Title: Building Trust in Ecosystems and Ecosystem Components
The main objective of the project is to develop a framework that enables measurable, risk-based trust while developing, deploying and operating complex interconnected ICT systems, in order to increase trust in ICT supply chains.
At the end of this project, improved market opportunities for EU vendors of security components will emerge. It will increase the trust of both developers using or integrating the ICT components and end-users of IT systems and services, protecting the privacy of citizens and the trustworthiness of ICT. The development and implementation of certification processes will be accelerated. Advanced cybersecurity products and services will be developed, improving trust in the Digital Single Market. The use of more harmonized certification schemes will strengthen the business case for cybersecurity services as they will become more reliable. Validation platforms will provide assessments with less effort than today and assure better compliance with relevant regulations and standards.
Scientific and Technological Impact and Innovation
BIECO is expected to create a significant scientific and technological impact through the innovation capacity it introduces in the areas of ICT security and secure software and system engineering. In particular, the following main scientific and technological innovations are foreseen:
- Novel methods and tools that enable the systematic building of trust in software components of ICT systems that enter a supply chain and may contain hidden, intentional faults that manifest as malicious behavior.
- Novel methods and tools that enable prediction of malicious behavior during system operation at runtime and enable an ICT system to become resilient to planned cyber attacks.
- Novel tools for optimizing the secure software development process.
The concept of BIECO is based upon delivering a framework for increasing trust within ICT supply chains. Supply chains are complex ecosystems composed of different processes, actors (including end users, software and hardware providers, and organizations), technologies, information and resources, which form extremely intricate information management systems. As a result, security in these contexts is also a complex issue, and it is necessary to approach it from an integrated perspective rather than by analyzing the behavior of each individual component.
In order to address this, BIECO will offer a holistic approach for building and validating several technologies and methodologies that are specifically oriented to foster security and trust within ICT ecosystems. The main outcomes and building blocks of the project are the following:
- Vulnerability assessment: this asset will focus on improving the detection of vulnerabilities within ICT components and understanding how a certain vulnerability can propagate across the whole supply chain and impact other systems that are not subject to the same vulnerability. In order to do this, an advanced machine-learning-based tool for vulnerability detection will be developed, putting a special focus on improving aspects such as the accuracy or usability of the tool. Regarding the propagation of vulnerabilities, methodologies such as ant colony optimization and other vulnerability propagation analysis techniques will be explored.
- Resilience mechanisms: as some vulnerabilities might remain undetected, it is necessary to adopt a preventive approach and assume that a cyberattack exploiting such a vulnerability will happen. In the ICT supply chain this is a serious issue, as it can put at risk not only the vulnerable system but also the complete supply chain. Therefore, BIECO will explore new methods to guarantee the resilience of the systems, ensuring recovery if an attack occurs. This will be done by performing self-checks on the systems, forecasting the failures of the different components and their impact on the supply chain, and offering methods to bring systems into a safe-operation state.
- Auditing processes: understanding the security guarantees provided by each of the ICT components, as well as their interactions with other elements of the supply chain, is crucial in order to ensure the integrity of the whole ecosystem. For that purpose, simulation models that accurately represent the behavior of ICT systems and components within a supply chain will be generated. Unknown interactions between components, the integration of new systems within the supply chain, and changes in environmental and operational conditions will also be monitored, and behavioral profiles (MUD) will be generated to monitor suspicious behaviors that could represent a possible attack on the system.
- Risk analysis: BIECO will provide a tool to audit complex algorithms and interconnected ICT systems, including the analysis of the interaction between components when they are exploited. The tool will also offer a visual representation of the possible attack paths, as well as support for safety aspects, analyzing the impact of vulnerabilities in a cyber-physical system that could lead to a physical hazard.
- Mitigation strategies: the proposed mitigation strategies in BIECO will address security (i.e., avoiding unauthorized access and changes on systems’ behaviour), privacy (regarding unauthorized data access and exposure) and accountability aspects (blockchain).
- Security and privacy claims: BIECO will develop a security certification methodology combining security testing and security risk assessment, to obtain a trust level based on the evidence provided by the execution of a series of tests. To this end, we will explore different security metrics that can be measured objectively, as well as a set of security claims essential to measuring the global security of the ICT system. Based on the certification results, the ICT system will obtain a label and a behavior profile, aiming to enforce security during its operation phase.
- Funding programme: HORIZON 2020
- Duration: 36 months (1/09/2020 – 31/08/2023)
- Total budget: 5M€
- Holisun budget: 429k€