Periodic Reporting for period 2 - IDUNN (A Cognitive Detection System for Cybersecure Operational Technologies)
Reporting period: 2023-03-01 to 2024-08-31
To address this, the IDUNN project focuses on building trust for any business by making its IT systems resilient to cyber-attacks. IDUNN creates a security shield in the form of tools, methodologies, microservices and initial standards that can be integrated into any IT and OT supply chain. The project demonstrates a secure Continuity Plan for IT-based organisations by creating and validating a unique Cognitive Detection System for Cybersecure Operational Technologies.
The IDUNN project delivers the following key results:
* Methodology for Traceability and Certification: A methodology centered on the traceability of complex ICT systems, designed to ensure compliance with existing security standards (such as IEC 62443).
* Holistic Threat Model: A threat model based on the MITRE TTP (Tactics, Techniques, and Procedures) framework, tailored to address the specific challenges of interconnected ICT/OT environments.
* Validated Security Framework: A security framework, consisting of tools and microservices, that enables automated and dynamic cybersecurity operations to protect ICT and OT systems.
* Integration Plan for Real-World Scenarios: An integration plan showcasing the application of IDUNN’s solutions across three key project scenarios, demonstrating their versatility and adaptability to general ICT supply chains.
* Co-Creation and Stakeholder Engagement: Activities with stakeholders to implement tools aimed at minimizing human intervention and enhancing system resilience through effective certification practices.
Use cases were defined based on real manufacturing scenarios from IDUNN partners. Misuse cases and risk analyses were performed, and functional and non-functional requirements for the IDUNN toolchain were identified. A high-level architecture was also proposed.
WP2 - Supporting Infrastructure (M4-M24) - finished:
AMORA was developed to simulate device communications and scenarios, focusing on accountability, privacy protection, and traceability. It underwent rigorous testing and integration of misuse cases, resulting in high-quality, repeatable tests.
WP3 - Dynamic Threat Detection Tool (M2-M24) - finished:
HEIMDAL, a vulnerability search engine, was developed to support recurrent vulnerability analysis. A virtual endpoint detection system was designed, and ML models were integrated into IDUNN tools and validated using the Gotham Testbed. The Virtual EDR, based on Federated Learning, now serves as the core of a network-based IDS, interacting with ODIN.
WP4 - Accurate Forecast Tools (M1-M36) - finished:
The THOR data crawling framework extracted over 8 million pages from various sources. ML models trained on 500,000 pages extracted 60,000 IOCs. A GDPR-compliant cloud infrastructure was deployed on AWS, and interoperability was confirmed with WAZUH and FRIDD.
WP5 - Resilience Action Tools (M9-M28) - finished:
ODIN integrates inputs from various tools (AMORA, HEIMDAL, THOR, SIEM) and provides resilience actions through notifications and automated/manual responses. It was successfully integrated and implemented in three use case environments.
WP6 - Self-Diagnosis and Human Interactive Tools (M6-M34) - finished:
FRIGG, built using microservices, supports self-diagnostics with KPIs, KRIs, and KFIs. Seventeen dashboards were created, and ML models generated synthetic cybersecurity incident data. An AI agent optimizes ML models in real time, and FRIGG integrates with OpenSearch for decision-making.
WP7 - Building Blocks Validation in Real Scenarios (M10-M30) - finished:
AMORA, HEIMDAL, THOR, ODIN, and FRIGG were validated in three industrial pilots. The tools were tested for effectiveness and applicability in real-world scenarios, with a validation plan and metrics in place.
WP8 - Dissemination, Standardization, and Exploitation (M1-M36) - finished:
Dissemination included maintaining the communication plan, updating the website, creating content for social media, and distributing newsletters. Standardization workshops led to two papers, while exploitation focused on identifying key results and developing individual and joint exploitation plans.
WP9 - Project, Risk, and Innovation Management (M1-M36) - finished:
The project handbook was followed, and all project deliverables and documentation were stored in the repository. Risks were tracked and recorded according to the risk management plan.
WP10 - Ethics (M1-M3) - finished:
The nature of data handled was assessed, and potential misuse of project results was documented, with mechanisms implemented to reduce risks.
* AMORA: Focuses on OT fingerprinting and traceability, enabling comprehensive monitoring.
* HEIMDAL: Provides automated runtime threat detection, allowing real-time identification of threats.
* THOR: Specializes in forecasting potential threats, including previously unknown or zero-day vulnerabilities, leveraging fair AI techniques.
* ODIN: Facilitates resilience actions to mitigate and recover from detected attacks, enhancing system robustness.
* FRIGG: Enables self-diagnosis and system mutation, adapting the cybersecurity framework cyclically to evolving threats.
THOR and FRIGG, in particular, leverage fair Artificial Intelligence to detect “unknown” threats and establish a new level of adaptive cybersecurity operations. This dynamic approach not only strengthens threat response but also introduces a novel mutation mechanism, allowing the system to evolve in tandem with emerging threats.
The IDUNN platform makes the relationship between different stakeholders more agile, efficient, and secure in terms of preserving cybersecurity and privacy, preventing the financial cost of damage caused by cyberattacks. IDUNN helps to build EU resilience to cyber-attacks and to step up the EU's cybersecurity capacity through collaboration with ENISA to set up an EU-wide cybersecurity certification framework for ICT systems.