20170629_ANASTACIA-D1.1-Final (30 June 2017)

59
ANASTACIA has received funding from the European Union's Horizon 2020 research and innovation programme under Grant Agreement N° 731558 and from the Swiss State Secretariat for Education, Research and Innovation. This document only reflects the ANASTACIA Consortium's view. The European Commission is not responsible for any use that may be made of the information it contains.

D1.1 Holistic Security Context Analysis

This deliverable presents the results of ANASTACIA Task 1.1. The aim of the task is to perform a holistic analysis of the ANASTACIA cybersecurity approach, by analysing the various risks from a life-cycle perspective, across the whole deployment from the edge to the core, combining various expertise and stakeholder perspectives.

Distribution level: [PU]
Contractual date: 30.06.2017 [M06]
Delivery date: 30.06.2017 [M06]
WP / Task: WP1 / T1.1
WP Leader: CNR
Authors: E. Cambiaso (CNR), M. Mongelli (CNR), I. Vaccari (CNR), R. Trapero Burgos (ATOS), M. Alie El-din (UTRC), D. Belabed (THALES), T. Taleb (AALTO), I. Farris (AALTO), M. A. Bou Hanana (AALTO), A. Molina Zarca (UMU), D. Rivera (MONT), K. Eunah (DG), L. Scudiero (AS).
EC Project Officer: Carmen Ifrim, [email protected]
Project Coordinator: Softeco Sismat SpA, Stefano Bianchi, Via De Marini 1, 16149 Genova, Italy, +39 0106026368, [email protected]
Project website: www.anastacia-h2020.eu


Document metadata: Author Enrico Cambiaso; Created 6/29/2017 9:32:56 AM


Page 1 of 58

Table of contents

PUBLIC SUMMARY ... 2
1 Introduction ... 3
  1.1 Technical Aspects of ANASTACIA ... 3
  1.2 Reasons and Aims of the Project ... 3
  1.3 Introduction to Holistic Security approach ... 3
  1.4 Revision History ... 4
2 Holistic cybersecurity approach ... 5
  2.1 Holistic Cybersecurity Approach Formalization ... 6
  2.2 HCS-IF ... 8
3 User Perspective Analysis ... 12
  3.1 Building Energy Management System (BEMS) ... 12
  3.2 Multi-access Edge Computing (MEC) ... 12
  3.3 Internet of Things (IoT) ... 13
4 Business Perspective Analysis ... 15
5 Technical Perspective Analysis ... 17
  5.1 Security Policy Model Proposals Under Consideration ... 17
  5.2 Security Policies Solutions under consideration ... 22
  5.3 Overview of Software-based Network Security Enablers ... 24
  5.4 New security and privacy threats in IoT ... 29
6 Legislative and Sociological Perspective Analysis ... 36
7 Security in ANASTACIA ... 40
  7.1 ANASTACIA Protection Layers ... 40
  7.2 Current ANASTACIA Progress ... 41
8 Conclusions ... 44
9 Appendix I: Security related terminology ... 45
10 References ... 57


PUBLIC SUMMARY

ANASTACIA is a framework for the management of complex networks and systems. The following technologies and scenarios are addressed in particular: Internet of Things (IoT), Software Defined Networking (SDN), Building Energy Management Systems (BEMS) and Multi-access Edge Computing (MEC), also considering Network Function Virtualization (NFV) and policy-based management aspects.

The main aim of the ANASTACIA platform is to guarantee secure data transmission, considering that the information shared on the network is sensitive by nature. This goal requires the design, implementation and deployment of innovative and efficient protection systems, technologies and algorithms.

This deliverable analyses the technical approaches adopted to implement the framework and the innovative holistic security model, also focusing on threats and on the related detection and mitigation activities and methodologies. Moreover, approaches to the definition of security policies are discussed, analysing their structural and decisive aspects through an in-depth study of ANASTACIA users and their activities and behaviour.

These concepts are the kernel of the holistic security approach, an implementation of security systems that has become popular in recent years because it can detect novel threats inside computer networks through, e.g., behavioural user analysis, which provides information about the source of network attacks. In this context, behavioural user analysis leads to protection systems that also cover novel and unexpected categories of attacks.


1 INTRODUCTION

In this initial chapter we introduce the main functionalities and characteristics of the ANASTACIA project, mainly focusing on the approach adopted to implement the system/framework, on the technical aspects and on the security aspects to be considered during the development of the platform.

1.1 TECHNICAL ASPECTS OF ANASTACIA

The ANASTACIA project analyses different technological aspects considered particularly important in the cyber-security field. In this initial section we briefly introduce the technologies and notions used in ANASTACIA:

• Cybersecurity: the field of computer science concerned with threat analysis, vulnerability identification and management, and the risk associated with ICT assets, with the aim of protecting such systems from (internal or external) cyber-attacks potentially able to cause (direct or indirect) damage with an impact higher than a pre-defined threshold (e.g. economic, reputational or socio-political damage).

• Cyber-physical systems: ICT systems able to interact continuously with the physical system they operate in. Such a system is composed of physical elements equipped with computational capabilities and presents three characteristics ("the three Cs"): computation, communication and control.

• Internet of Things (IoT): everyday objects (e.g. fridges, TVs, door sensors, video cameras, light bulbs, weather stations) able to communicate among themselves and with the environment by exploiting an Internet connection to exchange data in real time, without requiring external devices to manage the communication.

• Software-defined networking (SDN): an approach in the computer networking field that gives network administrators the ability to initialize, control, update and manage the network configuration dynamically, through dedicated interfaces and protocols, by abstracting the low-level functionality of the network nodes.

• Network function virtualization (NFV): a network architecture concept that uses IT virtualization technologies to virtualize entire classes of network functions in order to design, deploy and manage networking services.

1.2 REASONS AND AIMS OF THE PROJECT

The main ANASTACIA objective is to provide security and trust in ICT systems by properly managing the constant and continuous discovery of vulnerabilities. ANASTACIA will adopt a holistic security framework addressing all the stages of the ICT system development life cycle. The ANASTACIA platform considers the evolution of ICT aspects such as information security, technologies and the discovery of novel, evolving cyber-attacks. These concepts are extremely important in the cyber-security field. In particular, considering novel threats, if an ICT system is targeted by a 0-day attack and it is not possible to properly counter and mitigate the threat, the effects of the attack may be catastrophic. For this reason, the ANASTACIA project aims to create an elastic and dynamic protection system based on an innovative approach for implementing, deploying and providing security for data transmission and connected devices.

1.3 INTRODUCTION TO HOLISTIC SECURITY APPROACH

In recent years, holistic approaches have been widely included in the system/platform development life cycle. Such an approach focuses on analysing the entire network infrastructure, without excluding any variable. In this document, we describe in more detail how a holistic approach "works" and report its main characteristics.

Cyber-security can be seen as a purely ICT-related issue or as a legislative and regulatory compliance problem. Nevertheless, it needs a new approach able to consider all the components of the system, in order to define a security plan that effectively protects the commercial interests, the immaterial assets and the infrastructure of the organization from the risks and threats that may target the system.

1.4 REVISION HISTORY

Version  Date            Author                    Description
0.1      April 19, 2017  E. Cambiaso               First version of the document
0.2      May 23, 2017    E. Cambiaso               Integrated contributions from other partners
0.3      May 26, 2017    M. Mongelli               Internal review of the document
0.4      June 7, 2017    I. Vaccari                RC1 production
0.5      June 28, 2017   I. Vaccari                RC2 production
0.6      June 29, 2017   I. Vaccari, E. Cambiaso   Final version production


2 HOLISTIC CYBERSECURITY APPROACH

Technology is always under development and innovation: every day new devices and novel technologies are introduced into the market and proposed to the world. The main aim of technological development is to improve people's daily lives, e.g. monitoring their home using a mobile device or accessing their bank account using a smartphone.

Technology has also attracted malicious users who exploit this development to gain fame or to obtain valuable information that they can subsequently sell. Cybersecurity is an essential element of technology, since it is necessary to protect devices from possible attacks by hackers. Organizations are the primary target of hackers, since most of them use and exchange sensitive data every day. This is driven by different factors: the wide range of cyber-attacks available, the number of potential victims, the use of social engineering, and the role of the insider, which becomes more and more important every day.

An organization can implement its defence system using different approaches, such as deciding to defend itself from a particular suite of attacks or limiting access to sensitive data, but recent studies have shown that such systems remain vulnerable. A widely used approach with good results in preventing and managing cyber-attacks is the holistic approach. A holistic approach incorporates the technical, human and physical factors relevant to the detection, prevention and correction of cyber-security vulnerabilities1. The main feature of this approach is to extend defence beyond technology, mainly for two reasons: whoever runs the attack is a person, and the attacker's goal is very often to attack a person in order to access the network. This approach seeks to achieve a balance between efficiency and security. A growing set of case studies demonstrates that even the best technological solutions can be rendered ineffective by improper human action; conversely, proper human behaviour enhances the capability of these same technological defences.

A holistic system uses the collaboration between people, technology and physical defences to build a secure system and protect it from cyber-attacks. Initially, a security study of the organization is conducted, whose main aim is to find vulnerabilities in order to define a general defence structure.

Most evaluations focus mainly on the technical aspects, performing penetration testing to ensure the network security of the organization, yet the human and physical factors are arguably just as important. An organization must be considered as an association of people and processes in a physical domain rather than just a series of devices on a network; in this way it is possible to gain an accurate perspective of an organization's systems and of the collaboration between the entities, in order to understand how the organization functions. To do this, a study of the strengths and weaknesses of all aspects of an organization's security must be performed, analysing the internal staff, the physical defences, and the cyber-security awareness and accountability of the staff.

The initial step of this procedure is to identify critical information, that is, information that, if stolen, modified or made inaccessible, can lead to serious losses for the organization. The data used within an organization contains very delicate information about the activities carried out, personal data of employees, or transactions carried out with external entities such as customers or suppliers. The decision on which data to protect is crucial, as defending all types of data is very complex, and even a system capable of protecting all data would still be an unsafe system. The decision-making phase on which types of data to protect is very delicate and needs to be carried out accurately.

Once the definition of the data to be protected has been completed, the next step involves deciding who can physically access the areas where data or network devices are located. If everyone had access to these devices, a malicious user could deny access to data by physically attacking the server or the network infrastructure.

A very important step in creating a solid and compact defence system is to communicate rules and roles to employees. Organizational employees need to know what they can and cannot do, and what the consequences are for incorrect or unacceptable behaviour. Cyber-security governance is the best approach to do this, since governance is a critical element of cyber-security awareness. A particular situation may arise when a user causes a cyber breach through an involuntary action. Since most of the damage is caused by these situations, organizations need to inform employees in detail about the actions to be taken, as involuntary damage can lead to serious losses.

1 http://www.securitymagazine.com/blogs/14-security-blog/post/87239-the-argument-for-holistic-cybersecurity

In recent years, it has been noted that most of the cyber-security problems detected on computer systems have been initiated by human activities. A solution to this problem was sought; the best way to mitigate this risk is cyber-security training that creates awareness and hardens personnel against attack. Without informing users of the malicious actions that attackers can take to access the network, employees are at risk of manipulation and exploitation through spear-phishing or social engineering efforts aimed at stealing network credentials. One of the first things to understand about the insider threat is that it can be someone acting intentionally or unintentionally. Often, the insider is imagined as someone who deliberately wants to severely damage the organization's IT system, but most of the time users are involuntarily providing access to malicious users. That is to say, insiders cause most of the damage by accessing sensitive data, creating serious damage to the system. Extended access to data can allow insiders to create devastating damage to the system and at the same time cover their tracks to avoid being discovered.

Even in these cases, the solution is to instruct users not to let themselves be exploited by external users into providing network access credentials. The detection of malicious insiders can be done by analysing online activity, downloaded or transferred files, and badge records. The analysis must be carried out to monitor users and prevent any kind of attack from inside the system. An important consideration regarding the insider threat is the balance between security and employee privacy: it is generally known that there is no expectation of privacy when using an organization's network and devices; nevertheless, employee monitoring is an area that many organizations prefer to avoid. Nowadays, any computer system may be attacked by malicious users, so it is necessary to implement an attack detection system and a response plan to avoid damage to the system. The best way is to recognize the impact, own the risk, educate shareholders and partners about the risk, have a validated incident response plan, and execute that plan immediately.

The last but not least important factor to be considered in the holistic approach is morale within the organization. If users all have a positive mindset and are loyal to their colleagues and their work, they are definitely less motivated to do damage to the business or to colleagues. Accordingly, organizational culture both creates and reinforces a security culture. The interrelationship and interdependence of organizational and security cultures, of people and devices, and of devices and physical defences underline the need for a holistic approach to cyber-security.

2.1 HOLISTIC CYBERSECURITY APPROACH FORMALIZATION

In order to define the structure of the holistic approach, the first step involves the study of a possible implementation of this defence system against cyber-attacks. An interesting holistic framework for the cyber-security environment was developed by Issa Atoum, Ahmed Otoom and Amer Abu Ali. Every entity tries to protect its systems by defining cyber-security strategies (CSSs). These strategies are based on three main processes: strategy formulation, strategy implementation and strategy evaluation. [Atoum, 2014] proposed a framework that implements the strategy implementation process.

The holistic approach has three main aims: first, to ensure early detection of likely threats and mitigate risks related to information systems and critical infrastructures; second, to enable decision-makers to take the necessary actions when needed; and last, to be able to implement security solutions that involve vast numbers of stakeholders, including private entities, government entities and citizens.

The holistic cyber-security implementation framework (HCS-IF) aims to provide a core structure for a general approach to implementing CSSs. HCS-IF is built through several processes executed sequentially, one after the other, which can be grouped into five main steps (see Figure 1):


Figure 1 - A sample holistic approach for cyber-security

According to the figure, the following steps are involved:

1. The initial phase conducts a study of the current state of cyber-security defence systems in national or organizational environments, focusing on the guidelines and strategies used.

2. Elicit common security components: in this phase, common cyber-security components are extracted. High-level security features are extracted, without analysing the technical details of the implementation. The result of this phase is a set of features, inherent to the defence against cyber-attacks, that the system must have.

3. Generalize components: the data collected in the previous steps are processed by eliminating duplicates and generating common solutions to different problems.

4. In this phase, the framework is implemented using the holistic approach, to achieve the aims required in the previous phases and to ensure the required security features.

5. In the last phase, the HCS-IF is compared with related frameworks.


2.2 HCS-IF

Figure 2 - HCS-IF components

The HCS-IF, shown in Figure 2, has the following major core components: CSS, requirement elicitation, strategic moves, controls, security objectives and the implementation framework repository. The main goal of the HCS-IF is to analyse the CSS, extract the requirements and turn them into strategic moves. These strategic moves are executed under the defined framework in order to reach the defined security objectives.

2.2.1 CSS

CSSs are based on assessments of the current information security status. These CSSs recognize the malicious threats and may include some guidelines on how to deal with cyber-security threats.

2.2.2 Requirement elicitation

Requirement elicitation (RE) is a well-known area of the software engineering field; in HCS-IF it is used to convert the CSS into a set of security requirements. The aim is to break the CSS down into manageable requirements.

2.2.3 Cyber-security strategic moves

Cyber-security strategic moves are actions taken to reach one or more cyber-security aims. The strategic moves identify the actions to be taken to achieve a security objective of interest. This component is subdivided into different parts, as shown in Figure 3.


Figure 3 - Cyber-security strategic moves

According to the figure, the following activities are executed:

• Convert requirements to goals: requirements are converted to SMART (specific, measurable, achievable, relevant, time-bound) goals to facilitate measuring achievements. CSSs are often written in natural language, which can help to identify potential goals.

• Prioritize goals: at this stage, priorities are assigned to the various goals. There are several ways to prioritize; an efficient one is to evaluate the importance and weight of each goal for the overall system.

• Security valuation: goals are often implemented by one or more projects; the purpose of this phase is to approve project initiation.

2.2.3.1 Build/update project roadmap

Build a roadmap of projects to optimize the development phase and get the best results in the shortest possible time.


2.2.4 Controls

Controls are used to manage and monitor the implementation of an organization's behaviour in order to achieve security targets. They allow for predictive, corrective and decision-making actions. The various types of controls are reported below:

• Governance: governance controls govern the CSS implementation, which requires a governance entity called the Cyber Security Agency (CSA). The CSA manages and monitors the implementation. Governance controls are composed of:

  o CS Performance Management Control: manages the chain of command between the entities involved.

  o Regulation Regime Control: allows enforcing security policies and application-related legislation.

  o International Cooperation Control: allows monitoring different aspects of security across continents.

• Strategic controls: they should allow decision-makers to determine whether the CSA is achieving its objectives and enable them to take any necessary actions as early as possible during the implementation process.

• Audit controls: mainly used for two purposes: to check the security maturity level and to find the differences between the original CSS and the actual implementation.

• Framework controls: the HCS-IF controls are provided as a means to manage the framework itself.

2.2.4.1 Business Control

This type of control is mainly used to ensure the correct execution of operational activities, in collaboration with the other controls.

2.2.5 Validating the HCS-IF

Although several frameworks have been implemented to increase cyber-security [Soomro, 2016; James, 2016], most of them focus on specific domains or entities, while HCS-IF is an approach that aims to increase overall cyber-security.

A number of features, extracted from previous studies, have been defined with which to compare HCS-IF with previous security system deployments:

• Resilience: the ability of the framework to be agile, flexible and able to deal with unpredictable changes in technology, environment, attack methods, etc.

• Measure performance: the ability to measure the performance of security initiatives effectively at various organizational levels.

• Compliance: the framework follows known standards or best practices and lets the cyber-security implementation framework manage differences between standards.

• Measure security level: used to define the security level achieved in a particular time period.

• Identify gaps in the CSS document: the framework should be able to detect whether the CSS needs further amendments, in case it does not guarantee the achievement of the required security level.

• Implementation level: shows the need for a framework that can be implemented at the national level.

2.2.6 Comparison

The proposed HCS-IF provides greater security assurance as it has been implemented using a holistic approach. According to the table below, the frameworks are divided into the following categories, representing security system implementations analysed by different sectors and differing from one another in the type of data exchanged, the data to be protected or the network structure:

• Management and Governance: information security frameworks usually target the management perspective of information security.

• Guidelines: many frameworks provide guidelines to facilitate the deployment of security systems.

• Dedicated: several frameworks are implemented for specific issues or entities.

• Generic framework: general frameworks for implementing security strategies.

• Provider specific: some proprietary implementations have been created for security systems; the best known are the IBM security framework and the Oracle Reference Architecture (ORA).

• Open architectures: various enterprise architecture (EA) frameworks are available, varying in completeness, visual aspects, simplification and representation.

These categories are compared with the main features of the holistic HCS-IF approach.

Criterion / Framework category   Resilience  Measure performance  Compliance  Measure security level  Identify gaps  Holistic implementation level
Management and Governance        Yes         No                   No          No                      No             No
Guidelines                       Yes         No                   No          Yes                     No             Yes
Dedicated                        No          No                   Yes         No                      No             Yes
Generic                          No          Yes                  No          No                      No             Yes
Provider specific                Yes         Yes                  Yes         Yes                     No             No
Open architectures               Yes         Yes                  Yes         Yes                     No             No
HCS-IF                           Yes         Yes                  Yes         Yes                     Yes            Yes

Table 1 - Comparison between different cyber-security framework categories


3 USER PERSPECTIVE ANALYSIS

In this section we report the user perspective analysis of the holistic cyber-security investigation carried out. We focus on Building Energy Management Systems (BEMS), Multi-access Edge Computing (MEC) and Internet of Things (IoT) scenarios, described in the following.

3.1 BUILDING ENERGY MANAGEMENT SYSTEM (BEMS)

Automatic control of electrical components in buildings has become a necessary task for any energy management system (EMS) in order to achieve optimal performance. The aim of a modern EMS is to enhance the functionality of interactive control strategies, leading towards energy efficiency and a more user-friendly environment. The EMS operates several building systems, such as the supervisory control and data acquisition (SCADA) system, which controls the smart grid of one or more buildings, and the building management system (BMS), which controls the building heating demand, access control, security system, fire alarm system, etc.

Cyber-attacks on an EMS can lead to significant financial impact and safety risk, and the likelihood of such attacks increases when the EMS becomes part of the building network. The most common attack threats to an EMS are man-in-the-middle (MiTM) and denial of service (DoS). A MiTM attacker manipulates critical sensor and actuation values to impact the energy usage of the EMS: e.g., manipulating the building boiler set-point by a negative offset of 5 degrees can increase the building energy consumption by 8% [Paridari, 2016]. DoS can be used to shut down the energy supply system of critical infrastructures. The main challenge for the end user in developing a security system for an EMS is protecting and monitoring the massive number of vulnerability points introduced by connecting several heterogeneous systems (network, database, physical environment, etc.). In addition, existing methods for EMS cyber-security are mainly based on running tests and benchmarks to evaluate the possible cyber-attacks and their impact [Gold, 2009]. These methods require expert knowledge to manually perform the tests and the attack assessment. There is currently no end-to-end framework that covers the main steps of the EMS cyber-security design flow. An EMS is typically built in a closed network with limited remote access to the building operations, which used to reduce its exposure to remote attacks. Recently, the EMS became part of the IoT system; hence cyber-security became an essential task at building commissioning time. Common commercial building automation tools for monitoring and policy editing use basic features based on guidelines such as the NESCOR ones. ANASTACIA introduces the baseline for securely integrating several heterogeneous cyber-physical system components, and for providing intrusion detection and resiliency capabilities to the EMS.

ANASTACIA aims to detect uncommon behaviour in the BEMS and to react and adapt the system, for instance by enforcing a security policy that isolates the compromised smart objects from the rest of the BMS, or by improving the security between certain IoT devices or within devices in some networks.
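The set-point manipulation and the "detect, then isolate" reaction described above can be made concrete with a small monitor over control-plane writes. The following is an added example written for this page, not ANASTACIA code, and the point names, addresses, limits and the write trace are all constructed assumptions: each set-point write is checked against an authorised-writer list, engineering limits and a maximum step per write, and the apparent source of a failing write is queued for isolation, which is the policy reaction the text describes.

```python
"""Hypothetical set-point integrity monitor for a BEMS (added example).

Models the MiTM case in the text, an attacker shifting a boiler set-point
by a few degrees, as a stream of set-point write records. Three checks run
without prior knowledge of the attack: the writer must be an authorised
controller, the value must stay inside engineering limits, and the change
per write must stay below a configured step. Any source that fails a check
is reported for isolation. All names, addresses and values are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SetpointWrite:
    ts: int        # seconds since start of the trace (constructed)
    src: str       # address the write appears to come from
    point: str     # control point name
    value: float   # commanded set-point, degrees C


@dataclass(frozen=True)
class PointPolicy:
    low: float
    high: float
    max_step: float            # largest accepted change between consecutive writes
    allowed_writers: frozenset


@dataclass
class MonitorState:
    last_accepted: dict = field(default_factory=dict)  # point -> last good value
    isolated: set = field(default_factory=set)         # sources to cut off


def check_write(w, policies, state):
    """Return (accepted, reason); isolates the source on any policy failure."""
    pol = policies.get(w.point)
    if pol is None:
        return False, "unknown point"
    if w.src in state.isolated:
        return False, "source isolated"
    if w.src not in pol.allowed_writers:
        state.isolated.add(w.src)
        return False, "unauthorised writer"
    if not (pol.low <= w.value <= pol.high):
        state.isolated.add(w.src)
        return False, "out of engineering limits"
    prev = state.last_accepted.get(w.point)
    if prev is not None and abs(w.value - prev) > pol.max_step:
        state.isolated.add(w.src)
        return False, "step exceeds max_step"
    state.last_accepted[w.point] = w.value
    return True, "ok"


def run_monitor(writes, policies):
    """Replay a trace; returns per-write decisions and the isolation list."""
    state = MonitorState()
    decisions = [(w.ts, w.src, check_write(w, policies, state)) for w in writes]
    return decisions, sorted(state.isolated)


# Constructed policy: one boiler set-point, one authorised controller.
POLICIES = {
    "boiler.setpoint": PointPolicy(low=55.0, high=80.0, max_step=2.0,
                                   allowed_writers=frozenset({"10.0.1.10"})),
}

# Constructed trace: two legitimate schedule writes, a -5 degree shift from a
# spoofed host, the same shift sent with the controller's own address (the
# MiTM case: the writer looks legitimate, the step does not), then a recovery
# attempt that is refused because the source is already isolated.
TRACE = [
    SetpointWrite(0,   "10.0.1.10", "boiler.setpoint", 70.0),
    SetpointWrite(60,  "10.0.1.10", "boiler.setpoint", 71.0),
    SetpointWrite(120, "10.0.1.99", "boiler.setpoint", 66.0),
    SetpointWrite(180, "10.0.1.10", "boiler.setpoint", 66.0),
    SetpointWrite(240, "10.0.1.10", "boiler.setpoint", 70.5),
]

if __name__ == "__main__":
    decisions, isolated = run_monitor(TRACE, POLICIES)
    for ts, src, (ok, why) in decisions:
        print(f"t={ts:4d} {src:10s} {'ACCEPT' if ok else 'REJECT'} {why}")
    print("isolate:", isolated)
```

The step check is what catches the case the text quotes, because a 5 degree shift arriving from a legitimate address passes the writer and range checks. The cost is visible in the last write: once the controller's address has been isolated, its own recovery write is refused too, so in a real deployment the isolation reaction should be paired with authenticated writes, otherwise an attacker who spoofs the controller also gets it cut off.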

3.2 MULTI-ACCESS EDGE COMPUTING (MEC)

Nowadays, many companies have adopted cloud technologies as a growth strategy. Indeed, the cloud brings power, agility and cost savings thanks to its computing and storage capacities. According to the Thales Data Threat Report, Advanced Technology Edition [Thales, 2017], issued in conjunction with the analyst firm 451 Research, 93% of respondents will use sensitive data in an advanced technology environment (cloud, SaaS, big data, IoT and containers) this year. A majority of those respondents (69%) also believe their organizations are deploying these technologies ahead of having appropriate data security solutions in place, while 88% consider network security very or extremely effective at protecting data. Moreover, security attacks such as DDoS have become a major issue in terms of costs for the actors of the digital economy. Recently, a new cloud paradigm called Multi-access Edge Computing, pushed by ETSI [ETSI, 2015], is emerging. Multi-access Edge Computing (MEC) offers application developers and content providers cloud-computing capabilities and an IT service environment at the edge of the network. This environment is characterized by ultra-low latency and high bandwidth, as well as real-time access to radio network information that can be leveraged by applications. A MEC needs to plan the best placement of computing facilities to serve requests, to schedule online the virtual machine resources and the assignment of requests to cloud facilities, and to secure the different communications and mitigate security attacks. ANASTACIA aims to ensure that the system can react so as to minimize the effect of different security attacks. ANASTACIA will assist administrators (end users) in enforcing a network access policy and allow them to protect the exchanged data as well as credentials. Administrators can use ANASTACIA to ensure that their system is protected from attacks and to defend it in case of security attacks. Indeed, by using ANASTACIA, end users can detect an attack and forward it to the right modules in order to stop it, by deploying the appropriate security appliances on demand in the right places, based on SDN and NFV technologies.

In fact, smart security cameras and IoT devices can be used for a massive distributed denial-of-service (DDoS) attack, such as the attack that disrupted U.S. internet traffic on October 21st, 2016, where the attacks were made possible by the large number of unsecured internet-connected digital devices, such as home routers and surveillance cameras. Even though some of these devices are not powerful computers, they can generate massive amounts of bogus traffic, especially when a large number of IoT devices is involved. The detection and mitigation of such kinds of attacks need dynamic and agile features to accommodate the attacks. ANASTACIA aims to fulfil such needs by proposing a solution based on NFV and SDN approaches, which bring remarkable benefits for providing on-demand security features in software-based networks. Moreover, the increased capabilities of Edge infrastructure can further augment the efficiency of the envisioned security solutions, by enabling prompt reactions near the IoT devices.

INTERNET OF THINGS (IOT)

The issue of security and privacy is heightened in IoT domains: as the connectivity of objects increases exponentially, so do the possibilities for hacking into the system. It is noted that IoT covers a huge scope of diverse markets, and the security and privacy needs vary depending on the types of services. In order to find general requirements from the user perspective, we focus on the common risks coming from the IoT communication patterns that apply to heterogeneous IoT services and applications.

Communication types in IoT systems include end-device to end-device (e.g., sensor node to sensor node, sensor node to actuator, etc.), end-device to gateway, gateway to central devices (e.g., cloud server, IoT platform servers, etc.), and/or central devices to application servers. The network communications for IoT services and applications naturally embed the traditional security and privacy risks, such as session hijacking, DDoS attacks, denial of service, IP spoofing, man-in-the-middle, etc. What calls for more caution on IoT security and privacy is the vulnerability of the IoT devices themselves. It is well known that low-powered sensor nodes and their communication protocols are highly vulnerable to security attacks. In addition, privacy-related data such as location information is often included in IoT services, which brings the need for careful privacy design. The news of the teddy bear hack at the cybersecurity conference held at the World Forum in The Hague² on May 16, 2017 demonstrates the security weakness of IoT communication protocols: an 11-year-old boy, Paul, demonstrated his abilities by using his bear, which connected to the cloud via Wi-Fi and Bluetooth, to receive and transmit messages. He plugged a Raspberry Pi into his computer and scanned the conference hall for Bluetooth-connected devices. The other news, from February 2017, that police officers in England arrested a London suspect who allegedly hacked in 2016 into the home routers of over 1 million German households³ also raises the alarm on IoT-based services. We should pay attention to the fact that home IoT devices are connected to the Internet with no security enabled, and that any device connected to the home routers can be hacked. Another example showing the vulnerability of IoT devices is the news that a couple was arrested for hacking Washington's CCTV days before President Trump's inauguration⁴. News on hacking of IoT systems and devices is coming more often, which means that security and privacy alerts on IoT are increasing more and more as more devices are connected to each other.

2 https://securityintelligence.com/news/with-teddy-bear-bluetooth-hack-11-year-old-proves-iot-security-is-no-childs-play/
3 http://www.news1130.com/2017/02/23/german-federal-police-say-british-hacker-arrested-in-london/

The other aspect to be considered in relation to IoT security and privacy is the regulatory issues concerning policies for sharing private data among stakeholders. When IoT is integrated with robotics, these needs become more complicated and even include ethical issues. Thus, it is extremely important to build security and privacy into the system by design, and also to provide users with clear information on the security level of the system to be used and to notify users whether there is a risk to private data when using the system or services. ANASTACIA can fulfil such needs by designing and implementing holistic solutions enabling trust and security by design for cyber physical systems (CPS) based on IoT and cloud architectures. In particular, it also includes a dynamic security and privacy seal that provides users with the certification level of the system and with information on private data.

4 http://www.telegraph.co.uk/news/2017/02/05/two-arrested-london-hacking-us-cctv-systems-days-president-trumps/


4 BUSINESS PERSPECTIVE ANALYSIS

Industrial Control Systems (ICS) play an important role in the monitoring and control of physical and chemical processes. ICS is a general term that encompasses several types of control systems used in EMS and industrial production, including supervisory control and data acquisition (SCADA) systems, distributed control systems, and other smaller control system configurations such as programmable logic controllers (PLC), often found in industrial sectors and critical infrastructures. Automatic control of electrical/thermal components in buildings has become a necessary task for ICSs, in order to achieve optimal performance. In this context, the ICS is often called an energy management system (EMS). Nowadays, the EMS industry is looking to develop a secure EMS that detects attacks and maintains the physical system in a safe state, during and after the detected attack.

On the other side, Internet of Things applications have opened a big investment market for offering innovative services that enrich the quality of life. For example, it has become common to have systems that collect data related to the traffic in huge cities, manage the energy and/or water system of a building, and even monitor and control systems that maintain the security of the inhabitants of a whole country. These types of systems usually handle sensitive data and make decisions relying blindly on its quality. Therefore, the security of the whole platforms described here becomes a crucial topic when developing such technologies. Although the market already provides the technologies that implement the underlying platform, the proposition of a secure-by-design approach is still missing.

The ANASTACIA project aims to tackle this lack of offer by providing the market with a complete set of tools and methodologies that cope with these challenges by:

• Proposing a secure-by-design modelling and development approach,
• Developing a cyber-physical network (CPS) managed by software defined network (SDN) techniques,
• Providing a set of monitoring and reaction tools that implement a security framework tailored for CPS and SDN,
• Defining a security and privacy seal used to guarantee the security of the monitored platform.

The set of tools designed aims to provide the market with innovative technologies tailored for the specific use cases of the ANASTACIA project. However, the project will also prioritize the use of open standards and modular approaches, facilitating the adaptation of the ANASTACIA framework to other use cases and technologies.

The described set of technologies and methodologies will enhance the market by bringing a cost-effective way to ensure the security of cyber physical networks. The ANASTACIA project will enlarge the value proposition of the market by bringing a novel and complete solution for implementing secure cyber physical networks, which is mainly composed of a set of tools, each solving a part of the whole problem. For example, the current market proposition is based on Firewalls and Intrusion Detection Systems that are able to detect some attacks, although they are designed for specific endpoints and network architectures. In addition, these tools do not support automatic reaction, leaving the decision and the implementation of the countermeasure to be carried out manually by the system administrator. This fact makes the deployment of such systems a big challenge when trying to adapt them to cyber physical networks. The proposition of a complete approach and its security certification is part of the main value proposition of the expected results.

In this sense, this proposal will not only attract existing enterprises that use IoT-based cyber physical networks, but also new potential customers that will rely on the ANASTACIA approach to enhance their systems with the automatic security enforcement mechanisms provided by the project. These enterprises include, but are not limited to, governments, energy and water companies, real estate and transportation companies. At the same time, these companies might be interested in investing in the proposed technologies, which will allow them to adapt the results of the project to their requirements and deploy them in new environments.

In summary, ANASTACIA points its principal business area to the adoption of the developed technologies and methodologies into existing SDN- and NFV-based IoT networks. At the same time, the development of a Security seal will open business opportunities for certifying already-existing IoT deployments. In both areas, the ANASTACIA partners look forward to exploiting the project's results by enhancing their tools to address the use cases in the frame of the project, but also by adapting them to new use cases, leading to new business opportunities.


5 TECHNICAL PERSPECTIVE ANALYSIS

In this section of the document, we report the technical perspective analysis accomplished during the development of the project. The ANASTACIA project relies on policy-based network and security management to deal with cyber-attacks in CPS-IoT scenarios through SDN and NFV. We will first focus on the analysis of current security policy model proposals and solutions under consideration, then discuss software-based network security enablers. Finally, we focus on new security and privacy threats in IoT.

SECURITY POLICY MODEL PROPOSALS UNDER CONSIDERATION

5.1.1 xCIM-SDL/SPL

The Common Information Model (CIM)⁵ is the main standard that provides a common definition of management-related information independent of any specification. The model defines concepts for authorization, authentication, delegation, filtering, and obligation policies. However, for an information model to be useful, it has to be mapped into some specification, and for our purpose CIM models are not suitable by themselves, due to the huge number of classes of which they are composed. The xCIM [Bernal] model is therefore based on CIM, but includes only the relevant classes of the model as well as some extended classes.

The xCIM Security Policy Language (xCIM-SPL) allows the user to define security policies in order to establish the desired security behaviour of the system, using a friendly high-level language close to spoken English, whereas the xCIM System Description Language (xCIM-SDL) is a submodel that allows describing the system in a medium-level abstraction representation. Both are based on XML and were applied in the scope of the POSITIF⁶ and DESEREC⁷ European projects.

Currently, xCIM-SPL supports filtering, authentication, authorization, channel protection and operational policy types, but the language is easily extensible. With an XML schema for each type of security policy, xCIM-SPL is composed of five independent XML schemas.

The link between xCIM-SPL and SDL elements is made using the internal format. The internal format is a low-level language for formal modelling designed for developers. Since both SPL and SDL instances are defined in the internal format, this link is directly achieved through it. To build the XML schema automatically from any CIM version, the authors designed an automatic transformation.

5 http://www.dmtf.org/standards/cim
6 http://cordis.europa.eu/project/rcn/75115_en.html
7 http://www.deserec.eu


Figure 4: SPL to xCIM translation process

The refinement consists in a translation from the high-level specification to low-level rules specified by a language based on the CIM Policy Information Model (i.e. xCIM-SPL or the internal format). The translation process is based on the direct transformation of the SPL elements into xCIM-SPL elements. However, due to the lack of information provided by the natural human concepts, the authors use templates to fill it in, and in order to ease the definition, transformation and manipulation of security policies they also provide a policy console.

5.1.2 SECURED – HSPL/MSPL

The High-level Security Policy Language (HSPL) and the Medium-level Security Policy Language (MSPL) [Vallini] are two policy languages defined within the European SECURED⁸ project in order to specify security policies. HSPL is the policy language suitable for expressing the general protection requirements of typical non-technical end-users, such as "do not permit access to illegal content" or "block access to peer-to-peer networks", whereas MSPL is an abstract language with statements related to the typical actions performed by various security controls but expressed independently of the final devices; that is, it expresses specific configurations written by technically-savvy users in a device-independent format, such as "deny *.sex", "deny src 192.168", or "inspect image/* for malware".

Both policy languages are based on XML and are focused on the capability concept. A capability denotes any kind of security functionality that can be provided by a Personal Security Application (PSA). A PSA implements some security controls, generally as a software module, e.g. filtering, logging or authentication. Specifically, the model includes capabilities like authorization, authentication, data protection and general security.

Simplified HSPL Example

    <hspl_list>
      <hspl subject='SensorA' id='HSPL0'>
        <action>no_authorise_access</action>
        <objectH>Internet_traffic</objectH>
      </hspl>
    </hspl_list>

8 http://www.secured-fp7.eu


MSPL is defined by a meta-model that specifies the main concepts (like policies, rules, conditions, and actions), and it is organized by capabilities. In this context, capabilities are defined as basic features that can be configured to enforce a security policy (e.g. channel protection, filtering, anti-virus, parental control, ...).

Simplified MSPL Example

    <ITResource ID="MSPL_f9b27422-15b3-4bb5-ad21-3e08af5b1a1c" ...>
      <configuration xsi:type="RuleSetConfiguration" ...>
        <capability>
          <Name>Filtering_L4</Name>
        </capability>
        <defaultAction xsi:type="FilteringAction">
          <FilteringActionType>ALLOW</FilteringActionType>
        </defaultAction>
        <configurationRule>
          <configurationRuleAction xsi:type="FilteringAction">
            <FilteringActionType>DENY</FilteringActionType>
          </configurationRuleAction>
          <configurationCondition xsi:type="FilteringConfigurationCondition">
            <packetFilterCondition>
              <SourceAddress>10.0.0.1,</SourceAddress>
            </packetFilterCondition>
          </configurationCondition>
          <Name>Rule0</Name>
        </configurationRule>
        <resolutionStrategy xsi:type="FMR"/>
        <Name>MSPL_f9b27422-15b3-4bb5-ad21-3e08af5b1a1c</Name>
      </configuration>
    </ITResource>

Finally, MSPL policies are translated to lower-level tasks or configurations; that is, the policies are refined to a specific security configuration or task for a specific PSA. In order to support a wide set of low-level security controls, it is possible to develop different refinement plugins for each kind of technology, e.g. NetFilter/iptables, SDN, etc.


Figure 5: Medium to Low refinement process

Figure 5 shows a workflow in which a coordinator requests a translation from an MSPL policy to a lower-level security control configuration. In this case, a lower-level service requests from a plugin repository the plugin that is capable of translating the MSPL sentences into specific security control configurations or tasks for a given security control, e.g. iptables, NetFilter, etc. Once the service receives the suitable plugin, it invokes the method in charge of performing the translation.
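To make the Medium-to-Low refinement step concrete, the following Python script is an added example, not SECURED or ANASTACIA project code: it parses a simplified MSPL document shaped like the example above, asks a small plugin repository for the plugin registered for the policy's capability and the requested target technology, and lets that plugin translate the rules into iptables commands or ovs-ofctl flow entries. The plugin interface (translate(policy)), the repository keys, the sample policy values and the Protocol and DestinationPort condition elements are assumptions made for this example; the trailing comma in SourceAddress mirrors the sample above and is treated as a list separator.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample, modelled on the simplified MSPL example above.  Protocol and
# DestinationPort are assumed element names; the trailing comma in SourceAddress
# mirrors the document's sample and is treated as a list separator by the parser.
SAMPLE_MSPL = """<ITResource ID="MSPL_example"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <configuration xsi:type="RuleSetConfiguration">
    <capability><Name>Filtering_L4</Name></capability>
    <defaultAction xsi:type="FilteringAction">
      <FilteringActionType>ALLOW</FilteringActionType>
    </defaultAction>
    <configurationRule>
      <configurationRuleAction xsi:type="FilteringAction">
        <FilteringActionType>DENY</FilteringActionType>
      </configurationRuleAction>
      <configurationCondition xsi:type="FilteringConfigurationCondition">
        <packetFilterCondition>
          <Protocol>tcp</Protocol>
          <SourceAddress>10.0.0.1,</SourceAddress>
          <DestinationPort>80</DestinationPort>
        </packetFilterCondition>
      </configurationCondition>
      <Name>Rule0</Name>
    </configurationRule>
    <resolutionStrategy xsi:type="FMR"/>
    <Name>MSPL_example</Name>
  </configuration>
</ITResource>"""

@dataclass
class Rule:
    name: str
    action: str   # ALLOW | DENY
    match: dict   # packetFilterCondition children, e.g. {"SourceAddress": "10.0.0.1"}

@dataclass
class Policy:
    capability: str
    default_action: str
    rules: list = field(default_factory=list)

def parse_mspl(xml_text):
    """Extract capability, default action and rules from a simplified MSPL document."""
    root = ET.fromstring(xml_text)
    conf = root.find("configuration")
    if conf is None or conf.get(XSI_TYPE) != "RuleSetConfiguration":
        raise ValueError("expected a RuleSetConfiguration")
    policy = Policy(conf.findtext("capability/Name"),
                    conf.findtext("defaultAction/FilteringActionType"))
    for r in conf.findall("configurationRule"):
        cond = r.find("configurationCondition/packetFilterCondition")
        match = {c.tag: c.text.strip().rstrip(",") for c in cond} if cond is not None else {}
        policy.rules.append(Rule(r.findtext("Name"),
                                 r.findtext("configurationRuleAction/FilteringActionType"),
                                 match))
    return policy

class IptablesPlugin:
    """Refinement plugin: Filtering_L4 rules -> iptables commands for the INPUT chain."""
    TARGET = {"ALLOW": "ACCEPT", "DENY": "DROP"}
    FLAG = {"Protocol": "-p", "SourceAddress": "-s",
            "DestinationAddress": "-d", "DestinationPort": "--dport"}
    def translate(self, policy):
        cmds = []
        for rule in policy.rules:
            unknown = set(rule.match) - set(self.FLAG)
            if unknown:  # fail closed: never silently drop part of a security rule
                raise ValueError(f"{rule.name}: unsupported condition {sorted(unknown)}")
            if "DestinationPort" in rule.match and "Protocol" not in rule.match:
                raise ValueError(f"{rule.name}: a port match needs a Protocol")
            parts = ["iptables", "-A", "INPUT"]
            for key in self.FLAG:  # fixed order keeps -p ahead of --dport
                if key in rule.match:
                    parts += [self.FLAG[key], rule.match[key]]
            parts += ["-j", self.TARGET[rule.action], "-m", "comment", "--comment", rule.name]
            cmds.append(" ".join(parts))
        cmds.append(f"iptables -P INPUT {self.TARGET[policy.default_action]}")
        return cmds

class OpenFlowPlugin:
    """Refinement plugin: the same policy as ovs-ofctl flow entries for an SDN switch."""
    FIELD = {"SourceAddress": "nw_src", "DestinationAddress": "nw_dst",
             "DestinationPort": "tp_dst"}
    def translate(self, policy, bridge="br0"):
        flows = []
        for prio, rule in enumerate(reversed(policy.rules), start=100):
            m = [rule.match.get("Protocol", "ip")]
            m += [f"{self.FIELD[k]}={v}" for k, v in rule.match.items() if k in self.FIELD]
            act = "normal" if rule.action == "ALLOW" else "drop"
            flows.append(f'ovs-ofctl add-flow {bridge} "priority={prio},{",".join(m)},actions={act}"')
        default = "normal" if policy.default_action == "ALLOW" else "drop"
        flows.append(f'ovs-ofctl add-flow {bridge} "priority=0,actions={default}"')
        return flows

# Plugin repository keyed by (capability, target technology); an assumption of this example
PLUGIN_REPOSITORY = {("Filtering_L4", "iptables"): IptablesPlugin,
                     ("Filtering_L4", "openflow"): OpenFlowPlugin}

def refine(xml_text, target):
    """Coordinator side: parse the MSPL, fetch the matching plugin, invoke its translation."""
    policy = parse_mspl(xml_text)
    plugin = PLUGIN_REPOSITORY.get((policy.capability, target))
    if plugin is None:
        raise LookupError(f"no refinement plugin for {policy.capability} on {target}")
    return plugin().translate(policy)

if __name__ == "__main__":
    for target in ("iptables", "openflow"):
        print("\n".join(refine(SAMPLE_MSPL, target)))
```

The plugins fail closed: a condition element a plugin cannot render raises an error instead of being skipped, because dropping a match field silently widens or narrows the rule the policy author intended, and a port match without a protocol is rejected because iptables cannot apply --dport without -p.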

5.1.3 I2NSF Information Model of Network Security Functions Capabilities

The I2NSF Information Model of Network Security Functions Capabilities from the IETF [Xia, 2017] provides a definition for a model of security capabilities for the automatic management of Network Security Functions (NSFs), understanding capabilities as the set of available features in a managed entity. This model provides standard interfaces in order to obtain the required NSF at a given time, and the criteria to select a specific NSF are independent of the vendor, relying instead on the capabilities. Furthermore, when an unknown threat (e.g., zero-day exploits, unknown malware, and APTs) is reported by a network security device, new capabilities may be created, and/or existing capabilities may be updated. These new capabilities may be sent and stored in a centralized repository, or stored separately in a local repository. In either case, a standard interface is needed during this automated update process.

As can be seen in Figure 6, there are two relevant types of Interfaces to Network Security Functions (I2NSF):

• Interface between I2NSF clients and a security controller.
• Interface between NSFs.


Figure 6: I2NSF Interfaces

In defining the capabilities of an NSF, the "Event-Condition-Action" (ECA) policy rule set model is used:

• An Event is defined as any important occurrence in time of a change in the system being managed, and/or in the environment of the system being managed.

• A Condition is a set of attributes, features, and/or values that are to be compared with a set of known attributes, features, and/or values in order to make a decision.

• NSFs provide security functions by executing several Actions.

The I2NSF capability interface is in charge of controlling and managing the NSFs by means of the information about the capabilities each NSF owns. The capability interface is used for advertising, creating, selecting and managing a set of specific security capabilities, independently of the type and vendor of the device that contains the NSF.

Initially, there are three common categories of capabilities, i.e. network security, content security and attack mitigation. Each category contains sub-models that provide more specific policy rules, like authentication, accounting, authorization or traffic inspection rules.
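As an added illustration of the ECA rule model and of capability-based NSF selection (example code written for this text, not the I2NSF information model's own definitions): rules are matched on the event kind and on the event's attributes, and the resulting action is handed to whichever NSF advertises the required capability, regardless of vendor. The "<category>:<sub-model>" capability tag format, the event attribute names and the NSF catalogue are constructed assumptions; the three categories are the ones named above.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class NSF:
    """A network security function advertised through the capability interface."""
    name: str
    vendor: str
    capabilities: frozenset  # "<category>:<sub-model>" tags (assumed format)

@dataclass
class Event:
    kind: str    # e.g. "ids-alert", "flow-stats" (assumed names)
    attrs: dict  # attributes reported by the detecting NSF

@dataclass
class ECARule:
    event: str        # event kind this rule reacts to
    condition: dict   # attribute -> expected value, or a predicate over the value
    action: str       # action the selected NSF must execute
    capability: str   # capability an NSF must advertise to execute it

def condition_holds(condition, attrs):
    """Compare the event's attributes with the rule's known attributes/values."""
    for key, expected in condition.items():
        if key not in attrs:
            return False
        ok = expected(attrs[key]) if callable(expected) else attrs[key] == expected
        if not ok:
            return False
    return True

class CapabilityRegistry:
    """Vendor-independent NSF selection: only the advertised capabilities matter."""
    def __init__(self):
        self.nsfs = []
    def advertise(self, nsf):
        self.nsfs.append(nsf)
    def select(self, capability):
        return [n for n in self.nsfs if capability in n.capabilities]

def evaluate(rules, event, registry):
    """Return (action, nsf_name) pairs; nsf_name is None when no NSF can execute it."""
    decisions = []
    for rule in rules:
        if rule.event != event.kind or not condition_holds(rule.condition, event.attrs):
            continue
        matches = registry.select(rule.capability)
        decisions.append((rule.action, matches[0].name if matches else None))
    return decisions

# Constructed catalogue: two vendors, capabilities from the three categories above
REGISTRY = CapabilityRegistry()
REGISTRY.advertise(NSF("fw-edge", "vendorA",
                       frozenset({"network-security:packet-filter",
                                  "network-security:authorization"})))
REGISTRY.advertise(NSF("scrubber", "vendorB", frozenset({"attack-mitigation:ddos"})))

RULES = [
    ECARule("ids-alert", {"severity": lambda s: s >= 7},
            "block-source", "network-security:packet-filter"),
    ECARule("flow-stats", {"pps": lambda p: p > 10_000, "protocol": "udp"},
            "rate-limit-source", "attack-mitigation:ddos"),
    # No NSF advertises content inspection: the decision records the capability gap,
    # which is the case where the model expects a new capability to be created.
    ECARule("ids-alert", {"signature": "unknown"},
            "submit-for-analysis", "content-security:antivirus"),
]

def run_sample():
    """Three constructed events pushed through the rule set."""
    events = [
        Event("ids-alert", {"severity": 9, "signature": "unknown", "src": "10.0.0.7"}),
        Event("flow-stats", {"pps": 25_000, "protocol": "udp", "src": "10.0.0.9"}),
        Event("flow-stats", {"pps": 25_000, "protocol": "tcp", "src": "10.0.0.3"}),
    ]
    return [evaluate(RULES, e, REGISTRY) for e in events]

if __name__ == "__main__":
    for decisions in run_sample():
        print(decisions)
```

An action paired with None is the signal for the "unknown threat" path described above: no advertised capability can act on it, so the controller must escalate or obtain a new capability rather than drop the event.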

5.1.4 Policy Models Relationship

Figure 7 below shows the relationship between the aforementioned proposals. As can be seen, HSPL/MSPL extends and improves the idea presented in xCIM-SPL/SDL, and the I2NSF IETF group reuses and extends the concept in the I2NSF Framework.


Figure 7: Policy Models Relationship

The Framework for Interface to Network Security Functions is described in draft-ietf-i2nsf-framework-04⁹ and defines a reference model for I2NSF. A model of Security Capabilities is presented in draft-baspez-i2nsf-capabilities-00¹⁰, whereas draft-xia-i2nsf-capability-interface-im-06¹¹ is focused on the capability interface of NSFs and proposes its information model for managing the various network security functions. The last two drafts are merged in draft-xibassnez-i2nsf-capability-00¹², and there is a recent update in draft-xibassnez-i2nsf-capability-01¹³.

SECURITY POLICIES SOLUTIONS UNDER CONSIDERATION

The OpenDaylight Network Intent Composition¹⁴ project will enable the controller to manage and direct network services and network resources based on a description of the "Intent" for network behaviours and network policies. That is, it is an interface that allows clients to express a desired state in an implementation-neutral form, which will be enforced via modification of the available resources under the control of the OpenDaylight system.

9 https://tools.ietf.org/html/draft-ietf-i2nsf-framework-04
10 https://tools.ietf.org/html/draft-baspez-i2nsf-capabilities-00
11 https://tools.ietf.org/html/draft-xia-i2nsf-capability-interface-im-06
12 https://tools.ietf.org/html/draft-xibassnez-i2nsf-capability-00
13 https://tools.ietf.org/html/draft-xibassnez-i2nsf-capability-01
14 https://wiki.opendaylight.org/view/Network_Intent_Composition:Main


Figure 8: ODL intent workflow

As can be seen in Figure 8, intents are described to the controller through a new NorthBound Interface which provides generalized and abstracted policy semantics instead of OpenFlow-like flow rules. The policies are generally expressed in XML or JSON, and the component that transforms the intent into the implementation is typically referred to as a renderer.

On the other hand, ONOS also has its own intent framework. The ONOS Intent Framework¹⁵ is a subsystem that allows applications to specify their network control desires in the form of policy rather than mechanism. The authors refer to these policy-based directives as intents. These intents can be translated via intent compilation into installable intents, which result in changes to the environment. ONOS provides a set of built-in intents, but the framework is extensible in order to allow developers to add their own dynamically.

Beyond the SDN controllers, OpenStack Group Based Policy¹⁶ introduces the concept of a group that represents a collection of network endpoints and fully describes their properties. Everything in the same group must be treated the same way (that is, it has the same policy). GBP also introduces rule sets to describe secure connectivity between Groups, as illustrated in Figure 9. Rule sets may imply switching or routing behaviours, but they offer a simple way to describe how sets of machines can communicate in non-networking terms. Critically, they are also reusable: the same rule set can be used for different combinations of Groups. Automation and security are much easier through GBP. By simply becoming a member of a group, a virtual machine inherits all of its policies, allowing developers to easily automate scaling up and down. In fact, it was designed to make advanced capabilities such as service chaining extremely easy to use. As GBP has progressed in OpenStack, a corresponding project has been developed in the ODL community to build an open source network overlay solution using ODL and Open vSwitch (OVS). The GBP project can naturally support OpenDaylight in this configuration and allow it to act as a network controller through its existing southbound interface.

15 https://wiki.onosproject.org/display/ONOS/Intent+Framework
16 https://wiki.openstack.org/wiki/GroupBasedPolicy


Figure 9: OS Group Based Policy

The OpenDaylight Group Based Policy¹⁷ project defines and implements an intent system, allowing users to express network configuration in a declarative rather than imperative way. GBP offers an intent-based interface, accessed via the GUI called UX, via the REST API, or directly from a domain-specific language such as Neutron through a mapping interface. This integration will allow performing operations not currently available in OpenStack, like the use of Service Function Chaining. The major benefit of this architecture is that the mapping of the domain-specific language is completely separate from and independent of the underlying renderer implementation; that is, when another renderer is added, for instance NetConf, the same policy can be leveraged across NetConf devices simultaneously.

Coming back to OpenStack, Congress¹⁸ provides a mechanism that allows OpenStack clients to define policy to be applied across all OpenStack components, not only the networking-related ones. It is a cloud service whose sole responsibility is policy enforcement, and it uses the Neutron Group-based policy in order to provide a high-level abstraction for defining network connectivity between groups of endpoints. The policy language supported by Congress must be general-purpose and declarative. Currently, OpenStack Congress uses Datalog as its policy language.

OVERVIEW OF SOFTWARE-BASED NETWORK SECURITY ENABLERS

The ANASTACIA project aims at exploring the opportunities that Software Defined Networking and Network Function Virtualization offer in coping with security threats against IoT services. In this vein, the efficient orchestration of software-based security enablers plays a key role in meeting the desired policy-driven security requirements. In the following Sections, we present these emerging network solutions, especially highlighting their features and benefits towards the provisioning of advanced security mechanisms.

5.3.1 Overview of Software Defined Networking

Software Defined Networking (SDN) is a network architecture which decouples the control and forwarding functions, introducing enhanced network programmability. Thanks to the separation of control and data planes, network control can be done separately, without affecting data flows. In this way, network intelligence is provided by a centralized controller, and the complexity of the underlying switching devices is notably reduced in comparison with traditional networks. The SDN paradigm offers a simpler programmable network environment and a higher level of flexibility for external applications to define the network behaviour.

17 https://wiki.opendaylight.org/view/Group_Based_Policy_(GBP)
18 https://wiki.openstack.org/wiki/Congress


The Open Networking Foundation (ONF)¹⁹, a non-profit consortium dedicated to the development, standardization, and commercialization of SDN, has suggested a reference model for SDN networks, as sketched in Figure 10. This architecture includes three layers:

• The data plane includes network elements (e.g., switches, routers, etc.) which are responsible for processing packets based on the rules provided by a controller, and for collecting network status, such as network topology and traffic statistics.

• The control plane bridges the application plane and the data plane, translating applications' requirements into appropriate forwarding rules to be enforced over the underlying network switches. To this aim, the south-bound interface allows the SDN controller to access functions provided by the switching devices. These functions may include reporting network status and managing packet forwarding rules. On the other hand, the north-bound interface provides service access points in various forms, e.g., Application Programming Interfaces (APIs), so that SDN applications can communicate their network requirements to the SDN controller. Also, via the northbound APIs, the SDN applications can access network status information reported by the switching devices, modify the network behaviour accordingly, and request new packet forwarding rules on the switching devices.

• The application plane refers to the SDN applications developed to implement specific user requirements. Through the interfaces provided by the controller, SDN applications, such as dynamic access control and load balancing, may have dynamic and granular access to network resources, and define traffic flows at the data plane.

Figure 10: SDN reference architecture

Two main open-source projects are leading the adoption of SDN in a broad range of environments. The Open Network Operating System (ONOS)²⁰ is a distributed and modular SDN controller specifically designed for service providers. The main goals behind its development are high availability, scalability, and performance. The network configuration can be communicated to the controller through its northbound APIs as intents, which are enforced in the underlying network through the southbound APIs using the OpenFlow protocol. OpenDaylight (ODL)²¹ is an open source SDN controller supported by the Linux Foundation. Similar to ONOS, it is modular and supports the OpenFlow protocol for southbound communications, as well as other standard protocols defined by the IETF, such as NETCONF. ODL employs a model-driven approach to describe the network, the functions to be performed on it and the resulting state or status achieved.

19 Open Networking Foundation, https://www.opennetworking.org/sdn-resources/sdn-definition
20 ONOS project, http://onosproject.org/
21 Open DayLight, https://www.opendaylight.org/


5.3.1.1 SDN features for enabling security mechanisms

The use of software-defined networking is also gaining high momentum in the security research communities [Ali, 2015]. In this Section, we provide an overview of the major SDN features which can be explored to provide advanced security countermeasures for IoT systems within the ANASTACIA project.

Dynamic Flow Control: By leveraging the decoupling of control and data planes, a network application can manage network flows dynamically. Indeed, when an SDN switch does not have a flow rule to process a specific packet, a request is forwarded to the controller, which can decide how the packet is processed based on specific application policies. This feature can enable a dynamic access control function, which is commonly implemented to protect a network according to the specified privileges and policies.

Traffic Isolation: SDN can be exploited to enable the forwarding of different network traffic over the same physical network infrastructure, while guaranteeing the desired level of isolation [Sherwood, 2009]. This feature can drastically limit the propagation and damage of security attacks between different network domains. Furthermore, it can be used to separate malicious (or suspicious) network flows dynamically. In this vein, SDN-based separation solutions can offer different levels of network abstraction, so as to appropriately separate network traffic and provide network views according to the desired security properties.

Network-Wide Visibility with Centralized Control: In SDN, all data planes are managed by a centralized controller which is in charge of flow rule configuration. In addition, through the control plane, network status information can be collected from each data plane by sending statistics query messages. Therefore, a network application running on the control plane can obtain the updated status of the relevant data plane and the flow request messages through the northbound APIs. In this way, SDN can ease network-wide monitoring and the detection/defence of network-wide attacks. For example, the network administrator can implement anomaly analysis to identify network-wide attacks by monitoring the network state changes. Moreover, network resources can be reorganized in a timely manner to mitigate large-scale network security vectors.

Network Programmability: Since data forwarding in an SDN network can be controlled by a network application program, SDN provides enhanced flexibility to enable new network functions and to extend network functionalities. To empower this feature, several network programming languages have been proposed so far [Trois, 2016], boosting the development of new SDN-based network applications.
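The following simulation is an added example (not ONOS, OpenDaylight or ANASTACIA code) that exercises two of the features just described. Dynamic flow control: a switch with no matching rule sends a packet-in to the controller application, which decides the action from a per-source allow-list and installs a rule. Network-wide visibility with centralized control: packet-ins and flow counters from every switch feed one view, so a host opening flows to more distinct destinations than a threshold is quarantined and its already-installed rules are overridden on all switches. Host names, the allow-list, the fan-out threshold and the CoAP port are constructed assumptions.

```python
from collections import defaultdict

class Switch:
    """Data-plane element: forwards by installed rules, asks the controller on a table miss."""
    def __init__(self, dpid, controller):
        self.dpid = dpid
        self.controller = controller
        self.flow_table = {}  # (src, dst, dport) -> {"action": ..., "packets": n}

    def process(self, src, dst, dport):
        key = (src, dst, dport)
        if key not in self.flow_table:  # table miss -> packet-in to the controller
            self.flow_table[key] = self.controller.packet_in(self.dpid, key)
        self.flow_table[key]["packets"] += 1
        return self.flow_table[key]["action"]

    def install(self, key, action):
        """Flow-mod from the controller; keeps the counter so statistics stay continuous."""
        old = self.flow_table.get(key)
        self.flow_table[key] = {"action": action, "packets": old["packets"] if old else 0}

class AccessControlApp:
    """Control-plane application: per-source allow-list plus a fan-out anomaly check."""
    def __init__(self, allowed, fanout_threshold):
        self.allowed = allowed              # src -> set of permitted (dst, dport)
        self.threshold = fanout_threshold
        self.switches = []
        self.seen = defaultdict(set)        # src -> distinct (dst, dport) requested anywhere
        self.quarantined = set()

    def register(self, switch):
        self.switches.append(switch)

    def packet_in(self, dpid, key):
        src, dst, dport = key
        # Packet-ins from every switch feed one counter, so a host probing many
        # destinations is spotted regardless of which switch it is attached to.
        self.seen[src].add((dst, dport))
        if len(self.seen[src]) > self.threshold and src not in self.quarantined:
            self.quarantine(src)
        permitted = (dst, dport) in self.allowed.get(src, set())
        action = "FORWARD" if permitted and src not in self.quarantined else "DROP"
        return {"action": action, "packets": 0}

    def quarantine(self, src):
        """Reorganize the data plane: override every installed rule for src with DROP."""
        self.quarantined.add(src)
        for sw in self.switches:
            for key in [k for k in sw.flow_table if k[0] == src]:
                sw.install(key, "DROP")

    def flow_stats(self):
        """Statistics query over all data planes, aggregated per source host."""
        totals = defaultdict(int)
        for sw in self.switches:
            for (src, _, _), entry in sw.flow_table.items():
                totals[src] += entry["packets"]
        return dict(totals)

def run_scenario():
    """Constructed topology: two switches, one controller app, two IoT sensor nodes."""
    policy = {"sensor-1": {("gateway", 5683)},   # CoAP to the gateway only
              "sensor-2": {("gateway", 5683)}}
    app = AccessControlApp(policy, fanout_threshold=3)
    sw1, sw2 = Switch("sw1", app), Switch("sw2", app)
    app.register(sw1)
    app.register(sw2)
    out = {}
    out["s1_coap"] = sw1.process("sensor-1", "gateway", 5683)   # permitted -> FORWARD
    out["s1_ssh"] = sw1.process("sensor-1", "gateway", 22)      # not in allow-list -> DROP
    out["s2_coap"] = sw2.process("sensor-2", "gateway", 5683)   # permitted, rule installed on sw2
    # sensor-2 then opens flows to three new destinations across both switches
    for i, sw in enumerate((sw1, sw2, sw1)):
        sw.process("sensor-2", f"host-{i}", 80)
    out["s2_quarantined"] = "sensor-2" in app.quarantined       # 4 distinct targets > 3
    out["s2_coap_after"] = sw2.process("sensor-2", "gateway", 5683)  # rule on sw2 now DROP
    out["stats"] = app.flow_stats()
    return out

if __name__ == "__main__":
    print(run_scenario())
```

The quarantine step is what distinguishes centralized control from a per-switch firewall: the decision is taken once, from a view built out of packet-ins and counters from every data plane, and enforced by rewriting rules on every switch, including rules that were installed before the anomaly appeared.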

5.3.2 Overview of Network Function Virtualization

The deployment of virtualized network services provides remarkable benefits in terms of increased flexibility, improved capital efficiency, and enhanced operational efficiency in Telco networks [Taleb, 2014]. ETSI ISG NFV has designed a high-level functional architectural framework for the management of virtualized network functions [ETSI-NFV, 2014], which includes three layers, as illustrated in Figure 11:

• Network Functions Virtualization Infrastructure (NFVI) block
• Virtualized Network Function (VNF) block
• Management and Orchestration (MANO) block


Figure 11: ETSI NFV reference architecture

Network Functions Virtualization Infrastructure (NFVI) block: This block comprises the hardware resources providing the necessary processing, storage, and network capabilities, as well as the virtualization software components, to create the virtualization environment.

Virtualized Network Function (VNF) block: The VNF block refers to the virtual network functions (VNFs) which are executed leveraging the virtualized resources offered by the underlying NFVI.

Management and Orchestration (MANO) block: MANO is defined as a separate block in the architecture, which interacts with both the NFVI and the VNF blocks. The ETSI NFV framework delegates to the MANO layer the management of all the resources in the infrastructure layer for the efficient deployment of the VNFs. The main MANO components are:

• Virtualized Infrastructure Manager (VIM): VIM manages the virtualization layer and controls how the hardware resources are used in the NFVI block. VIM is therefore responsible for the control of NFVI resources, including the creation, maintenance and management of virtual machines (VMs). It also operates with other management functional blocks to determine the service requirements and then manage the infrastructure resources to fulfil them.

• VNF Manager (VNFM): VNFM is responsible for the control of the VNF lifecycle, including the creation, configuration, maintenance, performance, and security management of VNF instances.

• NFV Orchestrator (NFVO): NFVO has a central role in the framework by covering both resource and service orchestration. To this aim, the NFVO works with the VIM to provide the resources necessary for hosting VNFs. Furthermore, the NFVO is in charge of interacting with the VNFM to manage the configuration of the relevant VNF.

Furthermore, the ETSI NFV ISG has specified several information elements to efficiently manage the on-boarding and lifecycle of Network Services (NS) and relevant VNFs. A NS can be considered as a forwarding graph of Network Functions interconnected by supporting network infrastructure. In the following we provide a brief description of the main ETSI NFV information models [ETSI-NFV-MANO, 2014].

A VNF Descriptor (VNFD) is a template which describes a VNF in terms of its deployment and operational behaviour requirements. It is primarily used by the VNFM in the process of VNF instantiation and lifecycle management of a VNF instance. The VNFD also contains connectivity, interface and KPI requirements that can be used by NFV MANO functional blocks to establish appropriate Virtual Links (VLs) within the NFVI between its VNF Component instances, or between a VNF instance and the endpoint interface to the other Network Functions.

A Virtual Link Descriptor (VLD) is a deployment template which describes the resource requirements that are needed for a link between VNFs, Physical Network Functions (PNFs) and endpoints of the NS, which could be met by various link options that are available in the NFVI.


At the highest level of the ETSI NFV information models, the Network Service Descriptor (NSD) is used by the NFVO to instantiate a NS, which can be composed of one or more VNFs, PNFs, and VLs. Furthermore, several VNF Forwarding Graphs can be defined to steer traffic among different network forwarding paths, e.g., to meet specific QoS requirements. Therefore, a NSD is a deployment template for a NS which references all other descriptors required for the components included in the NS.
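The relationship between the three descriptors just described (an NSD that references VNFDs and VLDs, with VNF connection points joined by virtual links) is the kind of consistency an NFVO must verify before instantiation. The following is an added example, not code from the deliverable, from ETSI or from any MANO implementation: the descriptors are constructed, deliberately simplified dictionaries whose field names are assumptions loosely modelled on the ETSI information model rather than the normative schema. The check resolves every reference, rejects endpoints that name a connection point the VNFD does not declare, and sums the resource requirements the VIM would have to provide.

```python
"""Consistency check over simplified ETSI NFV-style descriptors (VNFD, VLD, NSD).

Added example, not from the ANASTACIA deliverable or the ETSI specifications.
All descriptors are constructed and keep only the reference structure discussed
in the text; field names are assumptions, not the normative data model.
"""

# Constructed catalogue of on-boarded VNF descriptors, keyed by descriptor id.
VNFDS = {
    "vnfd-fw": {"id": "vnfd-fw", "name": "virtual-firewall",
                "connection_points": ["cp-in", "cp-out"],
                "requirements": {"vcpu": 2, "memory_mb": 2048}},
    "vnfd-ids": {"id": "vnfd-ids", "name": "virtual-ids",
                 "connection_points": ["cp-mon"],
                 "requirements": {"vcpu": 4, "memory_mb": 4096}},
}

# Constructed catalogue of on-boarded virtual link descriptors.
VLDS = {
    "vld-ingress": {"id": "vld-ingress", "bandwidth_mbps": 1000},
    "vld-mirror": {"id": "vld-mirror", "bandwidth_mbps": 100},
}

# A constructed NSD: it references VNFDs and VLDs and wires VNF connection
# points ("<vnfd id>:<connection point>") onto virtual links.
SAMPLE_NSD = {
    "id": "nsd-secure-edge",
    "vnfd_refs": ["vnfd-fw", "vnfd-ids"],
    "vld_refs": ["vld-ingress", "vld-mirror"],
    "links": [
        {"vld": "vld-ingress", "endpoints": ["vnfd-fw:cp-in", "vnfd-fw:cp-out"]},
        {"vld": "vld-mirror", "endpoints": ["vnfd-fw:cp-out", "vnfd-ids:cp-mon"]},
    ],
}


def validate_nsd(nsd, vnfds, vlds):
    """Return a list of human-readable problems; an empty list means consistent.

    Every referenced descriptor must be on-boarded, every link must use a VLD
    the NSD lists, and every endpoint must name a connection point that the
    referenced VNFD actually declares.
    """
    problems = []
    vnfd_refs = nsd.get("vnfd_refs", [])
    vld_refs = nsd.get("vld_refs", [])
    for ref in vnfd_refs:
        if ref not in vnfds:
            problems.append(f"VNFD '{ref}' referenced by NSD but not on-boarded")
    for ref in vld_refs:
        if ref not in vlds:
            problems.append(f"VLD '{ref}' referenced by NSD but not on-boarded")
    for link in nsd.get("links", []):
        if link["vld"] not in vld_refs:
            problems.append(f"link uses VLD '{link['vld']}' not listed in vld_refs")
        for ep in link["endpoints"]:
            vnf_ref, _, cp = ep.partition(":")
            if vnf_ref not in vnfd_refs:
                problems.append(f"endpoint '{ep}' uses a VNFD not listed in vnfd_refs")
            elif vnf_ref in vnfds and cp not in vnfds[vnf_ref]["connection_points"]:
                problems.append(f"endpoint '{ep}': VNFD declares no connection point '{cp}'")
    return problems


def aggregate_requirements(nsd, vnfds):
    """Sum the per-VNF resource requirements the VIM must be able to provide."""
    total = {"vcpu": 0, "memory_mb": 0}
    for ref in nsd["vnfd_refs"]:
        for key in total:
            total[key] += vnfds[ref]["requirements"][key]
    return total


if __name__ == "__main__":
    print("problems:", validate_nsd(SAMPLE_NSD, VNFDS, VLDS))
    print("resources:", aggregate_requirements(SAMPLE_NSD, VNFDS))
```

A real NFVO performs the same resolution against the full ETSI data model (including PNFDs and forwarding graphs, omitted here); the example shows why a dangling reference or an undeclared connection point must be caught at on-boarding time rather than surfacing as a failed instantiation.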

To boost the adoption of the NFV paradigm, several open-source projects have been developed recently. In the following we list the main initiatives:

OpenBaton22, developed by Fraunhofer FOKUS and TU Berlin, is an open source NFV platform whose architecture is ETSI MANO compliant. It ensures the development of virtual network infrastructures by porting and further adapting network functions to the specific cloud environment. The OpenBaton project integrates an NFV Orchestrator to coordinate network service deployment, and a generic VNF Manager that can be replaced by either Juju or customized VNFMs using a vnfm-sdk. The life-cycle of deployed VNFs can be managed through an Element Management System. OpenBaton also enables multi-tenancy between different operators.

Open Source Mano (OSM)23 is an ETSI-hosted project that aims to provide end-to-end service provisioning and orchestration through a Network Service Orchestrator. The framework also includes a Resource Orchestrator responsible for processing the resource allocation requirements of each VNF, based on the corresponding descriptor. OSM can also integrate multiple VIMs for resource provisioning, and SDN controllers for network management.

Open Network Automation Platform (ONAP)24 is a recent project derived from the merging of two different open-source NFV platforms, i.e., ECOMP (Enhanced Control, Orchestration, Management and Policy) and Open-O. It aims at creating a harmonized and comprehensive framework for real-time, policy-driven software automation of VNFs. It expands the scope of ETSI MANO compliance, including further software components and providing support for efficient utilization of network resources, elasticity, security, and reliability.

5.3.2.1 NFV features for enabling security mechanisms

The NFV paradigm offers promising features to increase the network capabilities offered by Telco providers and to provide the opportunity to develop and deploy new network services faster. Different opportunities for enabling and efficiently orchestrating security enablers can also be envisaged by exploiting the NFV paradigm, whose key features are discussed in the following.

Decoupling software from hardware: the basic principle of NFV deals with the opportunity to use commodity servers for deploying virtualized network functions. In this way, a notable reduction of dedicated hardware can be achieved. This aspect can be extremely significant also in the network security domain, where hardware-based firewalls, DPIs, etc. can be replaced by software-based instances.

On-demand scalability: by exploiting the dynamic instantiation of VNFs, network administrators can achieve a higher level of scalability and allow finer granularity. In this way, virtual security network functions can be scaled up/down according to the current workload, thus ensuring the required performance.

Flexible network service provisioning: The software-based deployment allows for increased efficiency in the deployment of services over a shared physical infrastructure. Furthermore, different components can be dynamically integrated along the forwarding paths. This can enable the creation of appropriate security service chains where user traffic is appropriately processed according to security policies. Also, security operators can leverage software-based function deployment to timely mitigate detected security attacks.

22 Open Baton project, http://openbaton.github.io
23 Open Source Mano project, https://osm.etsi.org
24 Open Network Automation Platform project, https://www.onap.org


The NFV paradigm fully embraces the cloud delivery models of on-demand service provisioning, thus supporting the concept of Security-as-a-Service. In this vein, the Cloud Security Alliance (CSA)25 has defined guidelines for cloud-delivered defence solutions, to assist enterprises and end-users to widely adopt this security paradigm shift. The NFV approach presents remarkable advantages with respect to hosting in remote cloud data centers, since the virtualized security functions can be deployed along the forwarding path, avoiding inefficient traffic detouring. Furthermore, the provisioning of security functions towards the edge of the network can better scale with the expected huge amount of traffic generated by IoT devices.

5.4 NEW SECURITY AND PRIVACY THREATS IN IOT

With the number of IoT devices increasing, the number of customers accessing this technology is also increasing, leveraged by the reduction of prices and the increase in the number of functionalities. Furthermore, IoT devices are becoming a critical part of Cyber Physical Systems, which are the core of many critical infrastructures.

This section analyses the current context regarding the security and privacy threats currently appearing in IoT/CPS. It is worth noticing that there are important differences between the traditional IT domain and the current IoT/CPS context. These differences really impact the type of events threatening these platforms and how they are managed.

The main differences derive from the dynamic and changing character of IoT/CPS platforms, with a large number of devices connecting and disconnecting, installed and uninstalled in a short period of time. This is especially critical for activities such as patching and updating, which are difficult (and costly) to address in such changing environments. Not to mention the compliance requirements that new updates might need to fulfil, in order to avoid violations of the certification procedures that these systems, if running in a critical environment, need to comply with.

Closely related to the dynamicity of IoT/CPS platforms is the large amount of legacy systems running in these platforms. It is common that many devices from different vendors use different protocols and have different capabilities. Sometimes they are providing just analogue signals that have to be transformed into digital information in order to be used within the platform. This is an issue that has a high impact on the security of an IoT/CPS platform, as many legacy systems require tailored implementations of certain security mechanisms. For other devices, due to resource limitations, those security mechanisms are not even possible.

Another aspect that is inherent to IoT/CPS is the real-time capabilities that, very often, these systems require. This impacts the way that security events and potential threats are managed, as availability might become a paramount aspect to consider, especially for very critical domains.

The aforementioned distinctive features are exploited by malicious parties to design attacks, but who are these malicious parties and what are their motivations? The authors in [Cardenas09] classify potential attackers into four main groups: (1) cybercriminals, whose aim is to target any unprotected system, with no specific purpose, but whose attacks might cause negative side effects; (2) disgruntled employees, or simply careless ones, installing malware from the inside of the system. These insider attacks are very difficult to manage, as the attacker has direct access to the computers and networks, even if the network is physically disconnected from the public Internet; (3) terrorists, activists and organized criminal groups, which have deep knowledge of systems and are able to exploit even unknown vulnerabilities. Very often these attackers are motivated by economic interests, using them for extortion or simply for public discredit; (4) nation states, mainly focused on cyber espionage.

The following subsections analyse the context of threats in IoT/CPS from three perspectives:

25 Cloud Security Alliance, https://cloudsecurityalliance.org


• Analysis of threats: what threats are and what dimensions need to be considered when analysing them.

• Analysis of cyber-attacks: what the lifecycle of an attack is, that is, the identification of the phases that any attack follows when breaking into a system.

• Security objectives: what objectives any security protection policy has to consider when dealing with the protection against potential threats and their corresponding attacks.

The current analysis of threat management in IoT/CPS concludes with the identification of the most paramount attacks and threats and a classification of countermeasures.

5.4.1 Cyber Threat Analysis

According to the InfoSec Institute [Kost14], a threat could be anything that leads to interruption, meddling or destruction of any valuable service or item existing in the firm's repertoire. Threat analysis is essential to combat cyber-attacks. The analysis of the information, internal and external, associated with a potential threat represents the difference between reacting to attacks and preventing attacks, thus reducing their impact within a system.

Threat analysis evaluates four dimensions associated with potential threats:

1. Scope, which is the collection of items (devices, information, premises, and services) that a threat can target, and thus, can be potentially compromised.

2. Data collection, which is the ability to gather cyber threat information used by threats, such as vulnerabilities, lists of open ports, lists of emails or IP addresses of a system.

3. Risk analysis, in order to determine the level of exposure to a threat. This is done by evaluating the current mechanisms that an IoT/CPS platform has to neutralize threats in terms of availability, confidentiality and integrity.

4. Mitigation and anticipation, derived from the outcomes of phases (1), (2) and (3). This phase would be capable of designing mitigation measures and preventing similar attacks in the future.

It is worth noticing that, despite the fact that any IoT/CPS platform might be subject to attack in many ways, the risk of suffering a successful cyber-attack is higher when three aspects converge (see Figure 12):

• System Susceptibility. Not all systems are vulnerable to attack. In general, updated systems are less vulnerable than systems with outdated software installed on their devices. As mentioned before, this is a problem in IoT/CPS platforms, with a large number of many different devices running different operating systems or built with different technologies. Additionally, not all systems are interesting for attackers. Only those targets that might return the attacker any type of value are worth the effort of exploiting known vulnerabilities (even more so for the effort of discovering and exploiting zero-day vulnerabilities).

• Threat accessibility. Not all systems are accessible to be attacked. Devices physically disconnected from the public internet are less vulnerable to cyber-attacks, while devices physically protected are less vulnerable to tampering attacks.

• Threat capability. The existence of known techniques or tools to exploit vulnerabilities makes it easier for attackers to succeed.


Figure 12: Dimensions of a successful attack

Therefore, when these three dimensions converge at the same time, the likelihood of being attacked is high and the system/platform is clearly compromised.

5.4.2 Lifecycle of Cyber Attacks

The previous threat analysis can be detailed in a set of stages that typically characterize the lifecycle of a cyber attack [Sage17][LECC]:

• Initial reconnaissance: an attacker will study the scope of his/her attack by evaluating the available defences of a system and its potential vulnerabilities, either logical (i.e., software zero-day vulnerabilities), physical (i.e., direct access to a temperature sensor) or human (i.e., unsatisfied employee).

• Initial compromise: an attacker is able to gain entry into some system/platform network by exploiting any of the vulnerabilities identified in the reconnaissance stage.

• Command and Control: once inside the platform, the attacker typically would install malicious software, such as remote access tools, in order to quickly access the system again with very few resources.

• Escalate privileges: attackers typically try to escalate their privileges once inside the system, for example, by obtaining PKI certificates or with the installation of keyloggers to obtain passwords.

• Move Laterally: attackers scan the network internally in order to find additional targets, for example, to access other devices and perform internal vulnerability scans.

• Target Attainment: attackers finally get access to the pursued resources, either retrieving or deleting files or info from databases, or simply resetting configurations or shutting down devices.


Figure 13: Cyber Attack lifecycle

5.4.3 Security objectives for IoT/CPS

The third pillar to analyse is related to the security objectives that have to be reached for the protection of an IoT/CPS against threats and attacks. According to [Wang10], four objectives are typically targeted:

• Confidentiality, in order to prevent the disclosure of sensitive information (including the maintenance of users' privacy) to unauthorized individuals or systems.

• Integrity, in order to ensure that the data managed in the system have not been altered by unauthorized parties.

• Availability, in order to ensure that the services provided in IoT/CPS platforms or the resources offered by devices are working properly without interruptions.

• Authenticity, in order to ensure that all the processes (data management, transactions, and communications) are genuine and produced/consumed by trusted parties.

5.4.4 Main threats in IoT/CPS

A myriad of cyberattacks are threatening IoT/CPS infrastructures. Almost every week some relevant new incident involving cyber-attacks and IoT appears in the mass media. One of the first proven massive cyberattacks in IoT happened in 2014, when 750.000 malicious emails were sent from 100.000 devices such as TVs or refrigerators. In October 2015 a massive DDoS attack, triggered from smart light bulbs, webcams or smart thermostats, affected important DNS servers in the USA. Many cyberattacks have also targeted IoT infrastructures built over critical infrastructures. The most salient one occurred already in 2010 when the so called Stuxnet ruined several nuclear centrifuges of nuclear power plants by exploiting several vulnerabilities present in access control devices. More recently, in the winter of 2015, a Ukrainian power grid suffered the so called Blacknet attack. The attack managed to install malware in many devices within the power grid premises. The result was the complete blackout of an entire city. Another massive DDoS attack triggered from many different devices took down for a week in November 2016 the central heating system of a Finnish city.

Typical approaches to analyse security threats and vulnerabilities in IoT/CPS divide these platforms into three conceptual layers: physical layer, network layer and application layer [Gao13]. The following tables summarize the most important threats for IoT/CPS and group them according to the layer where they apply:

Table 2: Security Threats of Physical Layer

Security threats: Description
Physical attack: Physical attack mainly refers to the physical damage of the nodes.
Equipment failure: Equipment reduces or loses performance due to external forces, environment or aging.


Line fault: Line fault is the failure of power lines on the nodes.
Electromagnetic leakage: By processing the electromagnetic signals radiated by equipment at work, attackers can restore the original data.
Electromagnetic interference: Unwanted electromagnetic signals or disturbances have negative impacts on useful signals, resulting in system performance degradation.
Denial of Service (DoS): Attacker makes the target system stop providing services through network bandwidth consumption.
Channel blocking: Data cannot be transmitted because the communication channel has been occupied for a long time.
Sybil attack: A single malicious node has multiple identities, to attack the system by controlling most of the nodes.
Replay attack: Attacker resends legitimate data obtained before, to get the trust of the system.
Perception data destruction: The unauthorized addition, deletion, modification and destruction of perception data.
Data intercept: Illegal access to the data resources through intercepting the communication channel.
Data tampering: Attacker intercepts and modifies the data, then sends the modified data to the recipient.
Unauthorized access: Resources are accessed by unauthorized users.
Passive attack: Attacker passively collects data by sniffing and information collection.

Node capture: Gateway node or ordinary node is controlled by attackers.
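The "Replay attack" row in Table 2 describes an attacker resending previously captured legitimate data to gain the trust of the system. The usual countermeasure on constrained devices is a monotonically increasing sequence number, authenticated together with the payload, that the receiver checks against a sliding window in the style of the IPsec anti-replay mechanism. The following is an added example, not code from the deliverable: it implements that window check over a constructed stream of sensor messages, accepting each (node, sequence) pair at most once, tolerating moderate reordering, and rejecting anything older than the window. The authentication of the sequence number (which must precede this check, or an attacker could simply forge a higher one) is assumed and not shown.

```python
"""Sliding-window anti-replay check for authenticated sensor messages.

Added example, not from the ANASTACIA deliverable. Modelled on the IPsec
anti-replay window (RFC 4303, Appendix A): the receiver keeps, per node, the
highest sequence number seen and a bitmask of which of the last `window`
sequence numbers have already been accepted. Node ids and sequence numbers in
the sample stream are constructed.
"""


class ReplayDetector:
    def __init__(self, window=8):
        self.window = window
        # node_id -> (highest sequence seen, bitmask of accepted seqs in window;
        # bit k set means "highest - k" has already been accepted)
        self.state = {}

    def check(self, node_id, seq):
        """Return True if (node_id, seq) is fresh, False if replayed or too old."""
        highest, mask = self.state.get(node_id, (0, 0))
        full = (1 << self.window) - 1
        if seq > highest:
            # Advance the window; far jumps simply start a new window.
            shift = seq - highest
            mask = 1 if shift >= self.window else ((mask << shift) | 1) & full
            self.state[node_id] = (seq, mask)
            return True
        offset = highest - seq
        if offset >= self.window:
            return False          # older than the window: cannot vouch for it, reject
        bit = 1 << offset
        if mask & bit:
            return False          # already accepted once: this is a replay
        self.state[node_id] = (highest, mask | bit)
        return True               # late but never seen: accept


# Constructed stream of (node id, sequence number) as received by the gateway.
SAMPLE_STREAM = [
    ("temp-07", 1), ("temp-07", 2), ("temp-07", 3),
    ("temp-07", 2),                 # replay of seq 2
    ("temp-07", 5), ("temp-07", 4), # reordered delivery, both fresh
    ("temp-07", 3),                 # replay of seq 3
    ("temp-07", 20),                # large jump, window restarts
    ("temp-07", 9),                 # 20 - 9 = 11 >= window: too old, rejected
]


def scan(stream, window=8):
    """Run the detector over a stream and return one verdict per message."""
    det = ReplayDetector(window)
    return [det.check(node, seq) for node, seq in stream]


if __name__ == "__main__":
    for (node, seq), ok in zip(SAMPLE_STREAM, scan(SAMPLE_STREAM)):
        print(f"{node} seq={seq}: {'accept' if ok else 'REJECT'}")
```

The window size trades tolerance for reordering against memory on the gateway; rejecting messages older than the window is what keeps the per-node state bounded, which matters for the resource-limited devices the text describes.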

The following table lists the typical security threats that are focused on the network layer.

Table 3: Security Threats of Network Layer

Security threats: Description
DDoS: Plenty of malicious nodes attack the target server as the sources of DoS at the same time.
Routing attack: Attacker interferes with the normal routing process by sending forged routing information.
Sink node attack: Interrupting data transmission between the physical layer and the network layer by attacking the sink node.
Direction misleading attack: Malicious node modifies the source and destination addresses of data packets, then sends them along a wrong path, resulting in network routing confusion.


Black hole attack: Malicious node cheats other nodes into establishing routing connections with it, and then discards the packets that should be forwarded, causing packet loss.
Flooding attack: Exhausting the resources of the network servers on the network layer by Smurf and DDoS.
Trapdoor: Allows an exception to the security policy when specific data is transported.
Sybil attack: Malicious node illegally has multiple identities, to obstruct data transmission by controlling most of the nodes.
Sinkhole attack: Malicious node attracts the normal nodes around it as a point in the routing path, so that all data will flow through it.
Wormhole attack: Malicious nodes attack together to obtain the routing right through the fewer routing hops between the malicious nodes.
Routing loop attack: Malicious node modifies the data path to cause an infinite routing loop.
HELLO flooding attack: Malicious node makes nodes in the network believe that it is their direct neighbour by using a strong signal to broadcast routing information.
Spoofing attack: Malicious node spoofs normal nodes to send data through an inefficient path or to a failed node.
Selective forwarding: Malicious node deliberately drops some or all of the key information in the forwarding.
Tunnel attack: Malicious nodes hide the real link distance between them to lure the other nodes into establishing routing paths through them.
False routing information: Malicious node attacks the network layer by tampering with the routing information.

Finally, the following table lists the typical security threats that are focused on the application layer.

Table 4: Security Threats of Application Layer

Security threats: Description
Privacy data leaking: Leaking of users' private data due to the insecurity of data transmission, storage and presentation.
Unauthorized access: Illegal access to the network and system data.
Malicious code: Code in the system with no useful effect but which may carry security risks.
Forged control commands: Attackers maliciously use the system or damage the system by forging control commands.
Loophole: Attacking the system by using the loopholes in the applications on the application layer.


Viruses, Trojan horses: Viruses and Trojan horses are the general security threats of applications on the application layer.
SQL injection attack: SQL injection is a common means of attack on the database of the system.

5.4.5 Common countermeasures to mitigate threats in IoT/CPS

A countermeasure is defined as an action taken to weaken the effect of another action or a situation, or to make it harmless. In general, threats are unavoidable and every system has to be designed with the assumption that it will often suffer from many different types of attacks. According to [Cardenas09], the growing concern for protecting IoT/CPS against malicious cyberattacks is based upon the premises of prevention, detection, recovery, resilience and deterrence.

Prevention is the first defence against cyberattacks, and becomes a challenge mostly targeted by the standardization community from many different domains. Some examples are the cybersecurity standard for control systems in the Electric sector created by the North American Electric Reliability Corporation (NERC). NIST has also published a set of best practices in the NIST SP 800-53, with a set of recommendations that can provide guidance for analysing the security of most companies. The ISA (International Society of Automation) is developing the ISA99, which includes a set of standards, recommended practices, technical reports, and related information that will define procedures for implementing electronically secure manufacturing and control systems and security practices and assessing electronic security performance, with the objectives of improving confidentiality, integrity and availability of control systems.

Detection and recovery against attacks is the main reactive countermeasure to address when an attack has succeeded. The usage of monitoring tools becomes the first mechanism to detect attacks. To this end, a key aspect for detecting attacks is deep knowledge of the system. Very often this is done through human intervention, although the need for automatic recovery becomes one of the paramount challenges currently being targeted by industry.

System resilience, together with security by design principles, becomes another important aspect used to react to or prevent attacks. Some specific actions related to this aspect are redundancy (to prevent single points of failure), diversity (having the same service running on different operating systems), or the limitation of privileges (separating privileges among different users to limit the access that a corrupted entity can have to the system and its resources).

Not being the most successful measure to prevent or react to attacks, deterrence becomes the basic aspect that any domain should have. However, very often this aspect depends on successful legislation, law enforcement and international collaboration, which have been proved not to be effective enough to prevent cyber-attacks.

The specific case of IoT is very challenging given the diversity of operating systems, interfaces, and capabilities of the devices operating in an IoT platform. A common strategy to react to threats is only possible through the unification of all the access modes available at every device. To this end, the usage of SDN and NFV technologies becomes essential for the definition and invocation of countermeasures that allow reacting to ongoing attacks or potential threats. Actions such as the isolation of compromised devices (in order to avoid a potential extension of the attack to critical parts of the platform), the reconfiguration of certain parts of the IoT platform (for example, assigning different IPs to compromised devices), the restart of some devices or the change of access policies at runtime are some of the possible actions to be carried out when reacting to attacks such as DoS, malware, etc.
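The first countermeasure named above, isolating a compromised device through SDN so that the attack cannot spread to critical parts of the platform, comes down to installing flow rules whose priorities are ordered correctly. The following is an added example, not code from the deliverable or from any ANASTACIA enabler: it generates OpenFlow-style match/action rules, represented as plain dictionaries (the ipv4_src/ipv4_dst match fields and the NORMAL output port are real OpenFlow names, but the dictionary layout is an assumption, not a controller API), that drop all traffic to and from the flagged device while keeping a whitelist of management peers reachable, so the device can still be patched or re-provisioned, and mirroring the remaining allowed traffic to an analysis port. A small lookup function checks that the rules resolve as intended. Addresses and port numbers are constructed.

```python
"""Reactive SDN quarantine: flow rules that isolate one compromised IoT device.

Added example, not from the ANASTACIA deliverable. Rules are plain dicts with
OpenFlow-style match fields; installing them on a real controller is out of
scope. All addresses and port numbers below are constructed.
"""

DROP_PRIORITY = 100    # assumed to beat the platform's normal forwarding rules
ALLOW_PRIORITY = 200   # whitelisted management exceptions must beat the drop


def quarantine_rules(device_ip, mgmt_peers=(), mirror_port=None, idle_timeout=0):
    """Return the flow rules that isolate `device_ip`.

    Traffic between the device and each management peer is still forwarded
    (and optionally mirrored to an analysis port); everything else to or from
    the device is dropped, which in OpenFlow is an empty action list.
    """
    rules = []
    for peer in mgmt_peers:
        actions = [{"output": "NORMAL"}]
        if mirror_port is not None:
            actions.append({"output": mirror_port})
        for src, dst in ((device_ip, peer), (peer, device_ip)):
            rules.append({"priority": ALLOW_PRIORITY,
                          "match": {"ipv4_src": src, "ipv4_dst": dst},
                          "actions": list(actions), "idle_timeout": idle_timeout})
    for match in ({"ipv4_src": device_ip}, {"ipv4_dst": device_ip}):
        rules.append({"priority": DROP_PRIORITY, "match": match,
                      "actions": [], "idle_timeout": idle_timeout})
    return rules


def lookup(rules, src, dst):
    """Mimic table lookup: the highest-priority rule whose match fields all
    agree with the packet wins. Returns its action list (empty = dropped) or
    None when no quarantine rule applies and normal forwarding continues."""
    pkt = {"ipv4_src": src, "ipv4_dst": dst}
    best = None
    for rule in rules:
        if all(pkt.get(k) == v for k, v in rule["match"].items()):
            if best is None or rule["priority"] > best["priority"]:
                best = rule
    return None if best is None else best["actions"]


# Constructed scenario: sensor 10.0.0.23 has been flagged as compromised and
# 10.0.0.1 is the management gateway that must remain reachable.
QUARANTINE = quarantine_rules("10.0.0.23", mgmt_peers=("10.0.0.1",), mirror_port=7)

if __name__ == "__main__":
    for src, dst in (("10.0.0.23", "10.0.0.50"), ("10.0.0.23", "10.0.0.1"), ("10.0.0.5", "10.0.0.6")):
        print(f"{src} -> {dst}: {lookup(QUARANTINE, src, dst)}")
```

Two details matter in practice: the allow rules must carry a strictly higher priority than the drop rules, otherwise the device loses its management path and cannot be remediated, and an idle_timeout of 0 makes the quarantine permanent until the controller explicitly lifts it, which is the safer default for a confirmed compromise.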


6 LEGISLATIVE AND SOCIOLOGICAL PERSPECTIVE ANALYSIS

Digital interactions are fundamentally linked to trust and security. The widespread adoption and evolution of ICT has led to both an increase in innovative activities across all sectors and the continuously expanding reach of security vulnerabilities and risks. As recent events and security breaches26 have caught the media's attention, discussions on the (in)security of network and information systems have become commonplace. This in turn has stirred increasing levels of concern among the public, who now more than ever claim for viable solutions capable of restoring their trust and protecting their security.

Despite this situation, there is no simple answer capable of ensuring total ICT security: "Security is not achieved by a single technical fix, nor can it come about because one company or sector of the economy decides security is important. Creating security and trust in the Internet requires different players (within their different responsibilities and roles) to take action closest to where the issues are occurring"27.

As traditional approaches based only on technical solutions give way to holistic approaches, a trend towards the involvement of end-users in the creation of secure ICT environments is now focused on fostering a security mindset that embeds security considerations into the everyday choices of users28.

In this context, informing and conveying trust to security-aware users has become more relevant than ever. In the words of Robert Hayes, "Trust is at the heart of a successful security strategy, yet knowing who and what can be trusted, and whether that trust should be absolute or conditional, is extremely difficult"29. A holistic approach to security, aimed at empowering and educating end users, will require the creation of tools designed to facilitate end-user trust.

A leap forward in this direction can be achieved through the introduction of end-user iterative security validation tools. Through the integration of technical, educational and methodological solutions, end-users are not only given the opportunity to monitor the status of the ICT systems that are most relevant to them, but also to take preventative and curative steps towards securing their information from cyberattacks.

Network and information systems and services are increasingly at risk, the more they play a vital role in our society. Their reliability and security are essential to economic and societal activities, and in particular to the functioning of the market as well as to the protection of the rights and liberties of individuals whose information circulates in those networks.

In the light of this, the European Union is in the process of reviewing the regulatory framework governing cybersecurity and the protection of personal data.

In 2016, the European Union legislator adopted Directive 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (hereinafter "NIS Directive"). The Directive provides legal measures to boost the overall level of cybersecurity in the EU by ensuring:

- Member States' preparedness by requiring them to be appropriately equipped, e.g. via a Computer Security Incident Response Team (CSIRT) and a competent national NIS authority;

26 See https://dig.watch/issues/cybersecurity
27 Internet Society (2015), Internet Society approach to cyber security policy, https://www.internetsociety.org/news/internet-society-approach-cyber-security-policy
28 Dutton, William (2017), Fostering a cyber security mindset. https://policyreview.info/articles/analysis/fostering-cyber-security-mindset
29 Hayes, Robert (2016), Cybersecurity: a question of trust. https://blogs.microsoft.com/microsoftsecure/2016/10/20/cybersecurity-a-question-of-trust/


- cooperation among all the Member States, by setting up a cooperation group, in order tosupportandfacilitatestrategiccooperationandtheexchangeof informationamongMemberStates. Theywill also need to set a CSIRT Network, in order to promote swift and effectiveoperational cooperation on specific cybersecurity incidents and sharing information aboutrisks;

- acultureofsecurityacrosssectorswhicharevitalfortheeconomyandsocietyandmoreoverrelyheavilyonICTs,suchasenergy,transport,water,banking,financialmarketinfrastructures,healthcare and digital infrastructure.Businesses in these sectors that are identified by theMember States as operators of essential services will have to take appropriate securitymeasuresandtonotifyserious incidentstotherelevantnationalauthority.Alsokeydigitalservice providers (search engines, cloud computing services and onlinemarketplaces) willhavetocomplywiththesecurityandnotificationrequirementsunderthenewDirective.ThisshouldincludealsoprovidersofIoTservicesandproducts.

Further to the NIS Directive, the relevant European legal framework also protects personal dataagainst data breaches, by means of security obligations imposed on undertakings by Regulation679/2016 (hereinafter “GDPR”). More specifically, and regardless of the role they bear within thepersonal data processing, organizations in Europe must implement appropriate technical andorganizationalmeasurestoensurea levelofsecurityappropriatetotherisk, including interaliaasappropriate:

- thepseudonymisationandencryptionofpersonaldata;- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of

processingsystemsandservices;- the ability to restore the availability and access to personal data in a timelymanner in the

eventofaphysicalortechnicalincident;- a process for regularly testing, assessing and evaluating the effectiveness of technical and

organizationalmeasuresforensuringthesecurityoftheprocessing.

Astrategywhichembedstheprotectionofpersonaldata–alsointermsofsecurity–intothedesignandfunctioningofthesystems,needsthereforetobedevisedandfollowed.

The strategy should incorporate the following elements:

a) clear allocation of roles within the personal data processing, in order to:

   a. identify the data controller, the data processor(s) and the persons processing personal data under the authority of the controller or processor;

   b. formally bind the data processor(s) to guarantee a certain level of safeguards for personal data;

   c. map any potential stakeholder that may process personal data outside the European Union and formally bind it to guarantee a certain level of safeguards for personal data;

   d. assign the relevant authorization and authentication profiles to the persons processing personal data under the authority of the controller or processor.

b) appointment of a Data Protection Officer, where necessary, in the light of the business and related data processing activities carried out by the data controller and/or processor;

c) a Data Protection Impact Assessment (DPIA), where necessary; this process is anyway recommended for services, applications and systems that process personal data, even though they do not seem risky at the outset. The DPIA is a crucial step to ascertain whether personal data run risks in terms of security, and what the remedies to those risks are;

d) implementation of the principles of data protection by design and by default throughout the whole data lifecycle;


e) policies and procedures to periodically test the security resilience of a system (e.g., penetration tests, vulnerability assessments, etc.) and carry out the relevant remediation activities;

f) adherence to codes of conduct and/or certification mechanisms for security of personal data;

g) a well defined internal procedure to cope with any data breaches and notification thereof:

   a. to the competent Data Protection Authority, within 72 hours after having become aware of it;

   b. to the data subjects involved, without undue delay, unless any of the following conditions are met:

      i. the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;

      ii. the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise;

      iii. it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

On top of this, the revision of rules for privacy in the electronic communications sector shall be followed, as the European Union is planning to replace the currently in force Directive 2002/58/EC with a Regulation that should extend privacy and security obligations to the so called “over-the-top” providers too.

This regulatory approach is framed within the Digital Single Market Strategy pursued by the European Commission, which encompasses Internet of Things developments too. According to the recent Commission’s Communication on this subject [30]:

“The Commission will consider the possible need to adapt the current legal framework to take account of new technological developments (including robotics, Artificial Intelligence and 3D printing), especially from the angle of civil law liability and taking into account the results of the ongoing evaluation of the Directive on liability for defective products and the Machinery Directive. Predictability on the access to patent protected technology endorsed in standards (standard essential patents) is key for the rollout of Internet of Things where a broad range of sectors will implement standards on mobile connectivity. The Commission is assessing effective means to ensure a balanced framework for the licensing of this intellectual property respecting the interests of both developers and users of technology.

The Commission will:

- by autumn 2017, subject to Impact Assessment, prepare a legislative proposal on the EU free flow of data cooperation framework which takes into account the principle of free flow of data within the EU, the principle of porting non-personal data, including when switching business services like cloud services as well as the principle of availability of certain data for regulatory control purposes also when that data is stored in another Member State;

- in spring 2018, based on an evaluation of existing legislation and subject to an Impact Assessment, prepare an initiative on accessibility and re-use of public and publicly funded data and further explore the issue of privately held data which are of public interest.

- also further analyse whether to define principles to determine who is liable in cases of damage caused by data-intensive products.

- continue to assess the need for action concerning the emerging data issues as identified in the data Communication from January 2017, such as data access rights”.

[30] COM (2017) 228 final, Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on the Mid-Term Review on the implementation of the Digital Single Market Strategy.

The regulatory framework described above is evidently in a transitional phase and needs to be closely followed by any interested party and proactively implemented in the daily business activities, in order to ensure not only formal compliance with the rules but also substantial protection of the systems and the personal data they carry.


7 SECURITY IN ANASTACIA

In this section of the document we contextualize the security aspects considered above by mapping them onto the expected implementation of the ANASTACIA platform.

ANASTACIA PROTECTION LAYERS

Concerning the development of the ANASTACIA platform, the deployment of efficient protection systems is crucial in order to effectively identify and mitigate threats targeting the system. In this context, it is important to exploit already available consolidated solutions, with the aim of avoiding repeated design, engineering and implementation of already available components. Such an approach lets the effort focus on the development of the innovative components of the system. In this context, three different kinds of protection components can be considered, in order to implement security on top of three different layers:

• Consolidated components off the shelf (COTS)
The first protection layer focuses on the adoption of consolidated solutions provided by network and security vendors. Although such exploitation does not represent an innovative characteristic of the ANASTACIA platform, it provides efficient security solutions against well known threats, today mitigated by different vendors. For instance, it is worth mentioning that during the development of this document an important cyber-security event occurred. Indeed, in May 2017, the WannaCry ransomware was discovered, targeting several companies around the world, encrypting data on the targeted devices and replicating itself through vulnerable systems sharing data on the network. The attack, exploiting a recent but known vulnerability, caused serious damage to a wide range of companies around the globe. Nevertheless, at the time of the first attacks, the attack was already mitigated by some vendors of network appliances (e.g., Sonicwall). Considering this sample, it is important to avoid “reinventing the wheel”, by exploiting already available COTS components (to be kept continuously updated) that are able to provide protection against a wide range of well known threats.

• Already available partners’ products and systems
The second protection layer is focused on the adoption of products and services already implemented by the partners of the project. Unlike the previous case, the adoption and execution of such tools is not available to the public at large. In this context, the Montimage Monitoring Tool (MMT), implemented by Montimage, is a software able to analyse network traffic and extract protocol metadata. By using Deep Packet and Flow Inspection techniques (DPI/DFI), it is possible to extract metadata that is then given as input to other modules of the tool. Such tools, not necessarily available publicly, provide an important contribution during the security implementation activities, due to the innovative characteristics of the tools themselves.

• Innovative protection solutions
The last protection layer to be considered during the development of ANASTACIA security aspects is related to the design and development of innovative protection systems. The ANASTACIA platform will benefit from research activities executed in order to implement novel algorithms and systems able to counter cyber-attacks. In this context, the work will be focused on studying two categories of attacks in particular: on one side, Denial of Service (DoS) attacks, executed in order to make a network service unavailable to legitimate users; the focus here is on recent categories of attacks known as low-rate DoS, or Slow DoS Attacks. On the other side, covert channels will be investigated; such attacks are executed in order to bypass network restrictions or to exfiltrate sensitive information outside of the organization network. Both these kinds of threats represent a serious danger for the entire ANASTACIA platform. The focus will concern the study of the threats and the identification of running attacks, by analysing the live network traffic.


CURRENT ANASTACIA PROGRESS

In this section of the document we focus on the technical aspects of the ANASTACIA framework, with the aim of analysing the current state of the ANASTACIA framework development, according to the results achieved in the other running WPs.

According to the following figure, we focus on the technical WPs, hence on WP2 “Security and Trust by Design Enablers”, WP3 “Policy Enforcement and Run Time Enablers”, WP4 “Monitoring and Alert/Reacting Enablers”, and WP5 “Dynamic Security and Privacy Seal”.

Figure 14 - Focus on current ANASTACIA development analysis

We will now briefly describe the progress status of the mentioned WPs.

7.2.1 WP2 “Security and Trust by Design Enablers”

The aim of WP2 is to define the orchestration policies for SDN and IoT contexts, to analyze and focus on specific attack threats and mitigation measures, to investigate privacy risk models and associated contingency plans, and to provide a set of secure software development guidelines and procedures. The following considerations have been made so far.

• Policy definition and policy for orchestration
Two policy languages, previously described, have been considered: X-CIM (Common Information Model), the main DMTF standard that provides a common definition of management-related information independent of any specification, and HSPL/MSPL (High-level Security Policy Language and Medium-level Security Policy Language), policy languages defined within the European SECURED project. Moreover, a comparison between the most adopted SDN controllers and the most relevant open-source NFV-MANO implementations has been accomplished. Finally, a prototype focused on isolating devices from SDN networks has been implemented. Such prototype has been developed by adopting HSPL/MSPL policies and specific OpenDayLight SDN plugins.

• Attack threat selection
The focus is on last generation threats and in particular on low-rate denial of service (DoS) attacks and covert channel technologies. As previously mentioned, low-rate DoS threats are emerging attacks targeting network server systems with the aim of making them unreachable. The novelty of the attacks and their behaviour, similar to the behaviour of a legitimate client communicating on the network, makes them extremely difficult to counter. On the other side, covert channels, executed in order to evade network restrictions and access filtered services, or by insider threats to export sensitive data outside of the organization network, are also particularly difficult to identify, since the malicious payload is encapsulated in packets of unfiltered protocols.

• Attacks mitigation
Considering in particular intrusion detection systems (IDS), two different approaches are considered: signature based detection, generating signatures of well known threats in order to identify them, and anomaly based detection, distinguishing between legitimate and anomalous scenarios by comparing specific metrics computed from live traffic with the same metrics computed on legitimate traffic.
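The following is an added example, not code from ANASTACIA, MMT or any project partner, that puts the two IDS approaches above side by side on the Slow DoS behaviour described in the "Innovative protection solutions" and "Attack threat selection" items: a small signature database evaluated over connection metadata (the kind DPI/DFI tools extract), and an anomaly detector that derives a baseline metric (bytes received per second of connection lifetime) from legitimate traffic and flags live connections that deviate from it by more than k standard deviations. All connection records, rule names and IP addresses are constructed; the `Conn` record is a hypothetical simplification of what a real flow-metadata extractor would produce.

```python
"""Signature-based vs anomaly-based detection over constructed connection metadata."""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Conn:
    """Hypothetical per-connection metadata record (constructed for this example)."""
    src: str                   # client address
    dst_port: int              # server port
    duration_s: float          # seconds the connection stayed open
    bytes_in: int              # bytes received from the client over that time
    request_complete: bool     # True if a full application-layer request ever arrived


# --- Signature-based detection: rules describing known-bad patterns -----------
SIGNATURES: Dict[str, Callable[[Conn], bool]] = {
    # Constructed rule: an HTTP connection held open for over a minute without ever
    # completing the request is the footprint of low-rate (Slow) DoS tools.
    "slow-http-incomplete-request": lambda c: (
        c.dst_port == 80 and not c.request_complete and c.duration_s > 60
    ),
    # Constructed rule: cleartext telnet should not be reachable in this network.
    "legacy-telnet-access": lambda c: c.dst_port == 23,
}


def signature_verdicts(conns: List[Conn]) -> List[Tuple[str, str]]:
    """Return (source, signature name) for every rule that fires on a connection."""
    return [(c.src, name) for c in conns for name, rule in SIGNATURES.items() if rule(c)]


# --- Anomaly-based detection: compare live metrics against a legitimate baseline ---
def bytes_per_second(c: Conn) -> float:
    # Guard against zero-length connections so the metric is always defined.
    return c.bytes_in / max(c.duration_s, 1e-3)


def build_baseline(legit: List[Conn]) -> Tuple[float, float]:
    """Mean and population standard deviation of the metric over known-good traffic."""
    rates = [bytes_per_second(c) for c in legit]
    if len(rates) < 2:
        raise ValueError("need at least two legitimate connections to build a baseline")
    return mean(rates), pstdev(rates)


def anomaly_verdicts(live: List[Conn], baseline: Tuple[float, float],
                     k: float = 3.0) -> List[Tuple[str, float]]:
    """Flag connections whose metric lies more than k std-devs from the baseline mean."""
    mu, sigma = baseline
    flagged = []
    for c in live:
        rate = bytes_per_second(c)
        if abs(rate - mu) > k * sigma:
            flagged.append((c.src, round(rate, 2)))
    return flagged


def run_ids(legit: List[Conn], live: List[Conn], k: float = 3.0) -> Dict[str, list]:
    """Run both approaches and return their verdict lists."""
    return {
        "signature": signature_verdicts(live),
        "anomaly": anomaly_verdicts(live, build_baseline(legit), k),
    }


# Constructed sample data: a legitimate-traffic capture used to train the baseline ...
LEGIT_BASELINE = [
    Conn("10.0.0.11", 80, 0.8, 1600, True),
    Conn("10.0.0.12", 80, 1.2, 3000, True),
    Conn("10.0.0.13", 80, 0.5, 900, True),
    Conn("10.0.0.14", 80, 2.0, 6400, True),
    Conn("10.0.0.15", 80, 1.0, 2200, True),
]
# ... and a live window containing two slow, never-completing HTTP connections
# from one client plus a telnet session.
LIVE_TRAFFIC = [
    Conn("10.0.0.21", 80, 0.9, 2000, True),
    Conn("198.51.100.7", 80, 300.0, 400, False),
    Conn("198.51.100.7", 80, 290.0, 380, False),
    Conn("10.0.0.22", 80, 0.4, 700, True),
    Conn("10.0.0.23", 23, 1.0, 1500, True),
]

if __name__ == "__main__":
    for approach, verdicts in run_ids(LEGIT_BASELINE, LIVE_TRAFFIC).items():
        print(approach, verdicts)
```

Note what each approach sees: the signature rule names the threat explicitly but only fires on the behaviour it was written for, while the anomaly detector catches the slow connections purely because their byte rate is far below the legitimate baseline, yet says nothing about the telnet session, whose rate looks normal. A real deployment would feed both verdict lists to the alert and reaction module rather than choosing one of them.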

7.2.2 WP3 “Policy Enforcement and Run Time Enablers”

The aim of WP3 is to design and develop algorithms, protocols and mechanisms to orchestrate the required security functions, according to the desired policies. The security orchestrator implemented in WP3 is a crucial element of the ANASTACIA platform, to efficiently manage the deployment and configuration of security mechanisms in complex scenarios like SDN, NFV, and IoT. In this vein, the following considerations have been made.

• Policy Refinement Procedures for Security Enablers Orchestration
Security capabilities define the set of network security functions (NSF, or VNF if they are virtual) that will enable the selected policy requirements. These security capabilities allow describing the security features of the system in a technology-agnostic way, without the need to designate specific implementations. An NSF/VNF, also called security enabler, implements security controls. A High-level Security Policy Language (HSPL) policy is translated into security controls through a two-step process: it is first refined into the Medium-level Security Policy Language (MSPL), and the MSPL policy is then converted into the security controls of a specific enabler. The resulting low-level configuration can then be used to effectively orchestrate the required security enablers.

• Orchestration of Security Functions
Accounting for the heterogeneity of available security enablers, the ANASTACIA orchestration is in charge of efficiently managing the enforcement over different environments, such as NFV, SDN and IoT. To this aim, specific efforts have been devoted to investigating the interactions with the relevant control and management modules. In the case of SDN, the Northbound APIs of the SDN controller can be exploited to enforce the relevant SDN flow rules, as well as to receive statistics from the underlying SDN switches. To deploy and configure security VNFs, the ANASTACIA orchestration can refer to the Management and Orchestration (MANO) block of the ETSI ISG NFV architecture, whose features have been detailed in Section [Error. Reference source not found.]. To manage security controls in the IoT domain, the ANASTACIA orchestration will rely on specific IoT controllers, which can communicate with the IoT devices via different IoT management protocols, such as the Constrained Application Protocol (CoAP), Lightweight Machine to Machine (LWM2M) and RESTCONF.
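As an added illustration of the two-step refinement and of the enabler-specific enforcement described in the two items above (example code written for this page, not ANASTACIA's orchestrator and not the SECURED project's HSPL/MSPL tooling): a high-level sentence is refined into a technology-agnostic, capability-level policy object, which is then converted into the configuration of one of two enablers, an OpenFlow-style flow entry for an SDN switch or an iptables rule for a firewall VNF. The sentence grammar (`<src> must not access <dst|any> [on port <n>]`) and the `MediumPolicy` dataclass are a hypothetical simplified notation standing in for HSPL and MSPL; the flow entry uses generic OpenFlow match-field names rather than any specific controller's northbound API, and the assumption that a port condition implies TCP is the example's own.

```python
"""Two-step policy refinement: HSPL-like sentence -> MSPL-like capability -> enabler config."""
import re
from dataclasses import dataclass
from typing import Dict, Union

# Hypothetical HSPL-like grammar (not the real HSPL syntax):
#   "<src_ip> must not access <dst_ip|any> [on port <n>]"
_HSPL_RE = re.compile(
    r"^(?P<src>\d{1,3}(?:\.\d{1,3}){3}) must not access "
    r"(?P<dst>any|\d{1,3}(?:\.\d{1,3}){3})(?: on port (?P<port>\d{1,5}))?$"
)


@dataclass(frozen=True)
class MediumPolicy:
    """MSPL-like (hypothetical): names a capability and its conditions, never an implementation."""
    capability: str                 # e.g. "traffic_filtering"
    action: str                     # e.g. "deny"
    conditions: Dict[str, object]   # src_ip, optional dst_ip, optional dst_port
    priority: int = 100


def hspl_to_mspl(hspl: str) -> MediumPolicy:
    """Step 1: refine the high-level sentence into a capability-level policy."""
    m = _HSPL_RE.match(hspl.strip())
    if m is None:
        raise ValueError(f"unsupported HSPL sentence: {hspl!r}")
    cond: Dict[str, object] = {"src_ip": m.group("src")}
    if m.group("dst") != "any":
        cond["dst_ip"] = m.group("dst")
    if m.group("port") is not None:
        port = int(m.group("port"))
        if not 0 < port < 65536:
            raise ValueError(f"port out of range: {port}")
        cond["dst_port"] = port
    return MediumPolicy("traffic_filtering", "deny", cond)


def _check_supported(p: MediumPolicy, enabler: str) -> None:
    # Both enablers below only implement the deny-filtering capability.
    if p.capability != "traffic_filtering" or p.action != "deny":
        raise ValueError(f"{enabler} enabler cannot enforce {p.capability}/{p.action}")


def mspl_to_openflow(p: MediumPolicy) -> Dict[str, object]:
    """Step 2a: OpenFlow-style flow entry for an SDN enabler.

    Generic OpenFlow match-field names are used; an empty action list means the
    switch drops matching packets."""
    _check_supported(p, "SDN")
    match: Dict[str, object] = {"eth_type": 0x0800, "ipv4_src": p.conditions["src_ip"]}
    if "dst_ip" in p.conditions:
        match["ipv4_dst"] = p.conditions["dst_ip"]
    if "dst_port" in p.conditions:
        match["ip_proto"] = 6                      # assumption: port condition means TCP
        match["tcp_dst"] = p.conditions["dst_port"]
    return {"priority": p.priority, "match": match, "actions": []}


def mspl_to_iptables(p: MediumPolicy) -> str:
    """Step 2b: iptables rule for a firewall VNF enabler (FORWARD chain, DROP target)."""
    _check_supported(p, "firewall VNF")
    parts = ["iptables", "-A", "FORWARD", "-s", str(p.conditions["src_ip"])]
    if "dst_ip" in p.conditions:
        parts += ["-d", str(p.conditions["dst_ip"])]
    if "dst_port" in p.conditions:
        parts += ["-p", "tcp", "--dport", str(p.conditions["dst_port"])]
    parts += ["-j", "DROP"]
    return " ".join(parts)


def refine(hspl: str, enabler: str) -> Union[Dict[str, object], str]:
    """Full pipeline: pick the converter for the enabler the orchestrator selected."""
    policy = hspl_to_mspl(hspl)
    if enabler == "sdn":
        return mspl_to_openflow(policy)
    if enabler == "firewall_vnf":
        return mspl_to_iptables(policy)
    raise ValueError(f"unknown enabler: {enabler}")


if __name__ == "__main__":
    # Constructed sample policies: one targeted deny, one full device isolation.
    for sentence in ("10.0.1.25 must not access 10.0.2.10 on port 23",
                     "10.0.1.25 must not access any"):
        print(sentence)
        print("  MSPL-like :", hspl_to_mspl(sentence))
        print("  SDN       :", refine(sentence, "sdn"))
        print("  firewall  :", refine(sentence, "firewall_vnf"))
```

The separation pays off at the second step: the orchestrator decides which enabler is available in a given segment (an SDN switch, a firewall VNF instantiated through MANO) and only the last conversion changes, while the capability-level policy and the sentence the operator wrote stay the same. Unsupported sentences and capabilities are rejected early, so nothing reaches an enabler that the refinement did not understand.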

7.2.3 WP4 “Monitoring and Alert/Reacting Enablers”

The aim of WP4 is to implement the monitoring, alert and reaction components/enablers of the ANASTACIA platform. The following activities characterize the work behind WP4 development.

• Monitoring module design
The architecture of the module has been defined. The module will be implemented to detect security issues by adopting a signature-based strategy, analysing the network traffic and looking for abnormalities by using the signatures database. A data analysis module belonging to the monitoring module component makes use of DPI/DFI technologies to test the rules defined in the signatures database. The output of the module includes the list of verdicts of the tested properties.

• Alert, reaction and detection module design
The architecture of the module has been defined. Such module is a core element of the ANASTACIA platform, as it analyses the verdicts received from the monitoring module, hence proposing countermeasures and raising alerts, where needed.

7.2.4 WP5 “Dynamic Security and Privacy Seal”

The aim of WP5 is to research, analyse, design, develop and implement an innovative model of Dynamic Security and Privacy Seal that combines the obligations from the new European General Data Protection Regulation (GDPR) and other relevant normative dispositions, ISO norms and ITU recommendations, together with real time monitoring of deployed systems, including a quantitative and qualitative run-time evaluation of the quality of security and privacy risks, which can be easily understood and controlled by the final users.

The Dynamic Security and Privacy Seal will be closely integrated with the rest of the ANASTACIA architecture. Several considerations have been made so far.

• Legal Obligations and Norms
Relevant normative dispositions on privacy and cybersecurity have been identified at the international, regional and national level, particularly through the GDPR, e-Privacy Directive, NIS Directive and Swiss Law. Research will focus on the specific interplay between these normative bodies and the standards/models considered below.

• Standards and Models to be Considered
Various ISO Standards and ITU-T recommendations have been identified and noted as potentially relevant; these will be analysed in parallel to a number of Privacy Impact Assessment Methodologies, Threat Analysis Models and the principles and recommendations generated by relevant stakeholders on IoT security and privacy. Once clarity has been achieved on the contextual framework, research will focus on synthesizing the Privacy and Security requirements that must be addressed by the Seal, along with the listing of the risks and threats to be monitored.

• Dynamic Security and Privacy Seal (DSPS) Model
WP5 will then explore the possibility to combine ISO and regulatory requirements with real time monitoring. A specific model will be designed and specified. Several options may be considered, including completely ICT-based models and hybrid models where on-site human inspection can complement ICT tools. Once a solution that meets these requirements is found, identification of the relevant ANASTACIA enablers capable of addressing the list of risks and threats to be monitored will take place. Finally, a set of specifications to further define the process and user interface will be generated along with the technical requirements for the DSPS implementation.

• Dynamic Security and Privacy Seal (DSPS) Implementation
Once the model has been clearly specified, WP5 will start implementing the seal as a highly trustable and authenticated dynamic seal. WP5 will most likely adopt the perspective of an external service located in a secured server and connected to the distributed ANASTACIA platforms with highly secured and authenticated access. Later on, WP5 will focus on the user interface and experience by leveraging real use cases.


8 CONCLUSIONS

In this document, we have analysed the ANASTACIA security framework structure by considering a holistic view, through the adoption of a holistic cyber-security approach. We have first introduced ANASTACIA technical details, hence formalizing and describing HCS-IF, the Holistic Cyber-Security Implementation Framework adopted.

We have then discussed the Building Energy Management System (BEMS), Multi-access Edge Computing (MEC), and Internet of Things (IoT) scenarios considered in ANASTACIA, by evaluating, from the users’ perspective, their characteristics and analysing how the ANASTACIA platform can provide added value, in terms of security provided to the system. Then, we have considered business aspects related to the ANASTACIA platform, by analysing the profit and advantages the system can provide to the stakeholders, from the business point of view. We have also analysed technical aspects of ANASTACIA, with particular focus on security and data privacy and management, discussing network security enablers, security aspects and threats to be considered, with special focus on IoT environments. Also, we have studied legislative and sociological aspects of ANASTACIA, by analysing security related regulations and considering the importance of providing trust to security aware users.

The detailed analysis accomplished during the development of ANASTACIA Task 1.1 and described in this document will be a crucial element for the development of the entire platform, thanks to its multi-aspect point of view.


9 APPENDIX I: SECURITY RELATED TERMINOLOGY

In the following, according to the NIST glossary of key information security terms [Nist, 2013], we report a selected subset of terms related to the cyber-security context.

Term: Definition

Access Authority: An entity responsible for monitoring and granting access privileges for other authorized entities.

Access Control List (ACL): 1. A list of permissions associated with an object. The list specifies who or what is allowed to access the object and what operations are allowed to be performed on the object. 2. A mechanism that implements access control for a system resource by enumerating the system entities that are permitted to access the resource and stating, either implicitly or explicitly, the access modes granted to each entity.

Access Point: A device that logically connects wireless client devices operating in infrastructure to one another and provides access to a distribution system, if connected, which is typically an organization’s enterprise wired network.

Account Management, User: Involves: the process of requesting, establishing, issuing, and closing user accounts; tracking users and their respective access authorizations; managing these functions.

Accountability: The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports non-repudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action.

Ad Hoc Network: A wireless network that dynamically connects wireless client devices to each other without the use of an infrastructure device, such as an access point or a base station.

Add-on Security: Incorporation of new hardware, software, or firmware safeguards in an operational information system.

Advanced Encryption Standard (AES): The Advanced Encryption Standard specifies a U.S. government-approved cryptographic algorithm that can be used to protect electronic data. The AES algorithm is a symmetric block cipher that can encrypt (encipher) and decrypt (decipher) information. This standard specifies the Rijndael algorithm, a symmetric block cipher that can process data blocks of 128 bits, using cipher keys with lengths of 128, 192, and 256 bits.

Anomaly-Based Detection: The process of comparing definitions of what activity is considered normal against observed events to identify significant deviations.

Attack Sensing and Warning (AS&W): Detection, correlation, identification, and characterization of intentional unauthorized activity with notification to decision makers so that an appropriate response can be developed.

Attack Signature: A specific sequence of events indicative of an unauthorized access attempt.

Attribute-Based Access Control: Access control based on attributes associated with and about subjects, objects, targets, initiators, resources, or the environment. An access control rule set defines the combination of attributes under which an access may take place.

Authentication Protocol: A defined sequence of messages between a Claimant and a Verifier that demonstrates that the Claimant has possession and control of a valid token to establish his/her identity, and optionally, demonstrates to the Claimant that he or she is communicating with the intended Verifier.

Automated Security Monitoring: Use of automated procedures to ensure security controls are not circumvented or the use of these tools to track actions taken by subjects suspected of misusing the information system.

Backdoor: Typically unauthorized hidden software or hardware mechanism used to circumvent security controls.

Baseline Security: The minimum security controls required for safeguarding an IT system based on its identified needs for confidentiality, integrity, and/or availability protection.

Black Box Testing: A test methodology that assumes no knowledge of the internal structure and implementation detail of the assessment object.

Black Core: A communication network architecture in which user data traversing a global Internet Protocol (IP) network is end-to-end encrypted at the IP layer.

Blended Attack: A hostile action to spread malicious code via multiple methods.

Blinding: Generating network traffic that is likely to trigger many alerts in a short period of time, to conceal alerts triggered by a “real” attack performed simultaneously.

Boundary Protection: Monitoring and control of communications at the external boundary of an information system to prevent and detect malicious and other unauthorized communication, through the use of boundary protection devices (e.g., proxies, gateways, routers, firewalls, guards, encrypted tunnels).

Brute Force Password Attack: A method of accessing an obstructed device through attempting multiple combinations of numeric and/or alphanumeric passwords.

Buffer Overflow Attack: A method of overloading a predefined amount of space in a buffer, which can potentially overwrite and corrupt data in memory.

Bulk Encryption: Simultaneous encryption of all channels of a multichannel telecommunications link.


Callback: Procedure for identifying and authenticating a remote information system terminal, whereby the host system disconnects the terminal and re-establishes contact.

Central Services Node (CSN): The Key Management Infrastructure core node that provides central security management and data management services.

Certificate: A digital representation of information which at least 1) identifies the certification authority issuing it, 2) names or identifies its subscriber, 3) contains the subscriber's public key, 4) identifies its operational period, and 5) is digitally signed by the certification authority issuing it.

Certificate Revocation List (CRL): A list of revoked public key certificates created and digitally signed by a Certification Authority.

Certification Authority (CA): A trusted entity that issues and revokes public key certificates.

Cipher Block Chaining-Message Authentication Code (CBC-MAC): A secret-key block-cipher algorithm used to encrypt data and to generate a Message Authentication Code (MAC) to provide assurance that the payload and the associated data are authentic.

Claimant: A party whose identity is to be verified using an authentication protocol.

Closed Security Environment: Environment providing sufficient assurance that applications and equipment are protected against the introduction of malicious logic during an information system life cycle. Closed security is based upon a system's developers, operators, and maintenance personnel having sufficient clearances, authorization, and configuration control.

Cloud Computing: A model for enabling on-demand network access to a shared pool of configurable IT capabilities/resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. It allows users to access technology-based services from the network cloud without knowledge of, expertise with, or control over the technology infrastructure that supports them. This cloud model is composed of five essential characteristics (on-demand self-service, ubiquitous network access, location independent resource pooling, rapid elasticity, and measured service); three service delivery models (Cloud Software as a Service [SaaS], Cloud Platform as a Service [PaaS], and Cloud Infrastructure as a Service [IaaS]); and four models for enterprise access (Private cloud, Community cloud, Public cloud, and Hybrid cloud).

Common Misuse Scoring System (CMSS): A set of measures of the severity of software feature misuse vulnerabilities. A software feature is a functional capability provided by software. A software feature misuse vulnerability is a vulnerability in which the feature also provides an avenue to compromise the security of a system.


Common Vulnerabilities and Exposures (CVE): A dictionary of common names for publicly known information system vulnerabilities.

Communications Cover: Concealing or altering of characteristic communications patterns to hide information that could be of value to an adversary.

Communications Profile: Analytic model of communications associated with an organization or activity. The model is prepared from a systematic examination of communications content and patterns, the functions they reflect, and the communications security measures applied.

Communications Security (COMSEC): A component of Information Assurance that deals with measures and controls taken to deny unauthorized persons information derived from telecommunications and to ensure the authenticity of such telecommunications. COMSEC includes cryptosecurity, transmission security, emissions security, and physical security of COMSEC material.

Community Risk: Probability that a particular vulnerability will be exploited within an interacting population and adversely impact some members of that population.

Comprehensive Testing: A test methodology that assumes explicit and substantial knowledge of the internal structure and implementation detail of the assessment object. Also known as white box testing.

Computer Forensics: The practice of gathering, retaining, and analyzing computer-related data for investigative purposes in a manner that maintains the integrity of the data.

Computer Network Attack (CNA): Actions taken through the use of computer networks to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves.

Computer Network Defense (CND): Actions taken to defend against unauthorized activity within computer networks. CND includes monitoring, detection, analysis (such as trend and pattern analysis), and response and restoration activities.

Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

Configuration Control: Process of controlling modifications to hardware, firmware, software, and documentation to protect the information system against improper modification prior to, during, and after system implementation.

Content Filtering: The process of monitoring communications such as email and Web pages, analyzing them for suspicious content, and preventing the delivery of suspicious content to users.

Continuous Monitoring: The process implemented to maintain a current security status for one or more information systems or for the entire suite of information systems on which the operational mission of the enterprise depends. The process includes: 1) The development of a strategy to regularly evaluate selected IA controls/metrics, 2) Recording and evaluating IA relevant events and the effectiveness of the enterprise in dealing with those events, 3) Recording changes to IA controls, or changes that affect IA risks, and 4) Publishing the current security status to enable information-sharing decisions involving the enterprise.

Counter with Cipher Block Chaining-Message Authentication Code (CCM)

Amodeofoperationforasymmetrickeyblockcipheralgorithm.Itcombinesthe techniques of the Counter (CTR) mode and the Cipher Block Chaining-Message Authentication Code (CBC-MAC) algorithm to provide assurance oftheconfidentialityandtheauthenticityofcomputerdata

Countermeasures Actions,devices,procedures, techniques,orothermeasures that reduce thevulnerabilityofaninformationsystem.Synonymouswithsecuritycontrolsandsafeguards.

Cover-Coding Atechniquetoreducetherisksofeavesdroppingbyobscuringtheinformationthatistransmitted.

Covert Channel An unauthorized communication path that manipulates a communicationsmedium in an unexpected, unconventional, or unforeseen way in order totransmit information without detection by anyone other than the entitiesoperatingthecovertchannel.

Critical Infrastructure System and assets, whether physical or virtual, so vital to the U.S. that theincapacityordestructionofsuchsystemsandassetswouldhaveadebilitatingimpact on security, national economic security, national public health orsafety,oranycombinationofthosematters.

Cross Site Scripting (XSS): A vulnerability that allows attackers to inject malicious code into an otherwise benign website. These scripts acquire the permissions of scripts generated by the target website and can therefore compromise the confidentiality and integrity of data transfers between the website and client. Websites are vulnerable if they display user supplied data from requests or forms without sanitizing the data so that it is not executable.

Cross-Certificate: A certificate used to establish a trust relationship between two Certification Authorities.

Cryptanalysis: 1) Operations performed in defeating cryptographic protection without an initial knowledge of the key employed in providing the protection. 2) The study of mathematical techniques for attempting to defeat cryptographic techniques and information system security. This includes the process of looking for errors or weaknesses in the implementation of an algorithm or of the algorithm itself.

Cryptographic Hash Function: A function that maps a bit string of arbitrary length to a fixed length bit string. Approved hash functions satisfy the following properties: 1) (One-way) It is computationally infeasible to find any input which maps to any pre-specified output, and 2) (Collision resistant) It is computationally infeasible to find any two distinct inputs that map to the same output.

Cyber Attack: An attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information.

Cybersecurity: The ability to protect or defend the use of cyberspace from cyber attacks.

Cyclical Redundancy Check (CRC): A method to ensure data has not been altered after being sent through a communication channel.

Data Encryption Standard (DES): Cryptographic algorithm designed for the protection of unclassified data and published by the National Institute of Standards and Technology (NIST) in Federal Information Processing Standard (FIPS) Publication 46. (FIPS 46-3 withdrawn 19 May 2005.) See Triple DES.

Data Integrity: The property that data has not been altered in an unauthorized manner. Data integrity covers data in storage, during processing, and while in transit.

Data Security: Protection of data from unauthorized (accidental or intentional) modification, destruction, or disclosure.

Defense-in-Breadth: A planned, systematic set of multidisciplinary activities that seek to identify, manage, and reduce risk of exploitable vulnerabilities at every stage of the system, network, or sub-component life cycle (system, network, or product design and development; manufacturing; packaging; assembly; system integration; distribution; operations; maintenance; and retirement).

Defense-in-Depth: Information security strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and dimensions of the organization.

Denial of Service (DoS): The prevention of authorized access to resources or the delaying of time-critical operations. (Time-critical may be milliseconds or it may be hours, depending upon the service provided.)

Digital Forensics: The application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data.

Digital Signature: An asymmetric key operation where the private key is used to digitally sign data and the public key is used to verify the signature. Digital signatures provide authenticity protection, integrity protection, and non-repudiation.

Distributed Denial of Service (DDoS): A Denial of Service technique that uses numerous hosts to perform the attack.

Eavesdropping Attack: An attack in which an Attacker listens passively to the authentication protocol to capture information which can be used in a subsequent active attack to masquerade as the Claimant.

Embedded Cryptographic System: Cryptosystem performing or controlling a function as an integral element of a larger system or subsystem.

Encrypted Network: A network on which messages are encrypted (e.g., using DES, AES, or other appropriate algorithms) to prevent reading by unauthorized parties.

Encrypted Key: A cryptographic key that has been encrypted using an Approved security function with a key encrypting key, a PIN, or a password in order to disguise the value of the underlying plaintext key.

End-to-End Encryption: Communications encryption in which data is encrypted when being passed through a network, but routing information remains visible.

Exploit Code: A program that allows attackers to automatically break into a system.

Exploitable Channel: Channel that allows the violation of the security policy governing an information system and is usable or detectable by subjects external to the trusted computing base.

Firewall: A gateway that limits access between networks in accordance with local security policy.

Firewall Control Proxy: The component that controls a firewall’s handling of a call. The firewall control proxy can instruct the firewall to open specific ports that are needed by a call, and direct the firewall to close these ports at call termination.

Firmware: The programs and data components of a cryptographic module that are stored in hardware within the cryptographic boundary and cannot be dynamically written or modified during execution.

Flooding: An attack that attempts to cause a failure in a system by providing more input than the system can process properly.

Forensics: The practice of gathering, retaining, and analyzing computer-related data for investigative purposes in a manner that maintains the integrity of the data.

Formal Method: Mathematical argument which verifies that the system satisfies a mathematically-described security policy.

Gateway: Interface providing compatibility between networks by converting transmission speeds, protocols, codes, or security measures.

Hacker: Unauthorized user who attempts to or gains access to an information system.

Handshaking Procedures: Dialogue between two information systems for synchronizing, identifying, and authenticating themselves to one another.

Hash Function: A function that maps a bit string of arbitrary length to a fixed length bit string. Approved hash functions satisfy the following properties: 1) One-Way. It is computationally infeasible to find any input that maps to any prespecified output. 2) Collision Resistant. It is computationally infeasible to find any two distinct inputs that map to the same output.

Hash-based Message Authentication Code (HMAC): A message authentication code that uses a cryptographic key in conjunction with a hash function.

Identity-Based Access Control: Access control based on the identity of the user (typically relayed as a characteristic of the process acting on behalf of that user) where access authorizations to specific objects are assigned based on user identity.

Information Security: The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.

Information Systems Security Engineering (ISSE): Process of capturing and refining information protection requirements to ensure their integration into information systems acquisition and information systems development through purposeful security design or configuration.

Intrusion Detection Systems (IDS): Hardware or software product that gathers and analyzes information from various areas within a computer or a network to identify possible security breaches, which include both intrusions (attacks from outside the organizations) and misuse (attacks from within the organizations).

IP Security (IPsec): Suite of protocols for securing Internet Protocol (IP) communications at the network layer, layer 3 of the OSI model, by authenticating and/or encrypting each IP packet in a data stream. IPsec also includes protocols for cryptographic key establishment.

Jamming: An attack in which a device is used to emit electromagnetic energy on a wireless network’s frequency to make it unusable.

Kerberos: A widely used authentication protocol developed at the Massachusetts Institute of Technology (MIT). In “classic” Kerberos, users share a secret password with a Key Distribution Center (KDC). The user, Alice, who wishes to communicate with another user, Bob, authenticates to the KDC and is furnished a “ticket” by the KDC to use to authenticate with Bob. When Kerberos authentication is based on passwords, the protocol is known to be vulnerable to off-line dictionary attacks by eavesdroppers who capture the initial user-to-KDC exchange. Longer password length and complexity provide some mitigation to this vulnerability, although sufficiently long passwords tend to be cumbersome for users.

Key Distribution Center (KDC): Communication security facility generating and distributing key in electronic form.

Key Establishment: The process by which cryptographic keys are securely established among cryptographic modules using manual transport methods (e.g., key loaders), automated methods (e.g., key transport and/or key agreement protocols), or a combination of automated and manual methods (consists of key transport plus key agreement).

Key Management: The activities involving the handling of cryptographic keys and other related security parameters (e.g., IVs and passwords) during the entire life cycle of the keys, including their generation, storage, establishment, entry and output, and zeroization.

Key Transport: The secure transport of cryptographic keys from one cryptographic module to another module.

Keyed-hash based message authentication code (HMAC): A message authentication code that uses a cryptographic key in conjunction with a hash function.

Labeled Security Protections: Access control protection features of a system that use security labels to make access control decisions.

Malware: A program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim’s data, applications, or operating system or of otherwise annoying or disrupting the victim.

Man-in-the-middle Attack (MitM): An attack on the authentication protocol run in which the Attacker positions himself in between the Claimant and Verifier so that he can intercept and alter data traveling between them.

Mandatory Access Control (MAC): A means of restricting access to system resources based on the sensitivity (as represented by a label) of the information contained in the system resource and the formal authorization (i.e., clearance) of users to access information of such sensitivity.

Message Authentication Code (MAC): A cryptographic checksum on data that uses a symmetric key to detect both accidental and intentional modifications of the data. MACs provide authenticity and integrity protection, but not non-repudiation protection.

Multi-Hop Problem: The security risks resulting from a mobile software agent visiting several platforms.

Mutual Authentication: Occurs when parties at both ends of a communication activity authenticate each other.

Network Sniffing: A passive technique that monitors network communication, decodes protocols, and examines headers and payloads for information of interest. It is both a review technique and a target identification and analysis technique.

Non-repudiation: Protection against an individual falsely denying having performed a particular action. Provides the capability to determine whether a given individual took a particular action such as creating information, sending a message, approving information, and receiving a message.

Off-line Attack: An attack where the Attacker obtains some data (typically by eavesdropping on an authentication protocol run, or by penetrating a system and stealing security files) that he/she is able to analyze in a system of his/her own choosing.

Off-line Cryptosystem: Cryptographic system in which encryption and decryption are performed independently of the transmission and reception functions.

Online Attack: An attack against an authentication protocol where the Attacker either assumes the role of a Claimant with a genuine Verifier or actively alters the authentication channel. The goal of the attack may be to gain authenticated access or learn authentication secrets.

Online Cryptosystem: Cryptographic system in which encryption and decryption are performed in association with the transmitting and receiving functions.

Organizational Information Security Continuous Monitoring: Ongoing monitoring sufficient to ensure and assure effectiveness of security controls related to systems, networks, and cyberspace, by assessing security control implementation and organizational security status in accordance with organizational risk tolerance – and within a reporting structure designed to make real-time, data-driven risk management decisions.

Over-The-Air Key Distribution: Providing electronic key via over-the-air rekeying, over-the-air key transfer, or cooperative key generation.

Packet Sniffer: Software that observes and records network traffic.

Passive Attack: An attack against an authentication protocol where the Attacker intercepts data traveling along the network between the Claimant and Verifier, but does not alter the data (i.e., eavesdropping).

Password Cracking: The process of recovering secret passwords stored in a computer system or transmitted over a network.

Penetration Testing: A test methodology in which assessors, using all available documentation (e.g., system design, source code, manuals) and working under specific constraints, attempt to circumvent the security features of an information system.

Phishing: Tricking individuals into disclosing sensitive personal information through deceptive computer-based means.

Policy-Based Access Control (PBAC): A form of access control that uses an authorization policy that is flexible in the types of evaluated parameters (e.g., identity, role, clearance, operational need, risk, and heuristics).

Policy Certification Authority (PCA): Second level of the PKI Certification Management Authority that formulates the security policy under which it and its subordinate CAs will issue public key certificates.

Quality of Service (QoS): The measurable end-to-end performance properties of a network service, which can be guaranteed in advance by a Service-Level Agreement between a user and a service provider, so as to satisfy specific customer application requirements. Note: These properties may include throughput (bandwidth), transit delay (latency), error rates, priority, security, packet loss, packet jitter, etc.

Radio Frequency Identification (RFID): A form of automatic identification and data capture (AIDC) that uses electric or magnetic fields at radio frequencies to transmit information.

Replay Attacks: An attack that involves the capture of transmitted authentication or access control information and its subsequent retransmission with the intent of producing an unauthorized effect or gaining unauthorized access.

Risk Analysis: The process of identifying the risks to system security and determining the likelihood of occurrence, the resulting impact, and the additional safeguards that mitigate this impact. Part of risk management and synonymous with risk assessment.

Risk Assessment: The process of identifying risks to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation, arising through the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis.

Role-Based Access Control (RBAC): A model for controlling access to resources where permitted actions on resources are identified with roles rather than with individual subject identities.

Root Certification Authority: In a hierarchical Public Key Infrastructure, the Certification Authority whose public key serves as the most trusted datum (i.e., the beginning of trust paths) for a security domain.

Rootkit: A set of tools used by an attacker after gaining root-level access to a host to conceal the attacker’s activities on the host and permit the attacker to maintain root-level access to the host through covert means.

Sandboxing: A method of isolating application modules into distinct fault domains enforced by software. The technique allows untrusted programs written in an unsafe language, such as C, to be executed safely within the single virtual address space of an application. Untrusted machine interpretable code modules are transformed so that all memory accesses are confined to code and data segments within their fault domain. Access to system resources can also be controlled through a unique identifier associated with each domain.

Secure Hash Algorithm (SHA): A hash algorithm with the property that it is computationally infeasible 1) to find a message that corresponds to a given message digest, or 2) to find two different messages that produce the same message digest.

Secure Socket Layer (SSL): A protocol used for protecting private information during transmission via the Internet. Note: SSL works by using a public key to encrypt data that's transferred over the SSL connection. Most Web browsers support SSL, and many Web sites use the protocol to obtain confidential user information, such as credit card numbers. By convention, URLs that require an SSL connection start with “https:” instead of “http:”.

Spoofing: “IP spoofing” refers to sending a network packet that appears to come from a source other than its actual source.

Spyware: Software that is secretly or surreptitiously installed into an information system to gather information on individuals or organizations without their knowledge; a type of malicious code.

Steganography: The art and science of communicating in a way that hides the existence of the communication. For example, a child pornography image can be hidden inside another graphic image file, audio file, or other file format.

Threat Analysis: The examination of threat sources against system vulnerabilities to determine the threats for a particular system in a particular operational environment.

Tunneling: Technology enabling one network to send its data via another network’s connections. Tunneling works by encapsulating a network protocol within packets carried by the second network.

Transport Layer Security (TLS): An authentication and security protocol widely implemented in browsers and Web servers.

Trusted Agent: Entity authorized to act as a representative of an agency in confirming Subscriber identification during the registration process. Trusted Agents do not have automated interfaces with Certification Authorities.

Validation: The process of demonstrating that the system under consideration meets in all respects the specification of that system.

Verification: Confirmation, through the provision of objective evidence, that specified requirements have been fulfilled (e.g., an entity’s requirements have been correctly defined, or an entity’s attributes have been correctly presented; or a procedure or function performs as intended and leads to the expected outcome).

Virtual Private Network (VPN): A virtual network, built on top of existing physical networks, that provides a secure communications tunnel for data and other information transmitted between networks.

Vulnerability: Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.

Wi-Fi Protected Access-2 (WPA2): The approved Wi-Fi Alliance interoperable implementation of the IEEE 802.11i security standard. For federal government use, the implementation must use FIPS-approved encryption, such as AES.
