CORDIS - EU research results

Enhancing Critical Infrastructure Protection with innovative SECurity framework

Periodic Reporting for period 2 - CIPSEC (Enhancing Critical Infrastructure Protection with innovative SECurity framework)

Reporting period: 2017-11-01 to 2019-04-30

CIPSEC pursues these goals:

- Obtain a unified security framework for the CI architecture: The complete CIPSEC Framework has been implemented, integrating the envisioned products and services and covering heterogeneous yet complementary features: Endpoint Detection and Response (including intrusion detection; malware detection, blocking, analysis and removal; network and host activity monitoring; and anti-jamming); Data Encryption; Data Anonymization and Privacy; Anomaly Detection; Identity and Access Management; Integrity Management and Forensics Analysis; Vulnerability Analysis; Contingency Planning; and Updating and Patching. Last but not least, a complete training platform was put in place with a set of courses covering a wide range of aspects of high interest for critical infrastructure protection, including face-to-face training.
- Obtain a security ecosystem with solutions and services that go beyond the single CI borders: The vulnerability analysis service serves to anticipate likely incidents derived from weaknesses present in the infrastructure under analysis. As for privacy, CIPSEC contributes to fostering the sharing of security information with external entities thanks to anonymization techniques that allow the exchange of relevant information without disclosing delicate data in MISP (Malware Information Sharing Platform) servers. CIPSEC fostered the development of better and more complete contingency plans, encouraging the pilots to move to the next level by engaging with authorities and policy makers, and also to keep their current plans monitored while searching for ways to improve. The partners have delivered workshops and training courses, making available a training platform with a set of relevant courses. Advanced data visualization techniques have been developed to allow for better forensic analysis, adding new sources of information to the intelligence layer for obtaining relevant data. Finally, the Consortium has searched for solutions aimed at the automatic updating and patching of different components in CIPSEC.
- Validate the CIPSEC security framework in real CIs: The plans for deployment of the different CIPSEC components in the three pilots have been carried out. The Consortium discovered the peculiarities of the three scenarios and learned that there is no silver bullet when it comes to deploying a security solution for CIs. We tested that the different components act as expected in several simulated risk scenarios, and we designed and executed a series of tests to check the performance of the framework. As a side activity, a total cost of ownership analysis was conducted to demonstrate that the investment is worthwhile if it mitigates the effects of a major attack or several minor ones.
- Consolidate International and European links and collaborate with standardization bodies: We have continued with the approach adopted in the first half of the project of staying in touch with different working groups, following an approach of “monitor, inform and contribute as possible”.
- Ready-to-market solutions and immediate market impact: 10 business models have been produced: six for different CIPSEC components (DoSSensing, XL-SIEM, Secocard, Forensics Visualization Toolkit, GravityZone, and the Vulnerability Assessment); three for the different verticals considered in the project (transport, health and environment); and a business case for the joint exploitation of the project results. A cooperation agreement has been signed by the different partners to establish a collaboration framework with terms and conditions to exploit the project outcomes. All partners have further developed their individual exploitation plans.
Upon project kick-off, the Consortium started working to achieve the ambitious goals set for the project. The first step was to identify a series of requirements common to most critical infrastructures, i.e. vertical-agnostic ones, and then to find those that depend on a specific vertical, involving from the very beginning the three CIPSEC pilots chosen as use cases to validate the solution.
With these requirements elicited, we derived a design of the CIPSEC Framework, with a reference architecture for critical infrastructure protection against cyber incidents. In this architecture we could find the right place for each product and service to be part of CIPSEC. All the pieces fit and the puzzle was assembled. Then it was time to make it real.
We followed a continuous integration approach in a distributed environment in which the interfaces among the different products were studied, designed and implemented, reaching an initial proof of concept halfway through the project timeline. Then we worked on providing CIPSEC with an appealing and harmonized user interface, intuitive and easy to use. In parallel, we continued to integrate the rest of the pieces of the puzzle.
Thorough work was performed to deploy CIPSEC on the three pilot sites. This confirmed that each critical infrastructure is unique and that no two deployments are identical. The optimal approaches were found for an effective operation of CIPSEC at each of the pilot sites.
Once the deployments were working correctly, a thorough testing process was carried out to check that CIPSEC behaves as expected in a wide range of attack scenarios. Several tests were also made to assess the performance measured from different angles. A total cost of ownership (TCO) analysis was conducted to demonstrate that the investment is worthwhile if it mitigates the effects of a major attack or several minor ones.
The main innovation streams in CIPSEC are enumerated in the following:

* The definition of a reference architecture for CI protection against cyber incidents, elaborated by considering the whole security data cycle involved in daily infrastructure operation. This architecture builds on the design of the framework using highly valuable data coming from the requirements study across different verticals, with special focus on those of the pilots.

* Showing the feasibility of integrating different heterogeneous security products and making them work together, demonstrating the added value brought by the joint features, which are not possible when the products work separately.

* CIPSEC provides a global solution which addresses the global picture of any crisis scenario a CI may undergo. CIPSEC not only secures network edge services of cloud infrastructures in CI scenarios, but also takes into account existing interdependencies.

* CIPSEC underpins the features provided by the products with a set of services forming a security ecosystem, orchestrated among themselves and with the products in such a way that the client is offered a global, solid and flexible vision of the protection of its most valuable assets.

* Making cybersecurity solutions for CI more affordable, with a two-fold effect: 1) most organizations can access cybersecurity solutions, which in turn helps raise awareness of how critical it is to be ready for ever more sophisticated threats and attacks, and of how to react to actual incidents; and 2) if the solutions become more affordable, capital can be invested in actual business development and strengthening, with a direct effect on ledgers.

* Finally, CIPSEC components show a high TRL (from 7 to 9), which brings the actual introduction of the framework into the market much closer.