Periodic Reporting for period 2 - BIECO (Building Trust in Ecosystems and Ecosystem Components)
Periodo di rendicontazione: 2022-03-01 al 2023-08-31
BIECO aims to deliver a framework for building trust within ICT supply chains, by accounting of different processes, ecosystem participants, technologies and resources. Particularly challenging is the assurance of security and trust in complex interactions opposed to ensuring trust of each individual component in isolation.
BIECO provides an holistic framework including mechanisms that help companies to understand and manage the cybersecurity risks. The BIECO framework, composed by a set of tools and methodologies, addresses the challenges related to vulnerability management, resilience, and auditing of complex systems. The main objectives can be summarized as:
• Providing a framework for building trust in ICT supply chains
• Performing advanced vulnerability assessment over ICT supply chains
• Achieving resilience in ecosystems formed by unreliable components
• Extending auditing process to evaluate interconnected ICT systems
• Provide advanced risk analysis and mitigation strategies that support a view of the complete ICT supply chain
• Perform evidence-based security assurance and a harmonized certification for ICT systems
• Industrial validation of BIECO’s framework within IoT ecosystems
BIECO ecosystem was successfully deployed in three industrial use cases in Energy, Electrical Mobility and Finance. In these use cases, over 350 source code files were analysed across three programming languages (C, Python and Java) with 60 being found to be vulnerable. MUD specifications for the use cases were extended by an average of nearly 200%, with 75 security and privacy claims being defined based on standards, best practices and regulation. Finally, the BIECO security evaluation methodology for complex systems was fully realized as a starting point for certification based on several standards and addressing challenges such as automation, objectivity, dynamicity and labelling.
BIECO provides an holistic framework including mechanisms that help companies to understand and manage the cybersecurity risks. The BIECO framework, composed by a set of tools and methodologies, addresses the challenges related to vulnerability management, resilience, and auditing of complex systems. The main objectives can be summarized as:
• Providing a framework for building trust in ICT supply chains
• Performing advanced vulnerability assessment over ICT supply chains
• Achieving resilience in ecosystems formed by unreliable components
• Extending auditing process to evaluate interconnected ICT systems
• Provide advanced risk analysis and mitigation strategies that support a view of the complete ICT supply chain
• Perform evidence-based security assurance and a harmonized certification for ICT systems
• Industrial validation of BIECO’s framework within IoT ecosystems
BIECO ecosystem was successfully deployed in three industrial use cases in Energy, Electrical Mobility and Finance. In these use cases, over 350 source code files were analysed across three programming languages (C, Python and Java) with 60 being found to be vulnerable. MUD specifications for the use cases were extended by an average of nearly 200%, with 75 security and privacy claims being defined based on standards, best practices and regulation. Finally, the BIECO security evaluation methodology for complex systems was fully realized as a starting point for certification based on several standards and addressing challenges such as automation, objectivity, dynamicity and labelling.
• WP1: Project Management, risk assessment, and data management plan.
• WP2: Architecture, Requirements and Use Case Definition
◦ Requirements of the project together with its Key Performance Indicators (D2.1)
◦ Use cases definition (D2.2)
◦ The architecture that supports all the objectives (D2.3 and D2.4)
◦ Additional pre-demonstration for M18 in a simulated controlled environment.
• WP3: Vulnerabilities Management
◦ State-of-the-art analysis for vulnerability management (D3.1)
◦ Data Collection Tool described in D3.2
◦ Vulnerability Forecasting Tool (D3.3)
◦ Vulnerability Propagation Tool (D3.4)
• WP4: Development of Resilient Systems
◦ A first study of research elements in the area of SafeAI and failure detection (T4.1).
◦ Predictive simulation to be used for a variety of trust concerns (T4.2)
◦ First concept for self-adaptation with the help of predictive simulation - T4.3
• WP5: Methods and Tools for Auditing ICT Ecosystems
◦ The runtime auditing framework (D5.1).
◦ A first version of the domain-specific language for developing digital twin models has been created.
◦ Final version of the Auditing Framework (D5.2) with the refinement and containerization (D5.3).
◦ Strategies and methodologies for elaborating predictions and evidence.
◦ The integration of the Auditing framework with the BIECO orchestrator and BIECO Controlled Environment
• WP6: Risk Analysis and Mitigation Strategies
◦ Full specification of the ResilBlockly tool (D6.1) to perform threat and hazard analysis, model risk-related concepts, and visually match risks to each component while also being able to represent attack paths, interactions, and when attacks are exploited
◦ User guide for the Resilblockly tool in D6.2.
◦ Testing of this tool for the definition of an extended MUD file
◦ Integration of dependability assurance methodology (D6.4)
• WP7: Security and Privacy Claims
◦ Set of security and privacy claims was collected and reported in D7.1
◦ Complete security evaluation methodology defined and documented in D7.2
◦ Implementation, testing and integration of the SecurityScorer tool to calculate a secure score.
◦ Improvement of GraphWalker to automatically generate a test suite from a model.
◦ More than 10 publications in national and regional newspapers, tv and radio.
• WP8: Integration, Pilots, and Validation
◦ Implementation of the BIECO Orchestrator, BIECO UI and development of the BIECO Platform (final release) in concordance with both the BIECO Architecture and the requirements gathered from the participating tools.
◦ Documentation to standardize messages sent to and from the BIECO platform.
◦ Design and execution of the BIECO validation methodology
• WP9: Dissemination, Communication, and Exploitation
◦ Definition of the dissemination strategy (D9.1)
◦ BIECO social media pages (Facebook, Twitter, LinkedIn, Instagram and YouTube) were deployed.
◦ Dissemination material: logo, brochures, templates, other actions that create identity, consistency, and awareness of the BIECO project.
◦ Community building: liaise with related H2020 projects, but also extend the project results dissemination through other channels of the partners e.g. national events or organizations.
◦ Dissemination of project results for the purpose of impact generation in the research community, focusing on submitting research papers for publication at leading conferences and workshops, and in high-visibility journals.
◦ Exploitation Plan (D9.4) and the corresponding report in D9.5.
• WP2: Architecture, Requirements and Use Case Definition
◦ Requirements of the project together with its Key Performance Indicators (D2.1)
◦ Use cases definition (D2.2)
◦ The architecture that supports all the objectives (D2.3 and D2.4)
◦ Additional pre-demonstration for M18 in a simulated controlled environment.
• WP3: Vulnerabilities Management
◦ State-of-the-art analysis for vulnerability management (D3.1)
◦ Data Collection Tool described in D3.2
◦ Vulnerability Forecasting Tool (D3.3)
◦ Vulnerability Propagation Tool (D3.4)
• WP4: Development of Resilient Systems
◦ A first study of research elements in the area of SafeAI and failure detection (T4.1).
◦ Predictive simulation to be used for a variety of trust concerns (T4.2)
◦ First concept for self-adaptation with the help of predictive simulation - T4.3
• WP5: Methods and Tools for Auditing ICT Ecosystems
◦ The runtime auditing framework (D5.1).
◦ A first version of the domain-specific language for developing digital twin models has been created.
◦ Final version of the Auditing Framework (D5.2) with the refinement and containerization (D5.3).
◦ Strategies and methodologies for elaborating predictions and evidence.
◦ The integration of the Auditing framework with the BIECO orchestrator and BIECO Controlled Environment
• WP6: Risk Analysis and Mitigation Strategies
◦ Full specification of the ResilBlockly tool (D6.1) to perform threat and hazard analysis, model risk-related concepts, and visually match risks to each component while also being able to represent attack paths, interactions, and when attacks are exploited
◦ User guide for the Resilblockly tool in D6.2.
◦ Testing of this tool for the definition of an extended MUD file
◦ Integration of dependability assurance methodology (D6.4)
• WP7: Security and Privacy Claims
◦ Set of security and privacy claims was collected and reported in D7.1
◦ Complete security evaluation methodology defined and documented in D7.2
◦ Implementation, testing and integration of the SecurityScorer tool to calculate a secure score.
◦ Improvement of GraphWalker to automatically generate a test suite from a model.
◦ More than 10 publications in national and regional newspapers, tv and radio.
• WP8: Integration, Pilots, and Validation
◦ Implementation of the BIECO Orchestrator, BIECO UI and development of the BIECO Platform (final release) in concordance with both the BIECO Architecture and the requirements gathered from the participating tools.
◦ Documentation to standardize messages sent to and from the BIECO platform.
◦ Design and execution of the BIECO validation methodology
• WP9: Dissemination, Communication, and Exploitation
◦ Definition of the dissemination strategy (D9.1)
◦ BIECO social media pages (Facebook, Twitter, LinkedIn, Instagram and YouTube) were deployed.
◦ Dissemination material: logo, brochures, templates, other actions that create identity, consistency, and awareness of the BIECO project.
◦ Community building: liaise with related H2020 projects, but also extend the project results dissemination through other channels of the partners e.g. national events or organizations.
◦ Dissemination of project results for the purpose of impact generation in the research community, focusing on submitting research papers for publication at leading conferences and workshops, and in high-visibility journals.
◦ Exploitation Plan (D9.4) and the corresponding report in D9.5.
Vulnerability detection, forecasting and propagation
BIECO facilitates the detection and analysis of vulnerabilities at an early stage of the software development process, reducing the chances of these vulnerabilities propagating downstream in the supply chain. Furthermore, forecasting potential vulnerabilities and exploitability horizons can help organizations in assessing the urgency of remediation and better allocating resources to protect against likely attacks.
Development of resilient systems
BIECO’s runtime dynamic evaluation of trust through predictive simulation enables dynamic management and optimization opportunities beyond the assurance of specific critical properties. By combining predictive simulation and runtime monitoring, BIECO can detect anomalous or untrusted behaviour as well as potential security incidents, allowing for rapid response and mitigation.
Auditing based on runtime monitoring
Bieco provides an innovative and integrated environment able to audit interconnected ICT systems (including Cyber-Physical Systems) during their execution through Digital Twin and conformity monitoring. Smart management of knowledge and testing data is also provided.
Security testing and certification
BIECO’s comprehensive security testing tools and certification methodology can help ensure that software components are free of vulnerabilities and meet security standards before they are integrated into the supply chain. BIECO’s security scoring tools can provide a quantitative measure of the security of software components, making it easier to compare and select trustworthy components to integrate into the supply chain.
Protecting ICT systems through behavioural profiles
MUD file is a widely used format for specifying behaviour of a system or component. BIECO project seeks to link certification methodology with specification of policies using MUD file that was extended to provide a higher expressiveness, allowing to specify different types of policies at different layers.
BIECO facilitates the detection and analysis of vulnerabilities at an early stage of the software development process, reducing the chances of these vulnerabilities propagating downstream in the supply chain. Furthermore, forecasting potential vulnerabilities and exploitability horizons can help organizations in assessing the urgency of remediation and better allocating resources to protect against likely attacks.
Development of resilient systems
BIECO’s runtime dynamic evaluation of trust through predictive simulation enables dynamic management and optimization opportunities beyond the assurance of specific critical properties. By combining predictive simulation and runtime monitoring, BIECO can detect anomalous or untrusted behaviour as well as potential security incidents, allowing for rapid response and mitigation.
Auditing based on runtime monitoring
Bieco provides an innovative and integrated environment able to audit interconnected ICT systems (including Cyber-Physical Systems) during their execution through Digital Twin and conformity monitoring. Smart management of knowledge and testing data is also provided.
Security testing and certification
BIECO’s comprehensive security testing tools and certification methodology can help ensure that software components are free of vulnerabilities and meet security standards before they are integrated into the supply chain. BIECO’s security scoring tools can provide a quantitative measure of the security of software components, making it easier to compare and select trustworthy components to integrate into the supply chain.
Protecting ICT systems through behavioural profiles
MUD file is a widely used format for specifying behaviour of a system or component. BIECO project seeks to link certification methodology with specification of policies using MUD file that was extended to provide a higher expressiveness, allowing to specify different types of policies at different layers.