CORDIS - EU research results

European Control System Security Incident Analysis Network

Final Report Summary - ECOSSIAN (European Control System Security Incident Analysis Network)

Executive Summary:
The mission of ECOSSIAN is to improve the detection and management of highly sophisticated cyber security incidents and attacks against Critical Infrastructures (CIs) by implementing a pan-European early warning and situational awareness framework with command and control facilities.
Motivation:
The protection of CI increasingly demands solutions which support incident detection and management at the level of the individual CI, among dependent CIs, and across borders. The required approach ought to integrate functionalities across all these levels. Collaboration between privately operated CIs and public bodies, such as governments and the EU, is difficult but mandatory.
After ten years of analysis and research on partial aspects of CI Protection (CIP) and on individual infrastructure sectors, ECOSSIAN was created to address the area holistically. One of the key developments is a prototype facilitating preventive functions such as threat monitoring, early-indicator and real threat detection, alerting, and support of threat mitigation and disaster management.
Objectives & Technical Approach:
ECOSSIAN aims to improve cyber security by implementing a pan-European early warning and situational awareness framework with command and control facilities. The work is aligned with three main policy frameworks:
• European Programme for Critical Infrastructure Protection (EPCIP).
• Strategy and Action Plan developed by the European Commission.
• Worldwide Initiatives on Cyber Security of Industrial Control Systems and Smart Grids followed by ENISA and Member States.
Final results and their potential impact and use:
ECOSSIAN developed a holistic, integrated and user-friendly early warning system for all stakeholders on the operator, Member State and European side while complying with legal and regulatory requirements. The exchange of data and the sharing of information are commonly understood to improve attack mitigation and resistance by combining forces; this is a prerequisite for situational awareness across borders. The ECOSSIAN system explicitly includes a pan-European layer, the E-SOC, that connects the national SOCs at the European level; by providing a common situational awareness it enables the collaboration of all relevant stakeholders in Member States and Associated Countries. The layered approach in the ECOSSIAN architecture improves reaction speed by enabling a first (preliminary) response already on O-SOC level, thus avoiding delays due to more complex decision making on N-SOC or E-SOC level, while still providing capabilities for a consistent and integral response. The basic incident detection technologies developed in the project, together with the analysis, aggregation and correlation methods, enable improved and more accurate threat detection that takes into account the information shared by all collaborating parties, which is the basis for an adequate early-warning system. Legal, social and economic aspects were considered throughout: in the ECOSSIAN architecture, in the development of threat detection methods, information sharing and exploitation capabilities, and in the design of threat mitigation and incident management components. The final phase of the project was dedicated to full-scale demonstrations of the platform on national and European levels, including the necessary preparations and the evaluation of the demonstrations.
We can summarize the expected impact areas as follows:
• Facilitate the emergence of common European solutions in CIP
• Develop a secure cyber environment in CI sectors other than ICT in Europe
• Facilitate the emergence of new cyber security interoperability standards
Project Context and Objectives:
The economy and the welfare of its citizens require that Critical Infrastructures (CI) function properly. Hence, the protection of CI increasingly demands solutions, which ECOSSIAN addressed through its contribution to the
• European Programme for Critical Infrastructure Protection (EPCIP)
• Strategy and Action Plan developed by the European Commission
• Worldwide Initiatives on Cyber Security of Industrial Control Systems and Smart Grids followed by ENISA and Member States.
In addition, ECOSSIAN established a working and exchange relationship with the Security and Defence Agenda, which has already produced useful guidelines on how to improve Europe’s CIP.

ECOSSIAN overall aimed to launch a pan-European early warning framework in order to address the following nine main objectives:
• Establish and enhance a security-state awareness to support operators of CI by implementing an Operator Security Operation Centre (O-SOC);
• Combine O-SOCs of Member States’ identified and designated CI in a National Security Operation Centre (N-SOC);
• Improve the effectiveness of decision-making and incident response capabilities in Member States through real-time situational awareness, information sharing and efficient command & control opportunities;
• Support a pan-European early-warning entity through the connection of Member States’ N-SOCs to a European Security Operation Centre (E-SOC), including the required interoperability standards;
• Enable consistent and collaborative cross-border and cross-sectorial incident management for CI by utilizing E-SOC capabilities;
• Build trusted relationships and engage the CI operators at the EU level;
• Ensure trustworthiness, anonymity, privacy and legality of action for all stakeholders and end users as necessary;
• Perform a full-scale demonstration of the implemented ECOSSIAN framework and system; and
• Build an entry point for EU-US collaborative information sharing efforts in cyber defense to create readiness to react on a global basis.
WP1 Stock-taking, Requirements & Specification, Architecture Design
The objective of this WP during the first period was to review the state of the art of Critical Infrastructure (CI) security provisions and to define use cases and demonstration scenarios in the energy, transport and financial sectors. Moreover, the ECOSSIAN architecture requirements were defined, and an assessment of the missing devices, workflows and procedures needed to achieve cooperation between CI SOCs and public authorities was carried out. In the following period, the focus was on achieving the following goals:
• To identify needs that are not adequately addressed by currently available SOC technologies, also examining technologies such as SIEM to assess their functionality and limitations.
• To perform technological and procedure assessment with respect to ECOSSIAN requirements, by means of a market and scientific technology review.
• To finalize the architecture framework and fully develop the architectures of the E-SOC and the N-SOC, with IERs for their mutual interfaces and their interfaces with the O-SOCs.
• To specify secure gateways between SOCs based on IERs and current standards as well as proposed standards identified during the gap analysis.
• To review the reference security methodologies that may have an impact on the implementation of the ECOSSIAN platform in terms of confidentiality and integrity of the information to be exchanged.
• To assess the use-case scenarios and proposed architecture and define a suitable security risk assessment methodology.
• To develop appropriate technical controls.
This WP officially ended in the second period, in M18 (November 2015).

WP2 Threat Detection Module
WP2 started in M06 with real-time CI monitoring and the identification of indicators and artefacts of cyber attacks. Within T2.3, alarms for situational awareness and security state prediction were triggered so that an early warning system can be provided. This led to the following progress during the second period:
• Development of a real-time monitoring architecture/framework so that appropriate information is provided on both the IP and the control network.
• Design of an appropriate ICS/SCADA security monitoring architecture and ICS/SCADA analysis of sample use cases.
• Development of a framework to detect man-in-the-middle attacks, replay attacks and command injections.
• Existing attack detection mechanisms were extended to meet stakeholder requirements, and attack models for the detection of cyber-attacks were developed.
• On this basis, alert mechanisms and intelligent reporting to SOC operators were provided.
• Finally, the processing of sensor data to provide intelligent, real-time event information to the different levels of monitoring centres was assured.
During the third period of the project, one of the main results was the design and development of a security operation centre for ICS/SCADA, including technical requirement capture (for distributed and aggregated SOCs). In addition, the data formats necessary for alert handling and communication were defined.
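The WP2 summary names three attack classes the detection framework had to cover (man-in-the-middle, replay, command injection) without describing the checks. The following is an added example, not code from the ECOSSIAN project or its sensors, of the three stateful checks a practitioner would put into such a framework, run over a constructed stream of Modbus/TCP requests. The record fields, the IP/MAC addresses, the register addresses and the sample traffic are assumptions made for this illustration.

```python
"""Added example, not ECOSSIAN project code: stateful detection of MITM, replay
and command-injection indicators on a control network. All addresses, field
names and sample records are constructed assumptions for illustration."""
from collections import defaultdict
from dataclasses import dataclass

# Modbus function codes that change process state (write coils / registers)
WRITE_FUNCTIONS = {5, 6, 15, 16}


@dataclass(frozen=True)
class ModbusRequest:
    ts: float        # capture time in seconds
    src_ip: str
    src_mac: str
    dst_ip: str
    tid: int         # Modbus/TCP transaction identifier (MBAP header)
    function: int
    address: int
    value: int


class IcsDetector:
    """Remembers IP-to-MAC bindings and recently seen write transactions."""

    def __init__(self, authorized_masters, replay_window=30.0):
        self.authorized_masters = set(authorized_masters)
        self.replay_window = replay_window
        self.ip_to_mac = {}                 # first MAC seen for each IP (baseline)
        self.recent = defaultdict(dict)     # (src, dst) -> tid -> (ts, payload)

    def process(self, req):
        alerts = []
        # MITM indicator: a known IP now sourced from a different MAC, as an
        # ARP-spoofing interceptor produces. The baseline MAC is kept, so an
        # attacker cannot become the new normal simply by being seen again.
        known_mac = self.ip_to_mac.setdefault(req.src_ip, req.src_mac)
        if known_mac != req.src_mac:
            alerts.append(("mitm", f"{req.src_ip} seen from {req.src_mac}, baseline {known_mac}"))
        is_write = req.function in WRITE_FUNCTIONS
        # Command injection: a write request from a host that is not an
        # authorized master (e.g. neither the HMI nor the engineering station).
        if is_write and req.src_ip not in self.authorized_masters:
            alerts.append(("command_injection", f"fc={req.function} addr={req.address} from {req.src_ip}"))
        # Replay: the same transaction id carrying the same write payload on the
        # same flow inside the window. Honest masters increment the tid per
        # request, so a repeated (tid, payload) pair is a captured frame re-sent.
        # Reads are excluded to avoid noise from tid wrap-around on fast polling.
        if is_write:
            flow = self.recent[(req.src_ip, req.dst_ip)]
            payload = (req.function, req.address, req.value)
            prev = flow.get(req.tid)
            if prev is not None and prev[1] == payload and req.ts - prev[0] <= self.replay_window:
                alerts.append(("replay", f"tid={req.tid} repeated after {req.ts - prev[0]:.1f}s"))
            flow[req.tid] = (req.ts, payload)
            for tid in [t for t, (ts, _) in flow.items() if req.ts - ts > self.replay_window]:
                del flow[tid]       # forget entries older than the window
        return alerts


def run_sample():
    """Constructed traffic: HMI 10.0.0.10 talks to PLC 10.0.0.20; 10.0.0.66 is an intruder."""
    HMI, PLC, ROGUE = "10.0.0.10", "10.0.0.20", "10.0.0.66"
    HMI_MAC, ROGUE_MAC = "aa:aa:aa:00:00:10", "aa:aa:aa:00:00:66"
    stream = [
        ModbusRequest(0.0, HMI, HMI_MAC, PLC, 1, 3, 100, 0),        # benign read
        ModbusRequest(1.0, HMI, HMI_MAC, PLC, 2, 6, 40001, 1),      # benign write: setpoint on
        ModbusRequest(2.0, ROGUE, ROGUE_MAC, PLC, 7, 6, 40001, 0),  # injected write from rogue host
        ModbusRequest(3.0, HMI, ROGUE_MAC, PLC, 3, 3, 100, 0),      # HMI's IP now from rogue MAC
        ModbusRequest(4.0, HMI, HMI_MAC, PLC, 2, 6, 40001, 1),      # replay of the tid-2 write
    ]
    det = IcsDetector(authorized_masters={HMI})
    alerts = []
    for req in stream:
        alerts.extend((req.ts, kind, detail) for kind, detail in det.process(req))
    return alerts


if __name__ == "__main__":
    for ts, kind, detail in run_sample():
        print(f"t={ts:4.1f} {kind:18s} {detail}")
```

The three checks deliberately rely on different state: the MITM check on a learned IP-to-MAC baseline, the injection check on an allow-list of masters, and the replay check on a short history of write transactions per flow. A sensor that also sees the PLC's responses can add a fourth check (response without matching request), which is left out here.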

WP3 Analysis, Aggregation, Correlation and Visualisation
Starting in M06, WP3 evaluated and developed efficient mechanisms for information collection, executed an analysis of shared incident information (e.g. cause of the incident, credibility of the reported event) and assessed the results. This groundwork led to the development of efficient mechanisms for information collection in large-scale distributed systems (by adopting existing standards) and of protocols for (semi-)automatic incident information exchange. Moreover, methodologies for the analysis of shared incident information were implemented in order to verify the actual cause of a cyber incident. The results were used to identify connections and interdependencies between reported incidents, ongoing attacks and the respective analysis results. During the last period those methodologies and mechanisms were tested and evaluated. Finally, one of the main goals was to integrate the developed components within the ECOSSIAN ecosystem and demonstrate their applicability in different attack scenarios targeting European federated Critical Infrastructures.

WP4 Threat Mitigation and Incident Management
The objectives set in this WP were first to evaluate current best practices in threat mitigation and incident management and, based on those, to define realistic mitigation actions and incident management procedures for the different SOC levels of the ECOSSIAN system, also for demonstration purposes. Another aim was to limit incident propagation by mapping CI interconnections and developing situational awareness tools to study interdependencies. The WP also aimed to identify critical information sources for implementing an appropriate continuity planning process around the ECOSSIAN framework and its associated O-SOC, N-SOC and E-SOC stakeholders, as well as an appropriate management system with people, process and technology controls. The last aim was to develop, implement, test and evaluate a forensic system for gathering and storing incident logs, enabling attacker identification during the incident and prosecution after the incident.

WP5 Integration, Preparation of Demonstration and Evaluation
The aim of the WP was to integrate and validate the ECOSSIAN approach, deploy the ECOSSIAN system within realistic environments and prepare the system for demonstration activities. This was successfully reached by performing the following preliminary work:
• Developing secure gateways (SGW) to ensure that data flows appropriately between the various SOCs, upwards and downwards, preserving security and anonymity whenever required.
• Refining the use cases and the demonstration of the expected benefits of ECOSSIAN. Performing an early integration of place-holder interfaces implemented in WP2, WP3 and WP4, aiming at the creation of an interface prototype in a lab environment.
• Focusing on the integration of the whole range of technologies that have been developed in WP2, WP3 and WP4 into an integrated system and set of tools that can be used in a coherent way.
• Performing the necessary functional tests to validate the correct integration between the developed systems and tools.
• Preparing a methodology for the system evaluation in the national and international demonstrations.

WP6 National and European Demonstration
This work package started towards the end of the second reporting period, in M20, when mainly preparatory work for the demonstrations took place (e.g. planning and development of documents, preparation of speeches). In the third period, and based on the use cases defined in WP5, the main achievement was the successful performance of the four demonstrations of the ECOSSIAN project.

WP7 Legal, Ethical and Societal Foundations
Grouped by reporting period, the following objectives were achieved during the ECOSSIAN project:
• Period 1:
o Identification and analysis of the legal issues present in a cross-border and cross-sectorial early warning and incident response framework.
o Identification of legal obstacles on data sharing policies both with regard to privacy and data protection and spatial data and environmental information. Research on the implications of the legal obstacles in data sharing on the efficient disaster prevention and management.
o Introduction of the legal requirements, in a form of guidelines in order to ensure legal compliance of the system.
o Structuring and methodological approach to PPP and to political/societal factors

• Period 2 and 3
o Implementation of the legal requirements and the subsequent evaluation from the legal compliance perspective.
o Define and develop EELPS evaluation criteria and assessment tool
o Analyse, implement and evaluate ethical and societal issues, including EELPS evaluations in parametric case sessions
o Business analysis.

WP8 Dissemination, Exploitation and Standardization
The objective of this WP was to raise awareness about the project and its vision (visibility of ECOSSIAN), to spread the achieved results (impact of ECOSSIAN), and to perform exploitation activities and prepare the exploitation after ECOSSIAN. Information needed to understand the concepts and the potential benefits of adopting the new paradigm developed in ECOSSIAN was provided to key industrial and academic groups. The objectives were to launch dissemination, exploitation and standardisation activities through various channels such as the website, poster sessions, participation in conferences and workshops, and publication in journals. Several project partners are members of national and international working groups related to the major subjects addressed by ECOSSIAN. These working groups were used to spread information on the project outcomes and pass them to standardisation bodies. Furthermore, the objective of this WP was to organize a number of workshops in order to raise awareness among several different groups of scientific and industrial stakeholders and to collect their feedback.

WP9 Project Management and IPR Framework
The main objectives of WP9 were to ensure the operational management, including EC reporting, and the technical life of the project in an administrative sense, and to support partners in all administrative issues. In ECOSSIAN the management of the project was shared by two partners: the coordination of technical challenges was covered by the Technical Leader at EADS and project management was covered by the Coordinator at TEC.
Project Results:
1.3.1 Stock-taking, Requirements & Specification, Architecture Design (M01-M18)
Task 1.1 Review of existing CI security provisions (M01-M06)
All partners involved in WP1 contributed to research activities aimed at defining the current status of: the CIP/CIIP framework at EU level; organizations, initiatives and policies; synergies and potential conflicts with ECOSSIAN; data protection and confidentiality processes, detection and response processes, situational awareness processes; and current technologies for monitoring and prevention activities in critical infrastructures as well as for incident handling.
Work on issues related to “processes and procedures” and “standards and technologies” was performed, and a general overview of N-SOC, E-SOC and O-SOC was provided, also covering specific regulation requiring the institution, operation and maintenance of dedicated SOCs, the CIP/CIIP framework at EU level, trans-European Critical Infrastructures, organizations, initiatives and policies, synergies and potential conflicts with ECOSSIAN, and several other relevant legal texts. An overview of SOCs/CERTs/CSIRTs in France, Germany, Italy and Portugal was also given.
Furthermore, an inventory of SOCs, N-SOCs and E-SOCs within the countries represented in ECOSSIAN was compiled. Interrelations between CI SOCs within the same country and across borders were analysed in order to oversee cross-sector propagating effects of crises, incidents and other security events.
A digital survey was developed by several partners and delivered to the relevant actors; it was also linked from the project website.
In addition, partners engaged with national SOC providers to build a picture of the national situation concerning SOC maturity. Furthermore, existing CI provisions were reviewed. Partners’ contributions also focused on security issues specific to automation and energy distribution systems. Specific contributions were provided towards the state-of-the-art analysis on monitoring, situational awareness and analysis in industrial automation and electrical distribution networks. Work on intrusion detection systems in the context of IEC 62351-7 was also performed.
T1.1 was led so as to achieve the expected outcomes on time and to ensure that the interactions with other tasks, as described in the DoW, were respected. The task was successfully closed at the end of M06, as expected, and D1.1 was submitted on time.
Task 1.2 Use case definitions (M02-M12)
All partners involved in T1.2 contributed to the definition of the use cases and demonstration scenarios. GAIS and ESPION worked together on the definition of the use cases for the gas sector scenarios. AIT offered support based on its experience from national research projects dealing with use case construction in the domain of security information sharing, and provided suggestions and results from previous research in the domain of industrial control system security and information sharing. Furthermore, work on the definition of information-flow use cases, which describe which data is exchanged between the ECOSSIAN SOCs, was performed. A unified scenario for D1.5, with sub-scenarios for each partner, possible attacks, generic use cases and exemplary use cases for the sub-scenarios, was defined. Work on ‘Attacks on Critical Infrastructure Suppliers’ was completed and contributions to the section on ‘Gas Distribution Infrastructures’ were provided. A preliminary analysis of the use case draft was performed in order to ensure a connection with the analysis conducted in WP7 in relation to the legal requirements. Furthermore, existing use cases as well as applicable historic cases requiring a NOC’s action were reviewed. Further contributions also covered the definition of smart grid related scenarios. This work was a basis for defining the contents of WP2 and WP3 and contributed to the definition of the overall information flow and interface definition.
The WP leader made sure that all the goals of the task were achieved on time and that the interactions with other tasks were in line with the general project plan. PI contributed to the construction of the financial sector scenario and to the definition of the relevant use cases, which were integrated in the ECOSSIAN scenarios and described in the relevant deliverable.
T1.2 was completed on time in M12 according to the project schedule. Nevertheless, following the rejection of D1.5 “Use case scenario report” by the EC reviewer, T1.2 was re-opened in order to investigate unclear aspects in detail and integrate the required clarifications into D1.5. The main additions in the revised D1.5 concern the use case / real-life scenario descriptions, the relevant building block for the project demonstration phase. The D1.5 revision was carried out cooperatively by the main partners involved, especially those directly involved in the use cases / real-life scenarios.
In particular: GAIS revised and integrated the gas sector scenario; AIT carried out a revision of the Smart Meter use case; IFAK drafted a use case on “Smart Grid” with external stakeholders. PI, as leader of WP1, coordinated and supervised the revision process, making sure that all the requests made by the EC were satisfied on time, and acted as a facilitator supporting the work done by the task leader (FHG).
PI, TEC, FHG, PJ and IP contributed to the D1.5 revision and improvements from a qualitative perspective, providing feedback and remarks on the work performed. For instance, open issues in the Rail and Finance scenarios were analyzed and clarified. Importantly, the scenarios were also revised for realism through consultation with external stakeholders aimed at clarifying and validating relevant aspects; thus each use case / scenario was complemented with a plausibility or validation section at the end. Following the rigorous internal review conducted by the project partners, a new version of D1.5 was submitted in M15, meeting all the EC requests and remarks, and T1.2 was formally completed.
Task 1.3 Development of requirements (M03-M09)
All partners involved in T1.3 cooperated to define ECOSSIAN system requirements.
Partners contributed to the definition of organizational, operational and functional requirements. Research on requirements engineering with a focus on non-functional requirements was performed, with special attention to requirements concerning system security and software licensing. It was ensured that requirements were formulated in a way that they can be understood and addressed by WP3 partners, and a review of the requirements listed in D1.2 with specific focus on WP3-relevant requirements was performed. Furthermore, several collaborations among T1.3 partners took place in order to harmonize the functional requirements with the use cases of T1.2.
In addition, focus was put on asset discovery as well as on threats and vulnerabilities. Security challenges such as confidentiality, integrity and availability (CIA), perimeter flaws, attacks on common protocols (DNP3, Modbus, SCADA, OPC/DCOM), database/DMZ attacks, MITM attacks, lacking or inappropriate OS and application patching and updates, insecure code (OWASP) and lack of control systems were analyzed and defined.
Furthermore, input in the form of legal requirements derived from the work completed in WP7 was provided.
It was ensured that all the goals of the task were achieved on time and that the interactions with other tasks were in line with the general project plan.
Task 1.4 Gap Analysis of Security Technologies and Procedures (M04-M15)
All partners involved in T1.4 made a relevant effort to develop the gap analysis.
In a first step, the state of the art on which the gap analysis builds was examined by identifying the outcomes of the survey. Research on state-of-the-art processes and procedures in critical security infrastructures was performed and contributions to the gap analysis were provided. Partners also contributed on managed security services with respect to software copy protection measures. Furthermore, the state of the art for firewalls, intrusion detection and prevention systems and honeypots was analyzed, and general research on the CI sector was carried out.
The WP leader ensured that all the goals of the task were achieved on time and that the interactions with other tasks were in line with the general project plan.
Activities focused on finalizing the assessment and investigation of existing technologies and procedures for CI protection, setting the goals to be reached by the ECOSSIAN infrastructure in SCADA (industrial) environments and defining the gaps towards their achievement. The evidence gathered is documented in D1.4 “Gap analysis report”, submitted to the EC in M12. After submission, D1.4 was fine-tuned as it serves as input to other project activities, in particular T1.5 and the related D1.7 “Architecture specifications”, and T1.6 and the related D1.6 “Security Methodologies”.
Activities were carried out through constant dialogue and cooperation among the project partners involved. Specifically, CCG led the task and the drafting of D1.4, coordinating, gathering and integrating partner contributions. ESP focused its activities on the investigation of the technologies described in the D1.4 gap analysis. T1.4 activities were formally concluded in M15 according to the envisaged project schedule.
Task 1.5 Architecture Design (M04-M18)
All partners involved in T1.5 contributed to the preliminary definition of the architecture. The task lead organized the kick-off in order to define the work plan and task assignments. Partners engaged in discussions on the overall architecture and contributed to the functional and sub-function descriptions. Architectural concepts potentially applicable to ECOSSIAN were analyzed, and the resulting concept for defining the ECOSSIAN architecture was presented at the face-to-face meeting in Rome. This approach was adopted by the consortium partners and further enhanced.
Furthermore, partners provided input related to processing, aggregation, analysis and reporting functional blocks both on O-SOC and N-SOC level. In cooperation with WP3 partners, the main components and interfaces of the general architecture relevant for WP3 were defined.
A proposal for an integration model for each ECOSSIAN module in the SOC and a publish/subscribe model for the integration of N-SOCs and E-SOCs was made. Further on, the O-SOC Acquisition functional block was integrated and work on the introduction of the Business Process Monitoring sub-function was performed. Issues related to processing, aggregation and analysis at O-SOC level were also analyzed, and contributions to mitigation procedures were provided.
Work on D1.7 “Architecture specifications” (M18) was discussed during an architecture meeting in Paris with WP2/3/4/5 leaders.
Due to the relevance of the task, most project partners contributed and provided feedback on T1.5 activities and progress, allowing a continuous revision and improvement of the work performed. Technical partners focused on the design of specific architecture functionalities: PI, as WP leader, monitored the task implementation, contributed to technical activities and to the resolution of critical issues; BRT led the task and contributed to the Interconnection Functional Block and the Impact Planning Functional Block as well as to the description of the Crossing SW Component; INOV presented a first architecture proposal; EADS focused on the description of the following functions: collaboration, management, secure data storage and logging; AIT contributed to the definition of functional blocks and interfaces and provided input on the WP3-related sections of Deliverable D1.7; CAS-FR was mainly involved in the description of architecture specifications (analysis, evaluation and visualization for the O-SOC, N-SOC and E-SOC system architecture); ESP provided input on the data collection function and on the IODEF formats; VTT focused on the mitigation block perspective; IFAK focused on the Aggregation, Visualization and General Architecture functional blocks; CCG carried out an impact analysis and work on Bro IDS, and contributed to functional block design and formalization. Additionally, TEC and FHG provided input and remarks on the activities carried out in order to meet the qualitative standards required for D1.7.
It is worth mentioning that, although a slight delay was reported in Y1, activities were then accelerated in order to meet the envisaged objectives on time. To this end, a dedicated workshop was held in M16 in Oulu to discuss and solve critical aspects with the contribution of all partners and to successfully complete the final architecture design.
Thus, D1.7 was finally submitted and T1.5 was completed in M18 as planned.
PI, as leader of WP1, made sure that all the goals of the task were achieved on time and that the interactions with other tasks were in line with the general project plan.
Task 1.6 Reference Security Methodologies (M06-M15)
All partners involved in T1.6 started their work as planned, with the task leader leading the activities and coordinating partners’ contributions. Analyses of the use cases were performed and research on security methodologies for contributions to D1.6 “Security Methodologies” (M15) was carried out.
Moreover, research on critical infrastructure was carried out and input from a legal point of view was provided. Risk assessment methodologies that could be suitable for the risk assessment of the ECOSSIAN system were analyzed, as well as how security methodologies relate to different risks.
The preliminary input and contributions on security methodologies gathered in Y1 were enhanced with the ultimate goal of selecting the most appropriate methodologies for the ECOSSIAN system, capable of guaranteeing the confidentiality and integrity of the information to be exchanged. In particular, the analysis focused on the reference security methodologies related to Information Security Management System (ISMS) and Risk Management (RM) frameworks applicable to both critical infrastructure and IT environments, and led to the definition of recommendations for the project.
The results of the analysis were reported in D1.6 “Security Methodologies”, which was submitted to the EC in M15 according to the project schedule.
The partners involved actively contributed to T1.6 activities as follows: ESP led the task and coordinated the D1.6 drafting, gathering and integrating contributions from all partners; it examined the various security and risk management methodologies and provided a recommendation for security, risk and governance methodologies. VTT analyzed methods applicable to the risk assessment and management of critical infrastructures. TEC, UNIBO and KUL provided further input to the D1.6 drafting and review, ensuring that the required quality standards were met.
It was ensured that all the goals of the task were achieved on time and that the interactions with other tasks were in line with the general project plan.
Achievements and results of WP1:
WP1 was led by partner PI and ran from month 1 to month 18. The main results achieved within this WP can be summarized as follows:
The overall goal was to define the requirements and specifications and to design the overall architecture. The definition of the European Critical Infrastructure framework and the submission of D1.1 “State of the art report” were achieved in M03. The identification of the requirements and functionalities needed to build the ECOSSIAN system led to D1.2 “Requirements report” in M09. The preliminary architecture was defined and D1.3 “General Architectural Framework” was finalized and submitted in M09. The identification of shortcomings in state-of-the-art solutions, as well as of areas where major effort is needed to fulfil the ECOSSIAN system requirements, was done and D1.4 “Gap analysis report” was created and submitted on time in M12. Further analysis and collection of contributions was initiated to define the architecture specifications. The definition of demonstration scenarios and use cases for the validation of the ECOSSIAN platform was completed and D1.5 “Use case scenario report” was finalized in M11. The main results achieved in T1.6 include the drafting of recommendations on security methodology frameworks and on the risk management methodologies deemed most applicable to the ECOSSIAN system, and the submission of D1.6 “Security Methodologies”.
The design of the final and specific architecture of ECOSSIAN system, including all necessary building blocks, components and related functions that enable the system to properly perform its operating tasks was finalized and D1.7 “Architecture specifications” was submitted in M18.

1.3.2 WP2 Threat Detection Module (M06-M33)
Task 2.1 Real Time Monitoring (M06-M24)
All partners involved presented their ideas on possible contributions at the first WP2 workshop in Lisbon (26th March 2015), where the contributions were aligned to the partners' expertise and to the requirements and use-case descriptions from WP1. This identified two major activities within T2.1:
• On the one hand, a Bro IDS-based network sensor including the capabilities of handling a SCADA-specific protocol as well as incorporating the Link History Graph approach.
• On the other hand, the “ECOSSIAN sensor”, a network sensor capable of providing functions for data acquisition, data processing, data fusion and analysis. The concept of the ECOSSIAN Sensor was further discussed and refined at a joint WP2/3/4 workshop in Vienna, where the information flow between the different SOCs, and thus the information flow covering the ECOSSIAN sensor, was briefly sketched.
In the second period, all partners involved started to implement their corresponding monitoring technologies and successfully demonstrated and tested the implementation at the ECOSSIAN integration network. The activities can be separated as follows:
VTT and CCG developed two different sensors based on Bro: on the one hand, the Bro Link History Graph (LHG), capable of detecting new connections within a network segment; on the other hand, the Bro Network Security Monitor (NSM) was extended to monitor the PROFINET protocol (IO and DCP), with the ability to identify attacks at the low level (industrial network).
IFAK realized functions for distributed monitoring and script-based analysis of fieldbus traffic. The analysis includes recording of process values, detecting unknown devices and monitoring topology changes. Support for non-Ethernet-based fieldbus systems such as PROFIBUS and Modbus RTU was added as well, to increase the usability for heterogeneous networks.
Additionally, all partners supported the development of an O-SOC architecture for the architectural design of secure real-time monitoring and attack detection.
Finally, the partners involved adapted their developed monitoring solutions to fit the desired needs for the national and European demonstration.
Task 2.2 Incident & Attack Detection (M06-M24)
All partners involved presented their ideas on possible contributions at the first WP2 workshop in Lisbon, where the contributions were aligned to the partners' expertise and to the requirements and use-case descriptions from WP1. This identified several major activities within T2.2, where not only the ICT environment is taken into account but also the enterprise level of a CI operator. Additionally, the several tasks make use of different technical approaches for incident and attack detection, such as comparison-based approaches and self-learning approaches.
The activities also used different data sources for their detection methods, such as network traffic data, log files, alerts, host and system monitoring results, etc. A first sketch of the WP2-internal information flow, as well as of the external interfaces, was developed and refined at the joint WP2/3/4 workshop in Vienna (11th – 12th February 2015). The developed technology was monitored and continuously compared to COTS products in order to achieve the best results.
Afterwards, all partners involved started to implement their corresponding detection technologies and successfully demonstrated and tested the implementation at the ECOSSIAN integration network.
Different detection technologies/methods were implemented in order to overcome the limitations of currently existing products. For that reason, behavioral detection capabilities were implemented within the following components:
• The Business Intrusion Detection System (BPIDS), able to detect deviations from a specified business process.
• Also the ICS Monitor uses this technology in the ICS environment to detect changes in devices/control applications behavior.
• Finally, the Bro Link History Graph is able to detect changes in network topology.
Next, self-learning approaches were introduced and used in the Automatic Event Correlation for Incident Detection and in the Data Classification and Correlation components. The Dynamic Honeypot network introduces self-adapting methods to deploy honeypots in different network segments and to reflect the components/services available within the corresponding network segment.
Finally, a solution was implemented to enable (I) secure alert transmission and (II) secure data transfer from air-gapped systems. Additionally, all partners supported the development of an O-SOC architecture for the architectural design of secure real-time monitoring and attack detection. At the end, the partners involved adapted their developed monitoring solutions to fit the desired needs for the national and European demonstration.
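The Link History Graph idea used by the Bro-based sensor in T2.1 and T2.2 (learn which host-to-host links exist, then alert on links that appear for the first time) can be illustrated in a few lines. The following is an added example written for this summary, not the project's Bro LHG sensor; the log lines are a constructed, simplified "timestamp src dst dst_port proto" format standing in for Bro connection records, and the distinction between a "new device" and a "new link" alert is an assumption of the example.

```python
"""Link-history-graph style detection of new links in an industrial network.

Added illustration, not the project's Bro-based LHG sensor: the graph of
host-to-host links seen during a baseline window is learned, and any link
that first appears afterwards is raised as an alert.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Link = Tuple[str, str, int]  # (src_ip, dst_ip, dst_port)

# Constructed baseline traffic: two HMIs polling a PLC over Modbus/TCP (502)
# and one HMI talking PROFINET (34962/udp) to an IO device.
BASELINE_LOG = """\
1000 10.0.1.10 10.0.1.20 502 tcp
1001 10.0.1.11 10.0.1.20 502 tcp
1002 10.0.1.10 10.0.1.30 34962 udp
1003 10.0.1.11 10.0.1.20 502 tcp
"""

# Constructed live traffic: a previously unseen host and a new SSH link.
LIVE_LOG = """\
2000 10.0.1.10 10.0.1.20 502 tcp
2001 10.0.1.99 10.0.1.20 502 tcp
2002 10.0.1.10 10.0.1.20 22 tcp
2003 10.0.1.11 10.0.1.20 502 tcp
"""


def parse_line(line: str) -> Tuple[float, Link]:
    """Split one constructed record into (timestamp, link)."""
    ts, src, dst, port, _proto = line.split()
    return float(ts), (src, dst, int(port))


@dataclass
class LinkHistoryGraph:
    first_seen: Dict[Link, float] = field(default_factory=dict)  # link -> first timestamp
    hosts: Set[str] = field(default_factory=set)                 # known endpoints

    def learn(self, log: str) -> None:
        """Baseline phase: record every link and endpoint as known."""
        for line in log.splitlines():
            ts, link = parse_line(line)
            self.first_seen.setdefault(link, ts)
            self.hosts.update(link[:2])

    def detect(self, log: str) -> List[dict]:
        """Detection phase: alert on links absent from the history graph."""
        alerts: List[dict] = []
        for line in log.splitlines():
            ts, link = parse_line(line)
            if link in self.first_seen:
                continue  # known link, nothing to report
            src, dst, port = link
            new_hosts = [h for h in (src, dst) if h not in self.hosts]
            alerts.append({
                "ts": ts, "src": src, "dst": dst, "port": port,
                # a link involving an unknown endpoint is a topology change,
                # a new link between known hosts is a behaviour change
                "kind": "new_device" if new_hosts else "new_link",
                "new_hosts": new_hosts,
            })
            # record the link so a repeated occurrence does not alert again
            self.first_seen[link] = ts
            self.hosts.update((src, dst))
        return alerts


def run_demo() -> List[dict]:
    """Learn the baseline, then scan the live log; returns the alerts."""
    graph = LinkHistoryGraph()
    graph.learn(BASELINE_LOG)
    return graph.detect(LIVE_LOG)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

On the constructed input the live log yields two alerts: the unknown host 10.0.1.99 contacting the PLC (a topology change) and the known HMI opening an SSH connection to the PLC that the baseline never contained (a new link). In an ICS segment, where the set of talkers is small and stable, this kind of whitelist-by-observation is practical in a way it is not on an office network, which is why the report places it at the O-SOC level.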
Task 2.3 Scale up, Processing and transmission of Local Event Information and Alert Handling for the Different SOC levels (M12-M33)

The task only started at the beginning of M12, with a dedicated kick-off and a first collection of ideas and contributions from each of the three partners.
Thus, the partners within this task performed activities on common attack vectors in CI environments, supporting online risk assessment based on the link graph approach. In addition, a state-of-the-art analysis was performed on how to set up CSIRT functionality in order to provide SOC architectures for all three SOC levels. The partners in this task also worked towards successfully reaching MS5 by defining stakeholders, participants, constituency, services provided, partners, mission, authority, organizational model, interactions and interfaces for the three different SOC levels.
Thereafter, general information about Security Operation Centers was analyzed, including mission statement, stakeholders, organizational models and corresponding services for each of the three different ECOSSIAN SOC levels (operator, national, European), as well as an analysis of currently existing SOCs. This also included the identification of mandatory services for each of the ECOSSIAN SOC levels. That information was fed into D2.2 “SOC Design”, where the technical implementation of SOCs is described, including the application of security measures (firewalls, IDS/IPS systems) to protect the SOC itself. Additionally, an analysis of currently used standards for data transmission (for intra-SOC and inter-SOC data exchange) was performed, including a gap analysis of which data exchange items cannot be implemented with the existing data exchange standards or where those standards need to be enhanced.
Moreover, an Expert System (ES) was developed for demonstration purposes, recommending mitigation actions based on the phase in the attack lifecycle, the user's system, observable system behavior and other information. The system is based on a network and computer security ontology. Also, attack vectors were examined, and it was analyzed how to recognize attacks in ICS networks and how to deepen the experience by making test attacks against some ICS products.
Achievements and results of WP2:
The main achievement of WP2 was the development of detection solutions, which were successfully implemented and tested at the ECOSSIAN Integration Network (EIN). To do so, different activities within network monitoring, the Bro IDS-based solution and the ECOSSIAN Sensor were undertaken. Furthermore, several detection approaches/contributions derived from partners' expertise and from the analysis of D1.2 "Requirements Report" (M09) and D1.5 "Use case scenario report" (M12) were aligned to minimize overlaps while still covering most of the use cases/requirements. In addition, an analysis of the SOC requirements for the three different SOC levels as well as an analysis of attack vectors within CIs was performed. Thus, D2.2 “SOC Design” provided an analysis of currently existing SOCs, general requirements for establishing a SOC and a technical guideline on how to set up a SOC from a security perspective, which includes security measures to protect the SOC mission itself.

1.3.3 WP3 Analysis, aggregation, correlation and visualization (M06-M30)
Task 3.1 Evaluation and Extension of Data Collection Mechanisms (M06-M30)
Within the two WP3 workshops hosted by AIT in Vienna (11th – 12th February 2014 and 29th – 30th April 2015), the communication interlinks between the different SOC levels as well as the internal communication inside the N-SOC were discussed among the WP3 partners. An overall data flow/communication scheme between the different SOC levels was established and enriched by four different internal use cases. A common understanding of the system design and defined architecture, based on specific use cases and data flows, was obtained, and the main data collection requirements, consistent with the data flows, were derived. The partners involved studied data fusion systems to determine whether such systems can meet the requirements on processing the large amount of data coming from sensors and any other source of information.
Afterwards, work started on deliverable D3.1 “Study on data collection, fusion and sharing mechanisms for Pan-European Cyber Defence”. ESPION, as the responsible partner for this deliverable, led the drafting and collected inputs from contributors. ESPION and IFAK jointly conducted ontology development work.
Furthermore, partners performed a study on the security labels needed in the exchanged messages between SOCs. Also, the task team analyzed several approaches for data fusion regarding applicability to analyze industrial real-time network data.
Based on this and requirements dedicated to distributed data acquisition, concepts for modeling and distributing data have been discussed. Discussion was continued on functions for extending distributed data acquisition components allowing data fusion at ICS level.
After this, existing data collection, data fusion and sharing mechanisms suitable for the ECOSSIAN system have been analyzed and evaluated. Information flows for incident reporting and threat information exchange among the ECOSSIAN SOCs have been defined. Furthermore, several data fusion approaches have been studied in terms of their applicability in real time analysis of network data. Components and interfaces for exporting data at O-SOC level and importing data at N-SOC level have been designed. An acquisition component capable of importing data in different formats, from multiple sources (both internal and external to ECOSSIAN), has been designed, implemented and integrated with the analysis components deployed at N-SOC level. In addition to the conceptual evaluation of distributed acquisition methods, several functions for a data acquisition system have been implemented for experimentation. Data fusion concepts for integration of simulated plant data into real acquired plant data were discussed. Correlation concepts originating from simulated data were extended to meet the needs of existing gas network supervision data as a template for other process industry providers. Algorithms have been implemented and tested. Last but not least, IODEF and STIX format verification modules for SGW have been developed.
Task 3.2 Development of Incident Information Sharing Networks (M06-M30)
At the beginning, AIT submitted a survey paper on the dimensions of collective cyber defense through security information sharing. Moreover, a positioning paper describing the ECOSSIAN distributed architecture and collaborative analysis approach was jointly drafted by the WP team and submitted to the ICS-CSR conference. FHG started to develop an Information Sharing Network based on ‘Attribute Based Encryption’, ‘Searchable Encryption’, ‘Predicate Encryption’ and ‘Proxy re-encryption’. This approach was discussed at the Technical Meeting in Vienna in February 2015, where the WP team outlined WP3-related use cases and described them on a technical layer. The WP team designed a coherent WP3 architecture compatible with the overall ECOSSIAN system.
The most relevant aspects for information sharing were extensively investigated. Different sharing models were analyzed and a hybrid solution including hierarchical and peer to peer models for different SOC levels was proposed for the adoption in the ECOSSIAN ecosystem. Consequently, widely adopted standards for incident and threat information exchange have been identified as suitable to be adopted in ECOSSIAN ecosystem. In addition to that, applicability of methods for managing trust and reputation of the ECOSSIAN sharing entities was investigated. Furthermore, advanced techniques to provide confidentiality of the information exchanged between the ECOSSIAN SOCs were studied.
A tailored Attribute-Based-Encryption (ABE) module has been designed and developed, which provides confidentiality of the data in transit and allows total and partial encryption of the exchanged information. Decryption is allowed to a selected subset of recipients whose attributes respect the encryption policy. The ABE module has been deployed on the ECOSSIAN Integration Network and was integrated with the gateway component.
In addition, a secure data exchange mechanism for confidential data sharing between the N-SOC components was developed. Threat information sharing within Cymerius was implemented and threat connectors for the Acquisition Module were developed. Based on that, an application prototype to check the anonymity of a company based on the data of an incident report was developed.
Task 3.3 Incident Information Analysis and Correlation Approaches (M06-M30)
During the work on this task, the WP team has developed a better understanding of it and especially its role and meaning in context of the use cases. Thus, AIT has organized two workshops with all work package partners to discuss the contributions the partners intend to provide within the WP activities, define interfaces with other technical WPs (WP2 and WP4), and outline a common view on ECOSSIAN WP3 architecture. During the workshop some of the use cases in the gas distribution scenario have been selected as representative for WP3. Moreover, the architectural blocks relevant for WP3 have been discussed and a joint view on the ECOSSIAN architecture at N-SOC level has been obtained. In addition to that, an incident information correlation and analysis system has been designed and its development has started within the first project period. Aside from that, a paper on incident information clustering has been submitted and was presented at the CyberSA conference. Additionally, a document describing SOC overview and setup and experimental correlation model (with the scenario explanation) was established by the WP team.
In the following period, methods for analysis and correlation of cyber incident reports and threat information were proposed to fulfill the ECOSSIAN requirements. CAESAIR, a collaborative incident information analysis system for national SOCs, was designed and implemented. CAESAIR imports data acquired from multiple sources, according to the methodologies defined in T3.1, and supports the N-SOC analyst by providing insights on the most relevant information available for the cyber incident being examined. Moreover, diverse methods for correlating security information were investigated and compared. An approach for incident correlation with the open-source tool SEC (Simple Event Correlator) was proposed and internally tested. SEC correlation is based on incident meta-data and aims at identifying relations between incidents occurring within a given time interval and reported by similar critical infrastructures operating on the national territory. Additionally, interfaces were defined to allow the interconnection between the components for information collection, aggregation, analysis, correlation and visualization.
Towards the last months of the task, interfaces for exporting detailed analysis reports were developed, allowing CAESAIR to provide Cymerius with the necessary information to generate cyber threat messages in STIX format. Furthermore, the Acquisition Module output interface was adopted to acquire every incoming message at N-SOC level. An evaluation and comparison of the different correlation methods for cyber threat analysis adopted by CAESAIR was established. Finally, the correlated situations view was reworked within Cymerius-Portal and some updates were made to optimize the performance.
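The meta-data-only correlation described for T3.3 (incidents from similar infrastructures in one country, reported within a time interval of each other) is easy to state concretely. The following is an added example written in Python for this summary; it does not use the Simple Event Correlator (SEC) tool itself, and the incident records, the 48-hour window and the rule that a group counts only if at least two distinct operators report are constructed assumptions, not project data or project rules.

```python
"""Time-window correlation of incident reports by sector and country.

Added example of the correlation logic described for T3.3, written in
Python rather than as SEC rules.  Incident records are constructed
meta-data: no content of any real report is used.
"""
from datetime import datetime, timedelta
from typing import Dict, List

INCIDENTS: List[Dict[str, str]] = [
    {"id": "INC-001", "reported": "2017-03-01T08:00:00", "sector": "gas",
     "country": "PT", "operator": "GasCo-A"},
    {"id": "INC-002", "reported": "2017-03-01T10:30:00", "sector": "gas",
     "country": "PT", "operator": "GasCo-B"},
    {"id": "INC-003", "reported": "2017-03-01T11:00:00", "sector": "water",
     "country": "PT", "operator": "WaterCo"},
    {"id": "INC-004", "reported": "2017-03-03T09:00:00", "sector": "gas",
     "country": "PT", "operator": "GasCo-C"},
    {"id": "INC-005", "reported": "2017-03-05T09:00:00", "sector": "gas",
     "country": "PT", "operator": "GasCo-A"},
]


def correlate(incidents: List[Dict[str, str]],
              window: timedelta = timedelta(hours=48),
              min_operators: int = 2) -> List[dict]:
    """Group incidents of the same sector and country that fall within
    `window` of the first incident of the group; a group is reported as a
    correlated situation only if it involves `min_operators` distinct
    operators (one operator's incidents alone say nothing about the sector)."""
    ordered = sorted(incidents, key=lambda i: i["reported"])  # ISO strings sort by time
    open_groups: Dict[tuple, dict] = {}   # (sector, country) -> group being built
    results: List[dict] = []

    def close(group: dict) -> None:
        if len(group["operators"]) >= min_operators:
            finished = {**group, "operators": sorted(group["operators"])}
            finished.pop("start_dt")
            results.append(finished)

    for inc in ordered:
        key = (inc["sector"], inc["country"])
        ts = datetime.fromisoformat(inc["reported"])
        group = open_groups.get(key)
        if group is not None and ts - group["start_dt"] > window:
            close(group)          # too far from the group's first report: new group
            group = None
        if group is None:
            group = open_groups[key] = {
                "sector": inc["sector"], "country": inc["country"],
                "start": inc["reported"], "start_dt": ts,
                "incidents": [], "operators": set(),
            }
        group["incidents"].append(inc["id"])
        group["operators"].add(inc["operator"])
        group["end"] = inc["reported"]

    for group in open_groups.values():
        close(group)
    return sorted(results, key=lambda r: r["start"])


if __name__ == "__main__":
    for situation in correlate(INCIDENTS):
        print(situation["sector"], situation["country"],
              situation["incidents"], situation["operators"])
```

With the constructed records, the two gas incidents on 1 March form one situation, the two on 3 and 5 March another, and the lone water incident is not reported. Shrinking the window to 24 hours leaves only the first situation, which is the knob an N-SOC analyst would tune depending on how quickly campaigns against a sector tend to unfold.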
Task 3.4 Incident Information Evaluation and Visualization (M15-M30)
At the beginning, IFAK started to discuss the suitability of software frameworks for the development of visualization applications. For that reason, graph analysis and visualization methods were investigated to show and evaluate firewall rules. As a result, a prototype was implemented and tested with different data sets. Furthermore, an experimental network security monitoring visualization solution was designed. This solution presents large amounts of data on network traffic and detected anomalies to the human user in meaningful ways, both in real time and using recorded historical data. The aim was to visualize data in a way that allows even non-IT experts to notice the anomalies in network traffic.
Additionally, technologies suitable for mobile visualization solutions supporting personnel on-site operations as well as relevant data and functions to be provided on-site have been studied. Therefore, a frame application for mobile visualization has been developed. The implemented functions were evaluated based on simulated data addressing viewing incidents and threats, receiving mitigation and sending resolved messages, viewing simple real-time data graphs. An interface to create and send incident messages from the field was implemented. Connectors to allow import and visualization of detailed incident information, as well as incident management within Cymerius have been developed. Interfaces between Cymerius visualization platform and the CAESAIR have been established to allow exchange of synchronized incident data. Cymerius Portal, an evaluation and visualization dashboard for establishing national cyber situational awareness has been proposed and integrated with the Cymerius component. Moreover, the definition of specifications, development and evaluation of 3D visualization of firewall rules and demonstration of proof-of-concept was realized. Constant testing and bug-fixing of Cymerius and Cymerius Portal took place. The European dashboards for Cymerius Portal were developed.
Afterwards, the mobile visualization concepts were evaluated regarding usability on tablet devices. Based on the outcomes, several design changes to improve the usability were introduced. The mobile visualization has been prepared for becoming integrated into the review demo video. While the runtime system was created before, the mobile visualization frontend was configured to the needs of the data acquired and correlated in T3.1 (for process industry users).
Achievements and results of WP3:
At the starting point, different information sources for the N-SOC layer were identified. The information flow between SOCs was outlined and described in the context of several use cases. Following this, the types, formats and protocols for the exchange of data among the ECOSSIAN entities were investigated, and recommendations for the ECOSSIAN system were provided within D3.1 “Study on Data Collection, Fusion and Sharing Mechanisms for Pan-European Cyber Defence”, which was submitted to the EC in M16. During the first period of this task, the prototype of the N-SOC data acquisition component was developed and integrated into the ECOSSIAN Integration Network. Types, formats and protocols for the exchange of data among the ECOSSIAN entities were selected for the ECOSSIAN system. The data acquisition component was integrated and evaluated within the ECOSSIAN architecture at O-SOC, N-SOC and E-SOC level.
Afterwards, the identification of the main requirements for a secure and privacy-preserving cross-organization cyber incident information sharing network has been achieved. Moreover, a survey paper was published in an international scientific journal, which examines the main information sharing aspects and analyses the state of the art and the current efforts towards effective sharing of cyber incident information in critical infrastructures. The sharing model for the ECOSSIAN system has been defined taking into account the predefined requirements and the stakeholders needs. The methodologies and the system components for secure incident information sharing have been comprehensively described in the D3.2 “Incident Information Sharing, Analysis, Correlation, and Visualization System Concept”, which was submitted in M24. The prototypes of the system components, responsible for the transmission and the reception of security information, to be employed at N-SOC and O-SOCs have been developed and implemented on the ECOSSIAN Integration Network. Moreover, the methodologies and the system components for secure incident information sharing have been developed and integrated at each level of the ECOSSIAN architecture.
One of the main achievements was that the prototypes of the system components, responsible for the transmission and the reception of security information, to be employed at O-SOCs, N-SOC and E-SOC, have been implemented and demonstrated in the four ECOSSIAN demonstrations.
In addition to that, the design of the WP3-related system architecture with focus on N-SOC system components and the interfaces with O-SOCs and E-SOC has been finalized. Furthermore, the assignment of the system components to responsible partners and identification of synergies between partners’ contribution was done within the last period of the project. The concepts for incident information sharing, analysis, correlation, evaluation and visualization have been described in D3.2 “Incident Information Sharing, Analysis, Correlation, and Visualization System Concept”, which was submitted to the EC in M24, along with their implementation into the ECOSSIAN system. Additionally, a scientific paper, introducing the collaborative analysis approach developed in this task, has been published and presented at an international conference (International Conference on Information Systems Security and Privacy) obtaining positive feedback from the scientific community and validation from industry stakeholders. Moreover, the system components for incident information analysis (CAESAIR) and correlation (SEC) have been developed and deployed into the ECOSSIAN Integration Network. The deliverable D3.3 (“Incident Information Sharing, Analysis, Correlation, and Visualization System Implementation”) has been completed and submitted to the EC in M30. Finally, the components for incident information correlation and analysis have been integrated and demonstrated in the four application scenarios showcased in the ECOSSIAN demonstrations.

1.3.4 WP4 Threat mitigation and incident management (M06-M36)
Task 4.1: ECOSSIAN Cyber Forensic Toolset Framework and Support (M06-M36)
At the beginning, and to start the design of the cyber forensic toolset framework, a state-of-the-art report and gap analysis were performed in co-operation with WP1, to achieve a common picture of the current state of existing forensic toolsets and of what they are missing. Based on these results, a high-level architecture and goals were created for the toolkit, including how it fits the overall architecture of the ECOSSIAN system and what kind of data it communicates with other modules. First studies of secure logging, and of how to store data such that it can be provided in a trustworthy manner for cyber forensic analysis, were performed at the starting point of the task. The same goes for the presentation of the first design of the Forensics toolkit.
Three software components were developed in this task to support forensics and situational awareness:
• Once an event is registered by ECOSSIAN at any of the O-SOC, N-SOC or E-SOC layers, the Secure Data Storage (SDS) stores the data in a forensically sound manner so that it can help investigators to fetch and then analyze data as admissible evidence when necessary. The SDS Logging module was described with its interfaces and its functional and sub-functional mechanisms and requirements, and its implementation took place. The SDS is developed on the OpenSGX platform, a software platform for Intel SGX technology. The OpenSGX memory-protected container receives the log messages captured through the rsyslog server and then stores them locally in the SDS system.
• A forensics prototype was designed based around a number of existing open-source tools and platforms, including Sleuthkit/Autopsy, TCPDump, TShark and MySQL. The prototype implementation consisted of a number of sets of example forensic data (e.g. file system, logs and network) being processed and stored within a MySQL database. The database was accessed via a web interface, which allows an investigator to manually query the data for forensic analysis. The interface provides a uniform platform for viewing multiple types of forensic data, as well as the generation of automated reports based on analyst queries. The prototype will remain standalone from the overall ECOSSIAN platform (except the SDS), to allow tailoring of the solution dependent on investigation requirements, i.e. toolkit and methodologies.
• The third component is an ELK stack, which visualizes Bro logs generated at O-SOC level (WP2) to support forensics. Bro network monitoring analyzes the network traffic (e.g. connections, connection types, network and application layer data), and the Bro logs are visualized with Kibana to achieve situational awareness of the network at a glance. Performing searches for more detailed data is also possible.
During the last project year, a web-based graphical user interface for the forensic PCAP analysis framework was implemented in order to give the forensic analyst an easy-to-use tool capable of analysing PCAP files. This includes the generation of an analyst report by selecting/collecting evidence from the PCAP analysis. The development of the Forensics Toolkit was successfully finalized by adding functions covering the latest requirements, such as raw data download (providing report items as CSV), adding comments to each report item and providing recommendations for the entire report. The forensic toolkit was properly tested, and the prototype was integrated in the ECOSSIAN demo platform to be demonstrated in the Portuguese and European demos. In addition, the Secure Data Storage technology was extended to fill the needs of the ECOSSIAN system. Also, a Python interface was developed allowing access from the forensic toolset graphical user interface. The query mechanism of the SDS was updated by integrating a database, for faster performance and quick output to the query requestor without requiring any change in the clients of the SDS. This enables all existing clients to query the SDS without any trouble. Moreover, a mechanism for deleting information older than 90 days was implemented and integrated in the SDS. Now the SDS deletes all stored messages older than 90 days every day, and updates the database accordingly. Finally, the SDS was also prepared for proper integration into the final demonstration. Also important to mention: Deliverable 4.3 of the Forensics Toolset is the prototype itself, but a report was also written to describe the framework and the results of a gap analysis of what is still required from the forensics community in general to ensure that all elements of forensic incident response in ICS are possible.
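Two properties of the Secure Data Storage described above are worth seeing side by side: records must stay trustworthy for later forensic use, and records older than 90 days are purged. The following is an added example for this summary, not the ECOSSIAN SDS (which runs inside an OpenSGX memory-protected container fed by rsyslog, neither of which is modelled here). The hash chain used for tamper evidence is an assumption of the example; the page does not describe how the SDS protects stored records, only that it does so in a forensically sound manner.

```python
"""Hash-chained, retention-limited log store for forensic readiness.

Added example, not the project's SDS.  Each record carries the digest of its
predecessor, so any edit, deletion or reordering inside the retained window
breaks verification; the 90-day purge drops only a prefix and keeps the
digest of the last purged record as the new chain anchor, so the remaining
chain still verifies.  Records are assumed to arrive in time order.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone
from typing import List, Optional

GENESIS = "0" * 64  # anchor of an empty store


def _digest(record: dict) -> str:
    """SHA-256 over the canonical JSON of a record, excluding its own digest."""
    body = {k: v for k, v in record.items() if k != "digest"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class SecureLogStore:
    def __init__(self, retention_days: int = 90):
        self.retention = timedelta(days=retention_days)
        self.entries: List[dict] = []
        self.anchor = GENESIS      # digest the first retained entry must chain to
        self.next_seq = 0          # sequence numbers keep counting across purges

    def append(self, ts: datetime, message: str) -> dict:
        """Store one log message, chained to the previous record."""
        prev = self.entries[-1]["digest"] if self.entries else self.anchor
        record = {"seq": self.next_seq, "ts": ts.isoformat(),
                  "message": message, "prev": prev}
        record["digest"] = _digest(record)
        self.entries.append(record)
        self.next_seq += 1
        return record

    def verify(self) -> bool:
        """Recompute every digest and check each link back to the anchor."""
        prev = self.anchor
        for rec in self.entries:
            if rec["prev"] != prev or _digest(rec) != rec["digest"]:
                return False
            prev = rec["digest"]
        return True

    def purge(self, now: datetime) -> int:
        """Drop the leading records older than the retention period.

        Only a prefix is removed, so the chain stays contiguous; returns the
        number of records removed."""
        cutoff = now - self.retention
        count = 0
        while count < len(self.entries) and \
                datetime.fromisoformat(self.entries[count]["ts"]) < cutoff:
            count += 1
        if count:
            self.anchor = self.entries[count - 1]["digest"]
            self.entries = self.entries[count:]
        return count

    def query(self, contains: Optional[str] = None) -> List[dict]:
        """Return retained records, optionally filtered by substring."""
        return [r for r in self.entries
                if contains is None or contains in r["message"]]


if __name__ == "__main__":
    now = datetime(2017, 6, 1, tzinfo=timezone.utc)
    store = SecureLogStore()
    store.append(now - timedelta(days=100), "constructed: old alert")
    store.append(now - timedelta(days=10), "constructed: recent alert")
    print("verified:", store.verify(), "purged:", store.purge(now),
          "retained:", len(store.query()))
```

The anchor trick is what makes retention and integrity coexist: a verifier who recorded yesterday's anchor (or the digest of any record it once saw) can still confirm that today's retained window is an unbroken continuation of it. Publishing the latest digest out of band, to the N-SOC for instance, is the usual way to turn this local tamper evidence into something an investigator can rely on.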
Task 4.2: Continuity Planning (M06-M24)
ESPION was the sole consortium member in this task and continually improved the continuity plan report based on the project development. Technical use cases and data flows were combined from the perspective of this task, and on-going research on this topic took place. Afterwards, the Continuity planning task worked towards creating Business Continuity Planning (BCP) and Business Continuity Management System (BCMS) methodologies applicable to both the ECOSSIAN and individual Critical Infrastructure (CI) environments. An ECOSSIAN business impact analysis (BIA) was developed and completed by all partners submitting components to ECOSSIAN. This in turn led to the conclusion of D4.1 “Continuity plan for ECOSSIAN infrastructure” and the ECOSSIAN BCP requirements document.
Task 4.3: Mitigation procedures (M06-M24)
At the starting point, the final outcome of the mitigation procedures task was discussed, as the outcome is a report and not a prototype. For this, the capabilities of expert systems were studied, especially from the perspective of what could be a realistic expert system in the ECOSSIAN context. The outcome was to create a light ECOSSIAN expert system that supports the end users when making decisions about mitigation actions. The architecture of the mitigation module was aligned and reviewed from the perspective of data coming from and going to other WPs. Research on Service Level Agreements was undertaken, and their angle on the ECOSSIAN system was defined, i.e. EC-SLAs, the specific SLAs concerning the ECOSSIAN system. Also, an analysis of how societal/ethical criteria could be identified from the existing catalogue of qualitative criteria was established in connection with WP7.
The main outcome of this task was the Incident management process model, and the definition of a detailed process model for interconnections between the different-level SOCs and also with external authorities. Based on discussions with external stakeholders such as BSI and BBK in Germany and NCSC-FI and NESA in Finland, and with the FP7-funded DRIVER project, a diagram defining ECOSSIAN in local, national and European environments was developed. Moreover, SLAs for critical infrastructures were studied from standards, and some gaps were identified. SLAs for the ECOSSIAN system (called contractual agreements in D4.2 to avoid confusion with CI SLAs) were defined, based e.g. on an interview with the head of CAS-FR's DS SOC. The external stakeholder discussions also gave a basis for defining realistic mitigation actions at national and European level. Current best practices for threat mitigation were evaluated based on this information, and the practices relevant to the N- and E-SOC were picked up. During the evaluation, some best practices for external authorities were also identified. Three ECOSSIAN use case sub-scenarios were evaluated and mitigation at N- and E-SOC levels identified. Based on these, mitigation actions for the ECOSSIAN demonstration were suggested. The actions were validated at the ECOSSIAN Advisory Board meeting and updated based on feedback. Finally, the inputs and outputs for mitigation in the ECOSSIAN system were defined, and the development of a mitigation software component for the N- or E-SOC level mitigation experts, for demonstration purposes, was arranged.
Task 4.4: Impact analysis (M12-M36)
At the beginning, a first assessment and workshop of possibilities for an interdependency analysis has been performed. This included defining the scope of interdependency modeling (sector, national, cross-country, etc.) as well as a selection of models/frameworks applicable.
Further on, a draft version of D4.4 “CI incident impacts and interdependencies” with state of the art and definition of what is relevant to Impact Analysis for ECOSSIAN was made, and input and outputs for impact analysis were discussed and defined in D1.7 “Architecture specifications”. Also architecture discussion in order interface Impact analysis to Cymerius for ECOSSIAN demonstrations were ongoing. Development of an Impact analysis form to be completed by the N-SOC/E-SOC was started during the second period. Moreover, an Interdependency model has been developed to give an overview of which dependencies and interdependencies are influenced by a disturbed CI. The tool also helps to calculate a business impact. It uses Systems-of-systems approach, and has both Static and Dynamic approach for visualizing European wide interdependencies. Also a Collaboration platform - enabling connected users to share multiple screens in addition to audio conferencing to enable locally dispersed persons for a straightforward decision making process in terms of incident management, analysis and mitigation was set up.
During the last project year, the task focused on creating an impact assessment method in the context of the ECOSSIAN system, as well as on finalizing an impact analysis form to be used and filled in by N- and E-SOC operators. As a basis for these, information was collected from an operational SOC to find out what is actually done at O-SOC level for impact analysis. The information collected from the operational SOC was also used to create a business impact analysis. The results are described in Deliverable 4.4. The task also investigated how critical infrastructures themselves (not yet using SOCs) assess impacts and interdependencies in their actions. For this, a questionnaire was prepared and five Finnish water utilities were interviewed. The interviews were recorded and the results analyzed. A very brief summary of the interviews was written into D4.4, and a longer version in the form of a conference paper was written and submitted to The World Congress on Industrial Control Systems Security (WCICSS-2017).
In addition, while the interdependency model based on the system-of-systems approach had already been finalized during the second project year, the implementation of the Dynamic Interdependency Model continued during the last year. The model was examined so that possible candidates for providing the necessary interfaces and visualization solutions could be selected, based on the requirements of the Cymerius tool, in order to support the impact analysis. For the technical integration, a detailed analysis of DSS Vensim (Ventana Systems, Inc.) was performed, which revealed that a license is required to port the functionality from the DSS Vensim software to Microsoft Office based reports, which could then be attached to Cymerius reports.
Achievements and results of WP4:
One of the main achievements was that the Forensics Toolkit and Secure Data Storage components were finalized, tested, integrated with the demonstration platform and successfully demonstrated in the national and European demos. Moreover, a Business Continuity Plan for the ECOSSIAN infrastructure was established and D4.1 submitted. Additionally, realistic mitigation actions at N- and E-SOC levels and contractual agreements between SOCs in ECOSSIAN were defined. The incident management process model and the process model for interactions between SOCs were also set (D4.2). Furthermore, ECOSSIAN was defined in local, national and European environments. Additionally, D4.3 “Cyber forensics toolset” was established and submitted on time. Furthermore, an impact assessment method was created in the context of the ECOSSIAN system and the impact analysis form was finalized within D4.4 “CI incident impacts and interdependencies”. Also, a study of how Finnish water utilities assess impacts and interdependencies in their actions was conducted and the results were analyzed. Finally, possible interface and visualization technologies for the Dynamic Interdependency Model were identified and examined with regard to portability to the Cymerius Hypervisor.

1.3.5 WP5 Integration, Preparation of Demonstration and Evaluation (M10-M36)
Task 5.1: Interfacing to legacy systems (other CIs, other nations, between public and private, external information sources, ...) (M10-M30)
This task started with investigating different automation network protocols as well as component interfaces with regard to data accessibility and the general rules for actively and passively interfacing with those systems. These analyses were used to define the basics for accessing those legacy systems (for data acquisition and aggregation purposes). Additionally, the development of the Secure Gateway Framework also started during the first project period, as did the investigation of the security labels needed for exchanging messages between SOCs.
The integration of legacy interfaces represented a challenge for ECOSSIAN; consequently, an investigation of different automation networks was set up. An XML schema was developed to allow all ECOSSIAN modules unified access to the features of legacy devices. An embedded platform was evaluated for integrating data from automation networks as they are used at field and automation level, with special focus on Modbus/TCP and Profinet. To allow secure communications amongst SOCs (namely between O-SOC and N-SOC and between N-SOC and E-SOC), an SGW was implemented; the current prototype provides functionalities such as a web portal for message submission, envelope creation and message signature, and a transfer framework with a message queuing system, protocol breaks and envelope management. Finally, an embedded platform for integrating recorded data from fieldbus communication was evaluated.
Afterwards, the research on how to encrypt the XML descriptions of legacy systems in order to incorporate them into the ABE framework and into the Secure Gateway (SGW) was completed. The SGW was extended with functionalities such as authentication, regular expression support for ABE and verification of IODEF and STIX messages. The proposed distributed acquisition system was implemented to run on embedded as well as virtualized platforms, and the feasibility of the implemented system was shown. Finally, the system was adapted to the communication protocol used in the demonstrations.
Task 5.2: Evaluation methodology (M10-M24)
At the beginning, the task work plan was discussed and agreed among the partners. A meeting was held in Ottobrunn to arrive at a draft of how to structure the collection of measures of effectiveness/measures of performance. The result was a three-phase plan for proceeding with the collection of measures. During the first project period, the first measures of effectiveness and suitability were developed and contributed directly to deliverable D5.1 “Evaluation methodology” (M24).
Afterwards, in order to ensure the efficient and suitable integration of the ECOSSIAN system requirements, a number of measures of effectiveness were created. A specific workshop was held in Oulu to discuss and agree on the outline of D5.1 “Evaluation methodology”. For the final outline, a structure similar to the methodology approach followed by the PULSE project (http://www.pulse-fp7.eu) was adopted. Additionally, test criteria and evaluation criteria were harmonized to ensure proper integration with the work in progress in T5.5.
Task 5.3: Preliminary Interface integration, interface lab trials and validation (M10-M24)
This task started with the definition of the deliverable structure, contents and level of detail, and with the identification of information gaps. At the first meeting, a proposal for the structure of the interface identification section of D5.2 “Preliminary interface integration report” (M24) was prepared and further improved using input from the partners after the meeting. Partners were assigned to contribute regarding existing interfaces and missing information. A first input regarding the interfaces originating from T2.2 (Threat Detection Module) was integrated into D5.2, and the identification of interfaces from WP3 and WP4 was started. Research on the integration of the cyber forensics module continued.
Moreover, this task aimed to integrate place-holder versions of the interfaces among the different technological components of the ECOSSIAN system. It started with the analysis of D1.2 “Requirement Report” and D1.3 “General Architectural Framework”, documenting the data collected on available components, technologies and interfaces in D5.2 “Preliminary interface integration report” to support the integration process. A testing procedure for each interface was also defined by the participating partners. Early integration of place-holder interfaces made it possible to refine the ECOSSIAN concept and to tackle some of the integration difficulties early in the development process. To achieve this first integrated version, every partner supplying a technical component provided an early version of their software component that was functional from the interface point of view. After M18, the final version of D1.7 “Architecture specifications” was used as the reference architecture, and all interfaces between components were reviewed and tested in a lab environment according to this specification.
Task 5.4: Overall integration (M12-M30)
This task started by collecting information on the components and technologies used, in order to set up the integration plan and the integration environment. Partners carried out work to align T3.1 with T5.4. A module demonstration for partner review was held in Oulu, Finland, in September 2015. Moreover, an integration plan was defined with the aim of having a first integrated and functional version of an O-SOC, followed by an integrated version of an N/E-SOC technical infrastructure.
To support the integration, a set of tools was made available to the participating partners:
• ECOSSIAN Integration Network (EIN) – an environment supporting the deployment of a virtual machine for each ECOSSIAN technical component was created. This integration environment also allows the partners to connect to the EIN through a VPN in order to integrate components that require specific hardware (e.g. the SGW);
• a ticketing system was set up to track the most important integration issues;
• periodic conference calls and integration workshops were held to solve integration issues;
• a wiki was set up to record configuration information; and
• an online UML editing tool was made available to the partners, providing a common language to describe the system components and their behavior and to progress iteratively towards an integrated version of the ECOSSIAN platform.
During the second period, the partners performed the integration of the first functional versions of AECID, CAESAIR, ICS-Monitor, Cymerius, Mobile Visualization, BPIDS, BroLHG, BroIDS, Honeypot, OSSIM, Cymerius Portal, ABE Module, SecureGW, Interdependency Model (static and dynamic), Acquisition Module and Secure Data Storage.
During the third project period, the first complete integrated version of the ECOSSIAN system (O-SOC + N/E-SOC) became operational on the ECOSSIAN Integration Network. New versions of the ECOSSIAN subsystems (from the ongoing work in WP2, 3 and 4) were installed and tested against the previously integrated system baseline. Several issues raised by the new software versions were identified and solved together with the partners involved. In addition, TLS-secured communication was implemented for the web-accessible components, the parsing of BroLHG messages was completed, and the previously standalone forensic toolset was integrated into the ECOSSIAN platform. Finally, a last round of integration was performed with updated versions from each component provider, and D5.5 was produced.
Task 5.5: Integration testing (M18-M32)
This task started by carefully analyzing each of the 200 requirements described in D1.2 “Requirements report” and checking their testability in the lab in the scope of an ECOSSIAN prototype (instead of a full-scale production system) and in field trials during the preparation of the demonstrations. Hence, about 20 test cases were created and described, covering the verification of about 160 requirements in the scope of this task. Harmonization with T5.2 was performed in order to avoid duplication of work, since some of the requirements would be subject to specific evaluation in T5.8 during the demonstrations. After the definition of all the test cases (which was divided among all partners participating in the task), test execution was assigned to partners and functional testing was initiated. Functional testing of all components in the lab environment was completed. Several conference calls between the tester and the partner supplying the tool were held to debug issues and achieve the necessary level of compliance with mandatory requirements. Furthermore, specific testing of the SDS and of ICS device forensic readiness was performed by ESPION, and several updates of the Cymerius system were requested from CAS-FR. Finally, testing on the Italian, Irish and Portuguese demonstration sites was performed in order to validate requirements in a setup as close to reality as possible. IP/IP Telecom, PI, PJ and GAIS coordinated the tests performed in the demonstration environments.
Task 5.6: Demonstration scenarios definition (M12-M24)
First, the input from the WP3-specific internal use cases was taken in order to extract those that might be relevant and suitable for a demonstration scenario. During the workshop in Ottobrunn, an expert group for the storyboard of the demonstration scenario was set up.
After two initial physical meetings in Munich to discuss possible storyboards, possible attack trees for the demonstration scenario were collected. During the technical f2f meeting in Villach, partner inputs for preparing the final version of D5.3 “Demonstration scenario definition” were collected. A set of periodic conference calls was held with GAIS, IP, PJ, PI and each partner that could provide demonstrable components to refine the four demonstration scenarios defined:
• Ireland demonstration – a scenario of an attack on a gas provider, hosted by GAIS;
• Italy demonstration – a scenario of attacks on financial infrastructures, hosted by PI;
• Portugal demonstration – a scenario of attacks against transportation infrastructure, hosted by IP and PJ;
• Pan-European demonstration – combining elements from the three national demonstration scenarios but focused on EU level cooperation (N-SOC to E-SOC), hosted by CAS-FR.
Task 5.7: Technical scenarios preparation (M22-M34)
This task started by identifying the questions from the partners hosting the demonstrations regarding the systems to be demonstrated, in order to start the preparation work for the demonstrations. Then, from the current version of D5.3, a list of which partners would demonstrate their technology in each of the national demonstrations was compiled, and the partners were asked to provide the requirements for demonstrating their technology.
Afterwards, the table of contents of the deliverable was agreed among the partners. Comprehensive diagrams and descriptions of each of the three national demonstrations were created. The objective was to use the deliverable as support documentation for all the configuration and setup activities. For that, the demonstration scenarios were refined to a technical level. Moreover, datasets were prepared for the demonstrations, namely datasets for AECID, CAESAIR, BPIDS and BroLHG, so that the systems could be trained or configured for the demonstration environment. Furthermore, the deployment setup for each demonstration was defined. Each of the ECOSSIAN systems hosted in VMs in the EIN was prepared for demonstration, and the corresponding VM images were transferred to CAS-FR (for all demonstrations), GAIS (for the Irish demo) and IP (for the Portuguese demo).
• PI coordinated the setup of the Italian national demo in the financial CI sector (held on the 8th November 2016 at PI premises in Rome), with the continuous support of the WP team. These activities included the implementation of a realistic cyber attack on a financial critical infrastructure and the design and technical set-up of the Italian demonstration environment: PI realized and provided virtual machines simulating a real working environment in a financial critical infrastructure (the environment includes workstations, servers, routed networks, perimeter defense systems and an attack workstation/console) interacting with the ECOSSIAN infrastructure (BroLHG Sensor, Honeypot, Secure GWs, Cymerius, Acquisition Module, O-SOC and N-SOC operational environments) in order to implement the planned demonstration scenario.
• GAIS coordinated the setup of the Irish national demo with the support of the WP team, adjusting the demo architecture to the ECOSSIAN deployment. GNI continued to assess that the demo options were valid for the gas industry and progressed the demo AGI & RTU setup. The high-level system architecture was developed, all design work was completed, all communication links were established, all hardware was procured, and the demo environment was made live and accessible to the partners. All demo options were completed, and threats/events were detected by the appropriate sensors. GAIS ensured that the demo environment could correctly integrate ECOSSIAN sensors in a real SCADA system. For the Irish demonstration, components such as Mobile Visualization, Cymerius, OSSIM, Secure GW with attribute based encryption (ABE), BPIDS, ICS monitor, broIDS, CAESAIR, Acquisition Module and Interdependency module were set up.
• IP, jointly with PJ, coordinated the setup of the Portuguese national demo. This included the provision of the virtual environment for the Portuguese demonstration, with all necessary machines made available to the O-SOC, N-SOC and attacker; the configuration of the security rules for the connection to the infrastructure of CAS-FR; and the development of a simulator for the replication of operational service reports. PJ focused on the coordination of the N-SOC preparation activities. These activities were supported by the WP team.
To support all the national and European demonstration preparations, regular conference calls with all partners supporting each demonstration (mostly the partners whose tools were involved in the demonstration) took place to allow the technical activities to proceed smoothly and to track down any deployment/configuration issue.
Task 5.8: Evaluation and recommendations (M32-M36)
Starting from the evaluation methodology recommendations initially drafted in D5.1, an overall evaluation methodology was adapted and presented to the consortium. Additionally, a first D5.8 table of contents was drafted and discussed with the task leader and contributors. In coordination with the demo hosts and the remaining partners, a set of questionnaires was prepared in order to evaluate the ECOSSIAN platform from the end-user perspective and the way the system answers their needs. The questionnaires contain some questions common to all demos and some questions specific to each demo setup, to take into account the specific tools and scenarios demonstrated at each site.
Most work performed under this task was focused on analyzing, evaluating and interpreting the feedback provided by the stakeholders during the demonstrations. This included an overall ECOSSIAN system and results evaluation (SWOT), and recommendations for future implementation.
Achievements and results of WP5:
One of the first achievements in this WP was the integration of a first prototype of the SGW, with the corresponding first version of the Web Interface, into the ECOSSIAN platform. Moreover, during the second project period, first versions of the 18 different ECOSSIAN technological components were integrated, and basic O-SOC functionality and some N/E-SOC functionality was achieved. Also, at the first integration workshop held in Villach, the first integrated version of the O-SOC with a representative set of components was achieved. This was followed by the second integration workshop held in Dublin, where a first version of the N-SOC was achieved and integrated with the O-SOC. Furthermore, a first set of test cases to validate the compliance of the solution with the requirements defined in D1.2 was defined. The main achievements in this WP were successfully reaching MS6 “Architectural design and Interface definition” and MS7 “Demonstration Scenarios definition”. Furthermore, the following deliverables were established and submitted accordingly:
• D5.1 describing the ECOSSIAN Evaluation Methodology
• D5.2 describing the interfaces between each ECOSSIAN component
• D5.3 with a detailed description of the demonstration scenarios
• D5.4 “Secure Gateways prototype” was deployed
• D5.5 Integrated system prototype of the ECOSSIAN solution ready to deploy in the demonstration environment was produced
• D5.6. has been integrated in the test report
• D5.7 with a description of the demonstration layout, through the identification of the ECOSSIAN components participating in the demonstration, the networks to be involved, the design of the LAN diagram and an initial list of critical elements and operational procedures relevant for the demos, as well as the development of the ECOSSIAN system to be ready for the demonstrations, its testing procedures and testing results.
• D5.8 Evaluation report and recommendations was established.

1.3.6 WP6 National and European Demonstration (M20-M36)
Task 6.1: Support documents (M20-M36)
In year 2, meetings took place to discuss the content of the support materials needed for the national demonstrations, and some initial support documents were provided. Videos were developed showing how ECOSSIAN works, so that they could be used in place of real demonstrations for dissemination purposes. Moreover, investigations were carried out regarding the possibility of a joint ECOSSIAN-DRIVER experiment/exercise. In the third project period, demonstration support materials were elaborated to support the national and European demonstrations of the ECOSSIAN project. Four demonstrations of the ECOSSIAN project were performed, in Italy, Ireland, Portugal and France. Each of these demonstrations addressed specific use-cases and targeted a specific audience. Therefore, specific support materials were provided for each demonstration, taking into account the uniqueness of its context. These support materials came in several different formats, such as videos, leaflets, posters, slides, and digital or printed documents (please refer to D6.1 for additional information about the support materials).
Task 6.2: Preparation of demonstration speeches (M22-M36)
This task started in M22, when meetings took place to discuss the content of the demonstration speeches needed for the national demonstrations. The goal of task 6.2 “Preparation of demonstration speeches” was to prepare the speeches to be delivered by the ECOSSIAN members during the three national demonstrations of the ECOSSIAN project in Italy, Ireland and Portugal, and during the European demonstration in France. In fact, even though the demonstration scenarios had been defined in deliverable D5.3 “Demonstration scenario definition”, it was necessary to write precisely the speech to be delivered for the demonstrations. The aim of these speeches was to clearly introduce the context of the scenario, to ensure the transitions between the different steps of the demonstration scenario (attack, detection, mitigation at O-SOC and at N-SOC levels), and to highlight the crucial improvements brought by the ECOSSIAN framework in terms of detection, incident response, information sharing, etc. The goal of proving that the ECOSSIAN framework can be operated to cover day-to-day CI security operations and incident management at O-SOC, N-SOC and E-SOC levels was successfully achieved.

Task 6.3: Demonstration platform & rehearsals (M24-M36)
This task only started in the last month of the second project year, and the planned activities regarding the preparation of the demonstrations were presented during the plenary workshop in Dublin and discussed with the partners involved in the demonstrations. All activities related to the technical, organizational and logistical preparation of the ECOSSIAN demonstrations were carried out. Regarding the demonstration platforms for the national demonstrations, part of the components were migrated and deployed on a centralized demonstration platform hosted in France (Secure Gateway appliance, simulated Critical Infrastructure environment, sensors, analysis tools, etc.). Remote access was put in place to allow full integration of the demonstrated ECOSSIAN components for each demonstration. Some small features were added to the ECOSSIAN toolset in order to better fit the demonstrated scenario. Concerning the European demonstration, all the demonstrated components were migrated to the centralized demonstration platform in France. In addition, support documents were elaborated to facilitate the preparation of the demonstration, such as step-by-step manuals describing each technical step performed by the O-SOC and N-SOC operators (based on screenshots of the ECOSSIAN components) and fine-tuned checklists to guide the participating partners through the demonstrations. More than 70 meetings and rehearsals were held by the WP6 team in order to check the correct integration of the demonstrated ECOSSIAN components, to review the scenario, to rehearse the demonstration speech and to check its alignment with the technical steps of the demonstrations. These rehearsal telcos also provided some guidance for the elaboration of the evaluation methodology. Finally, this task also included all activities related to the organization of the events, including the preparation of the guest lists and the logistical aspects of the events (booking of the room, catering, screens, etc.).
Task 6.4: Demonstrations (M24-M36)
This task also only started in the last month of year 2, and the planned activities regarding the preparation of the demonstrations were presented during the plenary workshop in Dublin.
During task 6.4 “Demonstrations”, four demonstrations of the ECOSSIAN project were carried out in order to give a comprehensive demonstration and explanation of the capabilities of the integrated system deployed in realistic operational contexts. These demonstrations made it possible to evaluate the ECOSSIAN detection, information sharing and coordination capabilities. There were two main types of demonstration actions:
• at the National level;
• at the European level.
National level demonstrations took place within a given critical infrastructure context, with scenarios specially developed to show how the ECOSSIAN sensors and components can be used. They focused on the detection of cyber threats at the selected Critical Infrastructure (CI) sites and on the cooperation activities between the CI operator and a simulated national authority. Since some of the project partners represent CIs themselves, they provided the means to operationalize these demonstrations, spanning the financial and energy sectors through to the transportation sector. The European level demonstration focused on a more pan-European integrated environment where information sharing, cooperation, event correlation and situational awareness are essential, with information flowing from the operator to the national level and then to the European level. This event also included a technology exhibition of the ECOSSIAN components, enabling the attendees to ask specific questions about the many products integrated in the ECOSSIAN framework. Furthermore, this task also included the preparation and distribution of the questionnaires (in collaboration with task 5.8) to assess the level of satisfaction of the audience with the demonstrated capabilities of the ECOSSIAN framework. Finally, all partners participated in the organization of the demonstrations, e.g. by identifying potential guests for the demonstrations and sending the invitations.
Achievements and results of WP6:
The main achievements of this WP were the preparation, organisation and execution of the demonstrations, which were the following:
• The Italian demonstration successfully took place on the 8th of November.
• Two demonstrations were carried out in Ireland, the first one dedicated to an internal audience (30 November 2016) and the second to an external audience (1 March 2017).
• The Portuguese demonstration successfully took place on 16 February 2017.
• The European final demonstration successfully took place on April 26th in Elancourt, gathering around 80 participants, including almost 50 external participants.
In order to lead those demonstrations to great success, a lot of supporting work was done beforehand:
• Drafts for the demonstration support materials were initiated (D6.1 “Demonstration support materials”): presentation slides, leaflets, etc.
• The cost of a centralized translation of the support materials was estimated.
• The WP team delivered a large set of support materials for each of the national and European demonstrations, described in D6.1 “Demonstration support materials”, including:
o Presentation slides (available on the ECOSSIAN website: http://ecossian.eu/downloads/)
o Invitation letters
o Leaflets describing the use-case of the national demonstrations
o Posters elaborated by the ECOSSIAN partners in order to present their achievements at the ECOSSIAN technology exhibition that followed the European demonstration.
o Videos of the national demonstrations (http://ecossian.eu/downloads/Ecossian_IRE_demo_final_low-res.mp4)
o Other types of support materials (agenda, zip-roll, notepad, etc.)
• Over 30 support materials were elaborated for the national and European demonstrations of the ECOSSIAN project. These support materials contributed greatly to the success of the ECOSSIAN demonstrations by providing essential inputs related to:
o Logistics aspects of the organization of the demonstrations (invitations, agendas...)
o Dissemination purposes (posters, leaflets, videos...)
o Support to the speakers (presentations)
• Some of these materials were also used for purposes other than the ECOSSIAN demonstrations: the ECOSSIAN workshop in Paris (April 25th, 2017), the ITEA Digital Innovation Forum (May 10th & 11th, 2017), internal dissemination by some of the ECOSSIAN partners, etc.
• Moreover, for each of the four ECOSSIAN demonstrations, deliverable D6.2 “Demonstration speech” provides, on the one hand, the detailed content of the scenario and, on the other hand, all the logistics information designed to help the host through the preparation and performance of the demonstration (timeline, content to be displayed on each screen, etc.). Each scenario addressed through these demonstrations was elaborated in close collaboration with the end-users of the ECOSSIAN project, in order to ensure the realism of the use-cases and to enhance the relevance of the demonstrations. Additionally, the planning for the national demonstrations and demonstration preparation workshops was established, and a summary of the technologies shown in each demonstration was provided. The high level of involvement of the WP team in the technical and logistical preparation of the demonstrations enabled a smooth performance of the national and European demonstrations: the demonstration scenario was revised based on the operational constraints of the demonstration, the demonstrated ECOSSIAN components were successfully integrated, the SOC operators knew how to perform all the technical steps of the demonstration, and the speakers were familiar with the speech they had to deliver. Finally, feedback from the external participants was collected through questionnaires specifically elaborated for each demonstration. This feedback was further analyzed in task 5.8 “Evaluation and recommendations”.

1.3.7 WP7 Legal, Ethical and Social Foundations
Task 7.1: Applicable legal framework (M01-M36)
At the beginning, the timeframe and task work distribution were defined. The partners in T7.1 studied the European data protection legal framework with a particular focus on Directive 95/46/EU and the then recent Proposal for a General Data Protection Regulation. The other frameworks relevant to the security of Critical Infrastructures were also assessed in depth (i.e. Directive 2008/114/EC). Further, a methodology for the national legal studies was elaborated, and this methodology was used to examine the relevant countries. This analysis resulted in the delivery of D7.1 “Analysis of the applicable legal framework” (M06) and D7.2 “Legal requirements” (M09), which were finalized and submitted on time. For the purposes of D7.2, the partners studied the principle of privacy by design and its strategies, and also built upon the work completed in D7.1. As a result, D7.2 provides a list of guidelines for the implementation of the privacy by design principle in the context of threat detection and analysis and information sharing. As such, the relevant legal framework, requirements and guidelines were identified, supplemented by D7.3 “Information sharing policies in disaster situations – Version 1” (M12) (T7.4). Partner TEC successfully performed/organized the formal, internal and SCC reviews. Hence, the given objectives for the first year were achieved.
Afterwards, starting from the results of D7.1 “Analysis of the applicable legal framework”, D7.2 “Legal requirements” and D7.3 “Information sharing policies in disaster situations- Version 1”, the developers were contacted and exchange has taken place regarding data processing and the implementation of the requirements arising from these deliverables. Furthermore current legal development have been followed (GDPR, LE Directive and NIS Directive, and ongoing court case) and analyzed. T7.1 focused on the applicable legal framework, for which considerable updates were required during the project time, as the GDPR and the NIS Directive were adopted. Therefore in this task in year 3 an analysis of the GDPR was made, including an update of the requirements for ECOSSIAN. Additionally, the NIS Directive was analyzed and an overview of the most important information was sent to the ECOSSIAN partners, and information exchange took place with the WP2 lead, sensor developers and the technical lead regarding data processing within ECOSSIAN. Furthermore, an analysis of ENISA recommendations was made. Moreover, a workshop at the Rome meeting took place in order to further discuss the applicable legal provisions, possible data processing in ECOSSIAN and the implementation of the legal requirements. Further work on D7.6 included an analysis of Data Protection Impact Assessment in the GDPR and a comparison of the general DPIA of the GDPR with specific DPIAs from France and Germany. In the scope of the task were a workshop on identifiability/ anonymization attended as well as an international privacy and data protection conference. Blog posts on the Breyer judgement and on NIS security as legitimate interest for public services have been written. Finally, D7.6 has been finalized and submitted.
Task 7.2: Business Framework Conditions (M01-M36)
At the beginning, the partners had internal discussions and planned the involvement in the task. The partners followed up the work in progress and put effort into the identification of stakeholders. Furthermore, the detailed planning beyond the current data gathering phase was discussed. A preliminary internal analysis of possible business exploitation of the ECOSSIAN outcomes has been accomplished and a possible business model identified, with respect to the operational involvement of CERT Poste Italiane in the possible adoption of the ECOSSIAN platform.
In year 2 the task lead has successfully been shifted from partner PJ to partner INOV. A draft structure of the working document has been established and information gathered. The partners worked on privacy by design with specific reference to the business sector, a preliminary internal analysis of possible business exploitation of the ECOSSIAN outcomes and a possible business model.
In the last project period, a general analysis of issues has been done together with T7.3, resulting in a shared chapter 2 in the deliverables. Various partners worked together to identify and discuss relevant issues from different points of view. Teleconferences were held with all partners to clarify and promote discussion of the perimeter of each issue/gap and recommendation raised. The analysis included research on business framework conditions and legal enablers, as well as a SWOT analysis in that context and questionnaires. Finally, D7.9 has been finalized and submitted.
Task 7.3: Public-Private Partnerships (M01-M36)
At the beginning, the partners had internal discussions and planned the involvement in the task. Partners engaged in a discussion of the most adequate methodology to fulfill the objectives and collected relevant information on Public-Private Partnerships, namely cooperation protocols, legal bases and existing PPP policies, with a view to contributing to the definition of the future cooperation model. The partners also performed an analysis of the legal provisions applicable to Public-Private Partnerships in Portugal. Further, an analysis of the several existing protocols among public and private entities with relevance for the ECOSSIAN project was performed. The partners also concentrated on the identification of relevant stakeholders in every field of the CI environment. Further, the preliminary work completed and the scheduling of the remaining work in this task were discussed. Partners also investigated the use of the research accomplished together with members of the European Electronic Crime Task Force, which maps existing information sharing policies in a number of initiatives started at EU and international level. CESS provided a first working paper on PPPs, which was discussed with KUL and PJ. This served as a main source for drafting D7.10.
In year 2 the task lead has successfully shifted from partner PJ to partner INOV. A first draft of D7.10 has been written. Existing international and national PPP models were analyzed by different partners. It has been agreed that the PPP model for ECOSSIAN will be general and based on a good description of governance principles. The COBIT framework should be a guideline to this approach.
During the last project period, a general analysis of issues has been done together with T7.2, resulting in a shared chapter 2 in the deliverables. Various partners worked together to identify and discuss relevant issues from different points of view. Teleconferences were held with all partners to clarify and promote discussion of the perimeter of each issue/gap and recommendation raised.
The PPP concept for a system such as ECOSSIAN was identified to present a novel challenge to all stakeholders involved. Role models of PPPs and achievements in other nations, and framework conditions for a PPP to work in joint cooperation of the EU, national governments and CI industry have been analyzed. Basic prerequisites and characteristics for an ECOSSIAN-type PPP have been drafted. A workshop on the PPP approach was held on 6 July 2016, along with several teleconferences. Recommendations were specified and discussed for the D7.10 ToC and its contents by input to the "issue log" and the dedicated online workshop. Work included, amongst others, a description of Austrian national PPP models in the field of cyber security, a legal analysis of public-private partnerships with a national analysis of the Netherlands and Portugal, as well as of European principles and related work of ENISA. Another contribution consisted of the description of a PPP success story, the European Electronic Crime Task Force, analyzed as a Public-Private Partnership (PPP) with the aim of finding a good and feasible PPP model for ECOSSIAN. The analysis of PPP requirements, state of the art and consequences for an ECOSSIAN PPP model has been included in D7.10, which has been finalized and submitted.
Task 7.4: Information Sharing Policies (M01-M36)
In the first period, a preliminary study of the applicable legal framework at European and national level, as completed in D7.1, provided the starting point of this task. The partners built on the preliminary identification of the applicable legal framework at EU and national level completed in D7.1 and on the requirements and guidelines outlined in D7.2. The work for D7.3 was completed and the deliverable was submitted on time. In addition, partner TEC successfully performed/organized the formal, internal and SCC reviews.
In the next project period, starting from D7.3 “Information sharing policies in disaster situations – Version 1”, further research on information sharing policies was done. The focus was on mandatory information sharing, especially in national IT security legislation and data breach notification requirements. Furthermore, the EU security classification provisions have been analyzed. A first draft of the in-depth analysis of the Italian legislation has been made.
Concerning the third period, work has been done regarding an analysis and overview of information sharing in matters of criminal justice. Furthermore, some changes have been made to the chapter on classification, and further information was collected for the overview of national notification obligations, the implementation of the NIS Directive and national implementations of Council Directive 2008/114/EC. In addition to that, the SPARKS workshop and the 4th Annual European Cyber Security Conference have been attended. Furthermore, an analysis and overview of alignment with the NIS Directive has been made with the support of INOV. Finally, D7.7 has been finalized. It is important to mention that the research of this task has been used to draft a book chapter, which is currently under review by the publisher and is expected to be published at the end of the year.
Task 7.5: Political and Societal Factors (M01-M36)
As a starting point, CESS provided the Quality Criteria Catalogue from the recent ValueSec project and gave recommendations on how to use it in ECOSSIAN. It was recommended to examine the possibility of adapting and using the ValueSec tool QCA in ECOSSIAN. Furthermore, the availability of the method from the ValueSec project was clarified.
Moreover, an evaluation of the adaptability of the criteria to the ECOSSIAN system and use cases was performed. Feedback was provided to the task lead in relation to the initial analysis and planning they had suggested, and KUL began planning the analysis it would complete in relation to this task, to be supplemented by its work in the other tasks. The input of D7.4 “Report by External Ethical Advisor – Version 1” (M12) has been compiled and the formal, internal and SCC reviews have been successfully organized and performed. The work in year 2 focused on further refinement of D7.11 “Societal and ethical impact analysis” and the underlying catalogue of socio-political criteria, and on the development and testing of an Excel-based methodology and tool for the evaluation of the ECOSSIAN system against the "soft"/qualitative socio-political & ethical criteria (QCA). The basic methodology approach was taken from the ValueSec and CIRAS projects. ECOSSIAN exchanged information and worked jointly with the PULSE project on socio-political evaluation criteria, including a paper.
In the last project period, further steps towards completion of the ECOSSIAN EELPS tool have been made: the ECOSSIAN EELPS categories and criteria were implemented in the tool, and a first set of all utility functions was created. A set of six different evaluation "Sessions", each consisting of three parametric test cases, has been specified. Methodology work performed in WP5 has been substantiated in the tool-based EELPS evaluation efforts by different partners. The role model of evaluation has been set up by CESS. The inclusion of the EEA in this process has been prepared and included in the evaluation. An EELPS-related questionnaire was developed for the demo evaluations, where it was applied and evaluated. All six scenario session evaluations by different partners were received and analyzed, including one from the EEA. Methodology, tool, session evaluations and results are documented in D7.11. The six session evaluation results were compared with demonstration results and summarized in D7.11 chapters 5 and 6. The last step was further refinement and documentation of the EELPS methodology and tool, which resulted in a complete refinement and finalization of D7.11.
Achievements and results of WP7:
Successful submission of D7.1 and D7.2 on schedule and thus the identification of the applicable legal framework, the requirements and the implementation guidelines. Furthermore, three Reports by External Ethical Advisors have been developed within D7.4, D7.5 and D7.8 and submitted on time. Additionally, D7.6 has also been established and submitted. Moreover, several blog posts were prepared and published, including, importantly, the blog posts on the Breyer case regarding the status of dynamic IP addresses as personal data. D7.9 and D7.10 have successfully been established and submitted, as well as D7.3 and its 2nd version D7.7. Based upon the work done for D7.7, a book chapter has been written. A successful try-out EELPS evaluation has been made and the methodology and results submitted in D7.11. Furthermore, a draft paper for the CRITIS conference was realized. Finally, cooperation activities with the projects PULSE, CIRAS and DOGANA were undertaken and a presentation at the ELSI workshop was given.
1.3.8 WP8 Dissemination, Exploitation and Standardization
Task 8.1: Dissemination, Publishing (M01-M36)
In period one, a publication calendar, suitable for planning and monitoring any kind of publication, was designed and put on SVN to be used by the project partners. It has been continuously used during the whole lifetime of the project. To raise the public level of awareness of the project within the scientific and industrial communities, the following achievements and work towards the project goals of the first project year have been performed:
• 4 peer-reviewed scientific publications (another 6 have been submitted)
• the first ECOSSIAN workshop was organized with an international audience and very good feedback
• Partners participated in 21 conferences, work group meetings and other external events, partly including presentations
To support these activities, some advertising material has been developed and was constantly updated during the lifecycle of the project. Moreover, an interactive project website has been set up to support both external dissemination and interaction between the project partners. It provides an overview of the project, including a brief outline of the overall concept as well as up-to-date information on the project’s activities and results. A detailed description of the project website was provided in D8.1 “Web site and information platform” (M03). Furthermore, at the beginning of the project, an Announcement Letter was published in order to communicate the project start and ideas to the general public. It is available on the project website (http://www.ecossian.eu/downloads/ECOSSIAN_Announcement_Letter_ENG.pdf).
The first project leaflet (http://www.ecossian.eu/downloads/ECOSSIAN-Leaflet-Web.pdf) and the first two ECOSSIAN newsletters have been released. They have been distributed to all partners and are used to support the promotion of the project at exhibitions, conferences and other public events. The newsletters, which are issued periodically, can be downloaded from the project website: http://www.ecossian.eu/news/press-news.
Furthermore, a project roll-up (http://www.ecossian.eu/downloads/ECOSSIAN-roll-up.pdf) and a poster (http://www.ecossian.eu/downloads/ECOSSIAN_Poster.pdf) have been designed that can be used for promotional activities at conferences, fairs, exhibitions, etc. In addition, the ECOSSIAN project takes advantage of social media (Twitter: https://twitter.com/FP7_ECOSSIAN and LinkedIn: https://www.linkedin.com/groups?home=&gid=8136543&trk=anet_ug_hm), which helps spread project information to a large audience. As a consequence, they are valuable means to disseminate project ideas and results.
During the second project period, the following achievements and work towards the project goals of second project year have been performed:
• 9 peer-reviewed scientific publications
• 1 ECOSSIAN workshop was organized with an international audience and very good feedback
• 5 (all of them in the second project year) ECOSSIAN stakeholder workshops were organized in Portugal, Finland, Germany (2) and Austria with very good feedback
• Partners participated in 19 conferences, work group meetings and other external events, partly including presentations
To support these activities, advertising material has been developed.
• Two more ECOSSIAN newsletters have been issued to support the promotion of the project at exhibitions, conferences and other public events. Furthermore, the Newsletters were distributed to the Advisory Board members and spread via Twitter.
• A set of presentations (“Overall introduction”, “Operational, Organizational and Legal Framework”, “Technical Framework”, “Use Cases and Requirements”) has been prepared for external presentation of ECOSSIAN concepts. These presentations can be used by all project partners whenever talking to external and internal (partners’ organizations) audiences. These presentations were updated regularly.
For the third project period the following major achievements and work towards the project goals have been performed:
• 7 peer-reviewed scientific publications, 3 additional papers have been accepted for publication
• Partners participated in 40 other dissemination activities such as conferences, work group meetings and other external events, partly including presentations
• 3 ECOSSIAN national demonstrations were organized by WP6 and held in Rome (Italy), Lisbon (Portugal) and Cork (Ireland).
• The final demonstration on “Pan European detection and management of incidents and attacks on critical infrastructures” took place in Elancourt (France).
• Furthermore, ECOSSIAN achievements were presented at the Digital Innovation Forum in Amsterdam, where the project had its own booth.
• The third ECOSSIAN Workshop, an affiliated event of the 2nd IEEE European Symposium on Security and Privacy (EuroS&P 2017), and an Advisory Board Meeting were organized in Paris.
To support these activities, advertising material has been developed during the lifecycle of the project.
• Another two ECOSSIAN newsletters have been released.
• Probably the two most sustainable dissemination activities are the video, presenting how ECOSSIAN addresses the use case “Detection of Attack on Gas Provider” (available for download), and the ECOSSIAN brochure, in which major ECOSSIAN results are highlighted within 44 pages (available as a paper version and as a PDF download).
• A set of presentations has been prepared for each of the demonstrations (national and final ones) as well as the final workshop.
Task 8.2: Exploitation planning (M19-M36)
In the second period of the project, work was started to provide exploitation plans on how to utilize research outputs coming from the ECOSSIAN project. The strategic exploitation plans have been established in two directions: a common exploitation plan and individual plans for each partner. Investigations have been carried out on how ECOSSIAN partners will be able to exploit the three following markets: IDS/IPS, SIEM and MSSP/SOC. These investigations rely on detailed market analyses and on an evaluation of the consortium's strengths and weaknesses in addressing these markets. The common exploitation plan has been established based on the project value chain and the placement of the ECOSSIAN partners on it. The exploitable achievements of the ECOSSIAN project have been highlighted. This plan has been complemented by the description of several business models relevant to the ECOSSIAN exploitation strategy: SOC operator, SOC integrator, Security Services and Security Products. As a consequence, exploitation objectives for each partner of the ECOSSIAN project have been updated and are described in detail in D8.5 “Exploitation and Standardization Plan”.
Within WP8 in the third period, exploitable outputs of the ECOSSIAN project have been identified and strategies for exploitation have been defined. Plans cover detailed information on the description of the output, its readiness, its added value, the associated exploitation strategy and the future exploitation activities planned by the partner providing the output. Descriptions of usage scenarios in which these outputs can be used when integrated together were prepared, including details on the added value of the integrated solution, the targeted customers and business models, and its social and economic impact.
Task 8.3: Standardization (M13-M36)
At the beginning of the second project period, work was started to define standardization plans on how to utilize research outputs coming from the ECOSSIAN project. The ECOSSIAN consortium identified the following key knowledge areas to push into standardization: Architecture, which includes the ECOSSIAN architecture and the “General Architecture Framework”; Information Sharing, regarding technical mechanisms, sharing processes and legal aspects; Incident Management, which includes processes suitable for CNI and tooling. Four major stakeholder groups have been identified which should be addressed by the ECOSSIAN common standardization strategy: EU Institutes; National Agencies; Major standardization bodies; Others (e.g. SANS). Preliminary contacts with the Chairman of Committee 4 "Standard & Technologies" of the UPU have been established in order to raise attention on the ECOSSIAN project. Additionally, contacts with ENISA have been established. Standardization should be seen as a “market potential”, and because of that the whole ECOSSIAN consortium tried to push the gathered results into standardization. The Exploitation and Standardization Report (D8.7) shows in detail all activities regarding standardization for each partner. Certain activities are carried out by partners to push possible results into standardization (standardization bodies in which partners are active include, e.g., ETSI and OASIS).
Achievements and results of WP8:
To summarize the main achievements, the following work towards the project goals has been performed within the three project years:
• 22 peer-reviewed scientific publications, 3 additional papers have been accepted for publication
• 3 ECOSSIAN workshops were organized with an international audience and very good feedback
• Partners participated in 109 other dissemination activities such as conferences, work group meetings and other external events, partly including presentations
• 3 ECOSSIAN national demonstrations were organized by WP6 and held in Rome (Italy), Lisbon (Portugal) and Cork (Ireland).
• The final demonstration on “Pan European detection and management of incidents and attacks on critical infrastructures” took place in Elancourt (France).
• ECOSSIAN achievements were presented at the Digital Innovation Forum in Amsterdam, where the project had its own booth.
• The third ECOSSIAN Workshop, an affiliated event of the 2nd IEEE European Symposium on Security and Privacy (EuroS&P 2017), and an Advisory Board Meeting were organized in Paris.
To support these activities, advertising material has been developed during the lifecycle of the project.
• Six ECOSSIAN newsletters have been released.
• Probably the two most sustainable dissemination activities are the video, presenting how ECOSSIAN addresses the use case “Detection of Attack on Gas Provider” (available for download), and the ECOSSIAN brochure, in which major ECOSSIAN results are highlighted within 44 pages (available as a paper version and as a PDF download).
• Sets of presentations have been prepared for each of the demonstrations (national and final ones) as well as the final workshop.
Furthermore, the ECOSSIAN project takes advantage of social media (Twitter and LinkedIn), which helps spread project information to a large audience.
• Twitter: https://twitter.com/FP7_ECOSSIAN
By the end of June 2017, the ECOSSIAN project could count 62 tweets and 55 followers.
• LinkedIn: https://www.linkedin.com/groups?home=&gid=8136543&trk=anet_ug_hm
By the end of June 2017, the ECOSSIAN project was connected with 65 professional business partners and interested parties in order to spread project information and stay connected.
In addition to that, an analysis of the market situation in the domain addressed by ECOSSIAN was performed and an updated plan for exploitation activities was developed. Around 18 exploitable outputs have been produced throughout the project, covering the whole ECOSSIAN value chain: attack detection by IT and ICS, secure information sharing between the different levels of SOCs, storage of sensitive data, incident analysis & correlation, incident security supervision & situation awareness, impact analysis etc. Furthermore, a strategy for pushing relevant project results towards external organizations working towards standardization has been developed. Finally, all Deliverables within this work package have been submitted in time.
Potential Impact:
1.4.1 Strategic Impact
The ECOSSIAN approach was different from previous and currently running projects in developing a holistic, integrated and user-friendly early warning system for all stakeholders on the operator, Member State and European side while complying with legal and regulatory requirements.
In the field of technology, the project built on a number of technologies which are available or under development at the different consortium members. They include:
• Detection and tracking sensors and methodologies
• Vulnerability assessment of SCADA components
• Decision support means
• Enhanced security risk assessment in SCADA environments
• Live forensics
• Monitoring and intrusion detection in SCADA environments
• Situational picture generation and visualization
• Usability and acceptance standards
• Secure communications, confidential information exchange and standards

Generally speaking, the impacts of the ECOSSIAN project can be summarized in three major areas:
• Facilitate the emergence of common European solutions in CIP
• Develop a secure cyber environment in CI sectors other than ICT in Europe
• Facilitate the emergence of new cyber security interoperability standards

To be more specific, hereafter are the impacts within the single WPs of the ECOSSIAN project:
• WP1: raised awareness of the existing heterogeneity of CIP provisions (procedure, technologies) and of gaps which require EU-level improvement; input to and harmonization (if required) with the EPCIP program.
• WP2, 3, 4: availability of dedicated modules / tools which address problems beyond existing standards, e.g. improved information sharing and correlation across Europe, recommendations for more effective and efficient planning and mitigation procedures. Availability of all this to the European CIP market.
• WP5: facilitating the interfacing of overarching solutions with legacy systems and providing a secure communications infrastructure.
• WP6: raised awareness among, and convinced, a number of CI stakeholders across Europe (usually at “Chief Operations Officer” level) and of policy makers (locally and at EU level) that a system supporting operations across CI providers, across sectors and across borders:
o brings additional trust and confidence for cooperation;
o eases PPPs;
o improves business continuity in case of disruptions;
o reduces the effects of interdependencies;
o increases citizens’ confidence in CI and society at large.
• WP7: impact potential on policy decisions by the systematic assessment of positive and negative political and societal criteria which will be of relevance for introducing improved overarching CIP measures and tools.

1.4.1.1 Impact for project partners
For partners using/developing tools and methodologies in the ECOSSIAN project, it was an opportunity to validate functional and technical suitability in a critical infrastructures context, and to help define future research and development directions. Results also include improved maturity of products and tools. Thus, for each partner the ECOSSIAN impact can be described as follows:
• For TEC, a significant expansion of security services and collaboration with big industrial companies and Law Enforcement Agencies, which allows broadening future research directions, has taken place.
• For EADS, ECOSSIAN results will strengthen its portfolio in protecting critical infrastructure network security and enable EADS to continue research in those fields and to transfer knowledge into several business units.
• For GAIS, ECOSSIAN was the opportunity to benchmark its organizational cybersecurity readiness and contributed to a clearer awareness of the security level to be achieved. GNI has successfully applied much of the knowledge gained during the project while planning the GNI OT Cybersecurity upgrade projects.
• AIT is engaged in discussion with industry partners and is collaborating closely at national level with Austrian ministries regarding exploitation of ECOSSIAN results within a real context. A test installation has been deployed within the network infrastructure of the Austrian Ministry of Defense.
• FHG's exchanges with external stakeholders and possible customers confirm the relevance of their approach to cryptographic access control for secure information exchange. FHG will provide recommendations for different groups involved in standardization activities, based on ECOSSIAN results.
• ECOSSIAN gave UNIBO the opportunity to conduct applied research in the GDPR (General Data Protection Regulation) context, on the protection of natural persons regarding personal data processing by competent authorities. Results have been published by one of the most important Italian publishing houses in the legal field.
• For CAS-FR, ECOSSIAN was the opportunity to enhance their cyber-security solutions for incident response and situation awareness. CAS-FR intends to have discussions with the French N-SOC in order to highlight how ECOSSIAN could provide a high-performing tool for incident correlation and analysis.
• ECOSSIAN enabled INOV to improve the maturity of their product BP-IDS for different application fields. INOV is currently discussing with IP and IP Telecom a deployment in a production environment.
• For IP and IP Telecom, ECOSSIAN was an opportunity to increase knowledge of cyber-security in several areas, such as technical and legal, and to be positioned as the Portuguese reference on cyber-security regarding Transportation CI. IP is considering deployment of ECOSSIAN sensors in other transportation systems and IP Telecom is considering the deployment of ECOSSIAN sensors as a service.
• ESPION will exploit ECOSSIAN results in a joint project to develop an open source product for use in the CIP/SCADA space by small operators. ESPION has continued its work on standardization and became part of the BSI (British Standards Institution), particularly working on IoT standards for the future.
• VTT has disseminated ECOSSIAN results through national projects for Finnish critical infrastructures, mainly focused on SOC structures, information sharing and updates to standardization activities, particularly the NIS Directive. Due to VTT’s internal collaboration in ECOSSIAN between the cyber security and risk assessment teams, the risk assessment team in particular can now expand their risk assessments to include cyber-related risks for their customers.
• ECOSSIAN gave KUL the opportunity to conduct research examining the compliance of new information technology with the European legal framework on data protection and information sharing, in particular the application of the GDPR and NIS Directive to critical infrastructures and NIS information sharing, as well as data protection impact assessments.
• For BRTIT, ECOSSIAN gave the opportunity to validate concepts and features of its Secure Gateway product line and to progress in understanding the needs of national and international stakeholders in critical infrastructure protection.
• In ECOSSIAN, IFAK has developed experience and algorithms for monitoring and analyzing Profinet-based industrial automation systems. IFAK is engaged in discussions with industry partners to support plant operators and, as a member of different groups, is participating in the definition of industry specifications that may influence future ways of operating systems.
• PI will exploit ECOSSIAN results in several structures such as CERT (Computer Emergency Response Team), EECTF (European Electronic Crime Task Force) and UPU (Universal Postal Union) to evaluate possible standardization opportunities at the international level.
• For CCG, ECOSSIAN contributed to developing activities in the field of critical infrastructure network anomaly detection sensors, and the integration of the Interdependency model into the CAS-FR Cymerius product is the focus of further exploitation of results. ECOSSIAN has strengthened CCG's competences in securing critical infrastructure environments.
• For CESS, ECOSSIAN contributed to the improvement and extension of competences, further application of developed tools, and extension of the customer base, such as national and international responders and government organizations. It also gave the opportunity to create cooperation with other critical infrastructure related projects such as CIRAS and PULSE, with the aim of harmonizing the application of socio-political evaluation, including psychological, social, ethical and intangible economic, legal and political impact.
• EADS-UK will exploit ECOSSIAN results to identify issues which may require further development in the future.

1.4.1.2 Macro-economic Impact
The European macroeconomic dimension of both the technology and the project is significant. While the few European SME companies working on security solutions provide highly innovative, cutting-edge technology, their impact on the world-wide market is still small, especially compared to the strong U.S. companies. The end-users PI, IP and GAIS are going to promote the findings and best practices of ECOSSIAN in their respective domains of interest, namely finance, railways and energy. Furthermore, the industry partners benefit from business exploitation with clear commercial motives. Hence, the project has strengthened the European presence.

1.4.1.3 Business Impact
Various types of customers or industry segments that will profit from the positive impact have been identified:
• CI and/or ICS Operators, IT Administration and IT Production (targeted sectors: rail, energy, automotive, health and hospital area etc.)
• Critical Infrastructure suppliers, Equipment manufacturers & Machine integrators
• Defense and Security Organizations:
o SOCs: MSSP SOC, CI SOC, governmental SOC and military SOC
o Risk, Security & Business Continuity Management
o ICS and SCADA forensic incident response and analysis.
o Security Solutions Providers
o National Security Agencies, ministries, government/EU institutions
o CERT, CSIRT
• Researchers.

1.4.2 Dissemination Activities
The dissemination activities of the ECOSSIAN project were initiated to ensure the visibility and awareness of the project and to support the widest possible adoption of its results in industry and research. The dissemination activities of the project were organised and coordinated within the project’s WP8 “Dissemination, Exploitation and Standardization”, which was led by the partner IFAK.
The dissemination strategy of the ECOSSIAN project covered two aspects, which are described in more detail in the following paragraphs.
• The goal of the first, awareness-oriented aspect was to raise public awareness and interest about the project and its objectives.
• The second, result-oriented aspect aimed to promote the results of the project, in order to allow potential interested parties to get to know the innovation and the related benefits of the ECOSSIAN project.
These two aspects covered different methods and activities, which needed to be initiated in order to achieve the goal of establishing ECOSSIAN as a successful and sustainable project. Further details regarding dissemination activities can be found in the following sections as well as in Chapter 1.3.8 and Chapter 2.

1.4.3 Exploitation of results
1.4.3.1 Exploitation activities in the ECOSSIAN project
Besides the dissemination of the project results, the exploitation of the achievements of ECOSSIAN was of crucial importance. It included all activities carried out to promote and exploit the research results gained during the project period. As the project consortium consisted of major European players in both science and industry, the results will be exploited in both the scientific and the commercial sector. A very important impact of the ECOSSIAN project is definitely the business exploitation, i.e. the transfer of technology into commercial products. This exploitation supports economic growth and creates jobs. The result of the ECOSSIAN project is a holistic system to facilitate preventive functions like threat monitoring, early indicator and real threat detection, alerting, support of threat mitigation and disaster management. The main exploitation was planned to be carried out through each partner’s own organisation. All these activities, carried out either at the consortium level or individually, are listed in Table 2 and Table 4.

1.4.3.2 Contribution to standards
Contribution to standards based on fundamental research is substantial in a competitive environment in order to further develop the European economy. Without standards at least at the European level, there is a risk of fragmented, possibly incomplete and more vulnerable solutions, which would allow local or foreign competitors to offer solutions that are not optimal for society. ECOSSIAN actively contributed to many relevant standards and working groups, such as “The Open Group Standard for the exchange of Risk Information”. Detailed information on each partner’s contributions to standardization can be found in D8.7 Exploitation and Standardization Report.
List of Websites:
www.ecossian.eu