Management of cyber-attacks and other risks in the context of Horizon 2020
Our world grows more digitised by the minute, a fact that does not only have bright sides. Computer systems we wholeheartedly rely on are threatened by hackers and other malicious actors.
Whether it is private citizens, small and medium-sized companies, or the public power grid, we all depend on elaborate computer systems for routine processes. Without a properly functioning digital system we could neither withdraw cash from an ATM nor turn our lights on, since nearly everything we do in everyday life rests in some form on computer networks. Protecting digital infrastructure and digital systems therefore demands a decisive commitment to a higher level of cybersecurity.
Digital security and privacy for every citizen and enterprise
The European Commission defines the challenges of digital security and privacy as follows:
Some members of the digital society in the EU are more vulnerable as they are less prepared to confront cyber-attacks. The scale, value and sensitivity of personal data in cyberspace are significantly increasing and citizens are typically uncertain about who monitors, accesses and modifies their personal data. A personal data breach may facilitate abuse by third parties, including cyber-threats such as coercion, extortion and corruption.
To make sure that gaps in the cybersecurity of private citizens and organisations cannot be exploited by others, it is essential that they are able to assess the risks they face appropriately and act accordingly. Citizens must be aware of the options they have in shaping their online experience, and especially of the ways in which they share their personal data and private information.
Small and Medium-sized Enterprises (SMEs) and Micro Enterprises (MEs) are also increasingly vulnerable to malicious activity; a worrying fact given their exposed position and their typically insufficient cybersecurity measures. These companies usually allocate only limited resources to dealing with cyber-threats in all their forms, which makes it arguably easier to attack a medium-sized enterprise than a corporation that spans the globe.
To increase security in these fields, the European Commission promotes cybersecurity in two areas:
- The protection of citizens’ security, privacy and personal data.
- Cybersecurity knowledge sharing among SMEs and MEs so as to strengthen cooperation and actual security outcomes.
The expected outcomes of these projects are:
- Citizens and SMEs&MEs are better protected and become active players in the Digital Single Market, including implementation of the NIS directive and the application of the General Data Protection Regulation.
- Security, privacy and personal data protection are strengthened as shared responsibility along all layers in the digital economy, including citizens and SMEs&MEs.
- Reduced economic damage caused by harmful cyber-attacks and privacy incidents and data (including personal data) protection breaches.
- Pave the way for a trustworthy EU digital environment benefitting all economic and social actors.
Keeping the power flowing
The European Commission defines the challenges of cybersecurity in the EPES (Electrical Power and Energy System) as follows:
The Electrical Power and Energy System (EPES) is of key importance to the economy, as all other domains rely on the availability of electricity, hence a power outage can have direct impact on the availability of other services (e.g. transport, finance, communication, water supply) where backup power is not available or the power restoration time goes beyond the backup autonomy.
With the transition to a decentralised energy system, digital technologies are playing an increasingly important role in the EPES: they contribute to reducing energy consumption; they enable the integration of higher shares of renewables and promote a more energy-efficient system. At the same time, with the growing use of digital devices and more advanced communications and interconnected systems, the EPES is increasingly exposed to external threats, such as worms, viruses, hackers and data privacy breaches.
As these digital power systems grow in complexity, providers of the basic commodity of energy and electricity come under fire from many sides. Because of the growing number of interconnected smart devices, cases of attempted manipulation and sabotage of power systems will most likely rise, since more vulnerable points exist in the system. These threats are to be taken very seriously: power outages can paralyse whole city districts, cause extensive damage and threaten human lives.
Another development that might severely jeopardise the operability of our energy systems is the proliferation of microgrids, as private acquisition and operation of renewable energy generators grows.
The emergence and spread of future threats to the EPES call for a clear strategy of strengthening system resilience, improving risk assessment, and taking into account the ongoing decentralisation of the power grid. Additional required projects include the development of information collection and sharing systems that allow better communication and analysis of threats, a definition of clear cybersecurity principles in the field of EPES, consistent standards and certification possibilities, and policy recommendations to the European Union to catalyse further improvements.
The expected outcomes of these projects are:
- Built/increased resilience against different levels of cyber and privacy attacks and data breaches (including personal data breaches) in the energy sector.
- Ensured continuity of the critical business energy operations. The energy sector is better enabled to easily implement the NIS directive.
- A set of standards and rules for certification of cybersecurity components, systems and processes in the energy sector will be made available.
- Cyber protection policy design and uptake at all levels from management to operational personnel, in the energy sector.
- Manufacturers providing more accountability and transparency, enabling third parties monitoring and auditing the privacy, data protection and security of their energy devices and systems.
Securing critical sectors
The European Commission defines the challenges of cybersecurity in critical sectors as follows:
In critical vertical sectors/domains, cybersecurity technologies deployed in several application domains should be aligned to the specific domain needs, linking the demand and supply sides for such cyber technologies. In the context of an increased digitization and also of growing complexity of cyber-attacks, there are certain sectors/subsectors identified as critical from the point of view of cybersecurity needs in the NIS Directive: energy (electricity, oil, gas), transport (air transport, rail transport, water transport, road transport), banking, financial market infrastructures, health sector (health care settings, including hospitals and private clinics), drinking water supply and distribution, and digital infrastructure.
These sectors are important customers of cybersecurity solutions; hence it is of utmost importance to facilitate the engagement of end-users towards defining and providing sector-specific common requirements about digital security, privacy and personal data protection. Building security, privacy and personal data protection by design and by default, principles and standards should be clearly defined to protect the critical infrastructures in these sectors and ensure personal data integrity and confidentiality.
The importance of these sectors makes it necessary to focus special cybersecurity efforts on them. Aside from the aforementioned energy sector and the related drinking water supply and distribution, there are a number of other sectors that deserve special attention.
The transport sector features an overwhelming diversity of components and solutions with a long life-cycle. Challenges in this area include migrating these solutions and the underlying infrastructure over to a higher level of cybersecurity.
The healthcare sector relies on an especially complex pharmaceutical supply chain, where a zero-error rate matters above all else. Cybersecurity solutions need to ensure that traceability and zero-error deliveries can be guaranteed. The sector also requires special protection because of the highly sensitive patient data it depends on. Should supply chains be digitally disrupted, catastrophic events with a likely loss of life can be expected.
The bedrock of all exchanges of goods and services, the financial sector, needs special attention as well.
To reach a sufficient level of cybersecurity in these fields, the Horizon 2020 programme envisages a number of research projects:
- The creation of a pan-European system for access to multimodal transport, transport protection against cyber-attacks of all forms, and cybersecurity standardisation of transportation.
- The creation of a dynamic vulnerability database in the health ecosystem, risk assessment in all fields of the health sector, and the provision of privacy-aware security tools that allow stakeholders to access relevant health data.
- The provision of resilience-enhancing technologies in the finance sector, ICT tools for insurance companies, and standardisation and adoption of said standards in the finance sector.
The expected outcomes of these projects are:
Short term:
- The technological and operational enablers of co-operation in Response and Recovery will contribute to the development of the CSIRT Network across the EU, which is one of the key targets of the NIS Directive.
- Identified relevant generic and specific aspects related to cybersecurity and digital privacy in the respective critical domains/sectors addressed.
- Advanced holistic systems and innovative proofs of concept for managing cybersecurity and privacy risks in the respective critical domains/sectors addressed.
- Advances in the state-of-the-art analysis of specific aspects of the respective critical domains/sectors addressed, such as related cyber threats, attacks and vulnerabilities;
- Sound analysis of cascading effects of specific related cyber threats within the supply chain of the respective critical domains/sectors addressed.
- Improved cybersecurity information sharing and collaboration among stakeholders of the respective critical domains/sectors addressed, and with CERTs/CSIRTs.
- More targeted and acceptable security management solutions addressing specificities of the respective critical domains/sectors addressed.
- Trigger the fast adoption of cybersecurity/privacy/personal data protection best practices in the respective critical domains/sectors addressed.
Medium term:
- Better response and recovery technologies and services that will help organizations in the respective critical domains/sectors addressed to significantly reduce the impact of propagated and cascaded threats, vulnerabilities and breaches.
- Enhanced protection against emerging novel advanced threats in the respective critical sectors/domains addressed.
- Improved security governance of the respective critical domains/sectors addressed.
- Greater and more mature EU cybersecurity market in the respective critical domains/sectors addressed.
- Reduce the impact of breaches with various levels of success in penetrating the defences.
Long term:
- Better cybersecurity for specific standards in the respective critical domains/sectors addressed, that will trigger fast adoption of best practices in the related industry.
- Established trust chains among all entities in the eco-systems of the respective critical domains/sectors addressed.
- Better implementation of the relevant EU legislation (e.g. NIS, eIDAS, GDPR) in the respective critical domains/sectors addressed.
- Companies/organisations in the respective critical domains/sectors addressed are more willing to promote cyber security, privacy and personal data protection in the whole EU specific ecosystem.
Keywords
Horizon 2020, Framework Programme, H2020, FP9, European Union, European Commission, SwafS, Science with and for Society, infrastructure, cybersecurity, health sector, finance sector, transportation sector, SME, ME, citizens, stakeholder