ebook img

strategic research agenda PDF

201 Pages·2015·1.94 MB·English
by  
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview strategic research agenda

CYBERSECURITY STRATEGProIduCce dR by EtheS EARCH European Network and Information Security (NIS) Platform AGENDA – SRA Final version v0.96 Last modified: August 2015 Editors: Pascal Bisson (Thales), Fabio Martinelli (CNR) and Raúl Riesco Granadino (INCIBE) CYBERSECURITY STRATEGIC RESEARCH AGENDA Acknowledgements This cybersecurity strategic research agenda has been developed by the Working Group 3 (WG3), Secure ICT Research and Innovation, of the European Network and Information Security (NIS) Platform – NISP, a public/private cooperation supported by the European Commission. We want to start by showing our appreciation with distinction to Dr. Afonso Ferreira (DG CONNECT European Commission) who provided continuous support, insight and expertise that greatly assisted all WG3 activities toward the completion of all deliverables and the effective coordination among all stakeholders. We thank all WG3 members and WG3 Steering Committee (formed by all leaders and editors) and overall NIS platform members. We also thank our colleagues Alejandro Pinto González and Aristotelis Tzafalias (DG CONNECT European Commission) together with chairs from NISP WP1 – Risk Management (Carl Colwill / Ian Morton / Miguel Ángel Sánchez Fornié / Guillermo Manent) and WP2 – Information Sharing (Waldemar Grudzien / Will Semple) who provided assistance and research gaps in their specific fields. We thank Rossella Mattioli, Daria Catalui and Lionel Dupré (ENISA) for assistance with Member States engagement, Education coordination activities as well as the availability and support of the ENISA platform https://resilience.enisa.europa.eu. We would also like to show our gratitude to Paul Timmers, Jakub Boratynski, Pierre Chastanet, Ann-Sofie Ronnlund, Martin Muehleck and H4 Secretariat from DG CONNECT. In addition our colleagues from European Commission who were responsible of the launch of NISP, Giuseppe Abbamonte, Gustav Kalbe, Olivier Bringer, Alessandra Falcinelli and Virginie de Haan for sharing valuable comments and suggestions with us during the course of WG3. Last we want to thank all keynote speakers who attended NISP WG3 physical meetings as well as “anonymous” reviewers for their insights. We are also immensely grateful for their comments, although any mistakes are our own and for them we apologise. 2 CYBERSECURITY STRATEGIC RESEARCH AGENDA Contents Acknowledgements ........................................................................................................... 2 1 Executive Summary ........................................................................................................ 6 2 Introduction ..................................................................................................................... 8 2.1 Context and motivation ............................................................................................................................ 8 2.2 Methodology of the SRA.......................................................................................................................... 9 2.3 Structure of this document....................................................................................................................... 9 2.4 Status of this document ........................................................................................................................... 9 3 Area of Interest 1: Individuals’ Digital Rights and Capabilities (Individual layer) ... 10 3.1 Description of the AoI 1’s vision ............................................................................................................ 10 3.2 Description of the issues and challenges .............................................................................................. 10 3.3 Identification of Technology, Policy and Regulation enablers / inhibitors ............................................. 15 3.4 Gap analysis (tech., policy, regulation, and competences) for achieving the vision ............................. 17 4 Area of Interest 2: Resilient Digital Civilisation (Collective layer) ............................ 22 4.1 Description of the AoI 2’s vision ............................................................................................................ 22 4.2 Description of the issues and challenges .............................................................................................. 23 4.3 Identification of Technology, Policy and Regulation enablers / inhibitors ............................................. 26 4.4 Gap analysis (tech., policy, regulation, and competences) for achieving the vision ............................. 32 5 Area of Interest 3: Trustworthy (Hyperconnected) Infrastructures (Infrastructure layer) 35 5.1 Description of the AoI 3’s vision ............................................................................................................ 35 5.2 Description of the issues and challenges .............................................................................................. 35 5.3 Identification of Technology, Policy and Regulation enablers / inhibitors ............................................. 36 5.4 Gap analysis (tech., policy, regulation, and competences) for achieving the vision ............................. 36 5.5 Structure of this Section ........................................................................................................................ 36 5.6 ICT Infrastructure ................................................................................................................................... 37 5.7 Smart Grids ........................................................................................................................................... 40 5.8 Transportation ....................................................................................................................................... 43 5.9 Smart Buildings in Smart Cities ............................................................................................................. 46 5.10 Industrial Control Systems, including SCADA, in selected sectors (Water, Food/Agriculture, Nuclear, and Chemical Operation) ............................................................................................................................. 48 5.11 Public Administration and Open Government ..................................................................................... 53 5.12 Healthcare Sector ................................................................................................................................ 55 5.13 Automotive / Electrical Vehicles .......................................................................................................... 58 5.14 Insurance ............................................................................................................................................. 60 5.15 General Privacy Aspects for all Infrastructure Sectors ........................................................................ 63 6 Cross analysis .............................................................................................................. 65 6.1 Introduction: Purpose and Scope .......................................................................................................... 65 3 CYBERSECURITY STRATEGIC RESEARCH AGENDA 6.2 Commonalities ....................................................................................................................................... 66 6.3 Divergences ........................................................................................................................................... 94 6.4 Key Observations .................................................................................................................................. 97 7 Opportunities and recommendations ......................................................................... 99 7.1 Research ............................................................................................................................................... 99 7.2 Policy ................................................................................................................................................... 103 7.3 Business .............................................................................................................................................. 107 7.4 Education ............................................................................................................................................. 111 8 Conclusion .................................................................................................................. 117 Appendix I – References ............................................................................................... 118 Appendix II – List of contributors ................................................................................. 120 Appendix III – Glossary ................................................................................................. 124 Appendix IV – Key research activities as derived from other Research Agendas ... 126 Appendix V – Other Research Agendas ...................................................................... 191 Index of figures Figure 1. Solutions versus goals in eHealth sector ......................................................................................... 57 Figure 2. Areas of Interest coverage areas. .................................................................................................... 98 Figure 3. Cross-domain processes. ............................................................................................................... 112 Figure 4. Levels of proficiency in cybersecurity. ............................................................................................ 113 Index of tables Table 1. Fostering assurance research timeline. ............................................................................................ 69 Table 2. Focus on data research timeline. ...................................................................................................... 73 Table 3. Enabling secure execution timeline. .................................................................................................. 76 Table 4. Preserving privacy research timeline. ............................................................................................... 79 Table 5. Increasing trust research timeline...................................................................................................... 81 Table 6. Managing cyber risks research timeline. ........................................................................................... 85 Table 7. Protecting the ICT Infrastructure research timeline. .......................................................................... 87 Table 8. Achieving User–centricity research timeline. ..................................................................................... 92 Table 9. Example of expected benefits/contributions per research commonality ......................................... 101 Table 10. Key research activities as derived from other Research Agendas. ............................................... 190 Table 11. Other Research Agendas from Europe. ........................................................................................ 194 Table 12. Other Research Agendas from European Countries. ................................................................... 196 Table 13. Other Research Agendas from Countries outside Europe. ........................................................... 198 4 CYBERSECURITY STRATEGIC RESEARCH AGENDA Table 14. Other Research Agendas from International Institutions. ............................................................. 201 5 CYBERSECURITY STRATEGIC RESEARCH AGENDA 1 Executive Summary This document presents the Strategic Research Agenda (SRA) in the area of cybersecurity, as developed by Working Group 3 (WG3), Secure ICT Research and Innovation, for the EU Platform on Network and Information Security (NIS), in the period September 2013 – August 2015. This SRA complements and underpins the EU NIS Strategy, and provides input to the secure ICT Research & Innovation agenda at national and EU levels, including the Horizon 2020 programme. It is the main outcome of NISP WG3 on “Secure ICT Research and Innovation” and is intended to be a living document also referred to by other NISP WG (i.e. WG1 on Risk Management, and WG2 on Information Exchange). Other deliverables from WG3 (i.e. Secure ICT Landscape [NISL15], Snapshot of Education & Training landscape for workforce development [NISE15] and Business Cases and Innovation Paths [NISB15]) were used as input to shape this SRA, each of them providing insights on relevant topics and its own added value. As stated on the Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace1, over the last two decades, the Internet and more broadly cyberspace has had a tremendous impact on all parts of society. Our daily life, fundamental rights, social interactions and economies depend on information and communication technology working seamlessly. An open and free cyberspace has promoted political and social inclusion worldwide; it has broken down barriers between countries, communities and citizens, allowing interaction and sharing of information and ideas across the globe. In addition, the global economy is rapidly becoming digital. Therefore, the European Commission proposed a Digital Single Market Strategy for Europe2, in which the free movement of goods, persons, services and capital is ensured and where individuals and businesses can seamlessly access and exercise online activities under conditions of fair competition, and a high level of consumer and personal data protection, irrespective of their nationality or place of residence. However, a secure cyberspace is vital for a healthy digital market, given that risk alone undermines trust and confidence in the [global] digital economy, reducing its potential value by as much as $3 trillion by 20203. Based on the above, the following vision guided the SRA development. Individual needs and fundamental rights should be placed at the very centre of how we design, manage and control network technologies and ICT. Networks and ICT should be designed to consider, from the perspective of the individual, each of the following characteristics: diversity, control (e.g. user empowerment), privacy, fairness, democracy, freedom of expression and safety. The concept of individuality includes being able to ‘individualise’ according to people’s differences. Individual rights (and duties), for example of ordinary people and consumers, must be respected, while transparency (without intrusiveness) must be provided at all times. The social, legal and regulatory aspects of security and privacy need to be investigated through interdisciplinary endeavours. Future digital technologies and the Internet will not only be an ever more present extension of ourselves, but will eventually also be part of us. This will take us closer to a global digital civilisation that can bring benefits to all. Resilience is key for a functional digital civilisation. This civilisation must be empowered to manage and balance the risks it faces according to its own requirements, in the same way that physical civilisations do. Resilience also involves empowering people collectively to make decisions on security and privacy. Such decisions could concern privacy requirements, for instance, and be based on the preference of a group of people. Instead of working out their own preferences, many people will rather choose to trust those of a particular group. Protecting the collective interest of organised individuals, institutions and businesses in digital interconnected societies is hence crucial. This can be thought of as the ‘supply side’ of the digital civilisation. Finally, as far as the vision is concerned, future infrastructure processes and resources in almost all areas will themselves be based on ICT infrastructures. They will be adaptive, decentralised, collaborative and efficiently controlled. Such infrastructures must be safe, reliable, predictable and 1 Official pdf file at: http://ec.europa.eu/digital-agenda/news-redirect/9596 2 http://ec.europa.eu/priorities/digital-single-market/ 3 Tucker Bailey, Andrea Del Miglio, and Wolf Richter, “The rising strategic risks of cyberattacks,” McKinsey Quarterly, May 2014. 6 CYBERSECURITY STRATEGIC RESEARCH AGENDA always available. They must also operate confidentially, protecting privacy by resisting and reacting to cyber incidents in real time. Furthermore, users should have permanent access to information enabling them to check the trustworthiness of the infrastructure and its services (even if partly compromised). In this document, ‘end user’ refers to all those who use ICT with a view to making cyberspace more trustworthy in the context of existing legal frameworks. They include consumers, private individuals, industry, small and medium-sized enterprises (SMEs), law enforcers and public security agents. In this respect, the technologies envisaged in the SRA are aimed at delivering the vision set out above while preserving European values. The end users, in all their dimensions, are well represented in the three layers of the SRA. These are: the individual layer, comprising consumers and ordinary people; the collective layer, where civilisation principles must be respected by all kinds of organisations and guaranteed by European security players; and the infrastructure layer, which aims at ensuring the protection of our critical infrastructures by several different agents. After an initial cross-analysis of these different layers, the following research priorities emerged: Fostering assurance; Focussing on data; Enabling secure execution; Preserving privacy; Increasing trust; Managing cyber risks; Protecting ICT infrastructures and Achieving user-centricity. The result of empowering end users (individuals, SMEs, public security agents) through technology will ensure a more trustworthy cyberspace. Legal frameworks will have to adapt and evolve together with new technology. ICT is ubiquitous, critical and pervasive. While this document focuses on digital security, a secure and trustworthy cyberspace is also required in many other areas, from crisis management to urban security. Stakeholders in one or more of the areas described may find insights for their own specific interests in the corresponding sections of this document. 7 CYBERSECURITY STRATEGIC RESEARCH AGENDA 2 Introduction 2.1 Context and motivation This document presents the Strategic Research Agenda (SRA) in the area of cybersecurity, as developed by Working Group 3 (WG3), Secure ICT Research and Innovation, for the EU Platform on Network and Information Security (NIS). In 2013 the EU launched its cybersecurity strategy4 to increase Member States’ preparedness for possible cyber attacks capable of harming the EU and its economy. It is estimated that, worldwide, over a million people fall victim to cybercrime every day.5 The global cost of cybercrime was estimated at Euro 313 billion in 2011. According to a recent survey in Europe,6 75 % of the businesses contacted say cyber attacks have been a concern for some time or that they are an increasing concern. The majority of respondents believe that their organisation has been the victim of a targeted attack, with a full 30 % reporting a significant business impact. In this document WG3 identifies the key challenges and desired outcomes in terms of innovation-focused, applied research for cybersecurity. It proposes new ways to promote truly multidisciplinary research that fosters collaboration between researchers, industry and policymakers, and recognises the difficulties faced by some segments, such as SMEs, in engaging with traditional research mechanisms. Given the variety of the challenges and the diversity of the players involved in cybersecurity, privacy and trust research, WG3 also served as a facilitator for the coordination of related activities. Beyond the scope of the Horizon 2020 research and innovation programme (H2020), WG3 should also help identify the elements of a possible European industrial strategy for cybersecurity. In addition it should look at ways to increase the impact and commercial uptake of research results in the area of secure ICT, including the use of innovative financial instruments and funding methods as well as new business models. WG3 currently has more than 180 members. Its membership is balanced between industry representatives and scientific and academic researchers, on the one hand, and representatives of Member States and policy, economic and legal experts on the other. The main objectives of WG3 are: 1. To map the current research landscape by identifying relevant stakeholder groups, national and EU research and innovation programmes in cybersecurity, trustworthy ICT and privacy, and prospective markets. This has resulted in two products: a. A comprehensive report on the state of the art in secure ICT and the research landscape [NISL15]. b. An extensive report on business cases and innovation paths [NISB15]. 2. To produce an analysis of the higher education and training courses in cybersecurity available in Europe and beyond. This has resulted in the following report: a. A snapshot of the education and training landscape for workforce development [NISE15] 3. To identify the possible scenarios for cybersecurity in the medium-to-long term (e.g. to 2020); to investigate the research, innovation, technological and educational challenges involved in addressing these scenarios successfully from technical, social and economic perspectives. This document represents the fourth product” a. The Cybersecurity Strategic Research Agenda (SRA) of the EU NIS Platform. It includes knowledge gathered in the above reports and is intended to be a dynamic document. 4 Joint communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions: Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace /* JOIN/2013/01 final */ 5 http://europa.eu/rapid/press-release_IP-12-317_en.htm. 6http://www.enisa.europa.eu/activities/Resilience-and-CIIP/cyber-crisis-cooperation/cce/cyber-exercises/exercise-survey2012. 8 CYBERSECURITY STRATEGIC RESEARCH AGENDA 2.2 Methodology of the SRA The findings in this document have been obtained in various ways. WG3 organised several expert meetings to structure its activities and prepare the main products in line with the objectives set out above. In particular, SRA brainstorming sessions were organised where WG3 members were asked to set out their visions of developments they hoped to see in the period to 2020. The initial material produced was processed and three main areas of interest (AoIs) emerged, with the following (tentative) titles: 1. Individuals’ Digital Rights and Capabilities (Individual layer) 2. Resilient Digital Civilisation (Collective layer) 3. Trustworthy (Hyperconnected) Infrastructure (Infrastructure layer) Three subgroups were formed to elaborate the AoIs. They were asked to address the following questions: 4. What is your vision for your AoI in the long term? 5. What are the main issues and challenges for your AoI? 6. Who are the enablers/inhibitors of the vision (from a technological, policy, organisational perspective)? 7. What research gaps need to be covered in the coming years? In an initial phase, the three AoI groups worked in parallel to formulate their respective outcomes. Each group identified the main challenges and research gaps from its own perspective. The findings per AoI can be used in several ways by ‘single-interest’ stakeholders. The initial drafts for each AoI were cross-analysed to identify common enablers/inhibitors/gaps across the different areas as well as possible conflicts (for example, an enabler for one AoI becoming an inhibitor for another). It is recommended that the main findings of the cross-analysis be used to prioritise the research and innovation gaps to be addresses on the basis, for instance, of the criterion of commonality. The results of the subgroups’ work and of the cross-analysis phase have been validated through open consultations within and outside WG3. 2.3 Structure of this document The structure of this document reflects the methodology used. The three following sections describe the main findings for each AoI and answer the main questions raised above. Section 6 describes the cross-analysis outcomes and presents the possible prioritisation of the research activities. Section 7 considers a broader perspective that also takes policy, economic, social and educational aspects into account, since innovation is key for H2020. This section summarises the main outcomes of the other WG3 products, namely the report on business cases and innovation paths and the report about education and training. Overall it is recognised that enhancing cybersecurity is a complex process that concerns the EU on several levels, not just in technological terms. Section 8 contains some concluding remarks. It is also worth noting that this document includes as annexes several other research agendas from other sources and that it is complemented by WG3’s three other deliverables, i.e. [NISL15, NISB15, NISE15]. 2.4 Status of this document This document should be considered a candidate final revision version provided by NIS-WG3 for wider consultation also outside NIS WG3 community. 9 CYBERSECURITY STRATEGIC RESEARCH AGENDA 3 Area of Interest 1: Individuals’ Digital Rights and Capabilities (Individual layer) 3.1 Description of the AoI 1’s vision Information and Communication Technologies (ICT) and related services are coming ever closer to people under paradigms like mobility, ubiquity, and personalization [RAN13]. Related and partially overlapping paradigms are universal connectivity, thin client cloud computing and the Internet of Things. All these paradigms are triggering the creation of more and more data about users, e.g. movement and other behaviour profiles. People notice, that it is increasingly difficult to lead one’s life without generating data of one or the other kind, often without exactly knowing, where the data are selected, stored and processed. At the same times attacks by large state organisations on security and privacy protection of ICT services and infrastructures of all kind are discussed more openly, especially since the recent disclosures of international spying and massive surveillance activities. For some experts the revelations were no news, but for many people the dangers of undetected tampering of systems and of gathering, analysis and manipulation of information are now becoming so obvious, that their trust into ICT infrastructures and their operators is massively reduced. This lack of trust is not only an individual problem of the people not trusting ICT, ICT services or the respective providers. It is also not just a problem for the providers, who feel the lack of trust as a loss of customer acceptance and revenue. The problem is that even the functioning of democracy is at stake. In several European countries, the fundamental right of “Informational Self-Determination” has been assured and it has been warned to beware of a “chilling effect” on citizens’ participation in democratic processes: A person who is uncertain as to whether its behaviour is being taken note of and that information being used or transferred to others will attempt to avoid standing out through its behaviour. Persons who assume, for example, that attendance of an assembly or participation in a citizens’ interest group will be officially recorded and that this could expose them to risks will possibly waive exercise of their corresponding fundamental rights. This would not only restrict the possibilities for personal development of those individuals but also be detrimental to the public good, as self-determination is an elementary prerequisite for the functioning of a free democratic society based on the freedom of action and participation of its citizens. These concepts are echoed by the Charter of Fundamental Rights of the European Union [EC00], especially its Articles 6, 8, 11, and 21 on liberty and security, protection of personal data, freedom of expression and information, and non-discrimination. Civil security is not only to be an important pillar of these fundamental rights, it is also dependent on them. Individuals, who do not know, what is known about them, are easily prone to blackmailing by, e.g. organized crime to other forms of corruption. Only citizens with the courage to stand out if needed, e.g. to make a statement as part of a police investigation and to keep it up in court later, are a reliable partners in protecting the values and the security of their society. Consequently AoI 1’s vision is that individuals’ needs and fundamental rights are placed at the very centre of how we design, manage, and control network and information and communications technologies. Networks and ICT should be designed to take into account each of the following from the perspective of the individual: diversity, control (e.g. user empowerment), privacy, fairness, democracy, freedom of expression, safety. The concept of individuality includes being able to ‘individualise’ according to the differences of people. Individual Rights (and duties) of e.g. citizens and consumers must be respected and transparency (without intrusiveness) must be provided at all times. Social, legal and regulatory aspects of security and privacy need to be investigated in an interdisciplinary research context. There is the need for thorough research addressing some fundamental weaknesses in current ICT architectures, e.g. the difficulties to control information flows. Also there is need for infrastructures that are resilient against overly swift actions from large actors, which can be achieved by storing less data or by being distributed wisely. In any case, the subject of trust and the relation between trust and security needs to be researched more thoroughly. 3.2 Description of the issues and challenges 10

Description:
This cybersecurity strategic research agenda has been developed by the Working Group 3 (WG3), Secure. ICT Research and .. As stated on the Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace1, over first step on giving people control over their digital lives. 5.
See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.