Periodic Reporting for period 2 - FISHY (A coordinated framework for cyber resilient supply chain systems over complex ICT infrastructures)
Reporting period: 2022-03-01 to 2023-08-31
FISHY objectives are: 1) Implement a functional platform for cyber resilience provisioning for supply chains of complex ICT systems, leveraging trust and security management; 2) Develop an evidence-based security assurance and certification methodology identifying security claims and metrics; 3) Develop a metrology model and system for supply chains, leveraging trust among parties and relying on distributed interledger technologies alongside forecasting and estimation concepts based on AI methods; and 4) Deploy, validate and demonstrate the FISHY platform in heterogeneous, real-world pilots.
FISHY considers all the supply chain components, facing the complex problems of the IoT, Edge and Cloud layers. FISHY combines innovative functionalities that cover the whole cycle of cybersecurity, from detection to application of countermeasures.
FISHY deploys diverse data collectors that gather a set of relevant metrics about the activity in the supply chain. These data are used at a higher intelligence layer where diverse monitoring techniques are applied, performing analysis, raising alerts and proposing mitigation actions. We obtained satisfactory results, with enhanced detection capabilities adapted to each individual supply chain. FISHY uses this knowledge to conduct a security assurance and certification process involving both auditing and reasoning stages, relying on certifiable evidence.
FISHY covers reaction when incidents arise. FISHY researched the (semi-)automation of responses leveraging intent-based networking techniques. FISHY explored the definition of security policies by means of intents that use close-to-human language and, in parallel, the project set the ground for (semi-)automatic reconfiguration of the supply chain to mitigate the effects of attacks. Using predefined policies, FISHY can react to detected threats automatically or after user confirmation, and enforce security rules.
FISHY established a solid, cornerstone connectivity pattern that copes with a wide range of needs posed by supply chains while allowing great flexibility in deployment on a specific client infrastructure.
Finally, FISHY adopted a GDPR-compliant and privacy-centric approach for end-to-end protection of supply chains.
- Final requirements/constraints for FISHY Platform
- Final FISHY Architecture, with internal workflows
- Final tracking of external efforts, technology evolution and business trends relevant to FISHY
- Delivery models for FISHY
- Final Platform release
- Deploying the 3 use cases
- 2nd iteration of the pilot setup, followed by deployment, validation and assessment of the FISHY Platform with a specific methodology and KPIs
- Demos performed and recorded, some of them published on the FISHY YouTube channel
- Attacks of interest per pilot modelled using ENISA and MITRE ATT&CK Frameworks
- Key messages conveyed upon piloting conclusion
- Performed a series of dissemination/communication actions
- Performed a series of standardization actions
- Enhanced plans for the 7 Key Exploitable Results (KERs), including Lean BMC, MTRL and BOSAT assessments, user roles and stories defining industrial success stories, IPR management, sustainability strategy, improved pitch materials, Open FISHY and GitHub
- Collaboration with the Horizon Result Booster
- Innovation Radar updated and submitted.
- The anomaly detection capabilities of Wazuh have been complemented with LOMOS, an ML-based log monitoring solution.
- XL-SIEM: enhanced detection capabilities in the manufacturing and automotive sectors, leveraging the respective pilots.
- Predictive Maintenance Monitoring (PMEM) focuses on utilizing supervised and unsupervised machine learning approaches. In the second half of the project PMEM evolved to make use of both rule-based and machine learning strategies. Also in this period, PMEM developed a mitigation strategy for DDoS attacks, agreed with the help of the Intent-Based Resilience Orchestrator (IRO) and the Enforcement and Dynamic Configuration (EDC).
- Adapting Zeek scripting capability for autonomous network traffic anomaly detection in industrial environments.
- Risk Assessment Engine (RAE): collection of information from Threat Intelligence, optimization of the calculation algorithm and enhancements in the GUI.
- The Trust Monitor introduces a level of abstraction in the remote attestation process, allowing different attestation frameworks based on various technologies to be managed while hiding all the details about the specific framework used.
As for the Security Assurance and Certification Manager (SACM):
- It is an integrated suite of tools which can provide comprehensive cyber security risk detection and management for enterprise systems.
- Includes automated cyber threat intelligence ingestion and hunting.
- Features penetration testing and support for ingestion of penetration testing reports produced by third-party tools.
- Reports progress towards automated incident response (SOAR) based on CACAO playbooks.
- Brings automated User and Entity Behaviour Analysis (UEBA) based on machine learning and self-adaptive machine learning (auto ML).
- May engage cyber security training using advanced cyber range (CR) technology.
The Enforcement and Dynamic Configuration (EDC) is paving the way towards networks that autonomously manage security risks, including smart and automatic reactions to incidents with risk management-aware processes and AI-based decisions.
Regarding the Intent-based Resilience Orchestrator (IRO) the innovation streams are the following:
- Studying the Intent-based translation of user security requirements.
- Design and implementation of an intent-based orchestrator.
- Studying the role of Intent-Based Networking (IBN) in ICT supply chains.
- Studying ML-based solutions for IBN systems.
And finally, concerning the Security and Privacy Data Space Infrastructure:
The Data Management component handles cybersecurity data from sensors and logs linked to the ICT infrastructure, produced by numerous detection mechanisms. Most of the tools used detect specific breaches, but usually with several false positives or false negatives; that issue can be effectively addressed via correlation. SPI leverages such solutions by defining:
- Common event cybersecurity format (using CEF), along with a cybersecurity metrics taxonomy aiming to provide specific context meaning to cybersecurity events within the supply-chain/industrial context
- Proper data organization and distribution through a message broker (RabbitMQ), with an extension mechanism to provide privacy, based on the ARX platform
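As an added illustration of the correlation the SPI passage describes (example code written for this page, not FISHY project code): the helpers below parse CEF-encoded events from several detectors into one common representation and promote a (src, dst) flow to an alert only when at least two distinct detectors report it within a time window, so a single noisy detector cannot raise an alert on its own. The detector names, signature IDs, addresses and timestamps in the sample are constructed, and the RabbitMQ transport and ARX-based anonymisation are assumed to sit outside this snippet.

```python
import re
from collections import defaultdict

# Constructed sample input: CEF events as three heterogeneous detectors might emit
# them into the common format. Signature IDs, hosts and timestamps are illustrative.
SAMPLE_EVENTS = [
    "CEF:0|Wazuh|wazuh-manager|4.3|5710|sshd: non-existent user|7|src=10.0.0.5 dst=10.0.1.20 rt=1700000000000",
    "CEF:0|Zeek|zeek|5.0|ssh_brute|SSH brute force heuristic|6|src=10.0.0.5 dst=10.0.1.20 rt=1700000030000",
    "CEF:0|XL-SIEM|xl-siem|1.0|portscan|Port scan detected|4|src=10.0.0.9 dst=10.0.1.20 rt=1700000060000",
    "CEF:0|Zeek|zeek|5.0|ssh_brute|SSH brute force heuristic|6|src=10.0.0.5 dst=10.0.1.20 rt=1700002000000",
]

HEADER_FIELDS = ("version", "vendor", "product", "dev_version", "signature_id", "name", "severity")

def parse_cef(line):
    """Split one CEF record into its seven header fields plus the key=value extension."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    # Header fields are separated by unescaped pipes; an escaped pipe (\|) stays in the value.
    parts = re.split(r"(?<!\\)\|", line[4:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    event = dict(zip(HEADER_FIELDS, (p.replace("\\|", "|") for p in parts[:7])))
    event["severity"] = int(event["severity"])
    # Extension: space-separated key=value pairs; a value runs until the next "key=".
    event["ext"] = dict(re.findall(r"(\w+)=(.*?)(?= \w+=|$)", parts[7]))
    return event

def correlate(lines, window_ms=300_000, min_sources=2):
    """Return one alert per (src, dst) flow that >= min_sources distinct detectors saw within window_ms."""
    flows = defaultdict(list)
    for ev in map(parse_cef, lines):
        flows[(ev["ext"].get("src"), ev["ext"].get("dst"))].append(ev)
    alerts = []
    for (src, dst), evs in flows.items():
        evs.sort(key=lambda e: int(e["ext"]["rt"]))
        for i, first in enumerate(evs):
            t0 = int(first["ext"]["rt"])
            # Events from this one forward that fall inside the correlation window.
            group = [e for e in evs[i:] if int(e["ext"]["rt"]) - t0 <= window_ms]
            vendors = {e["vendor"] for e in group}
            if len(vendors) >= min_sources:
                alerts.append({"src": src, "dst": dst, "sources": sorted(vendors),
                               "severity": max(e["severity"] for e in group)})
                break  # one corroborated alert per flow is enough
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

With the sample input, the SSH flow seen by both Wazuh and Zeek 30 s apart becomes one alert at the higher of the two severities, while the lone XL-SIEM port scan event and the Zeek repeat outside the window are not promoted.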