuous transition on some of these dimensions. An immediate and well-understood example is the necessary transition from the IPv4 to the IPv6 protocol, which brings about new cybersecurity risks. Similarly, the SSL/TLS protocols widely used for securely accessing web sites have been demonstrated to have vulnerabilities in certain versions and require a transition across the entire infrastructure. These risks must be minimized in order to successfully implement and secure these protocols, both at the public administration level and in private entities.

Botnets and DDoS/DoS attacks protection. Botnets, used for the very common DDoS/DoS attacks, are gaining in robustness, resilience and stealth. It is therefore necessary to raise awareness of defence possibilities with regard to DDoS/DoS attacks. More generally, the detection of the activities of other types of botnets on local and global network infrastructures should be developed.

Network IDS. Intrusion Detection Systems are based on the “perimeter security” paradigm. That is, each organisation has a clearly defined perimeter: everything outside it is not trusted and everything inside it is trusted. The IDS monitors this perimeter to make sure that it detects any breaches. Unfortunately, this security model is rapidly changing. The externalisation of IT resources to outside providers and new approaches to hardware, such as BYOD (bring your own device), make the notion of the perimeter obsolete. IDSes need to adapt in order to be able to work in an environment where there is no perimeter or where the perimeter is assumed to have already been breached.

Complexity in modelling attack patterns: rules have evolved from memoryless simple string matching to stateful automata (such as regular expressions). Yet, this is sometimes insufficient to capture the attack mechanism and describe it in a generic manner that will detect all the possible ways of carrying out the attack exploiting a specific vulnerability. Also, the increase in the complexity of protocols makes modelling their normal behaviour increasingly difficult.

Speed: over the past few years network speeds have been rapidly increasing. At the same time, IDSes need to invest more computing cycles per packet, either checking against more elaborate rules or trying to detect sophisticated anomalous behaviours. These effects combined put significant stress on the computing resources needed.

Whole System Image: Although traditional IDSes monitor only network events (such as incoming network packets), their efficiency and accuracy can be significantly increased when they monitor the whole system image and correlate events happening at several different points, such as correlating network packets with system calls and buffer overflows. Collecting and correlating such data can be challenging, but it may be the only way forward.

11.1.4.2.3 Expected outcome

More dependable and secure networks

Safer transition from IPv4 to IPv6 protocol, and, in general, from obsolete protocols to new ones.

Timely detection and destruction of Botnets

Intrusion detection systems adapted to new (highly demanding) conditions, in order to efficiently provide protection to modern networks.

11.1.4.2.4 Time line

Topic / Timeframe: Short (1-3), Medium (3-5), Long (5-8)

Network virtualisation and management

Security of existing market trends and standards (SDN, NFV, 5G)

Virtual isolated networks with guaranteed independence of security properties

Privacy-friendly and secure by design virtual network overlays for all applications and services

Security risks related to or requiring transition to new protocols (e.g. IPv4 to IPv6)

Identify possible risks

Propose security solutions for these cyber risks

Find best model for implementing the most appropriate solutions world-wide.

Botnets and DDoS/DoS attacks protection

Improve existing tools for preventing seizing control over nodes (e.g., anti-viruses, scanners, etc.)

Develop new methods for botnet detection on global scale

Prepare legal foundation and business models for fighting botnets and deploy the botnet detection and prevention mechanisms across the Internet

Novel Malware/ Steganography in the Network/Novel Data Leakage

Provide anti-steganography countermeasures for real-world environments

Provide line-speed detection and prevention of information leakage in complex document formats (streaming, multi-layer embedding, etc.)

Network IDS

Develop new models for network-wide IDSes.

Improve the capabilities for detecting attacks and for processing larger amounts and a higher diversity of information.

Add the capability of automatic information sharing and search for solution.

11.1.4.3 System Security

11.1.4.3.1 Scope

All areas of interest identified and their ICT-based instruments for gaining trust depend on a secure execution environment and systems. Such secure execution environments include not only the execution platforms themselves plus the operating systems, but also the mechanisms (e.g. security supporting services, control and intrusion prevention systems) that ensure an adequate level of security in the execution of all processes. Moreover, it is also essential to approach this topic from a holistic point of view, where multiple execution environments interact with each other due to the delegation and distribution of tasks. If these execution environments cannot be secured, then major problems will arise.

For example, individuals cannot really control the data flows out of their domain, e.g. their mobile phone data, as the mobile phone device platform can be manipulated by other parties. The same holds for anybody and any institution that works towards a resilient digital civilisation: institutions in a civilisation need to provide reliable and stable behaviour, e.g. when documenting facts (such as a crime scene or the ownership of real estate), making decisions (on any kind of applications) and archiving the respective records for accountability. Any loss of integrity in these processes is an opportunity for manipulation and possibly corruption. If it is easy to manipulate an institution’s information processing, the institution’s integrity and reputation are at risk. With more and more information being processed outside of secured premises (e.g. by a police patrol using a laptop or smaller device) the need for secure execution environments and corresponding devices is rising. Last but not least many of the trustworthy (hyperconnected) infrastructures depend on secure execution environments. This holds for institutions in the public administration as well as for other critical infrastructures such as the health care sector, smart grids, and industrial control systems for water, food/agriculture, nuclear, and chemical operation. Secure execution environments are then even a critical factor for public safety.

11.1.4.3.2 Research challenges

Secure execution platforms. In order to provide a secure execution environment, the platforms themselves (e.g. cloud servers, mobile devices, processors in cars, IoT devices) must guarantee the secure execution of all operating systems and services. However, this is not a trivial task. In current paradigms, like cloud computing, the attack surface has expanded, and new risks and threats have appeared. We need to overcome challenges such as malware exploiting and bypassing virtualized environments. Therefore, novel methods for virtualisation and compartmentalisation need to be investigated including but not limited to the hardware acceleration required to implement them efficiently, thus supporting the advanced research performed in leading European providers of cores and system-on-chips. Moreover, personal devices (mobile phones, tablets, etc.) will become key players. Thus, the platforms where the mobile devices will be running should be trustworthy. For example, such devices might be based on a secure core that could help the trustworthy engineering process and can also be used for monitoring trustworthiness at runtime.

Operating systems security. Each application is only as secure as the OS it runs on. As a result, the isolation of applications and the minimisation of the attack surface become a necessity. The benefits of component-oriented design (i.e. reusability, adaptability) can be brought to operating systems by defining standards to which operating system components must adhere. This requires integrating the minimum TCB (Trusted Computing Base) mindset with this software engineering approach, such as only running a small subset of components in privileged CPU modes and running legacy OS components in virtualized or restricted environments. As we estimate that the usage of open source solutions as operating systems and applications will increase in critical security devices, the defined principles and design guidelines will have to be promoted to, contributed to, and supported within the open source software community, including, if needed, the spin-off of secure versions of open source operating systems in cases where the respective communities do not share the outlined vision.

From an implementation standpoint, it is also necessary to find a balance between low-level, close-to-the-hardware languages and safe languages that do not suffer from well-known vulnerabilities such as buffer overflows. Research has to find the blend of technologies that allows both protection against vulnerabilities and limited performance degradation while allowing the huge base of legacy programs to continue to be used: technologies that span hardware assistance, compiler assistance, and run-time assistance for a given programming language. Also, it is important to extend secure boot and remote attestation techniques to component-based OSs that can be updated at runtime. New patching strategies must cover the upcoming scenarios of highly dynamic, resource-constrained embedded devices such as sensors and control units. Finally, as a transversal concern, it is important to keep HCI (human-computer interface) security and usability in mind.

A secure execution environment requires several security-supporting services, such as data protection and secure communication protocols. Software services can be complemented by the use of security-supporting devices, such as specific cryptographic hardware (Hardware Security Modules). There are, however, several issues that need further research in this particular topic. For example, the emergence of cloud services calls for enhanced cryptographic techniques that enable encrypted processing, attribute-based cryptography and policy-based decryption techniques, since they are the only way to ensure that data remains opaque in transit, at rest, and during processing, and accessible only to those with legitimate access. It is also of paramount importance to address information leaking, side channels and covert communications, together with off-the-record properties for encrypted channels, such as forward secrecy and plausible deniability. Another issue is the implementation, in personal devices, of secure elements on top of the operating system.

The goal of these secure elements is to protect devices and allow them to protect themselves. For example, devices such as assurance tokens and wallets could verify their respective controllers by an extra communication channel, which demands a portfolio of communication and redundancy mechanisms. Also, secure elements on mobile devices could allow the holder to influence the type of identification information to be displayed.

Even if the environment is properly secured, it is not realistic to assume that no successful attacks will ever take place. The amalgam of interconnected, dynamic systems will not only affect the situational awareness of all entities, but will also open new avenues of attack, such as cloud-based and IoT-based targeted malware. Just as a body needs an immune system, it is essential to provide control and intrusion prevention systems to effectively monitor the state of the environment and react against all kinds of (potential) threats - from punctual to severe and continued. The challenge is to create such systems taking into consideration various factors such as the massive amount of event sources, the interaction with related subsystems (e.g. trust management systems, autonomous response systems), and the development of intelligent, adaptable, and interoperable detection and mitigation mechanisms, among others. All of this must be done while aiming to maintain several properties such as scalability, autonomy, usability, fault tolerance, and responsiveness.

Secure Integration. As multiple systems and paradigms will interact with each other in a distributed and dynamic environment, it is crucial to achieve a fully secure integration of all of them. On this topic, several areas need further research. Not only do we need to allow novel technologies to cooperate with each other (using strategies such as compatible protocols or intelligent gateways), but we also need to consider the migration of legacy systems, whose components and protocols are not usually up to the security and privacy risks. Other issues, such as the security and privacy implications of scaling (up & down) storage systems, need further investigation. The complexity of integration with untrusted services and devices must also be carefully considered, guaranteeing (formally proven) the E2E trust & security requirements through the chaining of services. Of special interest will be the case of the BYOD (Bring your own device) paradigm. Another important area is the interaction with mobile applications (Apps). They must guarantee privacy and integrity of the information they handle in order to protect the data of their users. Hence, their integrity and compliance need to be protected, and they will potentially require dedicated evaluation methodologies - as the number of these Apps is huge, and their life cycle pretty short - to verify that they do not harm the security level of the platforms, for example by imposing the use of a specific path to a third party, or requesting services (localisation, specific rights…) in contradiction with the security policy of the platform.

Internet of Things and (Critical) Infrastructure comprises various aspects, such as wearables, smart homes and smart buildings. Infrastructure (but not limited to critical infrastructure) is also central for this area. As major aspects, security-enhancing technology standards (e.g. for communication protocols) and the handling of legacy systems (e.g. old industry infrastructure or old building automation components which are now connected to the Internet) must be addressed. Another aspect to be addressed is the monitoring of IoT/infrastructures and the detection of attacks linked to the monitoring. In addition to this passive (monitoring/detection) approach, research is required to further improve especially network level security (e.g. secure routing, cryptography, network-level privacy).

Secure update in the field. Many information systems cannot be stopped or halted for implementing critical security updates. At the same time, these systems are also vulnerable to possible attacks. There is a need for models, methods or approaches to install the required updates while the system still provides its functions. Moreover, it should be possible to safely revert the update if an unknown error occurs during the installation. In particular, special attention must be paid to the topic of upgradeable cryptographic engines for the new devices that will be produced, to ensure the long product lifetime expectancy in industries like automotive and industrial.

11.1.4.3.3 Expected outcome

Design guidelines and products implementing secure execution platforms, including secure boot, remote attestation, and virtualized environments

Operating systems designed according to new security guidelines

Security supporting services that allow data protection and device protection

Control and Intrusion Prevention Systems that react intelligently and autonomously on input from multiple sensing points

Best practices for integration of secure components in a secure system with interoperability and management in distributed systems

Wide deployment of systems allowing secure updates in the field

Definitions, criteria, and organisations that implement security certification and labelling program plus supporting database for monitoring and notifications

Industry adoption of upgradeable cryptographic engines

11.1.4.3.4 Time line

| Topic / Timeframe | Short (1-3) | Medium (3-5) | Long (5-8) |
| --- | --- | --- | --- |
| Secure Execution Platforms | Protection mechanisms for existing virtualisation ecosystems. | Novel approaches for secure HW/SW virtualisation. | Development of trustworthy mobile platforms. |
| Operating Systems Security | Secure component-based OS approach. | HCI security. Low-level, safe languages. Secure boot, remote attestation. | Dynamic, resource-constrained patching. |
| Security-supporting Services | Effective protection of IPv6 and other communication protocols. | Feasible crypto for cloud. Effective protection against side channels and data leakage. | Secure core and self-protective devices. |
| Control and Intrusion Prevention Systems | Effective monitoring and threat prevention on specific systems. | Integration of diverse control and intrusion prevention systems, interaction with other subsystems, intelligent threat analysis. | Intelligent, holistic, autonomous defence systems against insiders and Advanced Persistent Threats. |
| Secure integration | Identification of major hurdles. Definition of integration best practices. | Integration of several ecosystems, including apps and BYOD. | Full interoperability and management of dynamicity in distributed environments. |
| Handling of Legacy Systems | Provide better monitoring for legacy systems | Provide security solutions which protect but do not break legacy environments | Replace legacy systems; make them upgradable |
| Secure update in the field (including of crypto engines) | Develop new approaches for updating IT systems in the field | Implement new prototypes of “updatable” systems. | Substitute the existing IT systems with new “updatable” ones. |

11.1.4.4 Cloud Security

11.1.4.4.1 Scope

Cloud Computing is an approach in which infrastructure and software resources are provided by an external vendor or by an internal IT department over the Internet. These resources are highly scalable and available at competitive costs, which makes cloud services highly attractive for organisations that need to reduce their IT costs as well as improve the flexibility of their IT service delivery. These benefits and the rapid acceptance of popular consumer Cloud-enabled services have led to increasing levels of interest in Cloud Computing. Normally, in such approaches, the infrastructures, applications and data in the cloud are managed by the Cloud Service Provider (CSP).

As Cloud computing is increasingly used by citizens and organisations such as banks, hospitals and universities (e.g. to store data), the security of cloud computing becomes ever more important. Cloud computing is a completely Internet-dependent technology in which client data is stored and maintained in the data centre of a cloud provider, and the limited control over the data may lead to security issues and threats such as data leakage, insecure interfaces and inside attacks. Cloud computing consists of segments which perform different operations and offer different products such as software as a service, utility computing, web services and platform as a service. As cloud computing involves many technologies (e.g. networks, databases, operating systems) it faces a broad variety of security challenges.

Building trust and confidence in Cloud Computing services is, nowadays, one of the main challenges for organisations, as well as other open issues such as the concern over maintaining data privacy, integrity and security, how to handle regulatory compliance in a cloud environment, unproven service level agreements, the difficulty of integration of existing applications and data, and so on. Voiced concerns are mainly related to the effectiveness and efficiency of traditional governance and protection mechanisms, for example the collection of events by security event and information management tools or forensics in the cloud, and maintaining the security and integrity of data retained in the cloud, potentially where retained over many years.

Even though the security issues in the current cloud computing models are getting better, the fast evolution of cloud models already poses new challenges. The second generation, also known as “Future Cloud”, will move from federated clouds to multi-cloud provisioning through brokers with lower trust levels.

The introduction of identity as a service (IaaS) is also making the cloud service chain more complex. Authentication and authorisation in the cloud involve trust certificates and identity data spread across different trust silos.

The Future Cloud delivery model will likely be based on a wide range of trust agreements, identity management options, and compliance mechanisms to ensure that other parties are adequately enforcing privacy and security. In the Future Cloud computing scenarios, security will not rely solely on a set of static system configurations defined by a human administrator, but on an ongoing adaptive process in which policy-based techniques are used to provide automated configurations to dynamically handle security events. Security management will follow the same feedback loop encountered in network and systems management, which includes monitor, analyse, plan, execute. On the other hand, the mutability of identity attributes introduces the need to execute the usage decision process continuously in time. One of the main problems in the Future Clouds is not the assurance of an individual service, but rather end-to-end (E2E) assurance, where we have to deal with services that offer their own security assurances as well as assess the security of their sub-services (including storage or computing services). Therefore, we first need to define a common framework that enables providers to advertise their security events and allows customers to monitor the actual security of a service.

The cloud paradigm also introduces a change in lifecycle aspects, characterised by the term “DevOps” – a seamless integration of development and operation of systems, leading to continuous system updates (for instance, daily software releases). In a DevOps environment, product security activities (development processes, testing, security mechanisms) and operational security activities (configuration, system monitoring, alerting) need to go hand in hand, calling for novel approaches to security management extending to the development phases, novel KPIs considering the overall security posture of a dynamically evolving system, a higher degree of automation of security-related development activities, security analysis as a continuous process, and more. There is also a big opportunity in serving the DevOps model, since – if adequately addressed – it facilitates faster reaction to incidents and changing threat landscapes as well as a continuous improvement of the security posture.

11.1.4.4.2 Research challenges

Secure middleware. The security of public clouds, especially the ones that are reluctant to reveal the internal details of their implemented security protection, must be assured. The client must know that the service acquired is protected enough for processing sensitive data. This can be achieved through secure software mechanisms or cryptographic hardware devices. Special attention should be devoted to assurance that novel vulnerabilities are patched in a timely manner and that appropriate countermeasures for new threats are installed (e.g., placement algorithms).

Secure Virtualisation. Cloud providers organise their services using virtual machines. This organisation raises the risk of contagion of malware infections across virtual instances. Virtualisation techniques make it possible to securely compartmentalise operating systems and applications of different criticality or owners, and to retain a level of control in case of an attack by accessing the host and isolating the infected virtual machine. Thus, virtualisation architectures should enable full security/performance isolation at all levels. In addition, container technologies are gaining momentum over hypervisors, especially in constrained environments, as is the case for embedded systems. There is a need to analyse the data flow in hypervisors, applying statistical machine learning to efficiently detect attacks and possible contagion.

Cloud integrity and remote attestation. Service providers in most cases do not have access to the physical security system of data centres: they must rely on the security measures taken by the infrastructure provider. An important research question related to this is how a situation can be reached in which service providers and other parties involved can assess and evaluate the security measures taken by the infrastructure provider. Trust mechanisms should be built on every architectural layer of the cloud.

Multi-tier architectures. In the development of multi-cloud scenarios, trust, risks, self-healing and legal compliance will be aspects to be considered. Secure cloud interoperability: the ability of separate clouds to exchange and use each other’s data in a secure way. Many public cloud networks are configured as closed systems which makes it difficult for organisations to benefit from shared data. A research challenge is the development of industry standards that help cloud service providers to develop secure interoperable platforms.

Security levels negotiation. In the Future Cloud, the combination of a multitude of cloud services of different nature for the provision of a composite service will call for the dynamic negotiation of the Service Level Agreements with the providers; dynamic in the sense that the selected combination may evolve depending on the customer needs or the Cloud providers’ performance. There is a need for clear specification of the required security measures and security levels in the contracts with the providers, as well as mechanisms and tools that enable the automation of the negotiation, computation and control of the overall security offered in the composite service.

Continuous monitoring of cloud security. Empowering the user to control overall service security in multi-cloud environments will require that understandable evidence is defined for each of the cloud layers, and that evidence (measures) tracking and aggregating systems are offered. The trust building systems should rely on continuous monitoring mechanisms that are able to provide transparency of the security behaviour of the cloud providers in use, while at the same time not overwhelming the user with information and permission requests.

Security in the DevOps paradigm. Advanced security management covering both development and operational lifecycle path of the system; continuous, seamless and transparent improvement of security and privacy posture, real-time adaptation of systems and services to changes in risk assessment and threat exposure.

11.1.4.4.3 Expected outcome

Concepts for secure multi-cloud environments, including security monitoring

Secure virtualisation environments ensuring isolation for different architecture paradigms (e.g., virtual machines, containers, etc.)

Trusted cloud operational environment based on dynamic root of trust and anti-tamper security hardware

Integrated security management frameworks for development and cloud operations

11.1.4.4.4 Time line

Topic / Timeframe Short (1-3) Medium (3-5) Long (5-8)

Secure Middleware

Incentives for public clouds to improve their security

Compliance (with a security standard) checking schemas for cloud

Liability of cloud providers for providing weak security

Secure Virtualisation

Methods for detection of contagion of malware infections across virtual instances (e.g., by hypervisor)

Analysis of implications of container technologies on system security in comparison to virtualisation

Models and implementations of fine-grained virtualisation

Different virtualisation options for mobile devices

More secure methods of virtualisation

Analysis of performance penalties of container technologies and the comparison against hypervisor technologies. Secure deployment options for applications using containers and/or virtualisation.

Improved usability in virtualisation for mobile devices

Machine learning techniques for detection of contagion across virtual instances by hypervisor

Virtualisation and container technologies for low-power devices

Cloud Integrity and remote attestation

TPM based assurance methods for verification of basic security level

Remote (trusted) attestation of a cloud infrastructure by any external party.

Dynamic remote attestation tests, which allow modification of tested parameters (i.e., with up-to-date security requirements, standards, etc.)

Multi-tier architectures

Methods to express and specify security level by a provider

Methods for aggregation of security levels for a multi-tier architecture

Dynamic ways to aggregate security levels for a multi-tier architecture

Continuous monitoring of cloud security

Models of standard cloud security controls and metrics

Seamless monitoring of cloud security levels across layers

Continuous monitoring of the security level in multi-cloud orchestration

Security levels negotiation

Models for the specification of security levels in multi-cloud environments

Mechanism for automatic negotiation and combination of security levels with cloud providers

Risk-driven mechanisms for automatic negotiation and combination of security levels with cloud providers

Security in the DevOps paradigm

Security metrics and KPIs for development and operations

Secure software development for continuous delivery models: security controls, testing, patching

Integrated standards, concepts and tools covering application security and security management

11.1.4.5 Trusted hardware/ end point security/ mobile security

11.1.4.5.1 Scope

Trusted hardware addresses a broad range of components, including IoT devices (which could be stationary or mobile) and secure crypto-processors (e.g., HSM or TPM). All of this trusted hardware is connected to a network such as the web or a mobile network (GSM, UMTS, LTE, 5G). There are some pre-requisites for trusting a connected device in the field, whether it is used in Critical infrastructure, Industry 4.0, Automotive (ADAS, V2V, V2X), Smart City, Smart Home, Building Automation, Healthcare, Wearables or any other connected system.

Trusted hardware can take different form factors, such as: vehicle: connected car (V-2-V, V-2-I); machine: industry 4.0; mobile device: smartphone, tablet, others; stationary device: PC, server, data bank, others; energy: energy network; train transportation; finance: finance network; governments: government 2.0.

Trust in IoT devices and nodes such as Gateways, Routers, Connectors, Actuators, Sensors and End Nodes requires trust in the components used and in how they are implemented in the device. Starting with trust in the hardware, meaning the semiconductor components such as application microcontrollers, secure elements and sensor ICs, these need to fulfil basic security requirements and minimum standards, which might differ between sectors such as Industry 4.0 or Automotive.

The root of trust and the secure boot, from end nodes to the back-end system, are based on components with secure key storage that provide security for the device ID and for encryption. Storing keys in software only has never been proven secure; keys therefore need to be stored in certified tamper-resistant storage. Key security features such as mutual authentication of IoT devices (or strong authentication in critical infrastructures), authentication against back-end systems, Secure Boot, Secure Firmware Update, and secure authorised access to the device and the data it generates are essential functionalities for gaining trust in an IoT device and are part of the implementation.

All devices which are connected could be defined as cyber physical systems (CPS). It needs to be taken into account that the definition of security for a complete system cannot be higher than the definition of security for the storage of keys for cryptographic operations on IC level (e.g. in Common Criteria EAL4+). Raising the use of certified components in IoT devices will therefore raise the general security level and should be a common objective.

Interoperability with other IoT devices within the infrastructure is a desirable objective.

IoT devices should be marked with security labels to build trust in connected IoT devices among citizens, end users and businesses.

One of the main strategic axes for mobile security is to protect access to the future European 5G network. It is a strategic cybersecurity issue, and a strong authentication protocol should be invented in Europe.

11.1.4.5.2 Research challenges

Establish whether a peer review for a device, network, or system is trustworthy even if the domain is unknown or appears to be trusted. Peer review is already in use for the eIDAS regulation in relation to eID notification; the Cooperation Network running under the Commission's responsibility should use a reference implementation for the future cybersecurity peer review for cybersecurity products and certification.

Establish the threat posture to assume toward any peer entity in the heterogeneous environment. Currently, the level of trust afforded during interactions is defined as a dichotomy of trusting or not trusting the other party or parties. Identifying more nuanced approaches and determining whether those alternatives have practical value is an open problem.

Dynamically measure the degree of trustworthiness in devices and systems as their software and operational environments change. Current approaches and implementations don’t work across domains; require significant investment in infrastructure for deployment; and suffer from a variety of other challenges.

Discover trustworthy devices, systems, and networks, to ensure optimal risk levels of the common electronic processes. Currently, there are no viable approaches to optimizing processes based on trust establishment with other participants in the process (devices, networks, applications, or users).

In order to work towards new approaches for trust, we need to determine what parameters could constitute evidence of trust. Elements of trust evidence are known by many different names and have been defined for specific domains, e.g., mobile telephony. For example, proof that a device or platform is running a good configuration, or the acquisition, path, and origin of data, are important. Most environments are dynamic, with entities (e.g., devices) joining and leaving during a process. Cross-domain processes are common (see a simple illustration of the issue in figure below).

Tamper protection technologies. Anticipating new potential attacks on hardware and software is a key topic in preparing future cybersecurity products and services. The JHAS has created a unique forum for potential attack methods on hardware, and we now envisage how to create a community for potential attacks on pure software.

Cybox crypto certification. The challenge that white-box cryptography aims to address is to implement a cryptographic algorithm in software in such a way that cryptographic assets remain secure even when subject to white-box attacks. The certification of this new technology is also a key cybersecurity issue.

Hardware protection. The increasing number of technology users and providers carries the risk of ‘backdoors’ intentionally planted into the hardware. Those may subsequently be misused e.g. for strategic, personal, or sensitive data tracking and mining.

Mobile Computing. Mobile computing comprises various domains, ranging from mobile telecommunications via cell phones to on-board computers in cars. The security of smart devices/smart phones, especially in the bring-your-own-device (BYOD) scenario, is a crucial research topic in this area. Another topic highlighted in the WG3 deliverables is protection from malware and data leakage (also in the cloud computing area). Forensics of mobile computing platforms and fraud protection are also research gaps here. BYOD is a main trend in organisations; several solutions have been described, yet this remains a very relevant research challenge that mixes several of the topics previously mentioned.

Sophisticated malware protection. The growing sophistication of malware and of attackers themselves significantly limits the options for attack source tracing, i.e. reverse engineering and forensic analysis (backtracking). These analytical procedures shall form part of the training of cybersecurity experts.

Embedded security anchor for long lifetime devices. Reworked secure element which allows field updates of SW, security functions and protocols. Specify an HSE which allows re-programming of hardware in FPGA. The field updates of SW and the re-programming of hardware can be done alongside a Trusted Execution Environment, white-box cryptography or other approaches.

5G authentication to the Mobile operator network. A European standard should be created to harmonise authentication for the future 5G network. This standardised authentication protocol should guarantee the highest level of security, as it will be a technology lock for mobile network security.

Intrusion detection/prevention systems (IDS/IPS). There are several approaches to detecting and further preventing malware intrusions on smartphones. They resemble the approaches used on the PC, but with specific features that reflect the peculiarities of mobile phones (such as the presence of sensors):

o prevention-based approaches: using cryptographic algorithms, digital signatures, hash functions, important properties such as confidentiality, authentication or integrity can be assured; in this scenario, IDSs have to be running online and in real-time;

o detection-based approaches: IDSs serve as a first line of defence by effectively identifying malicious activities. Intrusion can be detected with two main approaches, anomaly detection and signature based, i.e.

anomaly-based (anomaly detection, behaviour-based), which compares the “normal” behaviour with the “real” one;

signature-based (code-signature detection, knowledge-based, detection by appearance), based upon pattern recognition of specific features. Most current approaches rely on signature-based mechanisms. For anomaly detection, there are also some approaches, mainly focussed on specific levels of observation. These layers can be summarised as follows: user; application; virtual machine or guest OS; hypervisor; physical. Recently, multi-layer approaches have also been developed.

Application security frameworks. There are several existing frameworks for the protection of applications for mobile devices:

o Static mechanisms: These allow applications on a mobile device to be classified through code inspection at load time. Techniques such as control/data flow analysis, model checking and related activities have been adopted. Proof-carrying code techniques are also being investigated for embedding proofs of properties of the application code in the downloaded package. Multi-criteria analysis methods have also been exploited to rank and classify the risks related to applications running on the devices (mainly based on static factors).

o Application Policy Run-time Enforcement: The basic idea of these activities is to impose policies on specific applications and enforce them at run-time through application monitoring. Several policy models can be enforced. Recently, usage control policies have been enforced on such devices, using rich authorisation and obligation languages (such as variants of XACML).

o Hybrid approaches: Rich approaches in security merge static and dynamic approaches, such as security-by-contract, which merges proof-carrying code with run-time policy enforcement.

11.1.4.5.3 Expected outcome

Build trustworthy IoT frameworks

Develop secure execution devices able to work in untrusted environments

Being able to build and operate long-living, secure, evolving devices / systems

Cope with system vulnerabilities

11.1.4.5.4 Time line

Topic / Timeframe Short (1-3) Medium (3-5) Long (5-8)

Cyber physical system with long lifetime

New standard on HSE/TPM/eSE, feasibility test

Product availability & certified

Standard plug-in of secure anchor

Establish whether a peer review

Establish the rules for the peer review using the eIDAS peer review group

Extend this concept of peer review in all security related topic

5G authentication protocol

New European standard for 5G authentication protocol

Certification of the Protocol

Deployment in Europe

Smart Phones / BYOD

Embedded device protection (firewall, application-level firewall)

Operating system and application vetting and validation

Secure-by-design operating systems for secure and privacy-friendly enforcement of applications behaviour

Handling vulnerable IoT devices

Definition of vulnerable devices, related system vulnerability levels and related actions

Verification measures to link certified and deployed products; first tests of defined actions

Defined procedural and technical handling process of vulnerable IoT devices

Authentication for IoT Devices

Definition of minimum requirements with regards to security and privacy features; ideally find related common framework on components level

Successful tests on interoperability and scalability

Fully interoperable and scalable

Big Data Privacy

Definition of privacy in Big Data (e.g. in V2X) and related measurements

Definition of technical solution to handle privacy issues ideally based on a generic framework

Management and technical solution to handle privacy issues

11.1.5 Cybersecurity Services

11.1.5.1 Auditing, compliance and certification

11.1.5.1.1 Scope

Auditing techniques (penetration and intrusion testing). A security audit is a systematic evaluation of the security of a company's information system by measuring how well it conforms to a set of established criteria. A thorough audit typically assesses the security of the system's physical configuration and environment, software, information handling processes, and user practices. Security audits are often used to determine regulatory compliance, in the wake of legislation that specifies how organisations must deal with information.

Evaluation Laboratory accreditation: For the security evaluation of IT products/solutions, the Common Criteria Evaluation Methodology describes the minimum work needed for evaluation, but it also provides guidance for Certification Bodies. One of the matters that schemes may choose to specify relates to specific requirements for ensuring that an evaluation was done sufficiently, so that every scheme has a means of verifying the technical competence of its evaluators. The main goal is to provide evidence to the certification body that all ITSEFs are adequate and comparable, through the licensing process, as defined by the SOG-IS MRA. Accreditation of the Evaluation Facilities according to the requirements of ISO 17025 covers only a part of this licensing process.

Compliance Checking: The next step, after the creation of the policies, is to compare the current configuration of the system with the defined policies. Compliance checking can be applied to many different administrative domains and operating systems through a central console. An example of compliance checking is checking the password requirements drawn from the defined policies (e.g., checking whether the passwords are strong in terms of number of characters and symbols, or checking whether the passwords are periodically changed).
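The password compliance check described above, as an added example that is not part of the agenda: it compares password settings collected from several hosts with one defined policy. The policy thresholds, host names and configuration excerpts are constructed assumptions; the setting names are the standard ones from login.defs and pwquality.conf.

```python
import re

# Constructed policy (assumption): the thresholds are illustrative only.
POLICY = {
    "minlen": (">=", 12),         # pwquality.conf: minimum password length
    "minclass": (">=", 3),        # pwquality.conf: character classes required
    "PASS_MAX_DAYS": ("<=", 90),  # login.defs: force a periodic change
    "PASS_MIN_DAYS": (">=", 1),   # login.defs: block immediate re-change
}

# Matches "KEY value" (login.defs) and "key = value" (pwquality.conf).
SETTING_RE = re.compile(r"^([A-Za-z_]+)\s*(?:=|\s)\s*(\S+)$")


def parse_settings(text):
    """Extract active settings; commented-out lines count as not configured."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = SETTING_RE.match(line)
        if match:
            settings[match.group(1)] = match.group(2)
    return settings


def check_host(config_text, policy=POLICY):
    """Return (setting, observed, reason) for every deviation from the policy."""
    settings = parse_settings(config_text)
    findings = []
    for key in sorted(policy):
        op, limit = policy[key]
        observed = settings.get(key)
        if observed is None:
            # Fail closed: an unset value falls back to a default that the
            # policy never approved.
            findings.append((key, None, "not configured"))
            continue
        try:
            value = int(observed)
        except ValueError:
            findings.append((key, observed, "not a number"))
            continue
        if op == "<=" and value < 0:
            # In login.defs a negative PASS_MAX_DAYS disables expiry, so it
            # must not pass a naive "value <= 90" comparison.
            findings.append((key, observed, "limit disabled"))
        elif op == "<=" and value > limit:
            findings.append((key, observed, f"above maximum {limit}"))
        elif op == ">=" and value < limit:
            findings.append((key, observed, f"below minimum {limit}"))
    return findings


# Constructed sample input: excerpts of /etc/login.defs and
# /etc/security/pwquality.conf as a central console might collect them.
FLEET = {
    "web01": """
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
minlen = 8
# minclass = 3
""",
    "db01": """
PASS_MAX_DAYS   60
PASS_MIN_DAYS   1
minlen = 14
minclass = 4
""",
    "build01": """
PASS_MAX_DAYS   -1
PASS_MIN_DAYS   1
minlen = 16
minclass = 3
""",
}


def audit(fleet, policy=POLICY):
    """Check every host against the same policy and return findings per host."""
    return {host: check_host(text, policy) for host, text in fleet.items()}


if __name__ == "__main__":
    for host, findings in audit(FLEET).items():
        print(host, "COMPLIANT" if not findings else "NON-COMPLIANT")
        for key, observed, reason in findings:
            print(f"  {key}: observed={observed!r} ({reason})")
```
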

Security certification: It is of primary importance to have mechanisms that can certify the security and the correctness of the complex ICT services that the Future Internet offers. Security is an inherently difficult problem. We need new certification technologies, especially for complex systems, that can evolve as the system evolves in order to avoid re-certification. These certification approaches and procedures should be automated as much as possible, including simple automation of the data shared. In this area, there is a great need for mechanisms for studying, asserting and certifying the security of cloud infrastructures as well as of complex services built on top of them. The sharing of information and the trust among the involved stakeholders are also elements to be considered. All certification should be standardised in order to maximise the impact of the results.

Mutual recognition: The first certification recognition agreement was established in March 1998 for the security evaluation of IT solutions/products, and is designated as the Senior Official Group for Information Security of the European Commission. This agreement covers CC certificates up to the highest level of assurance, EAL7 (since April 1999). On a worldwide basis (27 countries), the CCRA agreement covers CC certificates from EAL1 to EAL4; renewed in 2012, the CCRA agreement now allows recognition up to EAL2 and therefore concentrates international efforts on establishing a mutual basis for general-purpose security products covering a basic-level attacker. The differences between these two agreements reside mostly in: 1) the level of verification of the technical expertise of the evaluation labs and certification bodies: in addition to the CCRA audit requirements, the SOG-IS agreement requires further verification of the resources and tools of certification bodies, and of the technical expertise of individual evaluation labs; 2) the achievable trust level that can be mutually recognised: the SOG-IS recognition allows for a higher mutual trust level amongst its members, thereby covering the protection of EU sensitive information and contributing to better EU digital autonomy.

11.1.5.1.2 Research challenges

A penetration test, or pentest for short, is an attack on a computer system with the intention of finding security weaknesses, potentially gaining access to it, its functionality and data. The process involves identifying the target systems and the goal, then reviewing the information available and undertaking available means to attain the goal. A penetration test target may be a white box (where all background and system information is provided) or a black box (where only basic or no information is provided except the company name). A penetration test can help determine whether a system is vulnerable to attack, whether the defences were sufficient, and which defences (if any) were defeated in the penetration test. Penetration tests are a component of a full security audit. Penetration testing goes beyond vulnerability scanning to use multistep and multisector attack scenarios that first find vulnerabilities and then attempt to exploit them to move deeper into the enterprise infrastructure. Since this is how advanced targeted attacks work, penetration testing provides visibility into aggregations of misconfigurations or vulnerabilities that could lead to an attack with serious business impact. As a minimum, penetration testing provides a means for prioritising the highest-risk vulnerabilities.

Vulnerability and intrusion analysis. Vulnerability analysis, also known as vulnerability assessment, is a process that defines, identifies, and classifies the security holes (vulnerabilities) in a computer, network, or communications infrastructure. In addition, vulnerability analysis can forecast the effectiveness of proposed countermeasures and evaluate their actual effectiveness after they are put into use. Vulnerability analysis consists of several steps:

a. Defining and classifying network or system resources

b. Assigning relative levels of importance to the resources

c. Identifying potential threats to each resource

d. Developing a strategy to deal with the most serious potential problems first

e. Defining and implementing ways to minimize the consequences if an attack occurs.

Multi-standards compliance: For products under security constraints, many standards and regulations may need to be complied with, originating both from the wide range of trustworthiness facets that need to be addressed (security, privacy, risk management, software quality, etc.) and from the number of countries and jurisdictions where a product may be used. This poses specific challenges regarding how to meet the requirements of different, heterogeneous standards and regulations, and how to identify and manage commonalities, variabilities, and conflicts in them. The key difficulty appears when trying to reuse products from one application domain in another: because they are constrained by different security standards, the full assurance process is applied as for a new product, which reduces the return on investment of such a reuse decision.

Quantification of Risk for cybersecurity. In most cases, good-enough security is exactly what one needs to ensure, i.e. that the security mechanisms are appropriate for the protection of the assets. This requires security mechanisms that fit the purpose and allow security managers to trade off cost against risk. New security metrics frameworks that can be easily computed should be envisaged. These security metrics could be merged with risk analysis methods to decide the appropriate security controls to be put in place. This relates to risk management aspects.

Cyber Insurance. In the long term, such concepts can lead to a viable business model for cyber insurance. Insurance models and prices need to be established and trialled within the market. This requires, on the one hand, measuring the security level of a system, assessing the current security level and considering how it evolves over time, and, on the other, the capability to prove responsibility for cyber incidents (which connects this area with forensics, etc.). Formalisation of liability for systems produced and services deployed is also a relevant area where investments should be made. The way cyber insurance can benefit from certified products and services also remains to be defined for the EU.

Certification Schemes based on Common Criteria standard. We can split the system into two parts: Products (hardware and/or software) & Services. Product certification should be based on schemes like Common Criteria ISO 15408, where evaluations are performed by independent laboratories and then certified by certification bodies. To ensure an equivalent level of confidence between laboratories, laboratory audits must be performed on both quality and technical aspects. These audits should comply with international standards whenever possible (current technical licensing audits, as put in place by the SOG-IS MRA, do not rely solely on a standard but on the expertise of Certification Bodies). In the same way, audits according to international standards should be carried out for certification bodies. These principles are in place for mutual recognition agreements such as CCRA or SOGIS-MRA in the case of Common Criteria. For services, some well-identified sectors such as Incident Response, Incident Detection in cybersecurity, Certificate Delivery or Electronic Signature can be certified using, once again, audits based on international standards such as ISO 27000, but this will necessitate the control of additional service-specific requirements, as already put in place in some MS schemes.

Product & Systems ICT certification, Certification composition. An ICT system is composed of several items, which can be products, sub-products and integration services. These items can be provided by different companies, and the final customer should be able to trust the complete chain. Taking into account the different development timing and business models (hardware product design timing is between 12 and 24 months, while integration services use agile development methodology), it is important to separate product certification from integration services certification. To do so, certification composition between different products is a key element. The ISO 27000 ICT certification process should be used to certify the complete solution, and it should reference all the product certifications that make up the complete solution. Different sectors need security certification. The SOGIS MRA covers mutual recognition for some products/solutions used in multiple systems, including critical infrastructures, and is a key asset for the cybersecurity industry. But cybersecurity also affects most connected devices, and these devices are manufactured by commercial device companies where the time to market is extremely short: they will therefore necessitate an update of the current certification practices, to better reflect the use of the “security by design” principle. An important consideration is that security certification demands a systems perspective, in which the software is viewed as one component of many, working in concert with other components (be they physical devices, human operators, or other computer systems) to achieve the desired effect. Hence, a long-term solution can only be found by taking a product-centred, composable/modular system view of the certification problem. This would imply that certification approaches should be extended to use certification data in terms of the component/system interface only. A common approach that follows this principle is contract-based assurance and certification.

Verification & Maintenance measures to link certified and deployed products. Product certification is a picture, at a given moment, of the security level of a given product. Making sure that the product still has the right level of security as the level of potential attacks increases is a key issue. Today few processes exist to cover this potential risk; only ANSSI & BSI CERT have put in place a surveillance/reassessment process that can guarantee that the product is still at the right level of product security.

11.1.5.1.3 Expected outcome

The generic aTC governance rules and the applicable standard for certification methodology (ISO CC) should be defined within the WG on Standardisation, Certification and European Label.

The definition of the creation of any aTC should be put in place with the cPPP at the WG on Standardisation, Certification and European Label

Composite certification

Certification maintenance

Define new attack methods for pure software products

Extend the SOGIS MRA with a sector-oriented approach

11.1.5.1.4 Time line

Topic / Timeframe Short (1-3) Medium (3-5) Long (5-8)

Quantification of Risk

Risk metrics

Risk assessment frameworks based on publicly available data

Cyber Insurance

Operational insurance schemes

Multi-standards compliance

Identification of commonalities and variabilities between security standards. Tools for multi-standard compliance.

Automation of compliance management activities against multiple standards.

Reuse methods and tools of secure products assured against multiple-standards

Certification Schemes based on Common Criteria standard

aTC common rules

Define the Common aTC rules hosted into the cPPP, ISO standardisation activities

Create aTC per strategic market sector in line with the NIS directive and new threats coming from the commercial market

Prepare cross mutual recognition between aTC

Penetration test: Define attack methods for hardware and software

Leverage on the JHAS expertise

Leverage security engineering to create a European context for ethical hacking

Add Software attack method & potential into the JHAS

Product & Systems ICT certification, Certification composition

Identification of component properties related to compositional security (e.g. resilience in case of attacks).

Guaranteeing security properties of contemporary systems that are built up from smaller components, when each component is secure in isolation

Scalable analysis of large, complex systems by constructing their security proofs from separately constructed proofs of properties of the simpler components from which they are built.

Vulnerability and intrusion analysis

Methodology for intrusion analysis

Create a European standard

Verification & Maintenance measures to link certified and deployed products

Methodology for product surveillance over the time

Maintenance metrics

11.1.5.2 Risk Management

11.1.5.2.1 Scope

There is a common understanding across the AoIs that the new developments in ICT technology and its applications are increasing the complexity of systems and pose a challenge for managing this complexity and the related cyber risks.

On the other hand, the state of play today, as contributed by NIS WG1 “Risk Management” to NIS WG3, indicates that although several approaches and frameworks to risk management exist, the lack of awareness of decision makers, the lack of interoperability and standardised metrics, the cost-benefit ratio (especially for SMEs), the lack of statistical information for predictive approaches, the existing frameworks’ outdated status and their static assessment model, as well as the perception that they are weak and that their coverage is not sufficient for the complex business and cybersecurity risks of today, are becoming a real and important disincentive and barrier to adoption by both larger and smaller organisations.

The complexity has increased during recent years as threats also evolve over time. Their very nature, as well as their motivations, techniques and tactics, are becoming polymorphic and more sophisticated day after day, making them unpredictable for any risk analyst. Vulnerabilities in technology are found at a rate that renders current cybersecurity solutions and strategies rapidly obsolete. In addition, there are threats, such as APT, state-sponsored attacks or governmental surveillance programmes, for which no effective solution exists, leaving our organisations and society dramatically exposed.

This ever changing and unpredictable nature of the threats and the technology on which the organisation depends makes expert judgment for risk assessment incomplete and inaccurate. As a consequence, this assessment should be continuously reviewed and verified against the updated state of the system under observation.

The system under observation has to be expanded, especially in the supply chain model, where organisations need to incorporate the risk level of their suppliers into their global picture. The security paradigm has changed: although traditional security approaches are based on the existence of a perimeter that needs to be protected, this paradigm no longer holds. We need to operate in a world where a perimeter is not there or has already been breached.

Another important factor is the ability to decide and execute effective courses of action in a timely fashion in order to mitigate and remediate the impact of attacks as they occur in real time.

Historically, technical security controls (anti-malware, firewalls, IDS/IPS, etc.) have focused on prevention of compromise. However, it is now widely recognised that no matter how good your preventive controls are, they can only reduce the number of and severity of security breaches and not eliminate them. The emphasis has now shifted to augmenting preventive controls with detection and remediation measures. Clearly, the time taken for detection, diagnosis, remediation planning, and action is critical in limiting the impact of an attack. In the future, we can expect the sophistication and speed of execution of attacks to increase, and the difficulty of formulating a timely response to become correspondingly more challenging. A capability for autonomous response will become essential, because there will simply not be enough time to have a man in the loop. However, an inappropriate response may be more damaging than the original attack, so that the controls need not only to be speedy, but also trustworthy. This implies that they must understand the limits of their authority and the consequences of their actions. To be trusted as well as trustworthy, they must be able to explain and justify their actions in retrospect. Of course, the attackers will attempt to evade the defences, so that the defensive technology must be able to adapt dynamically to the attackers’ tactics. Despite the automation, people must remain in ultimate control, being able to set and modify policies that govern the actions of the autonomous agents. Establishing effective means of man-machine co-operation will be a research challenge in itself.

Current frameworks and methodologies, in the way they were conceived, cannot provide a solution for all these problems. We need novel / modern, simpler, disruptive, dynamic, multi-stakeholder, interoperable (based on formal sustainable models), standardized, predictive, reactive and holistic approaches capable of estimating and reducing the risk in real-time, feeding from real-time operational information and threat intelligence sources, and automating the risk assessment and management activities (especially detection and remediation ones) for a new perimeter paradigm as never before.

At the same time, the cyber risk surface has increased at all levels, especially in Critical Infrastructure Protection, where the solution is too complex and significant to be left to an ad hoc collection of volunteers. On the other hand, this gives Europe the opportunity to address the problem through an executive and collaborative approach between European countries in order to maintain permanent and standardized protection of European essential services.

That is to say, Europe needs, and has the opportunity, to turn barriers into enablers and opportunities.

11.1.5.2.2 Research challenges

Translating the above findings into detailed research priorities, especially those coming from NIS WG1 (“Risk management”), as well as those emerging from each of the AoIs and the research landscape document, we suggest structuring the work along the following research priorities:

Methods to reduce and manage systems complexity. The limitations of existing risk management methodologies in addressing the cascading effects of interdependent threats, the change of the security perimeter paradigm, the increasing complexity and nature of threats and the need to manage a multi-stakeholder supply chain inside a global risk management picture, among other factors, justify the need for more research into reducing complexity and improving the accuracy of impact calculations. At the same time, the availability of simpler tools and simpler interfaces supporting these processes would allow cost-effective solutions and avoid further barriers to adoption.

Dynamic risk assessment and management. In order to achieve a comprehensive and continuous situational awareness, we need novel, disruptive approaches capable of estimating the risk in real-time, feeding from real-time operational information and threat intelligence sources, and automating the risk assessment and management activities as much as possible. Dynamic risk management should take account of systems evolution for a sustainable assurance. Dynamic discovery (the way the system infers new topologies) as well as the use of new advanced multi-dimensional sensors of different nature (such as environmental sensors) as inputs to the risk analysis could improve the accuracy and efficiency of the management process. For a broader impact, information sharing and the effective and automatic use of exchanged data tampering of field devices, roadside and infrastructure equipment along the value chain, should be considered.

Formal interoperable models to enable comparisons and compatibility between multi-disciplinary environments. Interoperability and standardisation of the way risks are calculated are needed. Without this, comparing and interpreting results of two different approaches is not possible, undermining the objective evaluation of the performance and effectiveness of new solutions. This is especially relevant in the supply chain model, where organisations need to incorporate the risk level of their suppliers (including physical, human, the cyber layer, processes and services) into their global picture. There is a need to progress toward comparability of risk assessment results, whatever method is used. As we move to ever larger-scale interconnected systems, the development of new risk management models and systems for cyber societies is necessary, with wide activities towards a holistic risk management framework.

Statistical and predictive risk analysis. Considering that statistical risk methods do not work well with intentioned threats, new methods should be researched. Furthermore, acknowledging that most common risk assessment models depend on past information to picture the current risk scenario, additional data models that help to predict probabilities and impacts of threats in Europe could be extremely useful, for example as a tool for remedial actions, investment prioritisation or even for risk externalisation. For Cyber Insurance, the capability to predict the current strength of the system is considered to be a strong component of any calculation. Thus security and corresponding risk metrics (as explained below) are crucial (as are other quantitative aspects of security). The way this data can be shared effectively and re-used at scale is a key factor in providing organisational and shared benefit in Europe.

Autonomous detection and remediation by a man-machine effective cooperation. A capability for autonomous response will become essential to fight against cyber-attacks, because there will simply not be enough time to have a man in the loop. However, an inappropriate response may be more damaging than the original attack, so that the controls need not only to be speedy, but also trustworthy. This implies that they must understand the limits of their authority and the consequences of their actions. To be trusted as well as trustworthy, they must be able to explain and justify their actions in retrospect. Of course, the attackers will attempt to evade the defences, so that the defensive technology must be able to adapt dynamically to the attackers’ tactics not only as an active defence but also to know more about the attacker while in the attack. Despite the automation, people must remain in ultimate control, being able to set and modify policies that govern the actions of the autonomous agents. Establishing effective means of man-machine co-operation will be a research challenge in itself.

Integrated risk metrics and indicators. In order to evaluate to what extent current metrics can be incorporated (and enhanced) into new solutions, there is a need to have a better comprehension of the metrics currently being used in traditional frameworks and methodologies. They are usually said to be based on the 'experience' of the designer, but this doesn't mean anything if the method is not justified based on solid criteria. Calculation methods should at least be auditable. Current metrics tend to focus on individual organisations and not take into account supply chains or dependencies across sectors and borders. It is also easy to focus on those things that are easy to measure and possibly ignore the real indicators of success or failure. The increasing scale and connectivity of cybersecurity issues means that organisations can no longer live in their own silos (and measure things that only affect them), and new approaches to identifying and setting realistic metrics should be considered, i.e. that the security mechanisms are appropriate for the protection of the assets. This requires security mechanisms that fit the purpose and allow security managers to trade off between cost and risk. New security metrics frameworks that can be easily computed should be envisaged. These security metrics could be merged with risk analysis methods to decide the appropriate security controls to be put in place or even facilitate risk externalisation (i.e. Cyber Insurance).

Visual decision making governance frameworks. Increasing complexity forces simpler interfaces for an effective man-machine governance framework. We lack a coherent framework that puts all these pieces together and helps to identify gaps that need to be filled with further research. For example, with the aforementioned solutions it is not possible to effectively translate the risk level into business impact, moving the analysis from the operational/technical layer to the business layer. This achievement would significantly support and ease the decision-making process for risk owners. New techniques are also needed to enable more consistent and appropriate security decision making as well as allowing aggregation and composition of different pieces (Software and Hardware) without losing control of risks, whether including all the value chain sensors or other factors such as legal and economic ones.

Legal risk assessment and management. For a holistic and complete approach, legal risks should be integrated in the organisation’s decision-making process. It may enable the evaluation and comparison of alternative regulatory and non-regulatory responses to complex and interdependent risks and selecting among them. This process requires knowledge of the legal, economic and social factors, as well as knowledge of the business world in which legal teams operate. Risk-preventive, reactive and mitigation services, including process identification, empirical analysis, quantitative evaluation, cost analysis and dynamic support. The system’s basic concept is to solve enterprise legal risk problems by means of management, and the basic principle is to describe the enterprise legal risks in the language of economics although its value should be added to the enterprise risk decision making. Research should provide medium and long-term, holistic and dynamic legal risk management solutions compatible and interoperable with other technical and business risks. At the same time, legal and contractual obligations could also facilitate the adoption of risk management practices by “hard to reach” organisations as an enabler, as noted by NIS WG1.

Incentives for adoption of risk management best practices and reducing barriers (especially for SMEs). As noted by NIS WG1, there is a strong belief, backed by feedback, that SMEs are not applying even basic cyber risk management methods or best practices. Research is needed to establish how to communicate with ‘hard to reach’ organisations and to incentivise the adoption of best practices, given that most damaging cyber-attacks against this kind of organisation are still considered basic (social engineering, phishing, default passwords, patching) despite all the efforts being made in awareness raising. Of specific interest is further research into the use and take-up of risk management methods and practices by SMEs. Barriers already identified by NIS WG1 include the lack of awareness, the complexity of risk assessments, and the imbalance between resources devoted to analysis and the benefits for the organisation (usually seen as a one-off static exercise rather than part of an on-going activity within a governance framework that is maintained). In addition to this, the executive and decision makers’ perception is all about cost and expense rather than preventing financial and material loss. In smaller organisations, the lack of expertise, training and dedicated staff are usually also barriers. There is a need to research potential incentives for take-up and maintenance, both within an organisation and across supply chains.

11.1.5.2.3 Expected outcome

Develop agile risk management framework for companies and SMEs

Develop reliable risk metrics

Enable decisions makers to develop risk prediction models for cyber threats

11.1.5.2.4 Time line

Topic / Timeframe: Short (1-3), Medium (3-5), Long (5-8)

Methods to reduce and manage systems complexity: Methods and process for managing risk interdependencies; Simpler tools and interfaces available to support these processes

Dynamic risk assessment and management: Automation of risk analysis; Advanced real time multi-dimensional sensing capabilities; Significant improvements on real time risk estimation

Statistical and predictive risk analysis: Theoretical foundations and supporting methods and tools for intentioned threats prediction; Statistical methods to estimate the current strength of the system against current and predictive risks

Autonomous detection and remediation by a man-machine effective cooperation: Effective means of man-machine co-operation; Pseudo-autonomous real-time reasoning systems for detection and remediation

Integrated risk metrics and indicators: Auditable calculation methods for risk metrics; Integrated KPI

Visual decision making governance frameworks: New techniques for appropriate risk decision making; Integrated visual decision frameworks to support these new techniques

Legal risk assessment and management: Legal risk semantic formal models; Comprehensive legal risk guidelines and interoperable standards approved and established in practice

Incentives for adoption of risk management best practices and reducing barriers: Research into the use and take-up of risk management methods and practices by SMEs; Lightweight certification and other effective models

11.1.5.3 Cybersecurity operations

11.1.5.3.1 Scope

It is widely recognised that even organisations with state-of-the-art cybersecurity are vulnerable to attack. It is not enough to deploy protective security appliances and software; these measures need to be actively monitored, managed and maintained. Furthermore, organisations need to be vigilant in detecting emerging threats, attacks in progress and actual security breaches, and be able to respond in an appropriate and timely manner. This is the role of Cybersecurity Operations (CSO).

Managed security services (MSS) are around-the-clock remote management or monitoring services of IT security functions delivered via strategically positioned security operations centres [17], often outsourced to a service provider (managed security service provider (MSSP)). Here we use the term MSS to denote either in-house or outsourced provision of operational security functions.

According to recent industry research, the majority of organisations (74%) manage IT security in-house, but an even bigger part (82%) have either already partnered with, or plan to partner with, a managed security service provider [18].

Traditionally, organisations have been reluctant to outsource security functions. But the sheer complexity and extent of cybersecurity makes managed security services increasingly desirable, even a necessity. Many privacy and cybersecurity technologies traditionally installed and managed internally by end-users are now provided and managed directly by third parties on a pay as you use basis across Infrastructure, Systems, Content and Governance solution types in PACS. Such providers are viewed as being crucial to allowing organisations to reduce capital spending on security technology and in allowing them to increase bandwidth for handling security issues within corporate IT teams. For many SMEs, managed security services will be the only way to become fully secure, and many such services will be adopted via cloud solutions.

Businesses turn to managed security services providers to alleviate the various pressures they face on a daily basis in relation to information security, such as targeted malware, customer data theft and resource constraints [19]. Functions of a managed security service include real-time monitoring, intrusion detection systems and firewalls, incident response and emergency handling, security assessments and infrastructure security audits, and post-compromise forensics. A holistic, enterprise-wide security posture that is proactive and predictive rather than reactive is recommended. This would mean a better interaction and strengthened intertwining between cyber core expert functions (security operators, analysts, incident response experts, security architects).

Security services may be conducted in-house through the in-house Security Operations Centre or outsourced to a service provider that oversees other companies' network and information system security. Businesses will increasingly resort to trusted European products and partners, in order to be fully compliant to new regulatory rules and constraints.

Typical services provided include: APT detection and remediation, Distributed Denial of Service (DDoS), email filtering, emergency response services, endpoint AV, endpoint patch management, firewall management, host and network IDS/IPS management, IAM services, log management and monitoring, server patch management, SIEM managed services, threat intelligence, vulnerability testing, web application firewall, and web application monitoring.

Key characteristics of leading MSSP providers include significant breadth of security technology skills, effective cost structures, strong customer services, experienced and trained staff, and strong operational flexibility depending on client needs. [20]

[17] IDC MarketScape: Worldwide Managed Security Services 2014 Vendor Assessment (http://www.idc.com/getdoc.jsp?containerId=248646)

[18] 2014 Security Pressures report, TrustWave (http://www2.trustwave.com/rs/trustwave/images/2014%20Trustwave%20Security%20Pressures%20Report.pdf)

[19] http://www.csoonline.com/article/2134337/employee-protection/study-shows-those-responsible-for-security-face-mounting-pressures.html

[20] IPACSO Market Study p 92

Markets and Markets forecasts that the Managed Security Services Market will grow from $14.32 Billion in 2014 to $31.86 Billion in 2019, at a Compound Annual Growth Rate (CAGR) of 17.3% from 2014 to 2019. Europe is one of the growing markets and is expected to experience increased market traction with high CAGRs during the forecast period.

11.1.5.3.2 Research challenges

The attacker already has the advantage in the cybersecurity battle; highly-damaging security breaches appear in the press on a regular basis, many security compromises are not detected until long after the initial penetration, it is often difficult to identify and prosecute the people responsible, and so on. Threat agents are many and diverse, but include sophisticated criminal organisations and nation-state proxies with significant technical skills and financial resources as well as ideologically-motivated groups. Current challenges include:

Early detection of attacks in preparation or in progress; characterisation of the attack and identification of the attacker; accurate, prioritised, informative and timely alerting with low false-positive and negative rates;

Assessing the situation, planning and effecting an appropriate and timely response;

Recovering to normal business operations, while cleaning up remaining effects of the breach and removing vulnerabilities exploited in the attack, and preserving evidence for forensic investigations;

Simultaneous and retrospective investigation to examine in detail how the breach came about, attribute responsibility and gather evidence for disciplinary action or criminal prosecution (those research challenges also concern the law enforcement sector as the same forensic methods and tools might be developed and used).

These challenges will be exacerbated as threat agents and automated attack software become even more sophisticated, organisations become even more dependent on complex ICT infrastructure and on each other, and innovation in technology and business practices continues.

Preceding sections have considered specific threats and countermeasures. However, it is also important to develop processes, platforms, market-places and standards that enable holistic security solutions appropriate to an organisation’s circumstances to be assembled from constituent services, operated and maintained. Furthermore, it should be possible to select from a range of service and deployment models, from fully internally hosted and resourced solutions to completely outsourced, cloud-based integrated services, with intermediate options including partially outsourced, partially in-house best-of-breed solutions. While security-conscious organisations may currently prefer security operations solutions to be retained in-house or to use dedicated/segregated facilities, use of cloud-based multi-tenant services will become the norm in the future, allowing service providers and their customers to benefit from collective analysis and intelligence sharing. For this to happen, safeguards will need to be developed to prevent leakage of sensitive information.

Currently, security operations involves use of a number of largely independent software tools, with co-ordination, decision making and integration being the result of human co-operative activity. Timely detection and response are already problematic under this arrangement, and time available will decrease further as attacks are automated. Ever-increasing automation and integration of security operations processes will be necessary to keep pace. Furthermore, more of the decision making authority will need to be devolved to intelligent software, with human analysts taking on a goal-setting, supervisory role and working in co-operation with autonomous software agents. Maintaining an audit log, with explanations that are understandable by humans will be important in establishing trust in automated systems.

These challenges can be grouped under three main headings:

Security operations platforms: development of ICT infrastructure allowing flexible integration of disparate security products and services to form the technical element of the system and to provide an interface allowing synergistic man-machine co-operation.

Security operations processes and institutions: defining the organisational and behavioural aspects of CSO.

Security solution design: devising processes and tools by which security operations systems appropriate to the circumstances of a given organisation, utilising the two other ingredients, are brought about and maintained.

11.1.5.3.3 Expected outcome

The desired outcome is to give all European organisations access to comprehensive security operations solutions that are appropriate to their circumstances, are affordable, and are evolvable to keep pace with escalating threats and innovations in technology and practice.

Such solutions are socio-technical systems on a range of size scales.

They will possess institutions and processes that can detect and respond to internal and external threats and failures, enable them to function under adverse conditions, and to self-repair in order to resume normal operations as soon as possible.

This outcome both enables and requires the existence of a dynamic and innovative European market in cybersecurity products and services, which will itself yield significant economic benefit.

11.1.5.3.4 Time line

Security operations platforms

Short (1-3): Baseline multi-tenant platform reference architecture, integration APIs and interoperability standards defined. Platform reference implementation available.

Medium (3-5): 2nd generation with increased flexibility, integration and provision for end-end supervised automation using machine learning. Federation of platforms possible.

Long (5-8): Highly dynamic platform capable of continuous evolution and adaptive response to threat activities. Significant self-learning capability. Close co-operation between software agents and human operatives.

Security operations processes and institutions

Short (1-3): Definition of security business processes that are customisable to the circumstances of a wide variety of organisational contexts. Use cases exemplifying best practices.

Medium (3-5): Add a time dimension allowing for the planned and re-active evolution of processes and institutions over time. Increased integration with platform and design processes.

Long (5-8): Highly adaptive processes and institutions with decentralised co-operative decision-making and autonomous action. Extensive inter-organisational co-operation.

Security solution design

Short (1-3): Scalable processes for selecting and combining solution elements to meet the security needs of an organisation

Medium (3-5): Selection and combination processes acquire a time dimension, allowing frequent in-service updates of the system without disruption.

Long (5-8): Guided/autonomous and continuous evolution of the architecture and make-up of security solutions in order to keep pace with changing requirements and take advantage of innovations.

11.1.5.4 Security training services

11.1.5.4.1 Scope

Traditional training approaches, namely class-room sessions, e-learning and b-learning (as we know them today), do not suffice to keep our workforce up-to-date and ready to respond in such an overwhelmingly changing scenario. One-off training sessions, however they are provided, continue to lag behind the rapid rate of change of technology and cyber threats. But, worst of all, current approaches cannot accommodate, in a cost-effective and timely manner, the particularities of a customer's security problem, or the technologies and networks they use in their operational environments. In other words, the effectiveness of the training is very limited.

Even though training is currently considered a fundamental prerequisite for the adequate protection of cyberspace, there is still a need for innovative technology capable of providing realistic, flexible, evolutionary and tailored training services able to reach a large-scale audience in a cost-effective way. As of today this remains a great challenge both for the academy and the industry.

In recent years, the training concept has been reshaped with the introduction of cyber ranges. A cyber range is a virtual environment typically built on top of standard hardware and used for multi-tenant hands-on training, experimentation, test and research in cybersecurity, as well as supporting cyber defence exercises (i.e. cyber-exercises). Due to their benefits, cyber range solutions are gaining attention as a key ally to support training programmes in different civil and military contexts.

Some of the aforementioned required properties (realism, flexibility, etc.) are already met by current cyber range solutions. For example, a standard cyber range is usually designed to provide realistic settings where the user interacts with real (virtual) systems and networks that may, to some extent, reproduce real-world scenarios with real-time feedback and operation.

However, much research and innovation is still needed to accommodate and combine in a single solution all of the properties above.

11.1.5.4.2 Research challenges

The following challenges have been identified as a priority to implement and provide innovative cybersecurity training services for the community at large.

Tailored training for large-scale audiences. Tailoring a hands-on training course for a specific customer is, considering current cyber range solutions, impractical if large-scale and cost-effective properties also need to be provided. In this regard, a smart and automated trainee supervision and assessment system that guides trainees through the exercise, providing automated hints when needed, would make it possible to deploy the solution for thousands of trainees concurrently without the need of a single instructor. Also, a cyber range capable of easily deploying on-demand configurations of new tailored exercises would provide a significant improvement in tackling particular needs and specific situations, and in representing new and emerging threats. This capability, however, requires a powerful, flexible and intuitive course and exercise design tool that could even be used by the customers themselves.

As can be seen, automation is fundamental if a cost-effective training service is to be provided for large scale audiences. This includes the capability to replicate and simulate users and applications behaviours in the training scenario, as well as the adversary (defensive, offensive) and allies function inside the training activity.

Pedagogical foundations by design. If there is one common limitation in current cyber ranges is that, even when commercialised under the label of training platforms, they support test, experimentation and research activities (even capture-the-flag competitions) but without any pedagogical features. Current solutions hardly incorporate metrics and functionality to measure the actual performance of the trainee and manage their progress along the time. At the most, we observe that some solutions incentivize and motivate the trainee using quantitative scoring systems or gamification approaches. A more comprehensive and systematic view is needed. The foundations underlying the learning process should be considered by design. This may imply implementing different and complementary approaches, such as formal learning, observational learning, trial and error approach, etc.

All-levels covered. The complexity of the training exercises should be scaled to the trainee's level, customising the level of automated guidance and support in each exercise. This is particularly important when targeting individuals at introductory level. A significant breakthrough innovation would be for this adaptation, including the difficulty of the training, to be automatically readjusted over the lifespan of the training, and even dynamically during an exercise, according to the trainee's performance. The system could, for example, propose new challenges/objectives, reinforce certain attitudes or improve the adversary's skills for highly proficient trainees.

11.1.5.4.3 Expected outcome

Improved knowledge, skills and abilities of technical staff to detect and respond to cyber attacks.

Increased awareness of and preparedness for cyber threats across society.

Progress in technologies and processes needed to improve organisations' capabilities to detect and respond to advanced attacks.

11.1.5.4.4 Time line

Topic / Timeframe: Short (1-3), Medium (3-5), Long (5-8)

Tailored training for large scale audiences

Short (1-3): Automated supervision of trainees and state of the exercise, being able to detect deadlocks and variations in the trainee performance and take actions accordingly.

Medium (3-5): Development of powerful tools to automate the design and implementation of new training activities.

Long (5-8): Smart adversary/ally played automatically by the cyber range. The adversary can take on either a defensive role, an offensive role, or both.

This requires research on many areas that would contribute not only to advanced training services but also to some cornerstones of cybersecurity, such as artificial intelligence and self-healing systems, dynamic risk management, or kits and tools for automated multi-step attacks (at tactical and operational level).

Pedagogical foundations by design

Integrate pedagogical approaches, metrics and measures to evaluate the trainee performance and evolution.

Integrate biometric-based stress detection systems to measure and correlate the level of performance and stress of the trainee during the activity.

All-levels covered

Short (1-3): Develop tools for assisting in the design of tailored training curricula/path (training activities and the sequence to follow) for each individual/organisation, depending on particular needs (desired output) and the level of the participant (input).

Medium (3-5): Develop and integrate powerful network traffic analysis and generation tools that can be controlled during the training activity so that realism is enhanced and the level of difficulty can be adjusted dynamically.

Long (5-8): Research on adaptive systems for training purposes, combining dynamic adjustments of the activity setting (objectives, hints, etc.) as well as dynamic adaptation of the behaviour of the automated elements in the activity (network traffic generator, adversary, ally, stochastic elements)