Digital security, privacy, data protection and accountability in critical sectors
Among the critical sectors mentioned in the NIS Directive[[NIS Directive, Annex II.]], proposals should treat generic aspects for at least two of them, by identifying common threats and attacks and by developing proofs of concept for managing cybersecurity and privacy risks. In addition, proposals should treat specific aspects for one of the three critical sectors/domains mentioned as sub-topics, i.e. transport, healthcare and finance, by identifying specific vulnerabilities, propagation effects and countermeasures, and by developing and testing cyber innovation-based solutions and validating them in pilots/demonstrators. During the conception and development steps, the specificities of critical sectors/domains, such as the complexity and large scale of their infrastructure, should be taken into account. These pilots/demonstrators are encouraged to use relevant transversal cyber infrastructures and capabilities developed in other projects.
Proposals should also include (but should not be limited to) the delivery of specific social aspects of digital security related to training, in particular practical, operational and hands-on training, including: (i) increasing the dynamics of the training and awareness methods, to match or exceed the rate of evolution of cyber attackers, that is to say new methods of awareness/training offering more qualification tracks to fully and efficiently integrate ICT security workers and employers in the European e-Skills market; and (ii) integrating awareness into the ecosystem of humans, competences, services and solutions which are able to rapidly adapt to the evolutions of cyber attackers or even surpass them.
Participation of SMEs is strongly encouraged.
Proposals are invited against the following sub-topics, in 2018 and 2019:
(a) [2019]: Digital security, privacy and personal data protection in multimodal transport
Proposals under this sub-topic should tackle at least two of the following items:
(1): Secure access management for citizens to all types of vehicles. A European Single Transport Market requires a pan-European, seamless, privacy-aware solution for access across mass, shared and individual mobility, which will bring added value to citizens while safeguarding data protection and privacy. However, the corresponding increased interconnection of smarter systems increases the vulnerability surface, and therefore novel tailored solutions should be proposed.
(2): Assurance and protection against specific cyber-attacks in the multimodal transport domain, addressing interconnected threats and propagated vulnerabilities. Practically feasible solutions should be delivered, shielding the vulnerabilities that have severe impact and catastrophic propagation effects on multimodal transport operations. Applicants should propose integrated, holistic approaches and tools for dynamically and automatically forecasting and managing complex security and privacy incidents, and personal data breaches, in multimodal transport services and operations. Proposals should improve the security intelligence for treating complex multimodal transport security and privacy incidents, notably personal data breaches, vulnerabilities and attacks. Proposals should develop practical solutions for relevant online information sharing and for distributing real-time security, privacy and data protection warnings to all stakeholders in the multimodal transport ecosystem; collaboration with CERTs/CSIRTs is highly encouraged.
(3): Standardization to allow the quick adoption of cybersecurity best practices in the domain. Proposals should evaluate the feasibility of a security labelling for transport and deliver relevant recommendations and options.
The outcome of the proposal is expected to lead to development up to Technology Readiness level (TRL) 7; please see Annex G of the General Annexes.
The Commission considers that proposals requesting a contribution from the EU of about EUR 5 million would allow this specific challenge to be addressed appropriately. Nonetheless, this does not preclude submission and selection of proposals requesting other amounts.
Type of Action: Innovation action
(b) [2019]: Digital security, privacy and personal data protection in the healthcare ecosystem
Proposals responding to this sub-topic should contribute towards the practical implementation of relevant EU legislation (e.g. NIS, eIDAS and GDPR) in the complex healthcare ecosystem, involving all stakeholders (e.g. security officers, ICT administrators, operators, auditors, developers, manufacturers, integrators, data protection officers) of all entities in the healthcare ecosystem, and considering all types of data handled, with special focus on sensitive data as defined by the GDPR.
Proposals under this sub-topic should tackle at least two of the following items:
(1): In collaboration with all stakeholders in the healthcare ecosystem and CERTs/CSIRTs, develop dynamic vulnerability databases for collecting, uploading, maintaining and disseminating vulnerabilities of ICT-based medical systems, technologies, applications and services (enhancing the generic ICT ones, e.g. NIST, MITRE). Build dynamic taxonomies of medical-related attacks to serve as the basis for building healthcare cybersecurity incident management systems.
(2): Deliver dynamic, evidence-based, sophisticated security, privacy and personal data protection risk assessment frameworks and tools that can deal with cascading effects of threats and propagated vulnerabilities in interconnected healthcare infrastructures, entities, systems, supply chain services and applications (compliant with appropriate cybersecurity standards, e.g. ISO 27001, ISO 27005, ISO 28000).
(3): Provide collaborative privacy-aware tools enabling healthcare stakeholders to access and share information (with its integrity guaranteed), and to advise on and provide best/good practices for incident handling through appropriate interaction with healthcare participants, respecting their privacy and personal data protection.
The outcome of the proposal is expected to lead to development up to Technology Readiness level (TRL) 7; please see Annex G of the General Annexes.
The Commission considers that proposals requesting a contribution from the EU of about EUR 5 million would allow this specific challenge to be addressed appropriately. Nonetheless, this does not preclude submission and selection of proposals requesting other amounts.
Type of Action: Research and Innovation action
(c) [2018]: Digital security, privacy and personal data protection in finance
Proposals under this sub-topic should tackle at least one of the following items:
(1): Development of resilience-enhancing technologies. Proposers are expected to develop innovative solutions tailored to the finance domain, ensuring that proactive preparedness helps financial market participants and infrastructures to share information and better cope with technological shortfalls. Proposals should (i) deliver tools that make data exfiltration unattractive to attackers, both for 'data at rest' and 'data in transit'; (ii) consider incipient trends (e.g. digital onboarding based on biometric data); and (iii) collaborate with CERTs/CSIRTs.
(2): Development of new/enhanced, parameterized, automated and collaborative ICT tools for insurance companies, needed to collect security, privacy, personal data protection and accountability requirements from their clients and to upgrade their insurance and liability policies in line with EU legislation on cybersecurity, privacy and personal data protection, as well as cybersecurity standards (e.g. ISO 27001, ISO 27005).
(3): Standardization to allow the quick adoption of cybersecurity best practices in the domain. Applicants should propose novel solutions for promoting common standards for conducting stress and resilience testing across systemic financial market infrastructures and institutions or for certifying companies/organizations that can perform accredited conformity tests.
The outcome of the proposal is expected to lead to development up to Technology Readiness level (TRL) 7; please see Annex G of the General Annexes.
The Commission considers that proposals requesting a contribution from the EU of between EUR 3 and 4 million would allow this specific challenge to be addressed appropriately. Nonetheless, this does not preclude submission and selection of proposals requesting other amounts.
Type of Action: Innovation action
Projects should also foresee activities and envisage resources for clustering with other projects funded under this topic and with other relevant projects in the field funded by H2020.
In critical vertical sectors/domains, cybersecurity technologies deployed in several application domains should be aligned to the specific domain needs, linking the demand and supply sides for such cyber technologies. In the context of increased digitization and the growing complexity of cyber-attacks, certain sectors/subsectors are identified as critical from the point of view of cybersecurity needs in the NIS Directive: energy (electricity, oil, gas), transport (air transport, rail transport, water transport, road transport), banking, financial market infrastructures, the health sector (health care settings, including hospitals and private clinics), drinking water supply and distribution, and digital infrastructure. These sectors are important customers of cybersecurity solutions; hence it is of utmost importance to facilitate the engagement of end-users in defining and providing sector-specific common requirements for digital security, privacy and personal data protection. Principles and standards for building in security, privacy and personal data protection by design and by default should be clearly defined, to protect the critical infrastructures in these sectors and to ensure personal data integrity and confidentiality.
For the transport domain, security must be managed proactively over the system as a whole. This must also extend to interfaces with critical supporting infrastructures such as communication networks and satellite systems. The complexity of the transport sector stems from the diversity of the components that make up the solutions in use and the very long lifecycle of these components. The challenge is to migrate these solutions, systems and infrastructures to a higher level of cybersecurity.
ICT enables the healthcare sector to provide efficient, effective, cross-border, top-quality healthcare services, improving public healthcare. Healthcare operations, services and applications are provided via various interconnected infrastructures, systems, entities and people. Personalized medicine is on the brink of becoming a successful approach to treating diseases. This increases the complexity of the pharmaceutical supply chain and raises the importance of achieving a zero error rate in the supply of personalized medications. Cybersecurity in this respect is safety-critical, and novel approaches are needed to ensure traceability and zero-error deliveries. Moreover, requirements related to data protection legislation should also be taken into account, as health is a very sensitive sector from this point of view[[The GDPR, in its Article 9 (processing of special categories of personal data), prohibits the processing of personal data concerning health unless one of the conditions set out in Article 9(2) applies.]].
This interconnectivity gives rise to various threats, making the healthcare ecosystem vulnerable to catastrophic attacks with high impact on healthcare institutions and people's lives. The healthcare industry has seen a major rise in cyber-attacks over the past two years, and data breaches increasingly damage the healthcare industry as well as people's privacy and personal data protection. Vulnerable patient record management systems can be attacked, leading to unauthorised disclosure of and access to personal data concerning health. Connected medical devices are increasingly used, in particular wearables and home health monitoring devices, which often transmit sensitive data over insecure wireless networks from patients' homes to hospitals, exposing patients' privacy and personal data and undermining the resilience of healthcare infrastructures.
Digital technologies are also profoundly changing the financial sector. Cybersecurity solutions are essential to enable digital technologies in finance and to ensure the stability of the financial sector, which must respond to increasingly sophisticated cyber-attacks.
Short term:
- The technological and operational enablers of co-operation in Response and Recovery will contribute to the development of the CSIRT Network across the EU, which is one of the key targets of the NIS Directive.
- Identified relevant generic and specific aspects related to cybersecurity and digital privacy in the respective critical domains/sectors addressed.
- Advanced holistic systems and innovative proofs of concept for managing cybersecurity and privacy risks in the respective critical domains/sectors addressed.
- Advances in the state-of-the-art analysis of specific aspects of the respective critical domains/sectors addressed, such as related cyber threats, attacks and vulnerabilities.
- Sound analysis of cascading effects of specific related cyber threats within the supply chain of the respective critical domains/sectors addressed.
- Improved cybersecurity information sharing and collaboration among stakeholders of the respective critical domains/sectors addressed, and with CERTs/CSIRTs.
- More targeted and acceptable security management solutions addressing specificities of the respective critical domains/sectors addressed.
- Faster adoption of cybersecurity/privacy/personal data protection best practices in the respective critical domains/sectors addressed.
Medium term:
- Better response and recovery technologies and services that will help organizations in the respective critical domains/sectors addressed to significantly reduce the impact of propagated and cascaded threats, vulnerabilities and breaches.
- Enhanced protection against emerging novel advanced threats in the respective critical sectors/domains addressed.
- Improved security governance of the respective critical domains/sectors addressed.
- Greater and more mature EU cybersecurity market in the respective critical domains/sectors addressed.
- Reduced impact of breaches that achieve various levels of success in penetrating the defences.
Long term:
- Better cybersecurity for specific standards in the respective critical domains/sectors addressed, that will trigger fast adoption of best practices in the related industry.
- Established trust chains among all entities in the ecosystems of the respective critical domains/sectors addressed.
- Better implementation of the relevant EU legislation (e.g. NIS, eIDAS, GDPR) in the respective critical domains/sectors addressed.
- Companies/organisations in the respective critical domains/sectors addressed are more willing to promote cybersecurity, privacy and personal data protection in the whole EU specific ecosystem.