Periodic Reporting for period 2 - ENSURESEC (End-to-end Security of the Digital Single Market’s E-commerce and Delivery Service Ecosystem)
Reporting period: 2021-06-01 to 2022-05-31
ENSURESEC carried out an e-commerce ecosystem risk assessment, which generated relevant knowledge for the development activities in the project and for future initiatives concerning e-commerce security. Partners have identified and categorized the most critical cyber and physical assets in e-commerce ecosystems, and analysed the main risks, threats and vulnerabilities potentially affecting the whole ecosystem. In parallel, an ontology was developed for identifying and analysing cascading effects in critical infrastructures. Moreover, partners have also undertaken a thorough analysis of the evolving regulatory landscape, emerging threats and business state of practice with regard to security in e-commerce, which has resulted in relevant technical and policy recommendations for e-commerce SMEs and regulatory bodies at EU level.
At a technical level, after eliciting and defining the main user, legal, ethical and technical requirements, defining relevant use cases, and defining the architecture and the data flow of the toolkit, the ENSURESEC system was developed. This is a cyber-physical security toolkit to protect e-commerce operators by integrating with the existing complex infrastructure of the companies which are part of the ecosystem. This modular security toolkit is composed of 19 tools, 9 of them working as backend tools (monitoring the interfaces of the ecosystem and detecting incidents), and 10 being user-facing (raising alerts and mitigation measures). The user-facing tools are available to the user through a common dashboard that provides a continuous situational picture of the e-commerce critical infrastructure. Although the toolkit can assume different configurations depending on the infrastructure and needs, the consortium has also integrated all tools into a unified platform. Furthermore, the tools have been security tested to guarantee that they have no vulnerabilities that can affect the ecosystem.
The toolkit was demonstrated and validated by end-users in 3 complementary pilots, composed of different scenarios: (i) the first pilot focused on cyber-attacks on an e-commerce platform; (ii) the second comprised physical attacks on a pharmacy e-commerce operator; and (iii) the third focused on cyber-physical attacks on a bank providing online payment services. All pilots have been successfully executed and evaluated, receiving very positive feedback from the project end-users and external stakeholders.
In addition to the technical solution, ENSURESEC also developed and implemented an e-commerce-tailored cybersecurity training and awareness campaign, aimed at customers of digital commerce. The training and awareness campaign aims at educating online consumers on how to identify malicious practices in e-commerce and how to avoid them (https://becyberaware.eu/).
With regard to extending the project impact, partners have undertaken numerous communication and dissemination activities through the project website and social media, and by presenting the project in both physical and virtual events. 12 scientific papers and 2 non-scientific publications have been published. The joint and individual exploitation plans have been defined, after a market analysis was carried out to define the main target segments. A joint exploitation framework agreement is currently being discussed among the partners.
These developments are expected to produce relevant impacts in the protection of the e-commerce ecosystem. One of the core principles in the development of the ENSURESEC solution is to combine security-by-design and privacy-by-design, through the prevention and preparedness module, providing a contribution to the enforcement of data protection policies and supporting e-commerce businesses to ensure prevention against certain classes of threats. Moreover, ENSURESEC’s use of DLTs and the implementation of a complete audit trail of cyber and physical security incidents establishes unprecedented transparency of e-commerce operations to its users and business partners. ENSURESEC also includes response and recovery tools which minimize the impact of incidents, and situational awareness tools that consider cascading effects. The project has also demonstrated an age verification system in an e-commerce interaction that would leverage the self-sovereign decentralised identity concept, which aimed at supporting EU initiatives such as eIDAS and the EU DI Wallet initiative.
Finally, ENSURESEC has developed a cybersecurity training and awareness campaign tailored to the needs of e-commerce users. The campaign focuses on cybersecurity threats targeting customers, but also on unethical, malicious and deceptive e-commerce practices, being the first of its kind in the world. This is one of the main legacies of the project and will improve overall e-commerce security, promoting the inclusion of SMEs, as well as increasing the use of e-commerce by all citizens.