End-to-end Security of the Digital Single Market’s E-commerce and Delivery Service Ecosystem

ENSURESEC is a sociotechnical solution for safeguarding the Digital Single Market's e-commerce operations against cyber and physical threats. It combines an automatic, rigorous, distributed and open-source toolkit for protecting e-commerce, with monitoring of the impact of threats in physical space and a campaign for training SMEs and citizens aimed at creating awareness and trust. ENSURESEC addresses the whole gamut of modern e-commerce, from standard physical products purchased online and delivered via post, to entirely virtual products or services delivered online. It addresses threats ranging from maliciously modifying web e-commerce applications or rendering them unavailable to legitimate customers, to delivery issues or fraud committed by insiders or customers. It achieves this by focusing on the common software and physical sensor interfaces that sit along the e-commerce, payment and delivery ecosystem. At technical level, it integrates proven state-of-the-art inductive (machine learning) with deductive (formal methods) reasoning tools and techniques so that e-commerce operations are protected by design, as well as through continuous monitoring, response, recovery and mitigation measures at run-time. Importantly, trust of the infrastructure’s operations among its users is established, benefiting from distributed ledger technology ensuring transparency of the operations and that information has not been modified. Although ENSURESEC innovations are applicable to any critical infrastructure that relies and is monitored by networked software systems, its design and integration philosophy make it uniquely prepared to protect distributed and evolving e-commerce infrastructures with its various forms of payment and delivery (virtual, online and physical). ENSURESEC also enhances citizens’ resilience to threats and their trust in e-commerce companies, especially SMEs, thus contributing towards the vision of a reliable and trusted digital single market.

ENSURESEC started in June 2020 and ended in May 2022. The consortium successfully concluded the activities, achieved all proposed objectives and demonstrated the developed results.
ENSURESEC carried out an e-commerce ecosystem risk assessment, which generated relevant knowledge for the development activities in the project and for future initiatives concerning e-commerce security. Partners have identified and categorized the most critical cyber and physical assets in e-commerce ecosystems, and analysed the main risks, threats and vulnerabilities potentially affecting the whole ecosystem. In parallel, an ontology was developed for identifying and analysing cascading effects in critical infrastructures. Moreover, partners have also undertaken a thorough analysis of the evolving regulatory landscape, emerging threats and business state of practice with regards to security in e-commerce, which has resulted in relevant technical and policy recommendations for e-commerce SMEs and regulatory bodies at EU level.
At a technical level, after eliciting and defining the main user, legal, ethical and technical requirements, defining relevant use cases, and defining the architecture and the data flow of the toolkit, the ENSURESEC system was developed. This is a cyber-physical security toolkit to protect e-commerce operators, by integrating with the existing complex infrastructure of the companies which are part of the ecosystem. This modular security toolkit is composed of 19 tools, 9 of them working as backend tools (monitoring the interfaces of the ecosystem and detecting incidents), and 10 being user-facing (raising alerts and mitigation measures). The user-facing tools are available to the user through a common dashboard, that provides a continuous situational picture of the e-commerce critical infrastructure. Although the toolkit can assume different configurations depending on the infrastructure and needs, the consortium has also integrated all tools into a unified platform. Furthermore, the tools have been security tested to guarantee that they have no vulnerabilities that can affect the ecosystem.
The toolkit was demonstrated and validated by end-users in 3 complementary pilots, composed of different scenarios: (i) the first pilot was focused on Cyber-attacks to an e-commerce platform; (ii) the second comprised Physical attacks on pharmacy e-commerce operator; and (iii) the third focused on Cyber-physical attacks to a Bank providing online payment services. All pilots have been successfully executed and evaluated, receiving very positive feedback from the project end-users and external stakeholders.
In addition to the technical solution, ENSURESEC also developed and implemented an e-commerce-tailored cybersecurity training and awareness campaign, aimed at customers of digital commerce. The training and awareness campaign aims at educating online consumers on how to identify malicious practices in e-commerce and how to avoid them (https://becyberaware.eu/(s’ouvre dans une nouvelle fenêtre)).
With regards to extending the project impact, partners have undertaken numerous communication and dissemination activities through the project website and social media, and by presenting the project in both physical and virtual events. 12 scientific papers have been published, and 2 non-scientific publications. The joint and individual exploitation plans have been defined, after a market analysis has been carried out to define the main target segments. A joint exploitation framework agreement is currently being discussed among the partners.

ENSURESEC has developed a suite of low-cost tools which were integrated into a unified platform providing multi-layer, end-to-end security for e-commerce, both at design time and runtime. This is the first holistic security toolkit for e-commerce that provides protection solutions not only for the digital part of the ecosystem, but also for the physical operations.
These developments are expected to produce relevant impacts in the protection of the e-commerce ecosystem. One of the core principles in the development of the ENSURESEC solution is to combine security-by-design and privacy-by-design, through the prevention and preparedness module, providing a contribution to the enforcement of data protection policies and supporting e-commerce businesses to ensure prevention against certain classes of threats. Moreover, ENSURESEC’s use of DLTs and the implementation of a complete audit trail of cyber and physical security incidents establishes unprecedented transparency of e-commerce operations to its users and business partners. ENSURESEC also includes response and recovery tools which minimize the impact of incidents, and situational awareness tools that consider cascading effects. The project has also demonstrated an age verification system in an e-commerce interaction that would leverage the self-sovereign decentralised identity concept, which aimed at supporting EU initiatives such as eIDAS and the EU DI Wallet initiative.
Finally, ENSURESEC has developed a cybersecurity training and awareness campaign tailored to the needs of e-commerce users. The campaign focuses on cybersecurity threats targeting customers, but also on unethical, malicious and deceptive e-commerce practices, being the first of its kind in the world. This is one of the main legacies of the project and will improve overall e-commerce security, promoting the inclusion of SMEs, as well as increasing the use of e-commerce by all citizens.