Community Research and Development Information Service - CORDIS


ECOSSIAN Report Summary

Project ID: 607577
Funded under: FP7-SECURITY
Country: Austria

Periodic Report Summary 2 - ECOSSIAN (European Control System Security Incident Analysis Network)

Project Context and Objectives:
Mission of ECOSSIAN is to improve the detection and management of highly sophisticated cyber security incidents and attacks against CIs by implementing a pan-European early warning and situational awareness framework with command and control facilities.
The ECOSSIAN Project aims to:
• Implement an Operator Security Operation Centre (O-SOC) in order to enhance a security-state awareness to support operators of CI.
• Combine O-SOCs of Member States´ identified and designated CI in a National Security Operation Centre (N-SOC).
• Improve the effectiveness of decision-making and incident response capabilities in Member States.
• Connect Member States N-SOC to a European Security Operation Centre (E-SOC); enable collaborative cross-border and cross-sectorial incident management for CI.
• Improve the effectiveness of decision-making and incident response capabilities in Member States.
• Connect Member States N-SOC to a European Security Operation Centre (E-SOC).
• Accomplish a full-scale demonstration of the implemented ECOSSIAN framework and system.
• Build trusted relationships and engage the CI operators at the EU level.
• Ensure trustworthiness, anonymity, privacy and legality of action for all stakeholders and end users as necessary.
• Create an entry point for EU-US collaborative in cyber defense.

The protection of CI increasingly demands solutions which support incident detection and management at the levels of individual CI, among dependent CL, and across borders. The required approach ought to integrate functionalities across all these levels. Collaboration of privately operated CLs and public bodies, such as governments and EU is difficult but mandatory.
In the wake of 10 years of analysis and research on partial effects in CI Protection (CIP) and for individual infrastructure sectors, ECOSSIAN was created to develop this holistic area. One of the key developments is a prototype, facilitating preventive functions like threat monitoring, early indicator and real treat detection, alerting, support of threat mitigation and disaster management. The concept of the project contains analysis, assessment and consideration of societal perception and appreciation, the existing and required legal framework, questions of information security and implications on privacy.

Objectives & Technical Approach:
ECOSSIAN aims to improve the safety of the cyber security via implementation a pan-European early warning and situational conversance framework with command and entity management. In order to achieve its overall goal, the project has a number of important objectives. The tree main objectives are:
• European Programme for Critical Infrastructure Protection (EPCIP).
• Strategy and Action Plan developed by the European Commission.
• Worldwide Initiatives on Cyber Security of Industrial Control Systems and Smart Grids followed by ENISA and Member States.
ECOSSIAN establishes a working and exchange relation to the Security and Defence Agenda, who has already produced useful guidelines on how to improve Europe´s CIP.

Project Results:
A review/assessment of the CI SOTA, with respect to the EU legislative framework, stakeholders, technologies and procedures related to SOCs and CERTs, organisational aspects, secure technologies, best practices for secure information sharing built the basis for the project. Based on the information provided by operators of CIs, scenarios have been defined. Activities led to the identification of architecture requirements, organisational needs and main functionalities. A gap analysis was carried out and the architecture general framework and main components were identified. Risk assessment methodologies we identified and analysed, carrying out a final selection of standards and methodologies most suitable for ECOSSIAN project.
Based on gap analysis, requirements and scenario definition, monitoring and detection sensors/components have been identified, selected and implemented and successfully tested in the ECOSSIAN Integration Network (EIN). In addition, a SOC-design for all SOC level was introduced, including different participation levels for the CI operator.
Having analysed functional building blocks, information flows, data types and interfaces as well as understood the handling of incident reports inside the N-SOC, the system components for incident information collection, sharing, analysis, evaluation and visualization were developed and tested and necessary interfaces for the integration defined.
In addition to the development of a forensic toolset prototype, the secure data storage component was implemented. Realistic mitigation actions for national and European level were identified and discussed in External Stakeholder meetings.
A Business Impact Analysis was made for an example group of ECOSSIAN components to identify critical ECOSSIAN processes supporting activities regarding analysis of Business Continuity Planning (BCP) and Business Continuity Management Systems (BCMS) methodologies.
Subsequently to identifying all technical components, an early integration phase including place-holder interfaces of those components was established. This integration was supported by a common remote accessible environment, the ECOSSIAN Integration Network (EIN), supported by a ticketing system, regular workshops and online tools. A collection of measures of effectiveness/performance were identified and demonstration scenarios were detailed resulting in the definition of three national demonstrations and a Pan-European demonstration.
Draft versions of support materials and demonstration speeches have been initiated assisting the planned national and pan-European demonstrations.
Furthermore, legal and ethical requirements were identified, and protocols for public-private partnerships identified and analysed. Recommendations for the adoption of the Quality Criteria Catalogue are made and evaluated. In addition, special focus was set to ongoing legislative changes, such as the General Data Protection Regulation, the LE Directive and the draft NIS Directive
The established robust IT infrastructure, support material such as web-pages, press releases, flyers, newsletters and presentations and social media presence (Twitter, LinkedIn) were established and maintained. Strategic and common exploitation plan as well as the standardization plans are developed on how to utilize research outputs coming from the ECOSSIAN project. Several internal and external (stakeholders) workshop along with numerous scientific publication attendances to conferences etc, strengthen the ECOSSIAN public/scientific perception.
The overall project management covers all management components on contractual, financial, legal, technical, administrative and ethical topics. Some main tasks are organising meetings and conference calls, monitoring the work plan/progress and acting as help desk for partners in everyday issues.
Finally the planning of the tasks/deliverables is well on track. All WPs produced altogether 30 Deliverables.

Potential Impact:
ECOSSIAN will differ to previously and currently running projects by building up on the results and approaches of these projects by developing a holistic, integrated and user friendly early warning system for all stakeholders on operator, Member State and European side while complying to legal and regulatory requirements. The exchange of data and the sharing of information are commonly understood to improve the attack mitigation or resistance by combining forces. This is a prerequisite for situational awareness cross borders. The ECOSSIAN system explicitly includes a pan-European layer in the E-SOC that connects the national SOCs at the European level; by providing a common situational awareness this will enable the collaboration of all relevant stakeholders in Member States and Associated Countries. The layered approach in the ECOSSIAN architecture improves reaction speed by enabling a first (preliminary) response already on O-SOC level, thus avoiding delays due to more complex decision making on N-SOC or E-SOC level, nevertheless also providing capabilities for consistent and integral response. The basic incident detection technologies developed in the project as well as the analysis, aggregation and correlation methods will enable an improved and more accurate threat detection considering the information shared by all collaborating parties. This provides the capability for an adequate early-warning system. Legal, social and economic aspects will inherently be considered in the ECOSSIAN architecture, the development of threat detection methods, information sharing and exploitation capabilities as well as the design of threat mitigation and incident management components. A full-scale demonstration of the platform is dedicated to the execution of full-scale demonstrations on national and European levels. The necessary preparations and the evaluation of demonstrations will be performed as well.
We can summarize the expected impacts areas as follows:
• Facilitate the emergence of common European solutions in CIP
• Develop a secure cyber environment in CI sectors other than ICT in Europe
• Facilitate the emergence of new cyber security interoperability standards

List of Websites:


Klaus-Michael KOCH, (Scientific Director)
Tel.: +43 4242 233 55 70
Fax: +43 4242 233 55 77


Record Number: 196926 / Last updated on: 2017-04-13