Full spectrum situation awareness

1.1.1     Problem

A survey[1] by the European Union Agency for Network and Information Security (ENISA) said three-quarters of the businesses have seen cyber security as a concern for some time. The majority of respondents believed that their organisation had been the victim of a targeted attack, and almost a third of them reported a significant business impact. The situation gets worse in the ambit of multimodal transport systems that are experiencing an increasing digitalization phase and where the interplay between security and safety become paradigmatic. The growth in the Internet of Things (IoT) and the increase in connected devices used by transportation operators in expanding networks will only increase the number of vulnerable points for unauthorized access.

There is indeed a great demand for cyber protection mechanisms. These mechanisms in turn are based on information, either for incident reporting, for attack prediction or for system protection improvement, which are corresponding to three processes of incident management: pre-incident, incident in progress, post-incident.

Current IT services generate an increasing number of information regarding several events. Events range from system logs like access tracing, to hardware traps received from the hypervisors, to application audit trails that identify business transactions, all possibly running on cloud infrastructures, with related logs. The diverse nature of these data with the 5V[2] of big data challenges related to data storage, due especially to long retention periods, make it difficult to perform either real-time detection of exceptional events – aimed to promptly take corrective actions – or deep and narrow historical data analysis aimed at identifying warning signs of security threats.

The involuntary modification of the setting for regulation or modification of an alarm may have disastrous consequences for the quality of products, services provided, which will make the environment or the security and safety of individuals more vulnerable in the face of cyber – attacks or even terrorist attacks.

In fact, Advanced Persistent Threat (APT) identification is a key issue in modern Security Information and Event Management (SIEM), and in general in correlation systems that try to identify (concealing) security threats. It is good to have global as well as local analysis points that can benefit locality of information as well as global scope of warnings. An appropriate edge analytics infrastructure could allow performing local analysis and predictions, minimizing disclosure of sensitive information, still allowing global warning facilities. The same infrastructure could be used to offer advanced security mechanisms (that more and more need artificial intelligence approaches).

It is also worth noting that there is a strong interplay between cyber treats and information and physical treats. The recent advent of Covid-19 shows the complex interplay. On the one hand the relevance of Covid-19 on the citizens has been used to vehiculate virus through phishing emails (i.e. cyber security attacks), on the other hand cyber security attacks are used to vehiculate fakes news as the case of Lithuania where cyber attacks were used to distribute fake news on the origin of the virus diffusion in this country (pretending it comes from US military) – thus leading to cyber/information treats – see below the timeline. This examples shows the need to consider cyber and information treats together – having a full spectrum analysis and observation of the treats to fully understand the consequences.

Figure 1.

[1] On National and International Cyber Security Exercises, available at:  http://www.enisa.europa.eu/activities/Resilience-and-CIIP/cyber-crisis-cooperation/cce/cyber-exercises/exercise-survey2012

[2] 5V big data challenges: Data Volume, Velocity, Variety, Veracity and Value.

1.1.2     Goal and objectives

The CyberSecurity Observatory (360* OCS) acts within cyber space at large  with the aim of informing, raising awareness and responding to the needs of public and private entities on how to know, understand and react to cyber security threats as well as information treats (fake news and disinformation).

It will follow the collect, analyze, inform and react approach for a full spectrum protection.

The OCS will provide updated and valid solutions obtained through the involvement of experts within the IT security field who will assess the seriousness of the threats and provide the best solutions for the various stakeholders. OCS activities will leverage various sources: public and private, which will allow greater knowledge of threats, also improving the analysis and discovery of new threats and vulnerabilities through a cooperative process.

It will be an operational platform where many services will be offered to the stakeholders.

1.1.3     Methodology

The ability to agglomerate data from different sources will allow you to expand the search domain of the different threats, and will also allow you to inform the actors involved in the observatory in good time.

The OCS project aims at developing a technological framework to unleash the power of information sharing coupled with edge based collaborative analytics for cyber protection.

The framework allows data prosumers (producers/consumers) to easily express their preferences on how to share their data, which analytics operations can be performed on such data and by whom, with whom the resulting data can be shared etc. This entails a framework that combines several technologies for expressing and enforcing data sharing agreements as well technologies to perform data analytics operations in a way which is compliant to these agreements. Among these technologies we can mention data-centric policy enforcement mechanisms and data analysis operations directly performed on encrypted data provided by multiple prosumers. 

The framework mainly based on an Information Sharing Infrastructure (ISI) and an Information Analysis Infrastructure (IAI) that can be deployed in several ways and on several devices (from cloud  to mobile devices). This concept extends the one developed in C3ISP[1] project (where several prosumers offers controlled data to a centralized analytics service) to a fully decentralized environment. Being potentially computed at the edge, the analysis process is increasingly more privacy friendly (i.e. not the raw data but only the results of the locally analysed data are provided to the upper layer). When the shared data are actually cyber threat information, we get a powerful system for creating Information Sharing and Analysis Centre (ISAC), which will be one of the pilots.

Figure 2.

Below a picture that illustrates the different sources one could manage and the conceptual workflow.

Figure 3.

[1] C3ISP – H2020, Collaborative and Confidential Information Sharing and Analysis for Cyber Protection, https://c3isp.eu/

1.1.4       Impact

The 360 OCS will be a valid tool to contrast all the cyber and information treats with unprecedented capabilities. It will allow the stakeholders to understand the attacks, to mitigate their consequences and reduce their impact also in the future.

This will range from pure cyber threats to information ones, in particular for social events as elections (where the influence of foregoing countries can be analysed). The result will be a full spectrum understanding and reaction capability.

Such kind of instruments are crucial for the national sovereignty.

At CNR level will allow to leverage on the many expertize, from pure cyber to legal and economic ones.