Cybersecurity Strategic Research Agenda - CyberCamp


Page 1: Cybersecurity Strategic Research Agenda - CyberCamp · Cybersecurity Strategic Research Agenda ... hardware and software components and ... Requirements specification and

NIS Platform WG3 Secure ICT Research & Innovation

Cybersecurity Strategic Research Agenda

Fabio Martinelli – CNR

Raul Riesco Granadino – INCIBE

(co-chairs)

Aljosa Pasic – ATOS

Page 2

Agenda

Introduction

NIS Platform and WG3

Cybersecurity Strategic Research Agenda – SRA (Strategic Research Agenda)

Conclusions

Page 3

Introduction (references)

Letter of President Juncker to Commissioner Oettinger:

“Developing and implementing measures to make Europe more trusted and secure online, so that citizens and business can fully reap the benefits of the digital economy. I would like to work with the Vice-President for Digital Single Market on a plan to make the EU a leader in cyber security preparedness and trustworthy ICT, and to increase the confidentiality of communications.”

Page 4

Context

Promoting a Single Market for cybersecurity products

The Commission:

• Launch in 2013 a public-private platform on NIS solutions to develop incentives for the adoption of secure ICT solutions and the take-up of good cybersecurity performance to be applied to ICT products used in Europe.

• Propose recommendations to ensure cybersecurity across the ICT value chain, drawing on the work of this platform.

The Commission asks ENISA to:

• Develop technical guidelines and recommendations for the adoption of NIS standards and good practices in the public and private sectors.

Fostering R&D investments and innovation

The Commission will:

• Use Horizon 2020 to address a range of areas in ICT privacy and security, from R&D to innovation and deployment. Horizon 2020 will also develop tools and instruments to fight criminal and terrorist activities targeting the cyber environment.

• Establish mechanisms for better coordination of the research agendas of the European Union institutions and the Member States, and incentivise the Member States to invest more in R&D.

• Promote early involvement of industry and academia in developing and coordinating solutions. This should be done by making the most of Europe’s Industrial Base and associated R&D technological innovations, and be coordinated between the research agendas of civilian and military organisations.

Page 5

The NIS Platform

(Launched June 2013)

Page 6

The NIS Platform

• A key action of the EU Cybersecurity Strategy
  – Identify and develop incentives to adopt good cybersecurity practices
  – Promote the development and the adoption of secure ICT solutions

• A public-private platform
  – More than 200 participants (still increasing)
  – 18 MS + Norway: ministries, NIS agencies, NRAs, CERTs
  – Research & academia
  – Industry: ICT, finance, post, transport, healthcare, defence, energy, water sectors

• An open and inclusive multi-stakeholder Platform
  – Appropriate scientific, geographic, and sectorial coverage
  – Driven by the participants

Page 7

WG3 Scope and Objectives

• Scope
  – Address Cyber Security research and innovation in the context of the EU Cyber Security Strategy and the NIS Platform.
  – Identify key challenges and desired outcomes
  – Promote truly multidisciplinary research that fosters collaboration among researchers, industry and policy makers
  – Examine ways to increase the impact and commercial uptake of research results in the area of secure ICT

• Main objectives of WG3 within the NIS Platform
  – Contribute to the coordination of the European activities in Research and Innovation in connection with the European Cyber Security strategy
  – Produce high quality deliverables (regularly updated) summarizing its main findings
  – As an open forum, to be one of the main sources of inspiration for the crafting of H2020 Work Programmes

Page 8

WG3 Steering Committee

The human factor

Page 9

WG3 SC

Secure ICT Research Landscape
• Mari Kert, EOS – Editor
• Javier Lopez, U. Malaga – Editor
• Evangelos Markatos, FORTH – Editor
• Bart Preneel, KU Leuven – Editor

Business cases and innovation paths
• Zeta Dooly, WIT – Editor
• Paul Kearney, BT – Editor

Strategic Research Agenda
• Pascal Bisson, Thales – Editor
• Fabio Martinelli, CNR – Editor / Co-Chair of WG3
• Raúl Riesco Granadino, INCIBE – Editor / Co-Chair of WG3
• Kai Rannenberg, Goethe University – AoI#1 Leader
• Gisela Meister, GI-DE – AoI#1 Leader
• Nick Wainwright, HP – AoI#2 Leader
• Jim Clarke, TSSG – AoI#2 Leader
• Steffen Wendzel, U. Bonn – AoI#3 Leader
• Piero Corte, Engineering – AoI#3 Leader
• Hervé Debar, Telecom SudParis – X-Analysis Leader
• Volkmar Lotz, SAP – X-Analysis Leader
• Aljosa Pasic, ATOS – X-Analysis Leader
• Neeraj Suri, TU Darmstadt – X-Analysis Leader

Education and training for workforce development
• Maritta Heisel, U. Duisburg Essen – Editor
• Claire Vishik, INTEL – Editor

CO-CHAIRS
• Fabio Martinelli, CNR
• Raúl Riesco Granadino, INCIBE

Page 10

Methodology – an EU Coordinated Action

• Interactive sessions within NIS WG3 + cross-synchronization with several EU initiatives (business, innovation, research, education…) (avg.>60 experts / session)

• Virtual / online meetings:• x7 subgroups (bi/weekly) / subgroup

(x1 dedicated to Business deliverable)• x1 Steering Committee (monthly) with all leaders

• >200 members (experts) inside NIS WG3 + several EU initiatives actively contributed i.e. CSA)

Page 11

WG3 Main deliverables

Education and Training:
https://resilience.enisa.europa.eu/nis-platform/wg3-secure-ict-research-and-innovation/shared-spaces/snapshot-of-education-training-landscape-for-workforce-development/Education-Training.pdf/view

Strategic Research Agenda (SRA):
https://resilience.enisa.europa.eu/nis-platform/wg3-secure-ict-research-and-innovation/shared-spaces/the-strategic-research-agenda-sra/

Business cases and innovation paths (interim version):
https://resilience.enisa.europa.eu/nis-platform/wg3-secure-ict-research-and-innovation/shared-spaces/business-cases-and-innovation-paths/business-cases-and-innovation-paths-interim-version/view

All WG3 documents:
https://resilience.enisa.europa.eu/nis-platform/shared-documents/wg3-documents

Page 12

Strategic Research Agenda (SRA)

https://resilience.enisa.europa.eu/nis-platform/shared-documents/wg3-documents

Page 13

Process

Each area of interest was investigated separately for:

• Identifying challenges, enablers/inhibitors (technical, policy, organizational) and research gaps
• Those elements are useful to stakeholders mainly interested in one perspective

A cross analysis was then performed in order to identify common emerging themes and possible divergences.

Page 14

Three main areas of interest (AoI#1, AoI#2, AoI#3)

Page 15

Summary of commonalities

Preserving privacy
• Privacy Enhancing Technologies
• Privacy-aware security mechanisms
• ID management

Fostering assurance
• Security Engineering
• Certification
• Cyber Insurance

Focussing on data
• Data protection
• Data provenance
• Data-centric security policies
• Operations on encrypted data
• Economic value of personal data

Enabling secure execution
• Secure platforms
• Intrusion Prevention/Detection
• Secure operating Systems

Managing cyber risks
• Dynamic, composable risk assessment
• Integrated risk metrics and indicators
• Managing complexity and system evolution

Increasing trust
• Dynamic trust assessment
• Computational Trust Models
• Trust and big data

Standardization and Interoperability
• Crypto ("everywhere")
• Certification, assurance, risk, security metrics/indicators
• Information sharing

Education and awareness
• Multi-disciplinary focus
• Responsiveness to changes
• End-to-end skill development
• Continuous awareness

Achieving user-centricity
• Focus on user centric design and engineering
• Usability of security mechanisms

Protecting ICT Infrastructure
• Networks
• Cloud
• Mobile
• IoT, others

Page 16

Common focus

Page 17

Common focus

Fostering Assurance
• Security / Privacy by Design
• Security Requirements Engineering
• Secure Engineering Principles
• Secure Languages and Frameworks
• Secure Computing
• Security Validation
• Metrics
• Quantification of Risk
• Cyber Insurance
• Practical Certification Schemes
• Interdisciplinary Research (including economics)

Focus on Data
• Data protection (confidentiality)
• Data protection (integrity and availability)
• Provenance of data
• Secure data processing
• Operations on encrypted data
• Query privacy
• Data-centric policies
• User empowerment
• Privacy-aware Big Data analytics
• Economic value of personal and business data

Enabling secure execution
• Secure Execution Platforms
• Operating Systems Security
• Security-supporting Services
• Control and Intrusion Prevention Systems
• Secure integration

Preserving privacy
• Development of privacy-preserving cryptographic protocols
• Private communication networks
• PETs for organizations and infrastructure
• Privacy Engineering practices
• Usability of PETs
• Data sanitization and anonymization
• Mobile privacy-preserving applications
• Surveillance monitoring tools
• Privacy-preserving monitoring tools
• Partial identities
• Scalable and interoperable Identity Management solutions

Page 18

Common focus

Increased Trust
• Computational models of trust
• Dynamic trust assessment
• Privacy aware trust negotiation
• Trust and big data

Managing cyber risks
• Methods to reduce and manage systems complexity
• Dynamic risk assessment and management
• Formal interoperable models
• Statistical and predictive risk analysis
• Autonomous detection and remediation by a man-machine effective cooperation
• Integrated risk metrics and indicators
• Visual decision making governance frameworks
• Legal risk assessment and management
• Incentives for adoption of risk management best practices and reducing barriers

Protecting the ICT infrastructure
• Security-enhanced technology standards
• Handling of Legacy Systems
• Attack detection and monitoring
• Smart Phones / BYOD
• Forensics and Fraud Protection
• Novel Malware / Steganography in the Network / Novel Data Leakage
• Big Data Security
• Network virtualization and management

Achieving User-centricity
• User centric technologies
• Engineering technologies for users
• Incentives of user centric design and usability in cybersecurity
• Reduce digital divide
• Technologies to reduce user misbehaviour
• Usability of security mechanisms
• Usability of authentication
• Visualization techniques that ease “intelligibility”
• Usable secure public key algorithms that cannot be compromised by quantum computing

Page 19

Common focus

Standardisation and interoperability
• Critical Infrastructure Protection: processes and resources more adaptive, decentralized, transparently collaborative and efficiently controlled
• Interoperability to co-exist with other legacy systems still under depreciation
• End-user to trust cross-boundary interoperable and privacy-guaranteed communications (as an example)
• Industrial transparency of hardware and software components and functionalities
• Key opportunity for EU to be the reference for privacy and security-by-design to end users
• Transparency and a stronger coordination and cohesion of stakeholders groups

Education and awareness
• Multi-disciplinary focus
• Responsiveness to changes in technology and societal environment
• End-to-end skill development
• Alignment of curricula and training with demand for skills
• Using appropriate methodologies for teaching cybersecurity at all levels, from awareness to focused expertise
• Bring all Member States to the agreed upon baseline with regard to cybersecurity indicators

Page 20

Timeline Example (I)

Topic / Timeframe: Short (1-3) | Medium (3-5) | Long (5-8)

• Security / Privacy by Design: Schemes for focused problem areas | Generic theories and frameworks
• Security Requirements Engineering: Requirements specification and elicitation languages for security, privacy and trust | Tool support | Fully integrated security requirements engineering
• Secure Engineering Principles: Security Guidelines, focused tool support | Comprehensive methodology and tools, Security IDE | Theoretical foundations and supporting methods and tools
• Secure Languages and Frameworks: Secure Programming languages, type systems | Integrated secure development and operation frameworks
• Secure Computing: Individual schemes | Generic schemes | Significant improvements on efficiency
• Security Validation: Static and dynamic analysis | Integrated analysis | Integrated analysis based on formal semantic models
• Metrics: Security Process KPIs | Security Quality KPIs
• Quantification of Risk: Risk metrics | Risk assessment frameworks based on publicly available data
• Cyber Insurance: Operational insurance schemes
• Practical Certification Schemes: Lightweight certification
• Interdisciplinary Research (including economics): Economic models | Socio-economic models

Page 21

Timeline Example (II)

Topic / Timeframe: Short (1-3) | Medium (3-5) | Long (5-8)

• Methods to reduce and manage systems complexity: Methods and process for managing risk interdependencies | Simpler tools and interfaces available to support these processes
• Dynamic risk assessment and management: Automation of risk analysis | Advanced real time multi-dimensional sensing capabilities | Significant improvements on real time risk estimation
• Formal interoperable models: Comprehensive set of formal interoperable semantic models based on ontologies | Comprehensive set of guidelines and interoperable standards approved and established in practice
• Statistical and predictive risk analysis: Theoretical foundations and supporting methods and tools for intentional threat prediction | Statistical methods to estimate the current strength of the system against current and predicted risks
• Autonomous detection and remediation by a man-machine effective cooperation: Effective means of man-machine co-operation | Pseudo-autonomous real-time reasoning systems for detection and remediation
• Integrated risk metrics and indicators: Auditable calculation methods for risk metrics | Integrated KPI
• Visual decision making governance frameworks: New techniques for appropriate risk decision making | Integrated visual decision frameworks to support these new techniques
• Legal risk assessment and management: Legal risk semantic formal models | Comprehensive legal risk guidelines and interoperable standards approved and established in practice
• Incentives for adoption of risk management best practices and reducing barriers: Research into the use and take-up of risk management methods and practices by SMEs | Lightweight certification and other effective models

Page 22

Contribution per each research topic (I)

Topic / Benefits: Business | Citizens | Society

Fostering Assurance
• Business: Business will be able to operate across the Digital Single Market (DSM) thanks to more uniform assurance/protection requirements and achieved levels.
• Citizens: Citizens will be able to compare offerings and make informed decisions based on cybersecurity assurance/protection levels, in order to avoid “fake” or misleading advertising of security products and services.
• Society: Trust in digital space will increase with the full trust ecosystem of EU wide assurance schemes, related processes (auditing, certification, labelling…), and society awareness and incentives actions.

Focussing on Data
• Business: Business will be able to build innovative data-driven services while being compliant with the data protection and privacy legislation.
• Citizens: Citizens will have better means to monitor and control data usage, as well as to express their preferences.
• Society: Wealth of data will be exploited for various purposes, from healthcare research to fraud detection. More effective use of available data sources, while maintaining trust, will be enabled.

Enabling secure execution
• Business: Business will save costs on security management and post-incident activities.
• Citizens: Citizens will enjoy a higher level of privacy protection in a seamless and user-friendly manner.
• Society: Integration and seamless use of devices and data across life domains (e.g. work and home) will be achieved.

Preserving privacy
• Business: Minimising the number and impact of privacy breaches will lead to the increase of trust, for business compliant with EU privacy legislations, thus making this a competitive feature.
• Citizens: Citizens will have more guarantees that their privacy is respected, as well as more transparency and control in usage of their data.
• Society: Societal values will be preserved, such as respect of minorities, dignity, etc.

Page 23

Contribution per each research topic (II)

Topic / Benefits: Business | Citizens | Society

Increasing trust
• Business: Trust will be linked to demonstrable and transparent metrics and properties, instead of marketing or subjective perception, which will improve e-service uptake.
• Citizens: Citizens will be enabled to make more informed decisions, based on recognised trust labels, benchmarks, certificates etc.
• Society: Society will evolve to trust digital institutions in a similar way to their trust in the physical world.

Managing cyber risks
• Business: More frequent and accurate assessment will lead to more effective use of resources.
• Citizens: Citizens will be able to make instant decisions based on risk "traffic lights".
• Society: The notion of cybersecurity risk will become an essential/fundamental part of digital culture.

Protecting the ICT infrastructure
• Business: Reduction of "out-of-business" due to ICT infrastructure downtimes and reduction of industrial espionage.
• Citizens: Availability of services that rely on ICT infrastructures.
• Society: Fewer disruptions in critical services for society.

Achieving User-centricity
• Business: More users, attracting potential new customers, will access digital services.
• Citizens: Simplification will increase the use of advanced protection mechanisms, including automation for human-error prone tasks or cumbersome activities.
• Society: Wellbeing achieved by citizens that feel comfortable with new or complex technologies.

Page 24

Cyber security application domains

• Data
• Mobile
• Cloud
• Health
• Smart Grids
• …

Page 25

Conclusion

Page 26

SRA Highlights (I)

• A structured document of more than 200 pages.
• More than 70 contributors.
• Offers several different perspectives, from the protection of the citizen, the society and the infrastructure.
• Very informative and truly representing the main findings of the different subgroups working on it.
• The material seems sound although it leaves room for a more visionary perspective.
• The assessment work of the priorities might be extended in a quantitative way.

Page 27

SRA Highlights (II)

In addition, more general opportunities were identified:

• Fostering European cyber security and privacy cooperation and governance (i.e. cPPP)
• Balancing cyber security and privacy issues
• Mitigating European dependencies on external knowledge/technology

Page 28

NIS WG3 Assessment

• WG3 members worked well and in a truly cooperative manner in these two years of operation
• The deliverables were produced mainly on time and according to the initial terms of reference, and were instrumental for the H2020 WP 2016-2017 definition
• The work was done on a volunteer basis
• The number of requests to join WG3 increases as we showcase the activities in several fora
• Overall NIS WG3 represents a significant set of stakeholders, ranging from MS representatives to industry/academia experts (likely an even wider variety of expertise would be useful)
• The capability of working in a distributed manner through sub groups with autonomous leaderships still with common goals is a plus of the NIS WG3

Page 29

NIS WG3 next steps

• Publication of deliverables at ENISA portal. Done
• SRA in candidate release version as well as education one (for final comment). Landscape and Business are in final, v2 and v1 respectively. Done
• NIS WG3 is committed to maintenance of the deliverables. On-going
• Further dissemination of NIS WG3 SRA and of the other deliverables, i.e. Cybercamp
• Continue to build consensus also outside WG3 (with other research agendas) and reinforce the coordination with all the main stakeholders, including SMEs. On-going
• Be ready to contribute to the contractual Public-Private Partnership (cPPP) on Cybersecurity to be launched early next year in the framework of the Digital Single Market initiative of the EC. On-going

Page 30

Acknowledgments

We thank all WG3 members and the WG3 Steering Committee (formed by all leaders and editors) and overall WG3 members as well as WG1 and WG2 chairs/members that contributed to our work.

We want to start by showing our appreciation with distinction to Dr. Afonso Ferreira (DG CONNECT, European Commission) who provided continuous support, insight and expertise that greatly assisted all WG3 activities toward the completion of all deliverables and the effective coordination among all stakeholders.

We would also like to show our gratitude to Paul Timmers, Jakub Boratynski, Pierre Chastanet, Ann-Sofie Ronnlund, Martin Muehleck, Rafael Tesoro and the H4 Secretariat from DG CONNECT. In addition, our colleagues from the European Commission who were responsible for the launch of NISP, Giuseppe Abbamonte, Gustav Kalbe, Olivier Bringer, Alessandra Falcinelli and Virginie de Haan, for sharing valuable comments and suggestions with us during the course of WG3.

We thank Rossella Mattioli, Daria Catalui and Lionel Dupré (ENISA) for assistance with Member States engagement, Education coordination activities as well as the availability and support of the ENISA platform https://resilience.enisa.europa.eu.

Page 31

NIS Platform WG3 Secure ICT Research & Innovation

Thank you.