SG4 – Cyber Security

ICT Leading Sector (Settore Guida) for Security

Cyber security is a key issue for the protection of people, data, and assets. Cyber security technologies encompass a plethora of solutions, including: Physical Security Information Management (PSIM), Security Information and Event Management (SIEM), Security Operation Center (SOC), Identity Management, Building Automation, Video Surveillance, Access Control, and Forensics. Since the scope of cyber security is so wide, it is important to identify the objectives which need to be prioritized. Specifically, we have identified the following six objectives:

  • Cyber-physical protection systems;
  • Cyber intelligence via information management;
  • Design and development of crisis management systems;
  • SCADA and Smart Grid Security;
  • Cloud Computing Security;
  • Mobile Security.

Cyber-physical protection systems
The research activity encompasses the whole cycle of electronic access (including authentication and authorization/profiling of users), network control, and system monitoring with respect to complex, distributed ICT systems. Users can be individuals, groups, physical objects, logical entities, or applications. The objective is to make the interconnected system of national critical networks and individual infrastructures more resilient and secure. This is typically achieved by a combination of means, and in particular: i) enforcing both passive (firewalls) and active (intrusion detection and prevention) perimeter defense systems; ii) improving the technologies for the design and development of network protocols and services; and iii) continuously monitoring network status and traffic. Network protection is of paramount importance, since it is a pillar on which many other vital aspects of modern society rest. With respect to prevention and investigation, lawful interception is a key topic. Important mechanisms also include the intrinsic security of unmanned systems, and specific solutions for secure network communication in wireless segments (e.g. surveillance, intrusion detection, and mitigation of cyber attacks). More effective convergence is needed among a plethora of cyber security technologies, including: Physical Security Information Management (PSIM), Security Information and Event Management (SIEM), Security Operation Center (SOC), Identity Management, Building Automation, Video Surveillance, Access Control, and Forensics.

Cyber intelligence via information management
The objective of the research activity is the development of effective cyber intelligence features, to guarantee citizens’ global security, by exploiting the huge potential of currently available as well as emerging Information Management technologies (including high-performance and cloud computing platforms). Security will be improved along several axes, including protection of ICT systems, Critical Infrastructures, and assets. The developed technologies will provide a set of tools which will support a security process consisting of the following three phases: plan, control, and react. A key role will be played by information flow collection technologies, e.g. those based on video surveillance.

Design and development of crisis management systems
The research activity is targeted at studying systems which can improve crisis management functions and interventions in various contexts. The considerable complexity and scale of the systems and infrastructures to be protected call for solutions that allow effective coordination of actions in a timely fashion. This entails support for near-real-time analysis and correlation of symptoms related to attacks targeting individual components/systems, as well as the overall system. Mechanisms should be developed to counter/mitigate attack effects and consequences.

SCADA and Smart Grid Security
Traditional Critical Infrastructures (CIs) were intrinsically secure systems, due to a combination of factors, and in particular: i) they consisted (almost exclusively) of special-purpose devices, which were based on proprietary technologies; ii) individual sub-systems operated almost in isolation, i.e. they did not interact with the external world, with the exception of the system being controlled; iii) they were largely based on dedicated (as opposed to shared) communication links; iv) they massively relied on proprietary (as opposed to open) communication protocols. These trends have been largely subverted, and will be even more so in the future. First, Wireless Sensor Networks (WSNs) have become an integral part of virtually any CI. Second, Commercial-Off-The-Shelf (COTS) components are being massively used for implementing Supervisory Control And Data Acquisition (SCADA) systems. Third, subsystems are being connected using the infrastructure of the corporate Local Area Network (LAN), or even Wide Area Network (WAN) links, possibly including the public Internet, as well as wireless/satellite trunks. An important objective will be improving SCADA and smart grid security and resilience, via effective integration of state-of-the-art sensor, communication, information, and control technologies. This will entail developing the following main functional blocks, all operating in real time: i) monitoring, ii) detection and diagnosis, iii) risk assessment, and iv) reaction and remediation. Data will be collected from a variety of heterogeneous hardware/software components that are typically found in SCADA networks and smart grids (e.g. PMUs, PDCs, smart meters, databases, Operating System logs, and network devices). All functions must be designed and implemented using fault- and intrusion-tolerance techniques, so as to achieve a high level of trustworthiness.

Cloud Computing Security
In a nutshell, the objective of Cloud Computing Cyber Security research will be to build cloud platforms that are more secure, confidential, and dependable, meaning that they will allow honest users to do their business and/or social activity reliably (since they would benefit from improved security, confidentiality, and dependability), while also limiting the possibility for malicious users to exploit the aforementioned properties for their own purposes. To achieve this, effective support is needed for: 1) accurate and timely fault and intrusion detection and diagnosis features, to be made available both to cloud providers and to cloud users; 2) fault- and intrusion-tolerant forensic facilities for producing evidence to be used to prosecute criminals in court; 3) efficient and scalable mechanisms for implementing confidential communication channels exclusively dedicated to authorized users; and 4) access and usage control mechanisms for the transparent as well as accountable dissemination of data in the cloud. These objectives address some of the thirteen technical risks that have been identified by ENISA in their recent report on cloud security open issues. Research should take a use-case-driven approach, meaning that it should be inspired by substantial case studies, which are diverse enough to provide a comprehensive set of requirements. Demonstrators should be set up, which should consist of multiple clouds, based on heterogeneous technologies, and located at geographically distant sites.
The research program, while extremely rich in RTD content, should also make substantial contributions in terms of innovation, i.e. efforts should be made to take research results to the next step (i.e., “out of the lab”).

Mobile Security
Over the last few years we have witnessed a proliferation of mobile devices, such as smartphones and tablets, which are becoming more pervasive day by day. Current operating systems for mobile devices are based upon the concept of apps. Apps are lightweight applications that are distributed through on-line marketplaces, such as the Apple AppStore or Google Play for Android. Using this paradigm, users browse apps on markets and install them directly on their devices. Regrettably, this model is affected by major security and trust issues that can lead to massive malware spread. Three main factors are worth mentioning: 1) a widespread platform, 2) readily accessible development tools, and 3) sufficient attacker motivation (typically, but not always, monetary). With the advent of open-platform smartphones, the growing market share parallels the rise in the number of mobile threats.
It is easier for developers, including malware writers, to write and distribute applications, and it is easy for malware authors to create trojans that are very similar to popular apps. Currently, more than half of all mobile threats collect device data or track users’ activities. Almost a quarter of the mobile threats are designed to send content, and one of the most popular ways for phone malware authors to make money is by sending premium SMS messages from infected phones. Increasingly, phone malware does more than send SMS. For example, we see attacks that track the user’s position with GPS and steal information. People regard their phones as personal, private, intimate parts of their life and view phone attacks with alarm. Mobile threats are now using server-side polymorphic techniques, and the number of variants of mobile malware attacks is rising faster than the number of unique families of mobile malware. Effective mechanisms must be made available to users to discriminate good apps from malware apps. Flexible trust models must be developed, to favor openness while preserving security and privacy.

SG4 Partners: Cyber Security