
European Cybersecurity Strategic Research and Innovation Agenda for Public Private Partnership

Disclaimer: The following document represents solely the views of its authors from
industry, research and technical organisations and cannot in any circumstances be
regarded as the official position of the European Commission.
European Cyber Security cPPP Strategic Research & Innovation Agenda
Contents
1 Executive Summary
2 Research and Innovation Strategy
2.1 Context, overview and Implementation Strategy for SRIA
2.1.1 Cybersecurity products and services
2.1.2 SRIA Preparation Process with broader community
2.2 Mechanisms for SRIA implementation
2.2.1 Interaction among instruments for implementation
2.3 Relationships with other cPPPs
3 Estimated budget
4 Cyber Pillars
4.1 Cyber Pillar for cybersecurity trustworthy Innovation
4.2 Cyber Pillar for a technical cybersecurity experimentation and training ecosystem
5 Cyber technical projects / technical priority areas
5.1 Identification and analysis of technical priority areas
5.1.1 Assurance / risk management and security/privacy by design
5.1.2 Identity, Access and Trust Management
5.1.3 Data security
5.1.4 Protecting the ICT Infrastructure
5.1.5 Cybersecurity Services
6 Innovation deployment and validation
6.1 Cyber trustworthy infrastructures
6.1.1 Digital citizenships (including identity management)
6.1.2 Risk management for managing SOC, increasing cyber risk preparedness plans for NIS etc.
6.1.3 Information sharing and analytics for CERTs and ISACs (includes possibly trusted SIEM, cyber intelligence)
6.1.4 Secure Networks and ICT (Secure and trusted Routers, Secure and Trusted Network IDS, Secure Integration, Open source OS)
6.2 Demonstration/ cyber pilots projects
6.3 Bottom-up Track for Cybersecurity Innovation
7 Non-Technical Aspects
7.1 Education, training, and skills development
7.2 Fostering innovation in cybersecurity
7.2.1 Develop a cybersecurity ecosystem
7.2.2 Define the cybersecurity value chain
7.2.3 Boosting SMEs
7.3 Standardisation, regulation and certification
7.3.1 Standardisation
7.3.2 European Cybersecurity quality/ trust label
7.4 Societal aspects
8 Key Performance Indicators KPIs
9 Contributors
10 Annexes
10.1 Detailed technical topics with timeline
10.1.1 Assurance and security and privacy by design
10.1.2 Identity, Access and Trust Management
10.1.3 Data security
10.1.4 Protecting the ICT Infrastructure
10.1.5 Cybersecurity Services
1 Strategic vision for the SRIA
This SRIA defines the priorities for research and innovation for the European cybersecurity industry in upcoming years.
As the SRIA of a contractual Public Private Partnership, its emphasis is on transforming innovation and applications into
new business opportunities that help to solve the challenges that Europe (and others) are facing, but that also bring
growth to the cybersecurity industry, helping to create new technical solutions and services and supporting their
go-to-market actions in the European internal market as well as in entering other markets.
The initial SRIA we are proposing to initiate the European cybersecurity cPPP has been developed to answer the
main strategic objectives of the cPPP, namely:
• Foster and protect from cyber threats the growth of the European Digital Single Market considering its
  cultural and economic ecosystem, ensuring a level playing field (access to products and services with
  adequate security, independently of the provider);
• Develop the European cybersecurity market and the growth of a strong, competitive European
  cybersecurity and ICT industry, with an increased market position;
• Develop and implement European cybersecurity solutions for the critical steps of trusted supply chains, in
  sectoral applications where Europe is a leader.
1.1 An evolving environment
The cybersecurity environment is in perpetual evolution. In order to develop the SRIA we had to consider existing
technologies / solutions / services / threats and their possible evolution. In addition, we also had to consider the
current and future ICT and ICT security market.
We are entering a period of transformation due to the nature of systems and services, including 5G, IoT, and more.
Here are some (certainly not exhaustive) high level “market evolutions / needs” that may be used to justify the
investment.
For instance, we have to consider the following phenomena:
• ICT convergence
    o Softwarisation and virtualization → dynamics and perimeters of the systems disruption (part of 5G,
      for instance)
    o Risk and opportunities to converge security functions/capabilities in a “Software Defined” approach
    o XaaS [1] → end of perimetric/proprietary systems and its defence, usage (and industry) going to
      consumption of services instead of by system property
    o ICT and OT (Operations Technologies) convergence
        - Infrastructure required to become up to mission critical
        - Scalability, distribution and limited intrinsic IoT in terms of security capabilities
• Increased B2B needs
    - Market fragmentation with FOG [2], IoT, XaaS etc.
    - Data exchange in confidentiality (not just privacy) much more necessary than before
      (including security data)
• Analytics availability
    - Both a risk (privacy, data quality, and so on) and an opportunity (e.g. to increase smart
      detection of threats of any kind: fraud, terrorism, etc.)
• Security as a service
    - Is increasingly seen as a solution to compensate for lack of skills and means (from citizen to
      industry / economy)
    - European industry needs an EU label (despite different points of view from MS)
    - European industry needs standards or ways to describe a security service and the SLA
      attributes of a service in terms of security
• Label/SLA

[1] XaaS = Anything as a Service: the acronym refers to an increasing number of services that are delivered over the
Internet rather than provided locally or on-site.
[2] FOG computing or FOG networking is an architecture that uses one or a collaborative multitude of end-user clients
or near-user edge devices to carry out a substantial amount of storage (rather than stored primarily in cloud data
centers), communication (rather than routed over the internet backbone), and control, configuration, measurement and
management (rather than controlled primarily by network gateways such as those in the LTE core network).

1.2 Cyber coordination and cyber pillars (ecosystem) projects
The development of the SRIA has considered the wide palette of threats and an agreed products & services
segmentation. Having defined with experts the present and potential future needs / gaps, we have tried to group the
many priorities in an appropriate way to take the best decision for investments on R&I but also on further
implementation of the developed innovation.
At the same time, we had to consider the development of the whole ecosystem that will provide awareness and
sustainability for the best implementation of these solutions.
To support and better coordinate the implementation of the SRIA, we have proposed the two following topics (about
10% of the overall cPPP budget):
• Cyber Coordination Projects: mainly devoted to coordination and support activities at several levels (e.g.
  market update, link across R&I projects, dissemination & awareness, events etc.)
• Cyber Pillars: socio-technical ecosystems for innovation and experimentation
    o Cyber Pillar for cybersecurity trustworthy Innovation (to support SMEs and start-ups, innovative
      business models, etc.)
    o Cyber Pillar for a technical cybersecurity experimentation and training ecosystem (e.g. support to
      cyber range environments enabling the growth of cybersecurity industry and strengthen Europe’s
      cybersecurity capacity by enabling practical hands-on training, testing, exercising, evaluating,
      education, experimentation and validation activities, support to standardisation and possibly to
      certification and trust labels, validation of the elements in the value chain, etc.).
These are support actions that can have an impact on all the other different projects, market segments and
application areas.
Adequate investment in these projects will provide the solid substrate to build and develop innovation and the
European cybersecurity users and suppliers.
Other non-technical aspects identified in the SRIA (for further development in the frame of a European
cybersecurity industrial policy) are:
• Education, training, skills development
• Fostering innovation in cybersecurity: development of a cybersecurity ecosystem
• Define the cybersecurity value chain
• Boosting SMEs
• Bottom-up Track for Cybersecurity Innovation
• Standardisation, regulation and certification
• Societal aspects
1.3 Cyber technical projects / technical priority area
A more substantial body of work is expected for Cyber technical projects / technical priority areas, which
account for about 40% of the SRIA budget.
Five main areas have been identified for such basic Products & Services:
• Assurance / risk management and security / privacy by design
• Identity, access and trust management (including Identity and Access Management, Trust Management)
• Data security
• Protecting the ICT Infrastructure (including Cyber Threats Management, Network Security, System Security,
  Cloud Security, Trusted hardware/ end point security/ mobile security)
• Security services (including Auditing, compliance and certification, risk Management, cybersecurity
  operation, security training services)
This is the sector for R&I activities deeply involving the entire supply chain, from academia for basic research and
modelling, to RTOs for further development of the ideas, to users for specification of operational needs and
industries (large / SMEs) to bring technologies and basic solutions to higher readiness levels.
1.4 Innovation deployment and validation
1.4.1 Cyber trustworthy infrastructures / Integration project
These Products & Services are the basic “building blocks” which should be integrated and validated in a wider
Innovation deployment and validation approach that accounts for about 50% of the SRIA budget.
Consistent with the industry-driven approach and the objectives of the cPPP, this is the part where suppliers and
users / operators should integrate, test, validate and demonstrate innovations. These projects are intended to
integrate and bring innovations as close as possible to market and initiate a close cooperation across the different
stakeholders to close the “death valley” gap.
Four main areas of integration have been identified by the cyber trustworthy infrastructures / Integration projects:
• Digital citizenships (including identity management)
• Risk management for managing SOC, increasing cyber risk preparedness plans for NIS etc.
• Information sharing and analytics for CERTs and ISACs (includes possibly trusted SIEM, cyber
  intelligence)
• Secure Networks and ICT (Secure and trusted Routers, Secure and Trusted Network IDS, Secure
  Integration, Open source OS). Particular emphasis and budget is given to this area, as considered
  fundamental and strategic for Europe and the possibility to develop solutions in sensitive / strategic
  areas where an increased Digital Autonomy is needed.
1.4.2 Demonstration/ cyber pilots project
The next step foreseen by the SRIA roadmap is the implementation of these (transversal / generic) solutions in
different kinds of verticals, each with their own specific needs. This approach, dealing with Demonstration/ cyber
pilots projects, has been proposed to work closely with users and operators (public and private) to allow them to
verify the need and the results of the introduction of innovative solutions in effective environments. Main targets
and priorities are those areas that present strategic interest (economic, political / national security, societal) in
Europe, including but not limited to:
• Smart Grids (Energy)
• Transportation (including Automotive / Electrical Vehicles / Logistics/ Aeronautics/ Maritime)
• Smart Buildings and Smart Cities
• Industrial Control Systems (Industry 4.0)
• Public Administration and Open Government
• Healthcare
• Finance and Insurance
1.4.3 Bottom-up Track for Cybersecurity Innovation
A last approach is dedicated to the Bottom-up Track for Cybersecurity Innovation. It aims at reducing the time from
idea to market, stimulating private sector investment and taking best-in-class innovations on a fast track to outpace
international competition. For cybersecurity and privacy innovations, industry can propose any R&I topic related to
any sector. This track aims at complementing the pre-defined pillars as well as the set priority R&I topics.
1.5 Examples of prioritisation
We have seen that the palette of priorities is very wide and the SRIA is very ambitious in its formulation of challenges
and envisaged projects.
Yet, all these topics are important for the cybersecurity of the specific systems or of the specific applications.
Prioritisation should be found for Products/Services/Technologies (Technical Projects) and the Cyber Infrastructures
(Integration Projects). The Vertical Applications (Pilots) could be considered as “use cases” for the demonstration of
evolution and do not necessarily need to be prioritized (they can also take advantage of the complementarity with
other H2020, Regional funded initiatives and other PPPs on Transports, Energy, 5G, Security, Healthcare …).
If we are looking for a possible prioritisation in terms of Technical Projects, we could consider as priorities the
following:
• Protecting the ICT Infrastructure and enabling secure execution.
• Data Protection/Security.
The above two technologies are partially provided through Security & Privacy by Design and Identity & Access
Management, which are to be considered as enablers of the top priorities.
• Managed Security Services are also to be considered a priority due to the need of empowering widespread
  baseline Cyber Security adoption (also justified by the very high market dynamics, as presented in § 4.2.2 of
  the Industry Proposal).
Looking for a possible prioritisation in terms of Cyber Infrastructures we could consider that:
• The evolving needs for ICT security, e.g. for mobile communication, cloud, virtualization etc. For instance, the
  evolution of communication networks towards 5G is ongoing, and also linked with 3GPP and ETSI standards
  new releases. The 5G goal of providing an ecosystem for reducing costs and favouring new services above is
  directly related to solutions considering multiple bearers, network slicing, network functions virtualization
  with provision via Cloud, etc. All of these solutions need increased protection from cyberattacks, including
  a way to validate the guaranteed reliability and level of protection of each component within the ecosystem.
  Therefore Cyber Infrastructure for Secure ICT is necessarily a top priority in the budget.
• The Digital Citizenship with all aspects related to Digital Identity Management and secure access to all Public
  Administration services is rapidly proceeding in all European nations, and this requires an adequate
  protection of the related platforms, so also the Cyber Infrastructure for digital citizenship is a priority (also
  justified by the high market dynamics, as presented in § 4.2.2 of the Industry Proposal).
• New services are more and more based on information sharing and data analytics, with data gathered from
  the web, sensors, and information providers. Data must be protected and trusted if we want to generate
  value from them, especially if we think of applications in Health, Finance, and Critical Infrastructures.
  Therefore we have also to consider as a priority the related Cyber Infrastructures for Information sharing,
  storage and analytics, with a relevant support given by the Cyber Infrastructures for Intelligence, Threat and
  Risk Management, relying on technologies such as Artificial Intelligence, High Performance Computing, and
  Advanced Visualization. Probably the budget related to these two last cyber infrastructures can be lower, but
  the activities cannot be delayed.
2 Executive Summary
The rapid development in the digitalisation of economic activities and societies, the emergence of new technologies
and the rise in digital connectivity and interconnectedness are matched by a corresponding acceleration of needs for
technologies and solutions to provide security, ensure privacy and maintain trust in digital systems and networks.
These needs are reinforced by the increasing prevalence and changing nature of cyber threats, and modes of attack
and forms of malicious behaviour. These developments are not delimitated by national borders and, specifically in
the context of the Digital Single Market (DSM), require a response at a European-level.
Building on the fast digitalisation of several sectors of the European economy, the need for a comprehensive,
pan-European approach on cybersecurity is gaining strategic importance for the European society and industry as a
whole.
Cyber security is an essential enabling factor for the development and exploitation of digital technologies and
innovation and is, therefore, inextricably linked to future prospects for growth, job creation and Europe’s response
to environmental and societal goals. Specifically, Europe’s ambitions to develop or reinforce its leadership in key
economic areas (e.g. health, energy, transport, finance, communications, Industry 4.0, and public services) must be
accompanied by cybersecurity solutions that meet the needs of emerging digital markets.
The European cybersecurity market is about 25% (i.e. about €17bln) of the world market (estimated at €70bln in
2015), with an average yearly growth slightly larger than 6%, when the world market is growing at about 8%/year.
Also for this reason, it is urgent for Europe to boost its growth in the cybersecurity / IT security sector.
A recent study compiled by European cybersecurity industry leaders pointed out that Europe is in danger of falling
behind in the international digital economy field. The study report also emphasised an important strength: the fact
that Europe is the most trusted area in the world when it comes to ensuring a high level of data security and privacy.
This competitive advantage needs to be maintained and built upon. To improve the situation, we need to build on
our strengths and tackle the weaknesses, taking advantage of the many opportunities the dynamic digital market
is offering.
The proposed cPPP should provide an important component to delivering this response, bringing together actors
throughout Europe and across the diverse segments of the economy and society implicated in the development of a
secure and trusted digital market (e.g. technology and solution suppliers and service providers, public and private
sector customers and users, policy makers and public administrations) in pursuit of an agreed and coordinated
strategy and policy actions aimed at:
• Protecting the (growth of the) European Digital Single Market from cyber threats;
• Structuring, consolidating and strengthening the European cybersecurity market with trustworthy and
  privacy aware technologies, products, services and solutions;
• Supporting the development of European capabilities to develop and bring to market innovative
  cybersecurity technologies and, thereby, building a strong, resilient and globally competitive European
  cybersecurity industry with a strong European-based offering and an equal level playing field.
The objective of this proposal is to bridge the gap between capacity building and the deployment of trusted
European cybersecurity solutions on European and international markets, thereby creating new business
opportunities for European industry while addressing the challenges faced by Europe and defending its stance on
safeguarding the privacy of citizens.
This objective substantiates the intention to build a sustainable cybersecurity industry in Europe, even beyond the
scope of the ECS cPPP, by setting up a long term industrial strategy to reach expected impacts monitored through
Key Performance Indicators (KPIs).
It should be noted that this proposal should be aligned with the establishment of a shared ecosystem and the
support of cybersecurity industrial activities fostering the exchange of experiences, competences, pooling of
resources, raising general awareness, setting up general education / specific training programmes etc.
Based on an analysis of the current nature and evolution of cyber threats in Europe supplemented by a detailed
SWOT and market analysis, the proposal suggests building this long term industrial strategy upon the strategic
priority areas (both technical and non-technical) identified in the SRIA (Strategic Research & Innovation Agenda).
The commitment of stakeholders, for project activities running in the context of the ECS cPPP, is targeted to add a
leverage factor of 3 in addition to the European Commission (EC) contributions under Horizon 2020 instruments.
Therefore, the economic and industrial relevance of the scope of the cybersecurity cPPP coupled to relevant
activities for market development, will facilitate Research and Innovation (R&I) investments in addition to and
beyond the engagement of the EC in this partnership.
Having a strong offering in the cybersecurity domain is also a crucial part of increasing the European digital autonomy
for sensitive applications. Another relevant aspect is that there are many new emerging technological realities that
are still in the early adoption phase and need the cybersecurity offering to be developed to match their specific
needs. As these new areas (e.g. IoT, Big Data, Quantum Computing, Cloud, Mobile and embedded systems, smart
grids etc.) are still emerging and escalating, everybody has an equal chance to provide the necessary cybersecurity
products and services.
The European cybersecurity industry should take advantage of these opportunities, particularly in those economic
sectors and applications where Europe is a leader. In some fields, several cPPPs have already been brought to life. In
these areas, collaboration with those other cPPPs is foreseen in the current proposal.
The proposal recommends the creation of an international non-profit association called ECSO with a governance
model structuring the work and activities of actors engaged in the ECS cPPP. This Association will allow open
participation of all legal entities established in the countries participating in H2020. As security is a national
prerogative, the participation of representatives from the national administrations is expected as well.
While the ECS cPPP will focus on R&I, the ECSO Association will tackle also other industry policy aspects for market
and industrial / economic development.
The link between the SRIA priorities with its R&I priorities - which are the target of the ECS cPPP - and the policy
support activities - which are one of the main targets of the ECSO Association - is essential to get the commitment of
the private sector and reach a satisfying leverage factor as envisaged in the cPPP H2020 rules.
3 Research and Innovation Strategy
3.1 Context, overview and Implementation Strategy for SRIA
We recall some initial guidelines for the cPPP (which include recommendations for the SRIA):
• Gather industrial and public resources to deliver innovation against a jointly agreed strategic research and
  innovation roadmap.
• Maximize available funds through better coordination with European countries.
• Focus on a few technical priorities defined jointly with industry.
• Seek synergies to develop common, sector-neutral technological building blocks with maximum replication
  potential.
• Obtain economies of scale through engagement with users/demand side industries and bringing together a
  critical mass of innovation capacities.
• Be a platform to discuss other supporting measures for the industry.
Several projects and initiatives have been launched for defining strategic research and innovation agendas on
cybersecurity (and related fields such as cybercrime and cyber defence). Many stakeholders are involved. The cPPP would
maintain an open process of structuring its SRIA.
The initial SRIA has been elaborated by the informal cPPP SRIA WG (informally created during the Jan. 20th kick-off
meeting) starting from findings of the NIS WG3 SRA and defining and agreeing priorities together with the industry
(and Member States representatives) by using qualitative and quantitative methods.
The NIS WG3 SRA covers the whole cybersecurity spectrum from different but complementary socio-technical
perspectives. It is thus structured around 3 so-called Areas of Interest (AoI), with the titles of:
1. Citizen Digital Rights and Capabilities (looking at cybersecurity from an individual perspective),
2. Resilient Digital Civilisation (taking a collective/societal perspective),
3. Trustworthy Hyper-connected Infrastructures (looking at the secure and resilient infrastructures – in
   particular critical infrastructures). This Area of Interest is the largest and can be articulated in:
   a. ICT Infrastructure (including cloud, mobile, networks, etc.)
   b. Smart Grids (Energy)
   c. Transportation (including Automotive / Electrical Vehicles)
   d. Smart Buildings and Smart Cities
   e. Industrial Control Systems (Industry 4.0)
   f. Public Administration and Open Government
   g. Healthcare
   h. Finance and Insurance
Each of these areas provides a Vision, a list of issues and challenges, an inventory of (Technology, Policy, Regulatory)
enablers vs inhibitors and ends with an analysis of the gaps where a number of actions are recommended (as per
nature of the gap) to fill in those gaps and so achieve the Vision (this may range from research action to
standardisation action going through regulation action).
In addition to the recommended actions at individual level (i.e. AoI level), there are the recommended actions at
collective level, which this section stresses and which result from the cross-analysis of the 3 AoIs. Taking
inspiration from the cross analysis we can give here the main research commonalities identified by NIS WG3:
1. Fostering assurance
2. Focussing on data
3. Enabling secure execution
4. Preserving privacy
5. Increasing trust
6. Managing cyber risks
7. Protecting ICT infrastructures
8. Achieving user-centricity
These topics are illustrated in more detail in the NIS WG3 SRA, which refines them into subtopics
and provides a timeline for their solution. We claim that those topics should be of interest to the scientific,
technological and industrial communities [3].
One of the main recommendations of the NIS WG3 SRA was also the creation of a global contractual governance
that would approach holistically the business and innovation issues related to cybersecurity.
This definitely demands considering market as well as strategic national issues.
3.1.1 Cybersecurity products and services
In this cPPP the industry perspective will be analysed and developed in order to contribute to the creation of the
Digital Single Market:
1. Stimulate the competitiveness and innovation capacities of the digital security and privacy industry in
Europe.
2. Ensure a sustained supply of innovative cybersecurity products and services in Europe.
We thus consider the main elements of the market and the security products and services and make those the
cornerstone of our approach for the identification of the cybersecurity technical priorities as well as the main vertical
sector of analysis as depicted by the NIS directive and consultation for cPPP.
We use the following classification for cybersecurity products and services (others could be used as well):
Cybersecurity Products & Services:
• Assurance, security / privacy by design
• Identity, access and trust management
  o Identity and access management
  o Trust management
• Data security
• Protecting the ICT Infrastructure and enabling secure execution:
  o Cyber threats management
  o Network security
  o System security
  o Cloud security
  o Trusted hardware/ end point security/ mobile security
• Cybersecurity services
  o Auditing, compliance and certification
  o Risk management
  o Cybersecurity operation
  o Security training
An alternative segmentation (proposed in the NIS WG3 Business cases and innovations paths deliverables)
uses the following classification, based on sectors where good market opportunities are envisioned in the
next years:
• Security services and capabilities
• Trusted and resilient infrastructure
• Secure software/systems engineering methods and tools
• Security management solutions
³ While there is a general consensus that those topics are relevant, we leave as future work the finer-grained classification of the
relevance based on other criteria such as scientific and technological excellence, business relevance and societal impact.
The “Products & Services” approach will be the cornerstone of our analysis for defining the technical priorities for
the cPPP. In doing so we will consider the vertical sectors (such as smart grids, e-health,…) and their needs vs security
products. The main goal is to provide a set of cybersecurity capabilities and technologies that can be used in different
application domains with maximum efficiency and impact.
The first phase is to set up these priorities. The maturity level of such products should also be analysed in order to
see the European cybersecurity strengths and weaknesses.
In the following picture we link the vertical sectors (or application domains or hyper connected infrastructures as
mentioned in the NIS WG3 SRA) with the products and eventually with the research areas/topics to be funded to fill
the existing gaps.
Figure: cPPP perspective on Products and Services and relationships with application domains and Secure ICT infrastructures (from Application domains to Secure ICT infrastructures to Security Products & Services). Layers shown: Hyperconnected (Critical) Infrastructures / Application Domains (Industry 4.0, Energy, Transport, Finance, Public Services / eGovernment, Health, Smart & Secure Cities, Other), built on top of Secure ICT infrastructures (IoT, Mobile, Embedded, Networks/5G, Cloud/web services, Other), relying on Products & Services (Security and privacy by design, Identity and access management, Trust management, Data security, Network security, Systems security, Cloud security, Hardware (device/endpoint), Audit, compliance and certification, Risk Management, Cybersecurity operations services), relying on Research Areas/Topics (Technology Research).
The vertical sectors will provide requirements and needs to the lower layers, by requiring proper technologies and
processes to secure the development and operation. These products in turn will use security products and services.
These are still in an evolution phase and research needs will be further identified or detailed.
3.1.2 SRIA Preparation Process with broader community
As mentioned before, the initial SRIA has been developed starting from the findings of the NIS WG3 and further
elaborated inside the informal cPPP SRIA WG during the 4 months of initial operations. For the future, we plan to
collect input from all the cPPP WGs, interact with the scientific and technology advisory groups (also consisting of
the NIS WG3 members and PASAG ones) and follow the governance procedures as set up by the ECSO. We will also
consider the practitioner communities, including white hat hackers.
The cPPP SRIA is planned to be revised yearly.
3.2 Mechanisms for SRIA implementation
The ECS SRIA will use a coordinated set of mechanisms to implement its research and innovation activities. In doing
so, it will also be coherent with the H2020 framework although proposing also mechanisms to overcome some of its
limitations.
These mechanisms are common also to other cPPPs (e.g. Big Data Value):
1) Cyber Coordination Projects: mainly devoted to coordination and support activities at several levels
2) Cyber Pillars: socio-technical ecosystems for innovation and experimentation
3) Cyber Technical Projects: mainly devoted to build the basic capabilities, often involving research and
innovation actions
4) Cyber Trustworthy Infrastructures (“lighthouse projects”): large projects able to develop cyber infrastructures
allowing a better protection of the European DSM, while promoting European innovative products and services
across several application domains
5) Cyber Pilots: developed to pilot and experiment solutions in specific vertical domains
In principle other kinds of instruments could be set up, especially when working at national or regional level and by
using structural funding.
Five kinds of mechanisms
In order to implement the research and innovation strategy, and to align technical with cooperation and coordination
aspects, five major types of mechanisms are recommended:
• Cyber Coordination (Coordination and Support Actions): These projects will foster cooperation (also
  international) for efficient information exchange and coordination of activities. In particular, support could
  be provided by the following envisaged activities:
  o A coordination action for the ECSO operation
  o Coordination actions for the KPIs monitoring activities
  o Coordination actions for cooperation at national/regional/level (cross border cooperation)
  o Coordination actions for international relationships with US/Japan/Worldwide
  o Creation of a European Observatory on the cybersecurity market
• Cyber Pillars (socio-technical ecosystems for innovation and experimentation/training): A combination of
  organisational and technical elements that will allow challenges to be addressed in an interdisciplinary way and
  will serve as a hub for other research, innovation and experimentation activities. We envisage at least Cyber
  Pillars for:
  a. Cyber Pillar for Innovation – Cyber Trustworthy Innovation Ecosystem
  b. Cyber Pillar for training/education/cyber experimentation facilities – Cyber experimentation and
     training Ecosystem
• Technical projects: Small or large scale technical projects, often R&I activities for developing new
  cybersecurity capabilities. We should ensure that these projects contribute to developing the technical
  competences and contribute to the KPIs of the cPPP. These projects would be based on the technical
  priorities defined in the later sections.
• Trustworthy Cyber Infrastructures (“lighthouse projects”): Large projects that will help to develop large
  infrastructure in the cyberspace, mainly crossing several domains, that may lead to a direct competitive
  advantage to industry and/or be of strategic relevance for European countries. It includes large scale projects
  which could be funded through a number of different channels, including Horizon 2020 and structural funds.
  They are specifically designed to raise awareness of the Partnership and give it increased visibility.
  a. Cyber Infrastructure for information sharing and analytics:
     - for CERTs and ISACs
  b. Cyber Infrastructure for digital citizenships (including identity management)
  c. Cyber Infrastructure for risk management
  d. Cyber infrastructure for Secure ICT:
     - Secure and Trusted Routers, Trusted Network IDS, Secure Operating Systems, Secure
       Integration Services.
  These large demonstration actions would have a sufficient budget (between 20 and 40 M€ of overall
  total budget) to provide significant results and impact. A specific subject would be chosen each year following
  the primary criterion of proximity to the market (that is, high marketable readiness level or high investment
  readiness level). In this respect, a significant number of those final customers, end-users (or investors)
  should be present and involved in the project as an active part of the consortium. They should participate in the
  backbone of the project conception from the beginning. The lighthouse projects should respond to a
  consistent business case and, subsequently, they should provide a robust business plan to be implemented
  in a relatively short time-scale (i.e., less than 3 years to market). This philosophy should be one of the
  main drivers for the selection of the annual priority for this action. Because of the magnitude of their impact,
  the lighthouse projects also have to clearly demonstrate how the sector, subsector or application domain
  will be substantially influenced, not only because of the technological step forward but also on other aspects
  such as regulations and policy recommendations, customer behaviour and attitude, new business models (i.e.,
  cyber-insurance market…), etc. Given the large expected impact of the lighthouse projects not only at
  European level but abroad, the proposal of the annual focus theme would also be agreed and coordinated
  with the Member States and the other countries participating in the cPPP.
• Cyber Pilots: These projects, mainly innovation based, are devoted to the piloting of solutions in specific
  vertical domains. These pilots will use the cyber infrastructures previously described and capabilities
  developed in the technical projects to demonstrate how the developed innovations can satisfy specific
  requirements in key vertical sectors, gathering attention and commitment of users and potential
  procurement bodies.
Figure: Five mechanisms for ECS cPPP implementation in the H2020 programme
These projects (in particular the cyber infrastructure ones) are triggered and guided by the platform’s feedback and
put in place by stakeholders and members of the Partnership. They can be funded by private, local, regional or
structural funds coming from cities, regions, banks, etc. and make up a significant and crucial contribution in working
towards the smart urban systems of tomorrow.
3.2.1 Interaction among instruments for implementation
The following picture highlights the role of the different kinds of projects in the cPPP. In particular, technical projects
are used to deliver the basic capabilities (building blocks) on top of which both large cyber infrastructures (cross
domains) and domain specific pilots can build.
One of the main goals of the cPPP is the achievement of pilot solutions for cyber infrastructures. Such cyber
infrastructures should address core aspects of ICT. The number and size of the pilot projects will depend also on the
relevance of the sector for the cPPP members as well as the avoidance of duplication of efforts with other European
initiatives.
Interaction among instruments (focus on infrastructures, technical projects and pilots).
3.3 Relationships with other cPPPs
Cybersecurity pervades several application domains as previously evidenced. While the cPPP cyber would support, in
an industry led approach, the definition of requirements and main research challenges, still, in many application
domains, it is crucial to check the existing efforts done/planned with respect to other cPPPs (or European initiatives).
We can mention here some of the European initiatives that could be relevant for the cPPP in cybersecurity.
Existing PPPs with the European Commission are:
• Factories of the Future (FoF)
• Energy-efficient Buildings (EeB)
• Sustainable Process Industry (SPIRE)
• Big Data Value (BDVA)
• European Green Vehicles Initiative (EGVI)
• Photonics
• Robotics
• High Performance Computing (HPC)
• Advanced 5G networks for the Future Internet (5G)
Other Research Public-Private Partnerships in FP7:
• Future Internet PPP (FI-PPP)
• A 3D printed key to the Factory of the Future
• Nanotech sun block for your home
• Modular, flexible, sustainable: the future of chemical manufacturing
Other important initiatives which could be linked to the ECS cPPP are:
• The AIOTI (Alliance for Internet of Things Innovation)
• The EIP AHA (European Innovation Partnership on Active and Healthy Aging)
• The EIP SCC (Smart Cities and Communities)
• Sesar JU (for a Single European Sky – Air Traffic Management)
• Shift2Rail JU
• ECSEL JU (Electronic Components and Systems for European Leadership)
Several envisaged members of the cPPP cybersecurity are active members in these initiatives. It will be of particular
relevance to create an explicit flow of information with those, such as 5G, BDV, FoF, EeB and HPC, that immediately
overlap with some of the research challenges we plan to address here. As part of the cPPP SRIA definition, these
stakeholders will be contacted and the cybersecurity cPPP could also provide a sort of overall cooperation, trying to
ensure that the main security concepts are developed inside the cyber cPPP, thus avoiding the creation of
duplications or technological silos in specific domains that would not allow proper interoperable evolution of the
technologies.
In the following picture we show some potential relationships.
4 Estimated budget
Given the current time frame we analyse the budget for 2017-2020 also considering that most of the topics have
been also fixed already in the appropriate committees for 2016 (and mostly 2017).
We tried to balance among the different instruments, including the ratio between research and innovation activities,
providing slightly more relevance to the latter.
It is estimated that for an entire programme of 4 years, where projects will of course continue to run several
years beyond, an investment of approximately €850M (with a hypothesis of €450M from the European Commission
– note that following the H2020 reimbursement rule, the EC contribution of €450M is roughly balanced by a contribution
from project partners of about €400M) would need to be allocated between 2017 and 2020. Given the
current trend and the significant role of innovation in the cPPP Cyber, a tentative budget sharing has been
developed:
- 40% of the budget will be allocated to research and innovation or related activities,
- 51% in Cyber Infrastructures (integration and demonstration) to bring innovation close to
market
- 6% to projects developing the ecosystem
- 3% to coordination and support activities.
The estimated budget initially depicted by the cPPP SRIA WG is presented below. It is currently given in a coarse
grain format.
The rationale for the following simulation of budget distribution is based upon the following elements.
The budget distribution over the 4 years (EC contribution + contribution from project partners) is considering in 2017
the amount presently envisaged in the ongoing call for proposal (ending August 2016). Also the distribution of the
budget allocated in 2017 among the different priorities is following (as much as possible) the existing work
programme. The budget in the following 3 years is more or less stable, for an average annual overall amount of
roughly €250M.
Looking at the budget distribution in the different actions, the 6% budget (i.e. about € 50M over 4 years) for the
development of the ecosystem, is roughly constant over the years, with a slight increase after 2017, for a possible
better support to testing tools and education activities.
The distribution of 3% in coordination and support actions (i.e. almost € 30M over 4 years) is constant over the
years.
The two main areas where the budget is distributed are the R&I actions (i.e. the technical projects based on
technical priorities) with 40% (i.e. € 340M budget) and the Cyber Infrastructure actions (i.e. products / services for
different applications) with 51% (i.e. € 433M budget).
While research activities will increase and peak in the middle of the programme, the innovation actions of novel
applications and technologies (the “cyber infrastructure”) will start with an offset.
Indeed, after the relatively limited value for R&I activities in 2017, the budget will (at least) double to provide strong
support to new technologies and services.
The distribution of the €340M among the different topics (according to the provided product / services
segmentation) has been divided in the 5 main areas:
• Assurance, security and privacy by design: 12% of the R&I actions budget
• Identity, access and trust management: 11% of the R&I actions budget
• Data security: 19% of the R&I actions budget
• Protecting the ICT Infrastructure and enabling secure execution: 44% of the R&I actions budget
• Cybersecurity services: 14% of the R&I actions budget
The budget for “Assurance, security and privacy by design” could look relatively high from an industry / economy
point of view, but is considering the priorities imposed by the “societal security” approach.
The budget for “cybersecurity services” could look relatively low, when considering the high expected growth of the
service sector. Likely this value, initially estimated by the SRIA technical experts, will be updated in the future when
better leveraging upon marketing / industrial experts.
The budget for “Protecting the ICT Infrastructure and enabling secure execution” could look quite high (also 50% of
the overall R&I actions), but we estimate that this is the core area where there will be strategic market evolutions in
the future, and where European solutions will be needed, for instance for threat identification and management, for
overall system security including IoT, 5G and other mobile devices, for cloud security etc. The D priority in Cyber
Infrastructures (Secure Networks) actually gathers several high priority elements. For this reason, its budget is
considerably higher than the other priorities.
The budget for “Cyber Infrastructure” of €433M is divided in three areas:
• Integration Projects (for validation of existing technologies): 52% of the “cyber infrastructure” budget
• Demonstration / pilot projects (solutions implemented in different applications): 38% of the “cyber
  infrastructure” budget
• Bottom up track on innovation (a new instrument to reduce the time from idea to market, stimulate
  private sector investment and to take best-in-class-innovations on a fast track to outpace international
  competition): 10% of the “cyber infrastructure” budget
The budget for “Demonstration / pilot projects” is more or less equally spread across the different main vertical
applications, with some priority given to those applications where Europe is leader.
The budget for the “bottom up track on innovation” is quite limited, as considered for the moment as a “tentative
approach”.
The budget for the integration projects is quite important and is divided into the main areas for transversal
validation of innovative technologies and services. Particular emphasis is given to the area of secure networks and
ICT, as considered fundamental and strategic for Europe and the possibility to develop solutions in sensitive /
strategic areas where an increased Digital Autonomy is needed.
| Action (budget in €M) | 2017 | 2018 | 2019 | 2020 | TOTAL | % |
|---|---|---|---|---|---|---|
| CYBER PILLARS | 10 | 13 | 14 | 14 | 51 | 6.0% |
| Trustworthy Innovation Ecosystem | | | | | 15 | |
| Technical Experimentation Ecosystem | | | | | 36 | |
| RESEARCH & INNOVATION ACTIONS (technical projects based on technical priorities) | 44 | 107 | 98 | 90 | 339 | 39.9% |
| 3.1.1 Priority “Fostering assurance and security and privacy by design” | | | | | 42 | |
| Identity, access and trust management | | | | | 36 | |
| 3.1.2 Priority “Identity and Access Management” | | | | | | |
| 3.1.3 Priority “Trust Management” | | | | | | |
| Data protection, including encryption | | | | | 63 | |
| 3.1.4 Priority “Data security” | | | | | | |
| Protecting the ICT Infrastructure and enabling secure execution | | | | | 150 | |
| 3.1.5 Priority “Cyber Threats Management” | | | | | | |
| 3.1.6 Priority “Network Security” | | | | | | |
| 3.1.7 Priority “System Security” | | | | | | |
| 3.1.8 Priority “Cloud Security” | | | | | | |
| 3.1.9 Priority “Trusted hardware/ end point security/ mobile security” | | | | | | |
| Security services | | | | | 48 | |
| 3.1.10 Priority “Auditing, compliance and certification” | | | | | | |
| 3.1.11 Priority “Risk Management” | | | | | | |
| 3.1.12 Priority “Managed/management security services” | | | | | | |
| 3.1.13 Priority “Security training services” | | | | | | |
| CYBER INFRASTRUCTURE (products / services used in different applications) | | | | | | 50.9% |
| Integration Projects (validation of existing technology solutions) | 20 | 63 | 71 | 70 | 224 | |
| A) digital citizenships (including identity management) | | | | | 22 | |
| B) risk management for managing SOC, increasing cyber risk preparedness plans for NIS etc. | | | | | 45 | |
| C) information sharing and analytics for CERTs and ISACs (includes possibly trusted SIEM, cyber intelligence) | | | | | 40 | |
| D) Secure Networks and ICT (Secure and trusted Routers, Secure and Trusted Network IDS, Secure Integration, Open source OS) | | | | | 117 | |
| Demonstration / Pilot projects (solutions in different applications) | 20 | 45 | 50 | 50 | 165 | |
| Energy, including smart grids | | | | | 18 | |
| Transport | | | | | 22 | |
| Finance | | | | | 18 | |
| Healthcare | | | | | 22 | |
| Smart & Secure Cities | | | | | 22 | |
| Public Services / eGovernment | | | | | 31 | |
| Industrial Critical Systems / Industry 4.0 | | | | | 32 | |
| Bottom up track on innovation | 0 | 13 | 14 | 17 | 44 | |
| COORDINATION (Stakeholder cooperation for Roadmapping Dissemination & Communication; KPI monitoring activities; MS cooperation; International Relationship; EU observatory; Governance, …) | 6 | 7 | 7 | 7 | 27 | 3.2% |
| TOTAL | 100 | 248 | 254 | 248 | 850 | 100.0% |
5 Cyber Pillars
Cyber pillars are a combination of organisational and technical elements that will allow challenges to be addressed in an
interdisciplinary way and will serve as a hub for other research, innovation and experimentation activities.
The envisaged priorities consider the development of a trustworthy innovation ecosystem and a technical
experimentation ecosystem.
These priorities are closely linked to the “non-technical priorities” presented later in this document.
5.1 Cyber Pillar for cybersecurity trustworthy Innovation
Background
The proposed pillar will support the convergence of actors required to strengthen the European cybersecurity market.
The convergence of innovators, academic entrepreneurs, industry, venture capitalists and educators, focused on the impact
of technology rather than the development of technology, is critical to market maturation.
Cybersecurity innovation embodies process, service, organisational, people, administrative and marketing
dimensions. Stakeholders recognise the need for supports for innovation across the
entire lifecycle. Funding supports, interventions and initiatives aimed at core R&I, networking, customer
engagement and commercialisation are warranted. Innovation drives new product realisation and development.
Significant opportunities exist for innovation in the cybersecurity technology space, yet complex market, regulatory,
policy, commercial, and economic considerations create several barriers to transforming research outputs into
market-centric product and service applications.
Cybersecurity products and services still diverge quite a lot from traditional goods: they are public goods (non-excludable
and non-rival), theoretically not scarce, the opportunity costs of their use are not as high as for traditional
goods, and there are strong externalities in their production and use. Moreover, their technical complexity increases
information asymmetries and produces competition dynamics that are quite different from the traditional brick-and-mortar
industries (e.g. there is a strong monopolisation tendency).
Innovation processes in cybersecurity and privacy industries require higher security standards compared to other
industries and it can be expected that some of the open innovation models will not be applied here in order to serve
the security of the innovation process. This trustworthiness factor has great influence, and a Cyber Pillar provides
opportunities to address this in Europe.
Cybersecurity is a risk mitigation measure rather than providing any direct return on investment value itself making
value propositioning and justification arguments more difficult for cybersecurity suppliers. Moreover, the difficulty
of estimating tangible benefits leads to a problem of making a business case for spending on cybersecurity. Often,
companies only react with increased spending on IT security after a large-scale data breach has occurred. In such a
situation, it is relatively easy for IT staff to make a business case. So timing is important for showing the value
proposition of innovative cybersecurity products and services. Furthermore, as firms act under budget constraints,
the option of spending more funds on improving IT security competes with other options that might improve
revenues (such as spending more on marketing). Support to vendors on financial prioritisation is essential.
A Cyber hub for cybersecurity can support organisations to invest and transform their ideas into products,
services and systems that are informed by market conditions, thereby increasing the feasibility of success by
considering the market and business aspects as a major part of their technology offering. This pioneering market
lens serves to promote and ensure that technology developments are aligned to market, regulatory and economic
standards and underpinned by sound market segmentation and demand considerations to enable commercialisation
of innovation. In addition, it is crucial to link inter-disciplinary research in the area of innovation with other European
Horizon 2020 initiatives, on the concept, process and actuation of knowledge and solution co-creation and
co-implementation (see for example H2020-INSO-2015, New Forms of Innovation).
A European Cyber hub for trustworthy innovation should be considered an essential element of the ecosystem that
enables the growth of the cybersecurity industry and strengthens Europe’s cybersecurity capacity by enabling process,
service, organisational, people, administrative and marketing dimensions. The goal is to provide an ecosystem that
resembles a real-life business environment for product and service market release.
A key enabler of this hub is the innovation network; knowledge base delivery from an impartial source (national
and Pan-European cybersecurity clusters would be strong candidates) could form a strong approach that would
greatly assist cybersecurity innovators. In addition, influencers can educate society on the consequences of
neglecting cybersecurity or of violations of privacy.
The fragmentation of the cybersecurity market and community in Europe, split between business and technical
expertise, and platforms in their current set-up need many modifications to enable bigger scalability (e.g. data
analytics development, market definition, competitor analysis).
• Assess existing economic and procedural barriers to innovation and identify appropriate incentives needed
  to increase security product and service adoption;
• Focus on trustworthiness; Reputation and value chain analysis at European level
• Cybersecurity network analysis; trends on global alliances and partnering strategies
• Facilitate financing management of up-scaling and spin-outs.
Challenges
The nuances and difficult aspects of innovation reside in the market domain in which it is situated, as innovators
need to know where they fit, what the demand is, what the regulations are, who their customers are, and whether there is
room for them in the market. The value of great technology innovation is not realized if there isn’t demand or a
market for it. No innovator or funding body wants a situation where technology innovation is chasing a market
application. For cybersecurity technology innovation to have commercial relevance and societal impact there has
to be an integration of technology push and market demand. Nonetheless, it is also the responsibility of innovators
to create that demand within the market, if it is not immediately explicit.
• The approach to cybersecurity business innovation is fragmented across domains, technology, accelerators
  and incubators
• There is a tendency to adopt competitor innovation models, whereas customised innovation practices based
  upon requirements are essential. Training can address this.
• There is conflict in collaborative research in relation to process (knowledge) and product (economic benefit);
  incentives to harmonise basic research and disruptive innovation are required.
• There is limited support for stakeholders to prioritise sustainability of research beyond initial funding; paths
  to market delivery are immature
• There are no open hubs to involve more participants in product and service realisation, training,
  investment, modification, market alignment etc.
• Reputation based innovation is dispersed, alliances are one dimensional
• Cybersecurity trustworthy innovation has difficulty testing its inter-operational capacity, and shifting
  between pillars should be facilitated
Envisaged actions (with links to KPIs)
• Research, development and implementation of a cybersecurity trustworthy
  innovation hub environment that enables stakeholders to increase their innovative
  capacity in a European context
• New and upcoming SMEs and innovative enterprises to adopt and exploit research
  outputs in order to embed these within the market place and compete effectively.
• Transparency of cybersecurity markets toward competition policy enhancement
• Increase innovation productivity, pursue formalized innovation procedures.
  o align incentivisation within existing innovation ecosystem and culture in
    Europe.
  o implement an analytical approach to innovation incentivisation.
  o conduct evidence-based implementation of incentivisation.
  o monitor incentivisation of innovation.
  o tailor incentive schemes to risk associated with the innovation (incremental
    or greenfield).
  o evaluate successes and failures.
• The cybersecurity domain is highly trust-based, hence prior reputation and credibility
  is necessary in order to successfully sell products and services in the domain.
  Cybersecurity innovators need to manage their trustworthiness formally for market
  credibility.
• Innovators should consider alliances and partnerships with other organisations to
  enter the market.
• Developing and piloting the open-hub concept to widen the range of beneficiaries,
  including universities, SMEs, tradesmen etc.
• Development of sustainable business models.
• Development and piloting of analytics modules to enhance market management.
• Researching, development and piloting of modules to support innovation KPIs.
• Research and development to use cybersecurity innovation gurus.
• Defining and maintaining reference architectures, frameworks and interface
  standards, and encouraging and co-ordinating the creation of ecosystems of compatible
  and interoperable products and services across a cluster of research and innovation
  projects. These architectures, frameworks and standards should be defined in such a
  way as to promote competitive innovation, and should themselves be designed for
  evolution.
5.2 Cyber Pillar for a technical cybersecurity experimentation and training ecosystem
Background
According to the holistic approach in cybersecurity, the level of skills and awareness of different stakeholders plays a
crucial role in efficient cyber defence. Also, since country borders do not exist in the cyber domain, collaboration,
experience exchange and networking between different specialists, experts, researchers, policymakers, large
companies and SMEs, critical service providers, product developers etc. across borders and across domains is
important to ensure that everyone’s digital resources are well protected, and that tools are up to date and in accordance
with the changing cyber threats.
Cyber range environments should be considered as basic and crucial elements of the ecosystem that enables the
growth of the cybersecurity industry and strengthens Europe’s cybersecurity capacity by enabling practical hands-on
training, testing, exercising, evaluating, education, experimentation and validation activities. The goal of these
environments is to provide an ecosystem that resembles real-life operational environments for practicing, as many
activities cannot be simulated in the real environments.
Many cyber ranges have been created in Europe and we have several years of practical experience with organizing
international as well as national cyber exercises using these platforms. The largest international cyber exercises have been
organized using Estonian infrastructure since 2010; for example, 16 countries were involved in the 2015 Locked
Shields exercises (organized in cooperation with NATO CCDCOE in Tallinn), and more than 400 specialists
participated in that serious game session.
There is a growing demand for providing training and exercise services to an even wider range of parties, and the number of
players in existing formats is increasing year by year. Also, there are many ways to develop the ecosystems further in
order to create value for many other stakeholders including researchers, experimenters, SMEs, policy makers,
universities and students etc. Federating existing platforms would make it possible to create even more complex simulation,
testing, exercise and training environments that would even more closely resemble the complexity of the situation in
real life where almost everything is somehow connected.
The platforms in their current set-up need many modifications to enable greater scalability (e.g. automation of
manual preparatory work, data analytics development to automate analysis of exercise results etc.). They also need
technical upgrading as the technological realities change fast.
There are two main development directions:

Black-box cyber range to provide organisations their own closed testing environment;

Open Range to expand the organisations that can benefit from using the environment. Open range is an
environment that enables many additional stakeholders to harvest the benefits of hands-on practicing in
complex simulation environments, to test out tools, conduct penetration testing, malware detection or other
thematic exercises etc.
Challenges

There is a lack of training ranges to satisfy the needs for cybersecurity exercises. Training needs exceed
the availability of the environments.

The exercise ranges are often government funded, and since the government agencies do not have business
intentions, there is a lack of sustainable business models to scale the systems to meet the needs of other
interest groups (start-ups, vital service providers, universities, large companies etc.).

Preparing for one large-scale training typically involves a lot of manual work that could be
automated.

There is limited availability for many stakeholders to benefit from cyber range environments as they have
not been expanded to meet their needs yet (e.g. SMEs, researchers, universities etc.), only limited piloting
has been conducted.

Strategic serious games are usually not supported by technical environments that would make it possible to log the
necessary data that can later be used for developing new strategies, products, frameworks etc.

Analytics of environments needs more automation to enable better analysis, e.g. automate analysis of
situational awareness, risks and competences profiling etc. The serious games environments are also
environments that can provide input to new products development – these benefits are today not
sufficiently harvested, stronger collaboration with the industry is needed.

There are no open ranges to involve more participants in the exercises, trainings, testing, experimenting etc.

There is a lack of offering of closed black box ranges for parties that need a closed environment to conduct
trainings (e.g. vital service providers that want to exercise domain specific or secret scenarios).

There is a lack of cooperation between different existing environments. Integration / federation solutions
would enable trainees to get more versatile experiences and knowledge. They would also make it possible to involve
ranges that have very specific configurations that are difficult to recreate due to some domain specific
components (e.g. specific SCADA system ranges etc.).

The educational potential is not fully harvested - cyber ranges / serious games environments are rarely used
in educational programs to build practical, hands-on competences of students. In Tallinn Technical
University, first steps have been taken but there is a huge potential to use the range on a much wider scale.
Product development and automation is needed to scale these capabilities.

The potential for introducing new technical tools and services within the exercise frameworks is rarely realised.
So the start-ups and SMEs are not taking advantage of the opportunity to test and market their solutions in
the complex attack-defence simulation games.
The actions here envisaged should also be considered in the light of the activities foreseen later (§ 4.1) on non-technical priorities concerning “Education, training and skills development”.
Envisaged actions (with links to KPIs)


Development of scalable exercise environments that make it possible to multiply the capacity of
hands-on technical exercises, trainings, simulations, experimenting, product testing and
serious strategic games.

Developing and piloting the open-range concept to widen the range of beneficiaries,
including cybersecurity specialists, universities, SMEs, policy makers etc. (KPI 7)

Creating standards for integrating different cyber ranges and federating existing ranges to
enable large scale cross-border cyber trainings and exercises and to provide more
versatile experiences to trainees, researchers etc. (KPI 7)

Developing and piloting of black box ranges to provide closed exercise environments for
domain or company specific trainings.

Development of sustainable business models for both open and black box ranges.

Creating automation modules to reduce the manual work necessary for preparing each
exercise, training etc. session.

Development and piloting of analytics modules to enhance game session analysis
(situational awareness, profiling of competences, weaknesses etc.).

Development and piloting of wider scale use of technical games environments by
cybersecurity students as well as students of other relevant domains (e.g. law students,
policy and governance students etc.), including preparing necessary training scenarios.

Development and piloting of using cyber ranges to conduct strategic (table-top) trainings
for policy makers, lawyers, vital service providers etc., including preparing necessary
training scenarios.

Researching, development and piloting of modules to support using cyber range
environments to test new products and solutions in complex simulation situations to
enable start-ups and SMEs to beta-test and market their tools.

Research and development to use technical ecosystems for profiling and certifying
cybersecurity experts. (KPI 7)
Because of the important on-the-field experience in this pillar, the cPPP should consider the possibility to get some
funding as part of H2020 projects and to coordinate with other existing programmes such as:

The ones managed by DG-Education and Culture, aiming to support permanent tools for continuous learning
and skills development in specific domains (i.e., cybersecurity skills development addressed to non-cybersecurity sectors or workers).

The ones provided through the H2020 Excellent Science Pillar such as the networks of excellence or the
industrial PhD, etc.
To conclude, below are listed the potential beneficiaries and their main benefits:
Potential beneficiaries and their benefits

Technical ecosystem for training, testing, exercising, evaluating, education, experimentation and validation activities

Start-ups, SMEs, innovative products creators
• beta-testing products
• testing tools in complex environment
• marketing platform to specialists
• selling products
• input: new ideas for product development

Policy makers
• strategic trainings
• testing policies and laws
• testing international collaboration frameworks
• raising awareness among public sector

Universities, R&D organisations
• R&D platform
• resource development
• teaching platform
• awareness raising among other fields (politics, law, etc.)
• research (master’s thesis, doctoral studies)
• collaboration platform

Horizontal benefits
• National & international collaboration exercises (federated network of ranges)
• certification platform
• ideas for new products development

Defence forces
• strategic trainings
• technical exercises
• testing international collaboration frameworks
• relationship building with colleagues

Critical infrastructure providers, Large companies
• training specialists, profiling specialists
• profiling weaknesses, input to risks & business continuity management
• testing tools
• finding specialists to hire
• federating own testing environment with larger ranges

Challenges
• Business model development
• Trust building (testing teams)
• sustainable funding mechanisms
• marketing, network building
6 Cyber technical projects / technical priority areas
6.1 Identification and analysis of technical priority areas.
Based on these previous considerations we have taken a solutions oriented approach when defining the technical
priorities, focusing on those needs that have to be fulfilled to support citizens and organisations alike, reinforcing the
“close to market” dimension of the cPPP.
In particular, when identifying the research priorities, the members of the cPPP SRIA WG have been driven by the
main goals of the cPPP and were asked to identify those research and innovation challenges that would maximize
the impact of their solution.
This process has led to a focus on the 5 key technical areas below, further split into several research challenges (see footnote 4).
In particular, we consider the following classification and grouping for the cybersecurity Products & Services:

Assurance / risk management and security / privacy by design

Identity, access and trust management (including Identity and Access Management, Trust Management)

Data security

Protecting the ICT Infrastructure (including Cyber Threats Management, Network Security, System Security,
Cloud Security, Trusted hardware/ end point security/ mobile security)

Security services (including Auditing, compliance and certification, risk Management, cybersecurity
operation, security training services)
6.1.1 Assurance / risk management and security/privacy by design
6.1.1.1 Scope
The “quest for assurance” in cybersecurity is a long-standing issue with many facets and related aspects. It is
commonly agreed that, in order to be effective, security, privacy and trust considerations should be integrated from
the very beginning in the design of systems and processes (i.e. security/privacy/trust by design). This entails a whole
series of activities, including social and human aspects in the engineering process all the way to a certification that
the developed systems and processes address the planned security/privacy/trust properties.
In addition to the aim of building a secure system, we often need to prove (through evidence) that the system is
secure. This is also necessary when considering systems of systems, whose security depends not only on the
individual security of subcomponents but also on the security of the integration of these subcomponents. The
engineering process of the systems should thus take into account those security/privacy/trust/compliance
requirements and should consider, in addition, costs and risks in the development process and in the system’s
lifetime.
Indeed, cost and risk constitute two relevant factors in building and operating (security-sensitive) systems. The cost
of developing security countermeasures should be related to the value of assets to be protected (and often in the
digital world these are less tangible). Therefore the issue in this respect is not only cost, but also how a value can be
assigned to one or more assets, used by an organisation in its own economic sector of activity. On the other hand,
risk is linked to the capability to predict the current strength of the system. Thus security and corresponding risk
metrics are crucial (as other quantitative aspects of security).
This process of encouraging assurance techniques and processes can also be addressed by regulators. Indeed, the
introduction of regulatory actions could ease and support the adoption of assurance techniques (delivering benefits
to the overall security level of the infrastructures, systems and products).
4 See the Appendix for a more detailed description.
Starting from these considerations, risk should be managed with respect to the assets to be protected, and
investment in security should be aligned to the value of the assets. In this context, the residual risk could then be
managed with other approaches beyond security countermeasures.
6.1.1.2 Research challenges
We suggest structuring these along the dimensions of security / privacy by design, security / privacy validation, and
processes.

Security / Privacy by Design. By “security / privacy by design” we understand all methods, techniques and
tools that aim at enforcing security and privacy properties at software and system level from the conception
and guaranteeing the validity of these properties. Since the required security and privacy properties depend
on the system context and the application domain, understanding these requirements and being able to
precisely define them is a prerequisite. Hence, security requirements engineering is part of this discipline.
In order to come up with practical, feasible techniques, emphasis should be on close integration with
existing software requirements engineering approaches (like, for instance, those based on UML, but with a
stronger focus on automation and modularisation) and the inclusion of risk assessments and needs. The
identified requirements need to be formally traceable to security features and policies throughout all phases
of the secure development lifecycle, considering the complete system view (which might include
assumptions about the context that need to be enforced upon deployment).

Secure (programming) languages and frameworks. Secure programming fulfils a set of requirements “by
default” via enforcing secure architectures and coding. While there is an existing body of research in the
field, there are typically good reasons why developers prefer potentially insecure approaches: performance,
interoperability, ease of use, ease of testability etc. The challenge is to provide secure development and
execution environments that are identical to traditional environments with respect to these qualities, but
still allow the flexibility and expressiveness developers are used to (e.g., including higher order language
constructs).

Open Source Security. A significant share of today’s security vulnerabilities stems from the fact that typical
software applications are no longer monolithic but composed of hundreds, sometimes thousands of open-source components, whereby each component’s life-cycle is disconnected from that of the application and
beyond the control of the application developer. A prerequisite for effective and efficient response
processes is, on the one hand, complete transparency of an application’s supply chain (with the ability to
track & trace every single application dependency) and, on the other hand, accurate and comprehensive
vulnerability intelligence, e.g., with regard to affected component functionality, code and versions. Based
thereon, application developers must assess the impact of a given open-source vulnerability in the context of
a specific application, and contrast it with alternative mitigations and related costs.

Security validation. Security validation comprises all activities that aim at demonstrating the security
qualities of (specified, implemented or deployed) software and systems. Hence, it includes formal
verification, static code analysis, dynamic code analysis, testing, security runtime monitoring, and more.
Since all of these methods have particular strengths and weaknesses, emphasis should not only be on their
individual advancement (which includes increase of automation, coverage analysis, modularisation,
soundness, efficiency), but also on understanding their complementarity. For instance, promising results
have been achieved by combining static and dynamic code analysis, and further combination and interaction
of different techniques are seen as a valuable approach towards managing complexity and increasing the
quality of results.

Metrics. Metrics are key to understanding the security level of a system under development as well as in
operation. Hundreds of metrics have been proposed, but they still lack a mapping to the actual risks that
relate to a particular measurement. Hence, metrics should be derived from risk models and assessments,
taking technical and business context into account and adapting to system and context evolution. This
contributes to the quantification of security and privacy risks, as an ingredient of balancing the cost of
security measures and their potential risk reduction. The cost typically can refer to several aspects of the
system, including performance, or the accuracy, correctness and utility of the protected data. One major
challenge in this context is to ensure that metrics are meaningful to market players in their own sector of
economic activities, yet are comparable across sectors.

Methods for development of functionally correct and error free security protocols and interfaces. Security
protocols and interfaces appear everywhere in secure system designs and their functional correctness and
security properties are key to guarantee the overall security of a system. To enable efficient development
and verification of security protocols and interfaces, tools and mechanisms for reliable and systematic
protocol verification are needed. Academic efforts in this area include e.g. formal methods for protocol
analysis based on model checking, epistemic logics and other formalisms. However, existing tools and
mechanisms are limited and would need to be extended and made more efficient to be able to handle the
complex real life protocols used in current security solutions where security features are deeply
intertwined with low level details of the system functionality. Furthermore, there is a gap between
languages and descriptions used by security engineers and those used by existing tools. This gap needs to be
closed to bring the benefits of the academic work to the market.

Combination of functional safety and security. There is great interest in developing engineering methods
that can tackle functional and non-functional aspects in a single approach. Security and safety are crucial, for
instance in the interplay of real time aspects (e.g. delays introduced by crypto operations). Additionally,
degraded modes due to safety or security issues should be taken into account, considering the role of
cybersecurity in avoiding them and dealing with them.

Methods for developing resilient systems out of potentially insecure components. Building on research
performed in the context of composing (secure) service oriented systems and system assurance and
verification, models for specifying security and trust attributes of hard- and software components, that can
be formally validated and verified, provide a baseline for system development methodologies which must
guarantee a minimum (defined) level of resiliency for complex (cyber-physical) systems.
6.1.1.3 Expected outcome

Integrated assurance frameworks (in a risk management approach) including the management of cost,
efficiency and risks, able to merge security and safety aspects

End-to-end adaptive security engineering frameworks

Adaptation to specific operating context and related risk exposure (and their evolution)

Support of diverse deployment models (cloud, mobile, platform, platform services)

Increasingly resilient systems

User-friendliness, i.e. easy to comprehend and evaluate evidence

Link to cyber-insurance policy elaboration and dynamic management
6.1.2 Identity, Access and Trust Management
6.1.2.1 Scope
Despite being a well-established market in its own right, the Identity and Access Management (IAM) marketplace is
still a dynamic and growing one. Notions of extended enterprises and more advanced B2B interactions based on
Internet services become more commonplace, driven by e.g. cloud services, new hosting models and diversifying
partners and relationships. Developments such as the Internet of Things (IoT) trigger diversity of form factors and
capabilities of authentication tokens. Hence, current IAM approaches do not cater to the full range of needs created
by the increasing mix of devices brought on by IoT, machine-machine and man-machine interactions and similar
developments. Core challenges exist around cross-domain authentication, authorisation in new distributed contexts
and the need to avoid monopoly situations and single points of failure, when users are authenticated and their
authorisations are being checked. For end users to trust the digital society, they need to be able to not only
understand but also manage the actual level of security delivered by different providers and control the degree of
identification.
Indeed, individuals need to be empowered to develop trust in digital services and/or apps for them to make
informed decisions. This calls for methodologies and tools to not only focus on Security and Privacy by design but also
Trustworthiness by design. This calls also for proper lifecycles to be covered from development to management
(monitoring) going through important steps such as certification, distribution and deployment. It also calls for
innovation in managing the dynamic dimension of authentication, when a user’s identity needs to be re-assessed
after an initial approval.
6.1.2.2 Research challenges

Usability of authentication. Overcoming the dangers caused by the often careless use and management of
passwords will only succeed if alternatives are user-friendly and strongly embedded into applications.

Flexibility of authentication and authorisation. To support the appropriate degree of identification during
authentication and authorisation, identity service providers need to offer a complete range of choices, so
users and providers can agree on a mutually acceptable way of authentication. This includes also the
different levels of authentication in terms of the sensitiveness of the service delivered by the provider, and
in some cases the need to manage the dynamic dimension of an authenticated user (re-authentication
during usage of a service).

Partial identities. Research is needed to build technologies that allow users to separate their identities for
different aspects of life.

Certificate and signature sustainability. Identity certificates and other digital signatures need to survive the
test of time, i.e. their integrity needs to sustain the whole period of commercial relevance and/or legal
validity.

Scalability of authentication. Scalability has several facets. It refers to the number of transactions that need
to be supported as well as to the abilities of the respective devices. It also needs to cover the management
of sensitive authentication data.

Interoperability of authentication. As interoperability via intermediaries is creating major overheads and
security risks, more direct approaches to interoperability need to be researched and tested through pilots,
so that the relevant information can be accessed by those who need it, be it users, who want to qualify
towards providers or the providers themselves.

Computational trust models. There is the need to define sound computational trust models able to cope
with the heterogeneity of modern ICT infrastructures, ranging from IoT to cloud services.

Decentralized trust frameworks (e.g. blockchain). When dealing with trust it is always relevant to be able
to avoid relying on a single authority and to also consider decentralized trust models. This also extends to
operations across several application domains.

Trust and big data. Big data heavily interplays with trust. On the one hand, we need to trust the collected
data, i.e. who are the providers, who accessed the data etc., on the other hand data helps to define proper
trust and reputation systems, often based on recorded evidence by several parties.

Credential personalisation. Initial security credential provisioning is a critical step within the chain of trust
that must be ensured independently of which security technologies are used.
6.1.2.3 Expected outcome

Best practices in authentication are supported by usable technologies embedded seamlessly into
applications, including management of different levels of authentication and dynamicity.

Users and relying parties are provided with a range of authentication options that they can choose from to
agree on a mutually acceptable way of authentication avoiding over-identification, delivering the degree of
assurance and liability appropriate for the respective service.

Citizens can enjoy the privileges of services needing strong authentication, focusing on those specific
attributes that require this level of authentication

Certificates and signatures remain valid for at least as long as the corresponding documents and trust
relations are commercially relevant and/or legally valid.

Authentication operates in a distributed fashion without single points of failure on critical paths and
considering small scale devices as used in the Internet of Things.

Authentication operates in an interoperable fashion without overheads and additional security risks

Increased trust in the cyber world;

Requirements for trusted security credential provisioning (e.g. trusted secure elements)

More efficient on-line Business
6.1.3 Data security
6.1.3.1 Scope
A major characteristic of current and future systems and applications is the ever-increasing amount of valuable data
that needs to be properly managed, stored, and processed. Data can be produced by systems as a consequence, for
example, of interconnected devices, machines and objects in the Internet of Things, and by individuals as a
consequence, for example, of business, social and private life moving on-line, thus including data resulting from
observations (e.g., profiling) and data intentionally provided (e.g., the prosumer role of individuals). As the value of
data increases, opportunities based on their exploitation and the demand to access, distribute, share, and process
them grows. Highly connected systems and emerging computing infrastructures (including cloud infrastructures) as
well as efficient real-time processing of large amounts of data (including Big Data methods and applications)
facilitate meeting these demands, leading to a new data-driven society and economy.
The collected data is often of a highly sensitive nature (e.g. medical data, consumer profiles, and location data) and
needs to be properly protected. With data being stored and processed in the cloud, and exchanged and shared
between many previously unknown and unpredictable parties, this protection cannot stop at a single system’s
border, but needs to be applied to data over its full lifecycle, independent of which system is processing the data,
which access channels are used and what entity is controlling the data. Hence, a system-centric view on security and
privacy, including, among others, secure devices and infrastructures (cf. sections below), needs to be complemented
by a data-centric view, focusing on data lifecycle aspects.
Providing transparency on where data resides, who has access to it, and for which purposes it is being used, together
with mechanisms that allow the data owner to control the usage of his/her data, have been identified by all areas of
interest (AoIs) as essential aspects of a data-centric view and a prerequisite of a secure and privacy-preserving digital
life. While research has already produced a number of relevant contributions (e.g., sticky policies, privacy policies,
and techniques for protecting data at rest), many challenges remain open, including enforcement and usability.
These challenges are not only of a technical nature: for example, lack of awareness of the value of data (and what
data is actually produced when engaging in digital life) has been mentioned as an inhibitor of trust and growth of
digital services.
6.1.3.2 Research challenges
A variety of challenges need to be addressed to take advantage of the availability of large amounts of data in a
secure and privacy compliant way. These challenges should cover issues related to the protection of data as well as
the use of data for security.

Data protection techniques. The size and complexity of collected data in most cases leads to the use of
cloud technology and to their storage at external cloud-based repositories using cloud-based services, which
offer flexibility and efficiency for accessing data. While appealing with respect to the availability of a
universal access to data and scalable resources on demand, and to the reduction in hardware, software, and
power costs, the outsourced storage can potentially increase the risk of exposing sensitive information to
privacy & security breaches and also links back to the trust issue highlighted earlier. The ensuing security and
privacy requirements create the need for scalable and well-performing techniques allowing the secure
storage and management of data at external cloud providers, protecting their confidentiality from the cloud
providers themselves. However, protecting data means ensuring not only confidentiality but also integrity
and availability. Integrity and availability of data in storage means providing users and data owners with
techniques that allow them to verify that data has not been improperly modified or tampered with, and that
its management at the provider side complies with availability constraints specified by the data owner. The
variety of data formats (i.e., structured, unstructured, and semi-structured) makes the definition and
enforcement of such techniques a challenging issue.

Privacy-aware Big Data analytics. We are in the era of Big Data where the analysis, processing, and sharing
of massive quantities of heterogeneous data brings many benefits in several application domains. For
instance, in the health care domain the data accumulating in health records can be used as the basis of
predictive models that can lower the overall cost and significantly improve the quality of care, or can be used
to develop personalized medicine. The application of Big Data analytics, however, can increase the risks of
inferences that can put the privacy of users at risk. Anonymizing the sensitive data as a prior step can be of
help, even though it diminishes the utility of the data for the latter analysis. We therefore need to develop
techniques addressing issues related to data linkage, the knowledge of external information, and the
exploitation of analysis results.

Secure data processing. Distributed frameworks are often used for processing large amounts of data. In
these frameworks, cloud providers processing data might not be trusted or trustworthy. There is therefore
a need for solutions providing guarantees on the correct and proper working of the cloud providers. This
requires the design of efficient and scalable techniques able to verify the integrity of data computations (in
terms of correctness, completeness, and freshness of the computation results), also when the processing of
the data is done in real-time, and to ensure that data is distributed, accessed and elaborated only by
authorized parties.

User empowerment. For users or organisations there is great convenience in relying on a cloud
infrastructure for storing, accessing, or sharing data, due to the greater availability, robustness, and
flexibility, associated with significantly lower costs than those incurred by managing data locally.
Unfortunately, this convenience comes at the price of a certain loss of control over data. Although cloud
providers implement data protection features, in some cases linked to legislation and regulations, this
protection typically consists in applying basic security functionalities and does not move beyond this security
to actually provide the data owner with effective control over his/her data. This situation has a strong impact
on the adoption and acceptability of cloud services. In fact, users and organisations placing data in the cloud
need to put complete trust that the providers will correctly manage the outsourced information. There is
therefore the need to re-empower users with full control over their data, enabling them to a) wrap data with
a protection layer that offers protection against potential misuse, created by a cyber-breach or an incidental
access and b) manage data across its complete lifecycle.

Operations on encrypted data. The confidentiality of data externally stored and managed is often ensured
by an encryption layer, which prevents exposure of sensitive information even to the provider storing the
data. Encryption can increase the complexity of accessing and retrieving data. The research community has
increased its efforts to support efficient fine-grained data retrieval and has developed solutions based on
specific encryption schemes or on the use of indexes (metadata) that support query functionality. With
respect to the use of specific encryption schemes, any function can, in theory, be executed over encrypted
data using (expensive) fully homomorphic encryption constructions. In practice, however, efficient
encryption schemes need to be adopted. An interesting problem is then how to select encryption schemes
that maximize query performance while protecting data according to defined security requirements (e.g.,
data should be encrypted in a way that the frequency of values is protected). With respect to the use of
indexes, we note that indexes should be clearly related to the underlying data (to support precise and
effective query execution) and, at the same time, should not leak information on the data to observers,
including the storage provider. Another important dimension is that when indexes are combined with other
protection techniques (e.g., access control restrictions), these combinations should not facilitate or increase
the risk of privacy breaches. The design of inference-free indexes that can be combined with other
protection techniques without causing privacy violations is a key aspect that requires further investigation.

Provenance and quality of data. The impact of data in our daily lives is growing. For instance, it is possible to
collect medical data from individuals via smartphones or medical “self-tracking” devices. New “intelligent”
meters installed in personal homes give greater control to home owners on their overall energy
consumption. The collection, analysis, and use of data allow individuals to take preventive actions, make
healthier choices, manage their ecological impact etc. Across all these scenarios, it is important to establish
an agreed and understood level of trust on the data – without this, potential cyber-intrusions can create a
huge backlash and completely block the pro-activeness of citizens in acting to improve their own quality of
life. In this context, tracking data provenance is key to: i) verifying whether data originates from trusted sources
and has been generated and used appropriately; and ii) evaluating the quality of the data. The definition of a
formal model and mechanisms supporting the collection, persistence and transparency of information about
the creation, access, and transfer of data is therefore of paramount importance.

Query privacy. In several scenarios neither the data nor the requesting user have specific privacy
requirements but what is to be preserved is the privacy of the query itself (e.g., a query that aims at
retrieving information about the treatments for a given illness discloses the fact that the user submitting the
query is interested in this illness). It is therefore important to design efficient and practical solutions
(possibly exploiting the presence of multiple providers to increase the level of protection) that enable users
to query data while ensuring access confidentiality (i.e., protecting the user query) with respect to the
provider storing the data. Effective protection of query confidentiality requires not only protecting
confidentiality of individual queries, but also protecting confidentiality of access patterns.

Big data secure storage. Protection and security of data, especially data of public interest (data relevant to
CII and IIS), are crucial. The amount of data processed in both the public and private sectors is growing and so
is the need for its storage, leading to an ever increasing uptake of cloud-based solutions. However, when
combined with the increasing use of online services, the security of the storage solutions not only has to be
implemented, but also has to be credible and demonstrable to expert and non-expert users.
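
Added example (not part of the original agenda): the index leakage described under "Operations on encrypted data" above, measured on a constructed column. It compares a per-value index tag with a frequency-balanced bucket index; the keys, function names, sample data and the greedy bucketing are assumptions chosen for illustration, and the keystream cipher is only a stand-in for a real authenticated cipher.

```python
import hashlib
import hmac
import os
from collections import Counter

INDEX_KEY = b"constructed-index-key"  # constructed demo keys, not real secrets
DATA_KEY = b"constructed-data-key"

# Constructed sample column (diagnosis per record) with skewed frequencies.
RECORDS = ["flu"] * 6 + ["asthma"] * 3 + ["diabetes"] * 2 + ["hiv"] * 1


def _keystream(nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(DATA_KEY, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt(value: str) -> bytes:
    """Randomized stand-in cipher: equal plaintexts give different ciphertexts."""
    nonce = os.urandom(12)
    data = value.encode()
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(nonce, len(data))))


def decrypt(blob: bytes) -> str:
    nonce, body = blob[:12], blob[12:]
    return bytes(a ^ b for a, b in zip(body, _keystream(nonce, len(body)))).decode()


def tag(label: str) -> str:
    """Keyed index tag stored next to the ciphertext so the provider can filter rows."""
    return hmac.new(INDEX_KEY, label.encode(), hashlib.sha256).hexdigest()[:16]


def direct_label(value: str) -> str:
    """One tag per plaintext value: precise queries, but frequencies show through."""
    return "v:" + value


def make_bucket_label(records, buckets: int):
    """Greedy balancing: place values, most frequent first, in the lightest bucket."""
    load = [0] * buckets
    assignment = {}
    for value, count in sorted(Counter(records).items(), key=lambda kv: (-kv[1], kv[0])):
        b = load.index(min(load))
        assignment[value] = b
        load[b] += count
    return lambda value: "b:%d" % assignment[value]


def outsource(records, label_fn):
    """What the storage provider holds: (index tag, ciphertext) per row."""
    return [(tag(label_fn(v)), encrypt(v)) for v in records]


def provider_view(rows):
    """Tag frequency histogram, which the provider can compute without any key."""
    return sorted(Counter(t for t, _ in rows).values(), reverse=True)


def pinned_values(rows, known_freq):
    """Values an observer who knows plaintext frequencies can tie to exactly one tag."""
    tag_counts = Counter(Counter(t for t, _ in rows).values())
    value_counts = Counter(known_freq.values())
    return sorted(v for v, c in known_freq.items()
                  if tag_counts[c] == 1 and value_counts[c] == 1)


def query(rows, label_fn, value):
    """Return (rows sent back by the provider, true matches after client-side filtering)."""
    wanted = tag(label_fn(value))
    returned = [ct for t, ct in rows if t == wanted]             # provider side
    matches = [p for p in map(decrypt, returned) if p == value]  # client side
    return len(returned), len(matches)


if __name__ == "__main__":
    known = dict(Counter(RECORDS))  # assumed public knowledge of value frequencies
    bucket_label = make_bucket_label(RECORDS, 2)
    for name, fn in (("direct", direct_label), ("bucketed", bucket_label)):
        rows = outsource(RECORDS, fn)
        print(name, provider_view(rows), pinned_values(rows, known), query(rows, fn, "hiv"))
```

The bucketed index hides the value frequencies from the provider, and the price is visible in the query result: the client receives and decrypts rows it then discards.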
6.1.3.3 Expected outcome

Secure and privacy aware data processing and storage

Advanced mechanisms that protect effectively users’ privacy and guarantee the integrity and
confidentiality of their sensitive data

Efficient management and increased deployment of data-encrypted processing and storage solutions

User friendly (i.e. also for non-expert users) transparency and control options incorporated as “standard
features” across all storage solutions

Increased and efficient uptake by users of the transparency and control options
6.1.4 Protecting the ICT Infrastructure
6.1.4.1 Scope
The increased interconnections created within the Internet as well as between the Internet and critical
infrastructures have made our society vulnerable to attacks that spread across hundreds of thousands of computers,
mobile devices or even intelligent connected objects at lightning speeds. This is one of the most challenging
dimensions of cybersecurity, the speed and scope of cyber-attacks or incidents.
Furthermore, the ability to remotely compromise intelligent devices coupled with the potential value that can be
created by stealing information or modifying operations through a device under attack has created a completely new
environment for cyber-criminals.
Society, businesses and governments have become increasingly dependent on the correct and uninterrupted
operation of networks, both at global and local levels. On the other hand, cyber criminals and terrorists are
becoming increasingly skilled at compromising networks through sophisticated attacks. Therefore, all networks
constitute, in one or more dimensions, a Critical Information Infrastructure – CII.
Unfortunately, contrary to the physical world where barriers can in some cases limit negative impacts, cyber-space is
effectively without frontiers at least across the democratic regions. In this context, cyber-space has to inherit from
the physical world a concept of “barriers”, through a pro-active approach to protect critical information
infrastructures. Strategic management of CIIs has to balance the benefits created through “ease of connection and
remote control” versus the increased level of risks.
The protection of the infrastructure therefore requires a holistic approach pervasive across all the communication
dimensions, including also the software and hardware involved in the network and connected to the network.
For instance, secure execution environments can be used by the software across solutions and services. These
secure execution environments not only encompass the execution platforms and the operating systems, but also the
mechanisms (e.g. security supporting services, control and intrusion prevention systems) that ensure a pre-defined
level of security in the execution of all processes.
Another dimension is the hardware level, covering a broad range of fixed and mobile devices. Also important is the
increasing use of IoT devices, and the set of pre-requisites to be fulfilled prior to trusting a connected device
whether this device is used in the field of Critical infrastructure, Industry 4.0, Automotive (ADAS, V2V, V2X), Smart
City, Smart Home, Building Automation, Healthcare, Wearables or any other connected system.
6.1.4.2 Research challenges

Secure network design, usage and management. At the network level, research on security topics is
especially required for security-by-design, risk assessment, privacy and data leakage, attack/ malware/
misuse detection and mitigation, across all layers. This includes both network usage and network
management. On the usage side, network security research needs to take into account the move towards
network virtualisation. On the management side, network security research needs to take into account
network deployment and management, connectivity, resilience of network operations under malicious and
accidental faults.

Control and intrusion prevention systems. Just as a body needs an immune system, it is essential to
provide control and intrusion prevention systems to effectively monitor the state of the environment and
rapidly react against a wide range of (potential) threats - from short lived threats to severe and continuous
ones. This challenge also addresses the need to share information across operators to speed up the
detection of developing incidents.

Secure integration. As multiple systems and paradigms increasingly interact with each other in distributed
and dynamic environments, it is crucial to achieve a fully secure integration across these systems. Not only
do we need to allow novel technologies to cooperate with each other, but we also need to consider the
migration of legacy systems, whose components and protocols are not usually able to cope with the latest
and upcoming security and privacy risks. One key dimension also includes managing the (future)
integration of unknown systems, reflecting the reality that infrastructures are in constant evolution in
terms of breadth of connected devices and level of interconnection with other networks. This is further
developed also in a next priority.

Network Intrusion Detection Systems. Network Intrusion Detection Systems are currently often based on
the “perimeter security” paradigm. The externalisation of IT resources to outside providers and new
approaches to hardware, such as BYOD (bring your own device), make the notion of perimeter obsolete.
Intrusion Detection Systems need to adapt in order to be able to work in an environment where there is no
perimeter.

Secure execution platforms. In order to provide a secure execution environment, the platforms themselves
(e.g. cloud servers, mobile devices, processors in cars, IoT devices) must guarantee the secure execution of
all operating systems and services. However, this is not a trivial task. In current paradigms, like cloud
computing, the attack surface has expanded, and new risks and threats have appeared, without a
structured management of the expansion. This also extends beyond the technical challenge to incorporate
who is actually in charge of controlling and managing this expansion. The technical solutions have to ensure
that they provide the teams in charge with appropriate tools to implement these controls.

Bring Your Own Device (BYOD). BYOD is a major trend in organisations, with trends indicating that well over
50% of workers will be mobile by 2020. Research challenges therefore have to address not only the complexity
of dynamic networks, as already addressed, but also the flexible and secure connectivity of the devices across
networks while making them part of the security management operations at network level.

Security-supporting services. Secure execution environments require several security-supporting services,
such as data protection and secure communication protocols. Software services can be complemented by
the use of security-supporting devices, such as specific cryptographic hardware (Hardware Secure
Modules).

Operating systems (OS) security. Each application is only as secure as the OS it runs on. As a result, the
isolation of applications and the minimisation of the attack surface become a necessity. The benefits from
component-oriented design (i.e. reusability, adaptability) can be brought to operating systems by defining
standards to which operating systems components must adhere.

SIEM. The Security information and event management (SIEM) market is defined by the customer's need to
understand, prioritise and analyse security event data in real time for internal and external threat
management, and to collect, store, analyse and report on log data for incident response, forensics and
regulatory compliance. Forensics of mobile computing platforms and fraud protection also constitute
research challenges.

Legacy management support. The Internet of Things increasingly connects novel objects to infrastructures.
In this context, the handling of how legacy network systems can adequately manage and guarantee
security and resilience when allowing interaction with totally new devices has to be addressed.
6.1.4.3 Expected outcome

A larger base and range of data is available for a comprehensive and precise security analysis

New threats are detected more rapidly through the increased collaboration and available information –
solutions are deployed more rapidly, new security practices are routinely incorporated to the security
assessment of system managers.

Security control and intrusion prevention systems become more efficient and adapted to new and dynamic
environments

Network operations become more resilient

Design guidelines and products implementing secure execution platforms, including secure boot, remote
attestation, and secure virtualized environments

Operating systems designed according to new security guidelines

Security supporting services allow data protection and device protection

Best practices for integration of secure components in a secure system with interoperability and
management in distributed systems

Secure virtualisation environments ensuring isolation for different architecture paradigms (e.g., virtual
machines, containers, etc.)

Trusted cloud operational environment based on dynamic root of trust and anti-tamper security hardware

Incorporation of mobile device owners in the overall security policy of a network (at technical and at
collaborative levels)
6.1.5 Cybersecurity Services
6.1.5.1 Scope
This topic focuses on the processes (and their constituent elements) required to provide, manage and measure
privacy and security, and the tools required to support them. The issues apply to formal and informal socio-technical
organisations of all types and scales from individuals and families, through SMEs, to large businesses and
governmental departments, multi-national corporations, nation states, Europe and society at large.
Cybersecurity services can be delivered through a wide diversity of models, ranging from internal services (hosted
within the customer organisation) to external (used from external hosted resources) and consultancy based
approaches. The choice between these models is made for a wide variety of reasons, from economic to
sensitiveness of operations, from internal capability at technological level to ease of use and flexibility of external
approaches.
For instance, large organisations (and ones for which security is a core business function) may elect to perform
security processes using only internal resources, but increasingly, the complexity and wide coverage of the required
skills and tools make outsourcing a more attractive option. For smaller organisations, affordability issues often make
automated security-as-a-service (SaaS) offerings more attractive. Micro-businesses and individuals are likely to want
fully holistic solutions.
But across all these dimensions, cybersecurity services increasingly have to address an end-to-end approach, and
have to start from the values (and therefore assets) that are important to the business in which customers operate.
How many man-hours will be lost if a process stops? If an asset stops operating? What will be the cost of reputation
damage created if data is leaked to the outside world?
One increased complexity is the notion of responsibility – outsourcing some or all security functions does not absolve
a customer organisation of its actual responsibility with respect to the outside world of customers, partners and
society as a whole.
[Figure: Temple model of security processes. Pillars: Identify, Protect, Detect, Respond, Recover. Pediment: Governance, Risk and Compliance.]
Cyber-security services can be analysed through a ‘temple’ model, used to categorize security processes and the
services used to deliver them. The pillars of the temple are the five core functions of the NIST cybersecurity
framework [5]:

Identify: maintain a complete and accurate model of the organisation being protected and its business
context;

Protect: Develop, implement and operate the appropriate safeguards to ensure continued delivery of the
organisation's key services;

Detect: Develop, implement and operate the appropriate activities to identify the occurrence of cybersecurity
threats, attacks, breaches, etc.

Respond: Develop, implement and operate the appropriate activities to take action regarding a detected
cybersecurity event.

Recover: Develop, implement and operate the appropriate activities to restore any capabilities or services
that were impaired due to a cybersecurity incident.
The temple pediment represents Governance, Risk and Compliance (GRC):

Governance: the strategic management of security processes, including setting policies and defining a
prioritised approach to risks;

Risk: modelling, analysis, assessment, treatment, etc. of security risk

Compliance (including certification): Measuring/assessing/auditing/certifying the extent to which internally
and externally set security policies and standards are a) followed, and b) effective.
6.1.5.2 Research Challenges
Research challenges include the following:

Security-supporting services. Definition and reference implementation of a full range of composable
security-supporting services to allow construction of security solutions for all types and scales of
organisations. This also extends to managing the evolution of organisations, in terms of dimensions,
operations, change in prioritised assets, new business contexts etc.

[5] ‘Framework for Improving Critical Infrastructure Cybersecurity’, Version 1.0, National Institute of Standards and Technology,
February 12, 2014, http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf

Practical Certification Schemes. Means of certifying compliance that are practical and affordable to apply,
and meaningful to customers and other stakeholders. Automated means of assessing compliance against
multiple external and internal standards, including compositional methods.

Methods to reduce and manage systems complexity. GRC methods and tools taking into account the full
complexity of organisations and the security context, but making this complexity manageable via a visual
interface.

Quantification of Risk. Improved means of modelling, analysing, assessing and quantifying risk.

Dynamic Risk assessment and management. Development of real-time risk-assessment and management
tools taking into account the dynamic status of the organisation, its systems, and its threat environment.
Tools and services for real-time situation assessment and decision support, response and remediation
planning and supervised enactment, autonomous response with safeguards and supervision. Enabling
security policies and processes that adapt in the face of an evolving threat environment

Cyber Insurance. Innovative services to provide affordable and trusted means of transferring security risk to
an external party, including the definition of policies through a collaboration between the customer and the
insurance providers and the dynamic management of the policy in relation to the environment of the
customer, external threat intelligence and other sources of intelligence.

Security validation. Improved, automated auditing and testing tools and services.

Down-scaling and Up-scaling. Making enterprise-level security available to, usable by, and affordable for
SMEs, micro-business and individuals; developing security process models and institutions for composite and
de-centralised organisations (federations, dynamic virtual organisations, business and social ecosystems,
etc.).
6.1.5.3 Expected Outcomes

Definition of a cybersecurity strategy by each individual organisation, building on concrete and quantified
prioritisation of assets most at risk linked to the business sector in which the organisation operates

Inclusion of cybersecurity policy as a strategic decision at executive / board level of organisations

Cyber-insurance policies becoming the norm across organisations, building on a common definition of “level
of cyber-risks”, but an adaptation / personalisation to how this level is selected by an organisation based on
its own operating context

European organisations and individuals have access to comprehensive security management solutions in line
with their contexts, affordable, and evolvable to keep pace with escalating threats and innovations in
technology and practice.

European organisations and individuals provided with support and processes that help detect and respond
to internal and external threats and failures, enable them to function under adverse conditions, and
self-repair in order to resume normal operations as soon as possible.

Creation of a dynamic and innovative European market in cybersecurity services, which will itself yield
significant economic benefit, as well as serving the needs of European organisations.
7 Innovation deployment and validation
The budget for the integration projects is quite important and is divided into the main areas for transversal
validation of innovative technologies and services. Particular emphasis is given to the area of secure networks and
ICT, as considered fundamental and strategic for Europe and the possibility to develop solutions in sensitive /
strategic areas where an increased Digital Autonomy is needed.
7.1 Cyber trustworthy infrastructures
These projects would see the use and validation of existing or newly developed technologies / services bringing
innovative solutions to trustworthy infrastructure.
These projects are an extension (and effective application) of what is presented in the technical priorities for R&I
actions.
7.1.1 Digital citizenships (including identity management)
The Digital Citizenship with all aspects related to Digital Identity Management and secure access to all Public
Administration services is rapidly proceeding in all European nations, and this requires an adequate protection of the
related platforms, so also the Cyber Infrastructure for digital citizenship is a priority.
More details on this topic are given in section 5.1.2 and 10.1.2.
7.1.2 Risk management for managing SOC, increasing cyber risk preparedness plans for NIS etc.
More details on this topic are given in section 5.1.1 and 10.1.5.2.
7.1.3 Information sharing and analytics for CERTs and ISACs (includes possibly trusted SIEM, cyber intelligence)
New services are more and more based on information sharing and data analytics, with data gathered from the web,
from sensors, from information providers. Data must be protected and trusted if we want to generate value from
them, especially if we think of applications such as Health, Finance, Critical Infrastructures. Therefore we also have to
consider as a priority the related Cyber Infrastructures for Information sharing, storage and analytics, with a relevant
support given by the Cyber Infrastructures for Intelligence, Threat and Risk Management, relying on technologies such as
Artificial Intelligence, High Performance Computing, Advanced Visualization. Probably the budget related to these
two last cyber infrastructures can be lower, but the activities cannot be delayed in time.
More details on this topic are given in section 10.1.4.
7.1.4 Secure Networks and ICT (Secure and trusted Routers, Secure and Trusted Network IDS, Secure Integration, Open source OS)
Europe needs priority investments for R&I and deployment in market leading / sensitive sectors with strategic
solutions and services.
For instance, the evolution of communication networks towards 5G is ongoing, and is also linked with new releases
of 3GPP and ETSI standards. The 5G goal of providing an ecosystem for reducing costs and favouring new services on top
is directly related to solutions considering multiple bearers, network slicing, network functions virtualization with
provision via Cloud, … All these solutions need increased protection from Cyberattacks, and also a way to validate
the guaranteed reliability and level of protection of each component within the ecosystem. Therefore Cyber
Infrastructure for Secure ICT is necessarily a top priority in the budget.
In the strategic market segments of operating systems, computer and mobile phones manufacturing, routers,
processors, components and other various software, Europe suffers from a technological dependence in information
technology vis-à-vis the foreign providers.
We should reduce the weakness of the EU supply chain by developing European ICT / cybersecurity technologies /
solutions for increased digital autonomy, like routers, SIEM, IDS etc.
The European industry needs an investment effort for R&I and deployment in these areas that can only be supported
at a European level. An investment of this scale cannot reasonably be undertaken by one Member State alone.
In cybersecurity, when “national products and services” exist, they often correspond to specific “national sovereign
needs” and are not usually capable of competing on a global scale. Although Europe has some positive examples of
cybersecurity industry, their number and size in other sectors remain limited on the global scale.
We can identify a few major projects that should take place at European level due to the complexity and the amount
of budget involved. These projects should allow the development of competence and competitiveness in strategic
NIS elements and global leadership.
Member States administrations could help to identify specific cybersecurity capacity needs and flag them in their
priorities for EU funding or other kind of private funding for further market implementation of the developed /
tested solutions, hence driving the development for an effective final use.
We have identified, for instance, a group of urgent concrete projects that would further allow the development of
strategic components and national capacity building.
o European trusted and secure router (such development requires significant investments which no country
and private company can afford alone, though it is one of the most strategic elements in the network)
o European Trusted Intrusion Detection System (IDS) host terminal and network based, to ensure detection
rules can be trusted: design should be adapted also to cloud architecture
o Open source operating system for trusted services
o …
7.2 Demonstration/ cyber pilots projects
As mentioned, the hyperconnected infrastructures (the Area of Interest 3 of the NIS WG3 SRIA) represent the set of
vertical sectors where secure ICT is deployed and used. Each of these vertical sectors (also named application
domains) demands specific aspects for cybersecurity. These needs will be analysed and projects in research
products, services and capabilities that in turn needs new research and innovations. We list here the main elements
of these vertical sectors, knowing that they have a special role in the cPPP where specific WGs are planned for those
sectors.
We describe hereafter the main issues (for a full account see the NIS WG3 SRIA):

Smart Grids (Energy)

Transportation (including Automotive / Electrical Vehicles / Logistics/ Aeronautics/ Maritime)

Smart Buildings and Smart Cities

Industrial Control Systems (Industry 4.0)

Public Administration and Open Government

Healthcare

Finance and Insurance
Smart Grid (Energy)
A Smart Grid can be defined as a process, rather than a product. It is the digitalisation of the electricity
infrastructure and it is the transition from a closed, centralized, analogue infrastructure to an open, largely
decentralized, digital infrastructure. A Smart Grid is the transition from a system where generation, based on fossil
fuel, adapts to users' consumption, to a system where user consumption must be flexible enough to adapt to the
fluctuations of the renewable-based generation. Finally, a Smart Grid is a system where electricity is traded as a
commodity on international marketplaces.
The benefits of the Smart Grid are envisioned to be a more economic, sustainable and reliable supply of energy.
However, significant security concerns have to be addressed for this scenario, due to the possible dangers of
missing availability of energy for customers, as well as threats to the integrity and confidentiality of customer's
data. These concerns are of particular relevance, because energy grids have a significantly longer lifespan than
telecommunication networks. In addition, privacy concerns have risen, such as the possibility of creating
behavioural profiles of customers if their energy consumption is transmitted over the Smart Grid in small time
intervals. In particular, the attack surface of the Smart Grid is increasing over time for two reasons. Firstly, an
increasing amount of private, sensitive customer data is available to service providers, utilities and third-party
partners. Secondly, new data interfaces such as new and improved meters, collectors, and other smart devices
create new entry points for attackers.
Resilience has always been the prime goal for the operators in charge of the generation, transmission and
distribution infrastructures. In Europe, these operators have a long track record of success in containing accidents,
avoiding blackouts, and mitigating the effects of natural disasters. With the Smart Grid, cybersecurity is now at
the core of their efforts to provide a resilient infrastructure.
The issues linked to cybersecurity follow from the very nature of the Smart Grid transition. It should be assumed
that all software components could be compromised either because they are exposed to the Internet, or because
physical security can be bypassed. It should be assumed that all components of the Smart Grid, from smart
meters, to power plants, or relays could be targets for cyber-attacks, as well as the SCADA systems used to
monitor these software components. As mentioned earlier, users’ privacy should be enforced, and the
mechanisms of trading marketplaces should be resilient.
The fact that any components might be compromised is commonplace on the Internet. The obvious solution is to
rely on encryption whenever data is transmitted or stored. The problem then is (i) to secure encryption keys, (ii) to
secure encryption and decryption and (iii) to secure the computation that takes place on decrypted data. The
existing hardware protection techniques (e.g., trusted execution environments or hardware security modules) can
be used to guarantee confidentiality and integrity (as the sensitive data is protected in hardware that can provide
tamper-resistance and tamper-evidence), but availability can depend on the level of protection of the
software that accesses the secure hardware. Sandboxing techniques can be used to contain the computations
on decrypted data. Note that these techniques address the issues linked to cybersecurity as well as privacy.
The challenges thus are the following. First, the use of hardware protection techniques must be integrated in the
software development processes that shape the Smart Grid. Second, it is crucial to devise denial of service
defence methods that do not disrupt the Smart Grid. Third, the Smart Grid architecture and governance must be
such that compromised components are detected and isolated in a way that minimizes the impact on the rest of
the infrastructure. Finally, disaster recovery testing techniques are needed.
Transport
Transportation systems are becoming increasingly complex, incorporating numerous, intricate control systems
and sub-systems working in parallel; also, they interoperate in an environment composed of a large number of
diverse service providers, across several countries. A wider use of communications and information technology
will increase the efficiency and functionality of transportation systems. The increase in complexity, functionality
and connectivity comes at the price of an increased vulnerability.
These complex infrastructures will be highly distributed and thus difficult to protect; besides, it is also important
to consider that every country has its own networks and every transport operator has its own strategy regarding
the protection of its infrastructure.
Vehicles and other means of transport will be connected to communication networks to support infotainment,
safety and emergency functionalities. Transport support systems will be more easily accessible by nomadic users –
this is a truly indispensable factor in the transport sector.
This new scenario will introduce new threats and risks, and more critical dependencies with risk management,
prevention, infrastructure monitoring, collaboration and crisis management, and user data privacy. Some challenges
in security and resilience will be common across the different types of transport: assessing and managing risks,
preventing attacks, monitoring and protection, unauthorized data access, modification or destruction, managing
incidents, privacy of users' data, and secure and precise positioning of transport means and goods.
Smart cities
The term “Smart City” provides an umbrella that integrates various types of infrastructure, including traffic light
management, smart factories with industrial control systems (ICS) (covered in their own section), power plants (also
covered in their own section), public transportation (likewise covered in its own section), and smart buildings.
Smart buildings can be considered a key component of today’s infrastructure and today’s smart cities, as they
also surround other infrastructure. For instance, a smart factory can be located inside a smart
building, which provides physical access control (PAC) and other functionality for the industrial control system
(ICS). Although not always critical infrastructure, a smart building can be anything from a small smart
home to an international airport, including all its automated components, such as baggage transfer,
air-conditioning, smoke removal systems, or heating.
Addressing side channels and covert communications in smart cities is an essential challenge, as the ability to
observe inhabitants, citizens, or employees working or living in buildings, as well as elders in Ambient Assisted
Living (AAL), is linked to serious threats (e.g. selling electronic healthcare sensor data on the black market). Data
leakage protection for sensor data must thus be achieved, which can be done by securing wireless sensor networks
(WSN) and other technology used in smart cities, and especially in smart buildings.
One challenge in this regard is the increasing inter-connectivity of smart systems (“systems of systems” within the
Internet of Things, IoT), which leads to additional security threats not foreseen in the design of these
systems. In an extended scenario, so-called smart building botnets or cyber-physical botnets (CPS botnets) are
conceivable and feasible, i.e. botnets that consist of a large number of CPS, such as buildings, and use their sensors
and actuators to perform malicious activities. Conceivable activities of such botnets include mass
surveillance as well as more complex scenarios. For instance, a (regional) oil/gas seller might use a smart building botnet
to slightly increase the heating levels in its customers’ homes each night in order to force them to order oil/gas
sooner than they would otherwise need to. To achieve stealthy mass surveillance (which can be used for data
leakage as well), it is expected that “network steganography” can serve as an enabling technology.
Industrial Control Systems
Industrial Control Systems, as used in Water, Food, Nuclear and Chemical operations, form a diverse ecosystem
with varying components and protection goals. A shared feature of those – as well as similar systems in transport,
electricity and manufacturing – is that the security maturity level is largely rather low, and many deployed systems
have no security whatsoever. In the past, this was argued to be acceptable, as these systems were operated as
separate islands with no connection to the outside world. With the increasing use of off-the-shelf components,
remote maintenance and system integration, as well as the increasing realisation that air-gapping rarely works in a
practical system deployment, those systems are now increasingly exposed to external attacks, and data gathered
from commercial companies and national CERTs show a massively increased number of targeted attacks in this
domain.
So far, in the industrial control system domain, great emphasis has been placed on safety issues, while security
plays a minor role in many systems. This does give some starting point: the safety culture already accepts
investments in product features that do not add functionality in this sense, and requires strict procedures and
documentation. At the same time, safety and security often conflict – a firewall or encryption on a communication
layer adds security, but also adds an additional point of failure from a safety perspective. This – and the need for
easy maintenance - is also one of the reasons why many systems lack any meaningful access control, which is one
of the primary security controls in IT systems. As opposed to normal IT components, ICS components usually have
a very long lifetime, sometimes remaining in the field for decades. Thus, any security concept needs to be
prepared to integrate legacy systems and architectures, and new systems need to be ready for requirements for
an extensive period, without resulting in excessive pricing. An additional problem from this long lifetime is the
availability of the suppliers; few suppliers are willing to commit to provide maintenance and security patches for
such a long time, and there is a high probability that some suppliers or their subcontractors may be outlived by
their devices. One recent example is Windows XP, which is still widely used in the ICS domain, but which is being
phased out by the supplier and will have very limited support in the future. Consequently, a number of ICS
systems have been hit by classical botnets, i.e., attack programs that had no intention to sabotage a control
system, but scan the internet for outdated systems and turn them into spam-bots.
Due to their nature, many components in ICS systems are constrained in a number of ways, such as available
memory, computation power, or user interfaces (this can be very case specific – while some components are
essentially full PCs, others are highly optimized for cost and extremely constrained). This restricts the number of
available security controls, and further complicates future-proofing. In addition, constrained memory forces
programmers to cut corners, while secure code usually includes additional checks, controls, and error handling
routines that eat up memory (lack of proper input validation is a common issue in ICS components). Furthermore,
many ICS components have little hardware support (such as execute-bits) or operating system support for security,
making it even harder to produce secure code. This issue is compounded by the generally low security maturity in the ICS
component domain – ICS security rarely got attention comparable to IT security, and few suppliers had a need to
build up secure coding competence and policies. This is matched by a low maturity level on the
procurement side; just as some suppliers struggle to implement secure devices, so do buyers struggle to clearly
define requirements for the procurement process.
With ICS systems being increasingly connected, there is also an increasing level of dependencies, many of which
are not well defined. A number of control systems, for example, require precise time, which is acquired from the
GPS system, which creates a common point of failure over numerous systems. Furthermore, many manufacturers
require a remote maintenance possibility, which will massively complicate any security architecture.
ICS systems can reach an enormous level of complexity – the biggest example, the smart grid, covers an entire
continent with a system that has hundreds of millions of components. It is well known that software projects of
this level of complexity are difficult to execute⁶, and therefore all the more difficult to execute in a way that results
in a secure system. Digitizing an already complex control system is therefore something that requires a high level of skill in
planning and execution, which may not always be available. Furthermore, increasing complexity and reliance on
digital components make it harder to revert to a manual backup plan. For the time being, it is still possible in many
systems to at least safely shut them down manually, which is a property that is increasingly disappearing.
eGovernment
Public services are at the core of modern societies, and their availability and trustworthiness are a key enabler for
economic growth and social innovation. Innovation in Public Administration is influenced by different drivers, such
as the necessity to cut costs and to “do more with less”, the rising expectations of citizens with respect to
participation and openness of public processes and data, the pervasive availability of mobile devices, which
represent a ubiquitous entry point to services, the mass usage of social media, and the obsolescence of old
legacy systems versus the growing trend toward cloud-based ICT infrastructures for Governments.
All in all, governments must engage with the wider public and follow the open government principles in order to
“make the services more user-friendly and effective, improve the quality of decision-making, promote greater
trust in public institutions and thus enhance public value” [EC13], but at the same time they have to cope with
strong economic constraints, which require the conception of new sustainability strategies and the reuse of best
practices and solutions across all governmental levels.
The key role played by ICTs in such transformation is both a fundamental enabler and a source of issues. Indeed,
for example, digitalisation of public services and mobile government (mGovernment can be seen as the extension
of eGovernment to mobile platforms) on the one hand help improve the efficiency of the back-office and provide
users with better and ubiquitous services, and on the other hand increase the attack surface and cause new
security issues and privacy concerns, including distributed denial of service, identity theft and information
leakage.
⁶ http://www.iag.biz/images/resources/iag%20business%20analysis%20benchmark%20-%20full%20report.pdf
eHealth
The massive trend towards seamless system and data interconnection, mobile services, smart devices and data
analytics has already started and will lead to revolutionary changes in health care and nursing.
Healthcare systems have been evolving in recent years to address the new challenges deriving from the new
social and economic conditions Europe is experiencing: an ageing population, a growing incidence of chronic disease,
an overlap between health and social problems, new family models and the demand for a rationalisation of
healthcare costs.
The following factors can contribute to meeting these challenges:
• Citizen empowerment, easing the adoption of healthy lifestyles to prevent chronic diseases and, as a
consequence, leading to a reduction of healthcare costs
• Reinforcing community care and its integration with hospital care (integrated care), which are enablers for putting
the patient at the centre of the healthcare system and thereby benefiting from better management of, for
instance, chronicity, physical disabilities and new family compositions.
In this scenario, ICT will play a relevant role, enabling eHealth for citizens’ empowerment and eHealth for
integrated care. Specifically, to address these two aspects which are strictly related to each other, it will be
necessary to move towards a digitalisation of all the healthcare levels which is a precondition to put the citizens /
patients in the position to exploit and use all the information – shared also with the healthcare and social
institutions – necessary to enable the self-management of care and prevention. As this information is extremely
sensitive, it will be necessary to enable mechanisms that preserve the privacy of the citizens and the
confidentiality of their data. All this will be possible thanks to infrastructures enabling the hosting and sharing of
an increasing amount of clinical data following standards of reliability and security.
Finance and insurance
Insurers, over the next years, will deal with new personal data coming from sensors, increase the usage of cloud
solutions and look after an emergent cyber insurance market. The cybersecurity, privacy and trust consequences
of the aforementioned technology driven developments are also relevant. Core insurance processes (i.e. risk
pricing, reserving⁷ and claims handling) are the focus, while asset management, finance, marketing and sales are
not considered enough. Ordinary cybersecurity management is not well considered either. Insurers have
traditionally priced risks based on risk factors. For example, Motor Third Party Liability (MTPL) coverage is
traditionally rated according to variables such as age, territory, vehicle type and previous claims history. Health
insurance rates may depend on age, gender and medical history. There is a growing consensus [PWC12] that the
increasing use of mobile sensors will improve the way certain risks are priced by insurers, making insurance rates
closer to the underlying risk drivers. Data coming from so-called black boxes are already being used within MTPL
tariffs, which in some countries start to be based on vehicle usage and driving style. “Mobile health” is also
expected to make health insurance rates more and more based on lifestyles. The shift towards more risk sensitive
prices, driven by increased data availability, means that insurers will collect and analyse a larger amount of data,
mainly personal. Previous examples refer specifically to individual risks, even if there is evidence that mobile data
may improve commercial insurance pricing as well. The use of new data by insurers brings about challenges,
among which are people's awareness, technology user-friendliness, assurance of security and privacy, and
discrimination against people based on technology skills and privacy preferences.
⁷ Reserving is the process of setting aside the amount to fulfil insurance obligations and settle all commitments to
policyholders and other beneficiaries arising over the lifetime of the portfolio (source: www.iaisweb.org).
Another important topic rapidly gaining attention is insurance of cyber risks. The insurability of network and
information security itself has been debated by institutions and scholars. Measurability is necessary for a risk to be
insurable, since rates are built upon loss frequency and cost. However, existing actuarial models cannot rely on
historical loss data, since historical data is scarce and its homogeneity is compromised by
continuous technological advances. The lack of reliable models to estimate the value of lost / stolen data also
prevents the reliable evaluation of losses. Cyber risks are highly correlated because of the monoculture of the
technologies in use, i.e., the same attack surface, which can be exploited in a similar way (e.g., by worms). Models for
the computation of correct premiums and coverage must consider this correlation. Moreover, outbreaks of
correlated breaches impose a heavy burden on an insurer. In other insurance markets such a problem is solved by
geographical distribution of insured organisations (e.g., in the case of earthquake insurance) or by re-insurance of
high losses. Note that in the cyber-insurance case, technologies are similar in different geographical regions, and most
worms are equally dangerous for the US as well as for China or Germany. Re-insurers for cyber risks do not exist yet at
all. This leads to policies with a large number of exclusions and high prices. More accurate models, e.g., ones that
use diversity in technology, may help to solve some of these problems.
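The effect of technology monoculture on an insurer's tail losses, as an added illustration that is not part of the agenda: a common-shock simulation comparing a portfolio where every policyholder runs the same technology with one spread over ten technologies. The outbreak probability, hit rate, background breach rate and portfolio size are constructed values, not data from the document.

```python
import random


def simulate_annual_breaches(n_orgs, n_technologies, years, seed,
                             p_outbreak=0.05, p_hit=0.40, p_idio=0.01):
    """Return the number of breached policyholders for each simulated year.

    Constructed model (an assumption of this example):
      - each technology suffers a worm outbreak in a given year with
        probability p_outbreak, independently of other technologies;
      - during an outbreak every policyholder on that technology is
        breached with probability p_hit (the correlated part);
      - every policyholder is also breached with probability p_idio
        for unrelated reasons (the independent part).
    """
    rng = random.Random(seed)
    # Policyholders are spread evenly over the available technologies.
    tech_of = [i % n_technologies for i in range(n_orgs)]
    per_year = []
    for _ in range(years):
        outbreak = [rng.random() < p_outbreak for _ in range(n_technologies)]
        breached = 0
        for tech in tech_of:
            idiosyncratic = rng.random() < p_idio
            worm = outbreak[tech] and rng.random() < p_hit
            if idiosyncratic or worm:
                breached += 1
        per_year.append(breached)
    return per_year


def summarize(breaches, loss_per_breach=1.0):
    """Expected annual loss and the 99th-percentile annual loss."""
    ordered = sorted(b * loss_per_breach for b in breaches)
    expected = sum(ordered) / len(ordered)
    loss_99 = ordered[int(0.99 * len(ordered))]
    return {
        "expected_loss": expected,          # drives the pure premium
        "loss_99": loss_99,                 # drives capital / re-insurance need
        "tail_ratio": loss_99 / expected,   # how far the bad year is from average
    }


def compare_portfolios(n_orgs=200, years=5000, seed=2016):
    """Same insured population, one technology versus ten technologies."""
    monoculture = summarize(simulate_annual_breaches(n_orgs, 1, years, seed))
    diverse = summarize(simulate_annual_breaches(n_orgs, 10, years, seed))
    return monoculture, diverse


if __name__ == "__main__":
    mono, div = compare_portfolios()
    for name, stats in (("monoculture", mono), ("10 technologies", div)):
        print(f"{name:16s} expected={stats['expected_loss']:.2f} "
              f"99th pct={stats['loss_99']:.0f} "
              f"ratio={stats['tail_ratio']:.1f}")
```

Both portfolios have the same expected loss, so a premium based on the average alone looks identical; only the 99th-percentile year shows why the correlated portfolio needs far more capital or re-insurance.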
7.3 Bottom-up Track for Cybersecurity Innovation
The European Union is determined to strengthen the cybersecurity industry to transform new ideas into
commercially attractive products, processes and services while taking the necessary action to define a framework
built on minimum requirements for security and privacy.
A specific funding mechanism is crucial for the competitiveness of the European cybersecurity industry to fuel trusted
innovations. The “Bottom-up Track for Cybersecurity Innovation” aims at reducing the time from idea to market,
stimulating private sector investment and taking best-in-class innovations on a fast track to outpace international
competition. For cybersecurity and privacy innovations, industry can propose any R&I topic related to any sector. This
track aims at complementing the pre-defined pillars as well as the set priority R&I topics. This gives maximum flexibility
to push emerging and disruptive ideas of any kind forward, which is a necessity in an increasingly challenging and changing
IoT world. It supports quick deployment and market take-up of innovations while reducing the vulnerability risks.
Scope: The Bottom-up Track supports projects related to any topic, sector or challenge undertaking innovation from
the demonstration stage through to market uptake, including stages such as piloting, test-beds, systems validation in
real world/working conditions, validation of business models, pre-normative research, and standard-setting. It
targets relatively mature new technologies, concepts, processes and business models that need a last development
step to reach the market and achieve wider deployment. To this end, if a proposal involves technological innovation,
the consortium must declare that the technology or the technologies concerned are at least at Technology Readiness
Level (TRL) 6, where appropriate.
Impact:
Fast development, commercial take-up and/or wide deployment of sustainable trustworthy innovative solutions
(products, processes, services, business models etc.) in enabling and industrial technologies and/or for tackling
societal challenges.
Increased industry participation, including SMEs, and more industry first-time applicants to Horizon 2020.
Proposed Budget: 50 M€
Call schedule: 1 per year
Envisaged actions (with links to KPIs)

A specific funding mechanism is crucial for the competitiveness of European
cybersecurity industry to fuel trusted innovations. The “Bottom-up Track for
Cybersecurity Innovation” aims at reducing the time from idea to market,
stimulate private sector investment and to take best-in-class-innovations on a
fast track to outpace international competition. It supports projects related to
any topic, sector or challenge and aims at complementing the cPPP’s predefined pillars as well as set priority R&I topics.
8 Non-Technical Aspects
8.1 Education, training, and skills development
There is a need for re-thinking education at different levels. It is not a matter of standard recycling; a truly
multidisciplinary, coordinated and coherent approach is needed. The customers of education, training and skills
development can be segmented as:
• General population – individuals that are not cybersecurity experts but users of ICT technologies and
services.
• Students of all ages under an education curriculum, targeting education in primary and secondary
schools as well as at university level.
• Experts – addressing the needs of continuous learning for professionals of different sectors that have high ICT
dependency, in order to raise awareness and enhance their skills.
In order to reach those segments, many tools need to be set up:
• At the level of the general population, ICTs have changed our lives as they have penetrated almost all domains, and
the majority of people are highly dependent on well-working ICT tools to conduct their daily business.
• At education level, there is a big awareness gap and a lack of integrated training modules on cybersecurity
related aspects at all school levels, starting from low awareness and skills of teachers themselves. The same
is true for professional training at university level, including a lack of cybersecurity modules in higher
education training programs for vital service domains etc. Furthermore, there are only a few existing
cybersecurity higher education programs in Europe.
• At professional level, there is a lack of accessible tools for continuous awareness, training and skills
development on cybersecurity aspects. Cybersecurity skills are more and more a prerequisite for employers
in a multi-faceted approach (i.e. law, insurance, testing facilities from many ICT and non-ICT sectors, critical
infrastructures, etc.) and, at the moment, there are more jobs than qualified candidates, while the
unemployment rate stays very high in some European countries. On the other hand, professional training
programs are very fragmented and led by specific international companies that develop them for specific
purposes or on request (usually also very costly).
It is clear that to reach these target segments, it is necessary to set up new training models (i.e., massive open online
courses, etc.) and accessible tools to facilitate the access to knowledge and raise general awareness. Also efforts
need to be made to enable career re-orientation to support entering the cybersecurity field in later stages of the
career.
The benefits are obvious:

• Cybersecurity will produce new innovation paths and market niches such as cybersecurity insurance,
cybersecurity risks and practices, security engineering, security management, and many more.
• Having a coordinated view will encourage Member States and the other countries participating in the cPPP
to agree upon a baseline of cybersecurity indicators.

• In addition, there is a social aspect of cybersecurity as a tool for awareness of human values (particularly
among the youngest people) through, for instance, user empowerment and control of personal data, and
digital legal education (right to be forgotten, freedom of speech, anonymity versus trust and security,
crowdsourcing versus legacy manufacturing etc.).
The common educational needs of the target segments identified above should have:

• Multi-disciplinary focus
• Responsiveness to changes in technology and societal environment
• End-to-end skill development
• Alignment of curricula and training with demand for skills
• Using appropriate methodologies for teaching cybersecurity at all levels, from awareness to focused
expertise
Among others, one of the goals to be developed within the frame of the cPPP would be to set up a cyber
College/Academia⁸ (or network of academia and colleges) with the goal to:
• Collaborate in preparing training materials and modules for professional training as well as training on lower
educational levels.
• Generate a consensus on a core of European higher education curricula for cybersecurity studies at
university level (both traditional and virtual education) as well as propose a plan for integrating cybersecurity
study modules into the professional education of vital service providers and public servants. For that purpose,
synergies with DG-Education programmes and funds have to be found. At the moment, there is a fairly
sparse collection of courses and competences but not a unified approach.
• Coordinate a network of PhD studies on cybersecurity, deeply connected with the industry, i.e., under the
format of industrial PhDs already existing in the H2020 Excellence Science Pillar.
• Promote creativity and innovation in young students and young researchers by proposing challenges,
prizes, cyber-campus activities, etc., in order to connect them with the needs of the citizens and of the
industry.
Finally, the scope of education, training and skills development can provide an opportunity for a close collaboration
with other European bodies (i.e., NATO, especially NATO CCDCOE and other decentralised European agencies).
⁸ This could be done with similar initiatives led by NATO and other organizations in order to maximize synergies.
Envisaged actions (with links to KPIs)
• Establishment of a European Cybersecurity Academy and a Network of
national Cybersecurity “academies” in order to provide multi-disciplinary
curricula and training recognized at European level. The network/-s may
reach several of the following segments:
o Graduate students, in order to develop their skills as future
cybersecurity specialists. Specific modules for non-ICT students
will also be deployed for basic knowledge and awareness raising.
Cyber-camps and cyber-challenges will be organized to test their
abilities.
o Teachers, from primary school to graduate level, in order to
expand the number of students and centres connected with the
Cybersecurity Academy. Advanced contents and a knowledge base
should be available to facilitate the spread of cybersecurity skills.
o Industry (including SMEs), industry associations and service
providers, both ICT and non-ICT related.
o Cybersecurity specialists and researchers, aiming to improve and
update their skills, share experiences, exchange best practices,
etc. Testbeds and hands-on labs should be available at European
level.
o Policy makers and the public sector in general.

• To reach the largest number of customers, a combination of
traditional (classroom) education with training activities using innovative
and accessible tools will be used (i.e., cyber range platforms, distance
learning platforms, VTC, …).
• Close collaboration with private actors already providing this sort of
education on demand should be established in order to reach a
homogeneous “quality level”. (KPI 7)
• Establishment of a European Cybersecurity teachers and doctoral Network
connecting universities to industry needs at the highest level. Hands-on labs,
cyber-camps and cyber-challenges will be organized to test their
proficiency and innovation capabilities. (KPI 7)
• Establishment of a European primary school level education programme.
(KPI 7)
• Organisation of a number of cross-border exercises and trainings, not only
for awareness raising but also for product testing by researchers, in order
to improve the resilience of European products and services (e.g. a European bug
bounty programme). Advanced trainings like bootcamps could address
specific needs at European level. The themes of the bootcamps, exercises
and challenges will be selected each year and they may cover industry
needs but also advanced or upcoming threats. A number of significant
countries should collaborate each year in an incremental way in order to
reach wider consensus and common scenarios by 2020. Coordination and
collaboration with European external bodies of the Commission (i.e.,
external agencies such as ENISA and others) as well as with NATO facilities are
also envisioned. (KPI 7)
• Organisation of annual cycles of large scale international exercises with
participation of a significant number of experts from outside Europe. The
exercises will aim to create a consensus at global level, to exchange best
practices and knowledge and to provide policy makers with
recommendations for better protection and other cybersecurity aspects.
Under a fixed theme each year, a number of advanced training sessions
(e.g. cyber exercises, bootcamps) will be deployed annually. Coordination
and collaboration with European external bodies of the Commission (i.e.,
external agencies such as ENISA and others) as well as with NATO facilities are
also envisioned. (KPI 7)
8.2 Fostering innovation in cybersecurity
Innovation models have evolved from insular, linear, and reactive models of innovation towards the more
contemporary models that are fluid and adaptable processes that aim to raise development efficiency and speed to
market through inter-organisational cooperation and strategic alliances. The Cybersecurity Innovation value chain is
enacted by an open ecosystem of small and large enterprises, individual inventors, research institutes and
universities. Large enterprises are experimenting with a variety of schemes to stimulate and benefit from
entrepreneurial activities outside their organisations. Similarly, national and European research programmes are
trying out new instruments designed to encourage participation by small companies and to grow this sector of the
market. Information gathering and analysis is still in progress, but it appears that while the general philosophy of
Open Innovation is shared, there is considerable variation in how it is interpreted and applied, and a consensus on
best practice has yet to emerge.
8.2.1 Develop a cybersecurity ecosystem
The breadth of cybersecurity and privacy challenges within wider technology, policy, and economic perspectives is
vast in scope. In aiming to build systems with as few security flaws as possible, strong demands are placed on many
stakeholder types; how best to introduce the right economic incentives that fairly balance those costs across the
various actors in the security value chain is critical. In tandem, many cybersecurity clusters and accelerators have
been created in Europe in recent years and we have several years of practical experience with organizing
international as well as national cyber strategy.
There are many ways to develop the cybersecurity ecosystem further in order to create value for many other
stakeholders including researchers, experimenters, SMEs, policy makers, universities and students etc. Innovation
clustering initiatives are viewed as a key abstraction for creating the appropriate ecosystem. However, these are
often characterised and constrained by their regional nature, so a European-wide initiative is recommended.

Collaborating and competing

Geographically dispersed across Europe but linked to other global initiatives

Specialized in a special field, linked by common technologies and skills

Of a critical mass (this refers to the fact that a cluster should include actors, which together have a certain
weight in their sector in order to be able to build momentum, i.e. to be able to establish self-supporting
processes.)

Either institutionalised (having a proper cluster management) or non-institutionalised.
While clusters are usually created and thought of in terms of driving competitiveness and growth, particularly with
regards to innovation, their definition may also be focussed on other primary objectives, such as providing a legal
framework or similar umbrella to support funding or marketing initiatives, or in some cases to provide a supporting
reference model for statistical measurement. The notion of clusters is often used interchangeably with other terms
such as innovation or technology “hubs”, “districts”, “milieu” etc. While some academic literature has suggested
nuanced differences when comparing such terms, consensus on similarities and differences has been difficult to
establish.
8.2.1.1 Key Cluster Characteristics
Clusters of specific firms within a specialist industrial or technological domain are viewed as an increasingly
important source of economic development across the advanced industrial economies, and a central focus of
technology policy. By composition, there are generally accepted to be four cluster types:
1. Geographical cluster
2. Sectoral clusters (businesses operating together from within the same commercial sector)
3. Horizontal cluster (interconnections between businesses at a sharing of resources level)
4. Vertical cluster (i.e. a supply chain cluster).
Researchers have also attempted to decompose the structural topology and characteristics of clusters, noting
several approaches such as:
1. “Hub and spoke” approach that is typically led by a few dominant anchor firms, usually large firms
2. “Satellite” approaches whereby organisations co-locate branch facilities of a similar nature in near proximity
to one another - R&D divisions are often clustered in such a manner in a location away from corporate
headquarters to achieve such benefits for example
3. State-centred clusters are another approach, led and dominated by the presence of one or a few large public
or non-profit entities, such as universities, RTOs, or military/national security institutes (the latter
particularly evident for PACs).
Broadly, it is agreed that the initial formation of the most successful clusters has resulted from accidental or
serendipitous events, and is often driven initially by key anchor individuals with a vested interest in harnessing local
networks in a given area, more so than top-down policy drivers. However, it is agreed that once a cluster reaches a
certain point of scale, policy intervention can achieve significant impact and is indeed necessary for the cluster to be
sustainable. Despite this, within the cybersecurity spectrum some key emerging ecosystem initiatives on a global
level are strongly premised on a top-down policy approach; the emerging shift of cybersecurity emphasis in Israel
from Tel Aviv and Haifa towards Be’er Sheva is a strong case in point.
8.2.1.2 Key Characteristics of High-Performing cybersecurity Ecosystems
A broad range of complementary ingredients are necessary in order for innovation environment settings to flourish:
1. Sustained proximity to cybersecurity challenges
2. Provision of sustained talent flow
3. Strong ecosystem planning and oversight
4. Multi-faceted support from academia and research institutes
5. Appropriate funding supports
8.2.1.3 Funding of cybersecurity innovation
In a cybersecurity context, more explicit funding supports for cybersecurity-based start-ups in Europe are emerging.
For example, in June 2014 London-based C5 Capital became the first focused cybersecurity investment fund in
Europe, providing a $125m fund for cybersecurity start-ups. So far two investments have been made, an $8m
investment in monitoring provider Balabit, as well as investment in Qinetiq spinout Metrasens [9]. Managers of the
fund believe that European ICT and cybersecurity companies are now at an increased competitive advantage in
Europe as a result of recent NSA surveillance scandals in the US, as such firms are not subjected to the same levels of
data collection as their US counterparts. Traditionally, European cybersecurity companies have sought expansion
funding to expand into US markets by default, but other markets such as the Middle East and Asia are now also seen
as attractive alternatives [10]. Local European vendors will also always benefit from understanding the local needs of
the region, often giving them a competitive advantage over US and other non-European vendors, but
there is now increased demand for Europeans to provide alternative services to protect citizens and their embodied
data in their own markets.
8.2.1.4 Areas for opportunity

European funded projects should include market studies for their technologies and consider lifecycle costs to
ensure market-viability of their technology.

Business cases for disruptively innovative products need to take into account the difficulty of displacing
incumbent solutions arising from dependency networks, regulations (which can either promote or inhibit
innovation) and other potentially inhibitory factors.

Research is needed to look at market dynamics aspects of innovation in cybersecurity.

Exploitation of cybersecurity innovation from research is challenging; often the stakeholders involved in the
realisation of research are unable to commit to driving it from research into the market. Facilitation of a
repository of research output could link entrepreneurs with researchers.

Further analysis of implementation of research results into successful cybersecurity products and services
could improve the development of success indicators to monitor exploitation during the research lifecycle
and beyond.

Research into the origins of successful cybersecurity products and services could further our knowledge of
early intervention and supporting instruments.
[9] http://www.c5capital.com/
[10] http://www.scmagazineuk.com/vc-funding-for-european-cybersecurity-firms/article/356360/2/

Most research projects solve problems of the future and the first results are available in 3-4 years, whereas
customer needs and expectations, especially in cybersecurity, are close to immediate. This problem deserves
special support and treatment, maybe through the open calls managed by individual projects or a dedicated
platform.
8.2.2 Define the cybersecurity value chain
“Cybersecurity” commonly refers to the safeguards and actions that can be used to protect the cyber
domain, both in the civilian and military fields, from those threats that are associated with or that may harm its
interdependent networks and information infrastructure. Cyber-security strives to preserve the availability and
integrity of the networks and infrastructure and the confidentiality of the information contained therein.
Cybersecurity value chain challenges are shared between all pure players. Pure players are those who either have a
cybersecurity product or a cybersecurity business unit. Other ICT players, although their ICT solutions should be
secure, compete in sectors other than cybersecurity, so their
challenges are usually different.
European pure players in cybersecurity share:

A common strategic market segment (cybersecurity),

Same type of customers,

Same trends,

Same strategic challenges to overcome in the future
European companies which are competing globally could benefit from a Digital Single Market: it would not only reduce
market barriers inside the European market but could also be a tremendous opportunity to facilitate joint offerings,
mergers and acquisitions, leading to a more competitive offer from Europe as well as more competitive pure players
and a more competitive innovation chain.
As a first step, it is recommended to create and maintain an interactive catalogue of European Cybersecurity pure
players as well as European clusters in cybersecurity to facilitate easy access to European products and services by
any customer but also networking between all different actors inside the value chain to facilitate competitive
advantage initiatives through joint offering, mergers or acquisitions.
It is also recommended to make a periodic (at least once per year) European cybersecurity market analysis in order to
monitor revenue and growth (CAGR) indicators for European industries. Market analysis also allows the
identification of different types of customers and their principal concerns when buying cybersecurity products.
Individuals, governments (local, regional, national), SMEs, large enterprises, CIP operators, Defence, Home affairs are
usually cybersecurity customers. The concept of sophisticated demand is introduced as a catalyst for the European
cybersecurity industry by sharing ideas and opportunities as market challenges. For example, finance, energy and CERTs
could be considered sophisticated demand in that they probably know whether a solution is available for a current or
potential need. A good connection and intervention of sophisticated demand inside the innovation chain could
benefit the entire ecosystem, ranging from researchers to pure players.
Market segments today range from ICS (industrial control systems) and CIP to monitoring and intelligence.
Common challenges for European pure players in cybersecurity might be:

Market knowledge

Sharing intelligence

Local/regional/national market development

International market (DSM and beyond)
Activities at European level along the above axes could benefit the competitiveness of the entire European value chain.
The market is fragmented at national and international level, with big players moving to lead different
segments and product types (ranging from basic to corporate, or even industrial).
Key factors for CISOs are interoperability with legacy infrastructure and usability of each solution.
Public procurement, the definition of instruments to boost local procurement, incubators, accelerators, investors and
venture capital dissemination as well as the promotion of cybersecurity talent are key differences from global
leaders like the US and Israel.
The definition and support by this cPPP of collective actions, either direct or indirect projects, could benefit the
positioning and competitiveness of the European value chain.
The value chain of pure players in cybersecurity arena includes:

Manufacturers (SW, HW and mixed)

Channel (wholesale and distributors)

Services (integrators, consulting, managed security service providers (MSSP), value added resellers (VAR) and
specialized service providers).
End users or customers represent the last mile of the value chain, ranging from sophisticated demand to individuals.
Governments, clusters, forums and other IT related associations play a major role in the cybersecurity value chain.
In addition, there are also research and innovation providers, training providers, funding or venture capital events
for entrepreneurship and start-ups initiatives.
The cybersecurity industry may keep a balanced representation of each type of entities along the whole value chain.
Today, manufacturers, MSSPs and specialized service providers make up most of the industry representation.
Cybersecurity Value Chain (source: INCIBE)
A differentiator of the cybersecurity industry is that we see far deeper integration in value chains of companies than
is traditionally the case. Delivering spare parts for an automobile producer does not require utterly deep integration
into business procedures and operations of that producer. However, implementation of an early warning and threat
detection system that scans all of the producer’s communication traffic in order to identify anomalies is a rather
deep integration into the company inner workings.
The cybersecurity market is deeply influenced by various themes driven by technical, human, societal,
organisational, economic, legal, and regulatory concerns among others; these factors combine to create a marketplace
and innovation ecosystem with complex value chain relationships.
Value chain positioning in the cybersecurity domain impacts on innovation focus and capacities: much of the
innovation in the domain can be characterised as incremental (e.g. integrating components of technology from
suppliers, tech plug-ins for a platform or providing a service wrap around technology delivery), as opposed to radical
new developments that force businesses to re-organize or lead to the emergence of wholly new markets.
A supply chain connects inputs to outputs by representing different stages of production. Supply chain analysis offers
insights into the production of cybersecurity and privacy-enhancing goods and services. It allows the description of
vertical relationships that exist between market players and their integration at different levels of the production
process. Interrelations in the production of cybersecurity products and services are becoming more important the
more functions are outsourced to partner firms.
Note that in today’s digital markets, it is not sufficient to speak about vertical relationships, as is done here for
exposition reasons; networks of suppliers and buyers characterize these markets. Through increased integration,
cybersecurity risks are shared between ever more partners in the supply network.
The supply chain analysis facilitates also a better understanding of the incentive structures inherent in vertical
relations, because the firms’ contracts state rules on:

The allocation of value added (and revenues extracted) in the production process between the different
actors in the supply chain; and

The allocation of risks and liabilities related to the production and provision of the security goods and
services.
Firms may vertically integrate in order to internalize mark-ups or to offer a broader product portfolio. At this stage,
there are a number of open questions. For example, it is an open question whether in cybersecurity markets, firms
also vertically integrate hardware, software and services in order to obtain full control over the security of their
supply chain. It is also not clear whether greater disintegration increases cyber-risks (i.e. through linkage attacks) and
therefore negatively affects the resilience of ICT systems. [11]
While many still see the supply chain as a physical entity, digital services and product provision allows companies to
deeply integrate into each other’s supply chains. One example is the outsourcing of real-time surveillance of
networks to IT companies. Other examples are e-forensics and e-discovery, where the contracted consultant scans vast
amounts of diverse internal and sensitive documents (PDFs, e-mails, Word documents) and therefore obtains deep
insights into a firm’s business dealings and secrets. As stated above, in order to deliver secure cybersecurity
products and services, the supply chain needs to be secure. Some interview partners put forth that in Europe there is
an over-reliance on products developed outside of Europe.
The management of secure supply chains is a critical question not only for firms active in the cybersecurity business,
but also for critical infrastructure industries. In the former, however, industry stakeholders often describe
cybersecurity as part of their company’s DNA: In order to develop secure products, product development and
production must be based upon secure processes and inputs. [12] And the same must hold for the idea development
stage. Some companies therefore establish an extra monitoring department that verifies whether security products
have been developed securely. In the ICT business and the ICT security business, secure supply chain management
includes software, hardware, business procedures and overall system architecture. Vulnerable software aside,
hardware is also exploitable (e.g. by containing manipulated microchips). Further, hardware and software interact
and both depend on each other.
[11] An example of a linkage attack is the recent Target Stores incident in the U.S. (The interested reader is referred to Vijayan, J.
(2014). Target Attack shows danger of remotely accessible HVAC Systems,
http://www.computerworld.com/article/2487452/cybercrime-hacking/target-attack-shows-danger-of-remotely-accessible-hvacsystems.html)
[12] The same holds for services.
The management of cyber-secure supply chains is also important in critical infrastructure organisations including
banking and finance, water and utilities, and the health sector. These are – as end-users of products and services – at
the final stage of the chain that needs to be secure in order to allow a secure operation of critical infrastructure.
Synonymous with ICT markets in general, cybersecurity firm-level innovation challenges transcend infrastructural,
market, knowledge, cost and regulatory/legal domains. Typically, cybersecurity innovators’ competencies and
investments are predominantly directed at the early phases of the innovation lifecycle (ideation through to concept
development), whereas significant scope and requirements occur in the latter stages (test and implementation).
Accordingly, the cybersecurity stakeholders surveyed identified a broad scope for innovation supports across the
entire innovation value chain and ecosystem (i.e. strategy, business intelligence, ideation, portfolio management,
resource management development, and launch).
Resonant of the ‘crossing the chasm’ debate, there is a strong disconnect between ICT security researchers’
technology innovation and the accompanying business development/diffusion innovation skills and acumen. While the
imperative of underpinning innovation development activities with sound commercial business cases is recognised,
competency and proficiency in this area are severely deficient.
Highly commoditised mass-market PACs product segments, with low levels of differentiation at the commercial level,
and differentiation that is difficult to validate at the technical level. This makes it harder for PACs end-users to select
and evaluate products, and for PACs innovators to differentiate themselves in the marketplace.
Very high market barriers to entry in established supply-side market segments, namely those serving (1) Larger
Enterprise, (2) Government, and (3) Military/Defence.
Difficulty in creating ROI arguments and compelling value propositions around cybersecurity products, especially as
next generation PACs products become more complex and expensive. This is being offset to some extent by growth
in demand for Managed Security Services (MSS) and similar forms of outsourced security solutions.
Extending research into the behavioural aspects of legitimate stakeholders and malicious actors within the
cybersecurity environment could further our understanding of underground markets and the threat landscape.
Envisaged actions (with links to KPIs)

Encourage all stakeholders in the value chain to produce an annual market
analysis. This analysis may also include new products, technologies, new
growing segments or niches so that European pure players can develop
new strategies aligned with the international market. (KPIs 1, 3, 4, 5, 6)

Encourage all stakeholders to facilitate intelligence sharing at European
level so that SMEs and start-ups can also have access to zero-day or
up-to-date vulnerability databases, so their products can be fine-tuned. A
testbed could be a good instrument to facilitate high quality in any
European product, and also high-quality European research as a first step of
any new product or start-up. (KPIs 1, 5, 9)

Develop testbeds in which any European product could benefit either from
interoperability tests, at least between European products (to facilitate
adoption of new products by CISOs, as it is one of their main concerns), or from
vulnerability tests (for example by developing a European bug bounty
programme), so that European products are stress-tested
continuously to reduce the risk of vulnerabilities and zero-days while in
production. (KPIs 1, 4, 5, 8, 9)

Encourage the whole value chain to share experiences and opportunities of
cybersecurity by organizing coordinated events at European level. This is
equally relevant when considering innovation and research. Research
needs to be focused on the needs of customers and pure players. It is also
recommended to organize cross-sectorial events to identify new niche
opportunities as well as to involve clusters at European level. CS applied
to other sectors could benefit ROI calculations through economies of scale. (KPIs
3, 4)

Encourage Member States and the other countries participating in the cPPP
to boost national markets as well as DSM by specific public procurement
actions. (KPI 1)

Develop joint international business development actions, like business
missions (both ways) to facilitate DSM and beyond. Sophisticated demand
could be a good partner for this type of missions. (KPI 1)

Develop and support over time cybersecurity specialized incubators
and accelerators focused not only on niche products but also on essential
services which today come from outside Europe. These instruments should
have European and national support as well as private funding, as any
of these start-ups could become a competitive advantage for any large company
via acquisition. Venture capital and investment funds must be available
at both national and European level. The business of this type of company
really depends on the available talent, so specific actions to promote,
identify and retain talent in cybersecurity must be developed. (KPIs 1, 4, 5,
6)
8.2.3 Boosting SMEs
Europe is a 95% SME market; in the cyber domain SMEs are even more dominant. Therefore, SMEs should be the
backbone of the European economy by developing R&D that enhances global competitiveness and plays a relevant
role in raising the level of cybersecurity solutions for market demand. Yet recent statistics show that the number of
European SMEs innovating in-house or collaborating with other companies on innovation or market-oriented
projects is still too small. They often lack organisational resources, capacities and knowledge.
SMEs need practical, hands-on support to overcome this challenge, particularly as new value chains develop that cut
across transversal industrial sectors demanding cybersecurity products.
The essential barriers that prevent SMEs from penetrating the European cybersecurity market have been classified into the
following categories:
a. Difficulty accessing European cybersecurity market consumers
Scalability is a challenge for SMEs, which usually start their activities in their own country's market and find serious
obstacles to internationalisation. The European cybersecurity market is held by a small number of global
brands, mainly non-European-based companies.
European SMEs are therefore usually forced to compete in a hostile environment and export efforts become too
challenging, as big IT security players protect their niches from new and external threats and competitors, benefiting
from their strong market presence and adjusting costs to enhance competitiveness. Smaller companies are
confined to local markets and still dependent on public procurement in their home country.
Envisaged actions (with links to KPIs)

Common procurement calls made by public authorities and companies, to
allow cybersecurity SMEs to sell their niche products at larger scale. In
order to ease start-up and SME participation, specific communication
actions should be envisaged.

Link cybersecurity SMEs and their innovative products to concrete needs
identified by a wider platform, also to open new and wider markets
together and gain easier access.

Strengthen the linkage between research and innovation, including the
support of University and research programs for start-up creation.

Explore the possibility of a European Cybersecurity Small Business Act to
facilitate procurement oriented towards SMEs.

Develop a certification program for cybersecurity SMEs (modelled on
PCI-DSS), vetting SMEs for products and services, beyond ISO 27000, to
protect and facilitate SME business (avoiding high certification costs and
dull procedures).
b. Difficulty accessing finance for innovation
Shortage of SMEs’ own financial resources is a seemingly perennial problem, but one that has certainly been
exacerbated by the recent global financial crisis and current economic slowdown. Innovation is costly, and
companies face investment choices regarding scarce resources. Innovation is often in competition with other
business functions for this investment.
Envisaged actions (with links to KPIs)

Further promote specific Research & Innovation mechanisms for SMEs in
the cybersecurity sector with adequate financial support: e.g. the H2020
SME Instrument of the European Commission and COSME. An extension of
this approach, better linking SMEs with other companies, even large ones, to
reach the market and have easier access to funds, could be provided by the
creation of a European programme similar to the French RAPID for civilian
applications. Specific support for the use of these instruments, helping
cybersecurity SMEs as well as SME users of cybersecurity, could be provided
with the creation of a specialised cybersecurity officer position.

Similarly to the Future Internet PPP, funding instruments for accelerators
and SME associations need to be in place, creating a situation where
the reporting obligations towards the Commission are handled by the
accelerators, associations etc., who in turn distribute the funds to the
start-ups and SMEs, who by themselves are unable to cope with the
administrative burdens of these financial instruments or even just with being
present in the working formats. At least 30% of the funds should be
committed to such instruments.
c. Lack of innovation and market-oriented management skills in SMEs
Market processes need to be managed from the generation of innovative ideas to the generation of profits with new
products/services. Moreover, an increasingly complex innovation system combining ‘open innovation’ approaches
with closed ones requires more sophisticated management skills.
Envisaged actions (with links to KPIs)

Help SMEs (as suppliers and users of cybersecurity solutions) to find skilled
expert resources (registry of cybersecurity experts) – e.g. accreditation by
ENISA or by another organisation. Help user SMEs to better define their
cybersecurity needs.

Measures for improvement of professional conditions to mitigate the
outflow of qualified experts, who leave Europe to look for better research
opportunities.

Set up a European accelerator for cybersecurity start-ups to support
development of excellence and reduce risks of failure in the first years of
operation. An accelerator for European cybersecurity start-ups could
provide mentoring, entrepreneurial support, innovation management and
funding capabilities with the support of academic centers, universities,
governments, private sector and European Commission, to foster
technology development for the European market and to share these
results among the companies in Europe.

Information flow and exchange of ideas are needed to create impactful
innovations. The cPPP needs to support mobility of cybersecurity experts
between SMEs, larger companies, research organisations and universities.
This will help in growing and diversifying the competence resource pool.
d. Weaknesses in networking and cooperation with clusters, research communities and
external partners
Successful innovation is highly dependent on the identification, cultivation and maintenance of good linkages
between the different components of the global value-chain, and as ‘open innovation’ becomes more embedded in
SME business strategies.
Envisaged actions (with links to KPIs)

Use sectoral SME clusters and Networks of Innovation intermediaries as
mechanism at local level and beyond (Regional / National) to develop the
market, support cybersecurity SMEs and as multiplier of European
initiatives.

Foster the dialog among local and regional cybersecurity supplier hubs as
an effective way to organise transnational networking events, in
conjunction with government bodies or other interested parties (insurers,
academia) to the benefit of both buy- and sell-side.

Establish a representative group of cybersecurity SMEs or a representative
body to serve as a communication channel to SMEs in Europe to suggest
solutions for SMEs and small market players.

Develop regional / local Security Operations Centers (SOCs) to help
cybersecurity SMEs and clusters (public or privately owned, depending on
the business model, also with support of regional funds).

Strong budgetary support for SMEs in co-operation initiatives with research
organisations. The goal is technical innovation and rapid technology
transfer from research to business.
8.3 Standardisation, regulation and certification
8.3.1 Standardisation
As a common enabler for cybersecurity activities the standardisation process should evolve into a coherent,
proactive, transparent, inclusive (open to all stakeholders) process.
As an example, the near future of Smart Infrastructures may need processes and resources that are more adaptive,
decentralized, transparently collaborative and efficiently controlled. The more pervasively ICT is used to meet
such requirements, the more interoperable and hyper-connected it must be.
Due to the dynamic nature of cybersecurity and its threats, new products and services may need to be deployed
continuously while co-existing with legacy systems still under depreciation, so
interoperability is a major challenge. An equal level playing field for security and privacy in the EU and its 28 Member
States and the other countries participating in the cPPP is key for creating trust in the Cybersecurity market.
The exponential explosion and availability of new ICT solutions based on products and services, as well as the diversity
of components, applications and services, created, integrated and deployed from anywhere in the world, may need
an extra effort of standardisation if we want any end-user to trust, for example, cross-boundary interoperable and
privacy-guaranteed communications. First, better political and regulatory support is needed for an effective
cross-border approach, and secondly, industrial transparency of the hardware and software components and
functionalities used may happen. It should guarantee an appropriate balance between harmonisation through
standardisation and innovation for standards. Regulations shall give guidance to standardisation by:

Establishing minimum requirements for security and privacy,

Ensuring high degree of interoperability and openness to innovation.
Following this guidance and in order to prevent too divergent practical implementations, these standards could
develop respective profiles which offer practical implementation guidelines regarding specific technologies. Besides,
the European Standardisation body should receive the mandate to elaborate new security and privacy standards
as early as possible, e.g. not waiting until the ICT rolling plan is validated by the Multi-Stakeholder Platform (MSP).
Cybersecurity must be considered as industry-transversal impacting many markets. As such, it needs to take into
consideration the different markets where cybersecurity is critical. Moreover, the introduction of smart and
connected objects is creating new and ever more numerous security considerations in new markets. It is important to
assess whether the standardisation and certification schemes in place are effective for those new problems. The
European standardisation bodies shall be commissioned to conduct a full assessment of whether and in which form
standardisation and ICT related standards shall be updated.
There is a business opportunity for the European Industry to be the blueprint in privacy and security-by-design for
end users with crypto standardisation, whose interoperability and usability are still a challenge, currently hindering
widespread adoption. Pre-standards can drive a faster adoption of R&I results by the Industry. But at the same time
policy makers shall enable a more effective policy creating an equal level playing field for security and privacy.
Instead of plugging holes and fighting hazards (hacks, leaks, spying) regulation shall define minimum requirements as
guidance and give trust to end users and planning certainty for industry.
Envisaged actions (with links to KPIs)

European Standardisation Body to conduct a study of whether and in which form
standardisation and ICT related standards shall be updated. We should foster
the adoption of existing standards when these fit the needs. (KPI 2)

All contributions and proposals shall recommend how the proposed solutions
or innovations can be taken up by standardisation and propose how
standardisation shall be updated. (KPI 2)

Leverage smartcard-related standards as well as other international standards
in which European companies are involved (e.g. Global Platform, Trusted
Computing Group (TCG), FIDO ("Fast IDentity Online") Alliance). (KPI 2)

Request to have a permanent seat at the Multi-Stakeholder Platform (MSP).
(KPI 2)

Create liaison with the European Standardisation Organisation & international
ones (ISO, ITU, W3C). (KPI 2)
8.3.1.1 Regulation
Standards may play an important role in the elaboration of legislation and regulations dealing with technical matters,
as is the case for cybersecurity. In this area the European legislation has at least four main horizontal
instruments in force or close to being adopted (NIS, GDPR, eIDAS, CIP) that need to be transposed and implemented at
national level, and may require the adoption of more detailed secondary legislation at European level (i.e.
implementing or delegated acts). Additionally cybersecurity aspects are more and more frequently considered in
specific sectorial legislations, which may also need to rely on standards to define technical requirements.
A well-established tradition of cooperation between the European Institutions and the ESOs (in particular via
standardisation mandates) allows timely availability of the standards needed in legislation, and facilitates the
contribution of the technical expertise from NSOs to the legislative process. Furthermore, Member States and the
other countries participating in the cPPP may be easily involved in the standardisation process through its
representation in NSOs. For all these reasons European Standards shall be taken as the default option for any
technical requirement to be included in legislation or in its implementation.
This is particularly important in case of mandatory features of technical characteristics that may be imposed as
“essential requirements” for specific products or systems. The New Legislative Framework (NLF) together with the
CE marking system, which guarantees compliance with the relevant European Standards, has proved to be an
efficient mechanism for the definition and supervision of those requirements while promoting the internal market in
many areas, including highly sensitive areas13. It should be then the reference for the adoption of any mandatory
technical requirement and its conformity assessment in the areas of cybersecurity.
Finally, technical specifications also play an important role in public procurement processes, which on the other hand
may be used as a driver for the adoption or promotion of specific facilities or technologies. Special attention should
be paid to the influence of the technical specifications for cybersecurity requirements in public procurement
processes, which should be based as much as possible on European Standards, while fully respecting the relevant
European legislation on public procurement (in particular Directive 2014/24/EU).
8.3.2 European Cybersecurity quality/ trust label
There is a recognized need for a European Certification for cybersecurity products and services and corresponding
Trust Labels, as suggested in topic 110 of the EP resolution of March 12th 2014. A European trust label for
cybersecurity and secure ICT products, services, and mutual certification, respecting European values and
empowering the national CERT (complement to national trust labels) shall be created to help identify trusted
European products and services and be a seal of trustworthiness: it could use existing labelling procedures such as
the CE Mark14, Ecodesign or Energy Label. Support of lightweight labels such as “IT security made in Germany”,
“France Cybersecurity” can be raised in addition as needed.
The creation and operation of European Cybersecurity Labels plus a transparent certification mechanism shall follow
a defined set of criteria – based on minimum requirements (these should be selected in order not to unnecessarily
hinder product development). This would benefit label holders as a seal of guarantee of security as well as privacy in
products or services, and can help corporates and consumers to identify secure providers. Labels shall be built on
best practices and internationally recognised existing certifications, based on industry requirements. The benefit of
this European label resides in its European-wide recognition and acceptance, thus helping to fight the
fragmentation of the European market, and creating competitive advantages with the creation of stronger market
positions for trustworthy companies. Besides, a label will define the basis for a European equal level playing field and
international products will have to follow the defined quality and trust level to stay competitive.
Different levels for the label can be devised, corresponding to increasing levels of security and privacy in the
products and services (e.g. from G to A+++). Citizens, customers or companies of these products shall not be obliged
in any way by law or regulation to buy higher labelled products. But with a defined level of basic security and privacy,
they will choose better quality over time as transparency as well as awareness help them to make better buying
decisions. Where labels have been used, compliance to the label requirements must be monitored and regularly
checked and made fully transparent to consumers and buying industries. The set of requirements, methodology and
process for the certification of trusted solutions, ought to be defined at the European level, coordinated by a
European-level agency in agreement with national security agencies of Member States and the other countries
participating in the cPPP (CERT), while enforcement can be delegated to national agencies in charge of cybersecurity
practices. The set of requirements will be a single one for the whole of Europe (baseline) but the implementation will
be under the responsibility of the national CERT. The National CERT can decide to sub-contract the Label award to
some non-profit association.
13 E.g. civil explosives, lifts or measurement instruments; it will soon be applied to pyrotechnic articles, medical devices, gas
appliances or personal protective equipment, among other areas.
14 European Regulation 765/2008 and Decision 768/2008 provide for CE Marking as a sign of conformity and forbid other
markings/labels that overlap with the CE Marking.
Some critical infrastructures at the national level might require some specific local criteria. In this case, additional
local criteria will come on top of the baseline criteria. Compliance validation shall be conducted in the same manner
by any national agency, and shall be recognised European-wide. The setting up and operation of this label
mechanism will imply costs, so resources must be allocated to put this mechanism in place. The requirements for the
basic level of label shall be defined at European-level. Higher levels shall be in the realm of sectoral stakeholders
(Automotive, Health, Energy, etc.) in accordance with their respective regulatory authorities.
Envisaged actions (with links to KPIs)

Set-up of a real-world labelling pilot, e.g. for an electronic, connected device
with several security (privacy) building blocks such as hardware, software,
communication. This pilot will include pre-specification of the building blocks /
components – if not certified already – user involvement in the specification,
e.g. ease of use, transparency and in the implementation phase. Accompanying
research will ensure neutrality and that best practices can be identified. (KPI 2)

Multi-Stakeholder dialogues with industry and society to define minimum
requirements for security and privacy to derive the label definition. (KPI 2)

Strengthen cybersecurity and privacy by design through the establishment of a
European security certification / European trust label (also following European
regulations / standards) for sensitive IT components. (KPI 2)

Support European / National procurement for sensitive applications and use
European cybersecurity trust labelled products, for instance in European bids
and first of all in European infrastructure (space, transport, energy,
communication etc.), and as a tool to support emerging tools and services. (KPI 2)
8.3.2.1 New certification processes
The current European certification process for security products is a worldwide reference and it is used in most of
the countries in the world that want to have a product resistant to potential attacks. It is even referenced by the
major payment brands for their security certification.
The new European certification process shall be based on this long-term experience and follow the provisions of
Regulation 765/2008 and Decision 768/2008. It should be extended to follow the new cybersecurity eco-system.
Certainly, the proposed approaches relate not only to critical infrastructures but also to any (hyper-) connected
infrastructure, and are even applicable to SMEs and private consumers.
8.3.2.1.1 Evolution of the Mutual Recognition Agreement in the European Cybersecurity landscape
Common Criteria evaluation scheme and European SOGIS MRA shall be leveraged and extended. A sector approach
(energy, automotive, health, …) should be developed further together with the active participation of private
stakeholders: the deployment of a security certification scheme supported by advanced Technical Communities
(aTCs) can be considered. SOGIS MRA members and private stakeholders - suppliers and evaluation labs – will work
jointly in advanced Technical Communities to run per-sector security certification schemes.
An advanced Technical Community (aTC) should:

Reference Common Criteria standard as the basis for security evaluations

Reference Common Criteria Levels of Assurance (EAL) as minimum security levels, or determine and
standardize specific Assurance packages suiting the specific products, objects, and applications to have a fair
competition approach

SOG IS MRA and CCRA certificates should be considered, with their corresponding EAL levels

Write collaborative Protection Profiles, without a-priori restrictions on security levels nor evaluation
methods.
The above generic aTC governance rules should be defined by the WG on Standardisation, Certification and European
Label.
In addition to the sectoral approach, new efforts are needed to define security and privacy building blocks /
components to be certified. ICT devices related to various or converging sectors, e.g. mobile payment, could be
certified more easily and faster if they comprise already certified building blocks / components. Alternatively, the
component certification can be used to prove a label for security and privacy (see chapter 4.3.2).
Within the cPPP, the WG on Standardisation, Certification and European Label should be mandated to define all the
points above.
Have clear definition of Evaluation Assurance Level
The EAL (existing or to be specifically defined) provides an increasing scale that balances the level of assurance
obtained with the cost and feasibility of acquiring that degree of assurance.
Establishment of a European certified trademark is a key marketing / positioning issue. This could be supported by
ENISA as the general umbrella, using in the operational mode the nationally licensed laboratories and qualified
certification bodies following common procedures agreed by the national cybersecurity Agencies (National
CERT, which will be developed in all European countries as requested by the NIS Directive) for test, validation and
certification of European cybersecurity solutions.
The European certified trademark should be compliant with existing SOGIS MRA rules & with its extension proposed
in the chapter here below “new certification process”.
The platforms and the related marketing activities, developed with the support of European funds (e.g. structural,
scientific infrastructure) should be used for static and dynamic code analysis, security validation, proof of concepts
and demonstrations.
A testbed will allow security solutions to be tested, and this will be especially beneficial to SMEs, which do not always have
the resources to pay for the hardware necessary to test and validate concepts and innovative solutions. Moreover, SMEs
lack demonstration platforms because they require space. A testbed will increase collaboration within the European
cybersecurity industry and the interoperability of European solutions. In addition, it can also be a shop window to showcase
European solutions and could thereby increase market visibility.
The mentioned independent platforms could also provide assessment of non-European components / equipment /
services / software that cannot be mastered (developed or produced) in Europe (for whatever reason) but that are
used in critical European / national systems (validation of all links of the security chain). This assessment
infrastructure should guarantee that the components used in our systems are secure (secure certification / quality
label and respectful of European values).
Envisaged actions (with links to KPIs)

Creation of a European validation and certification infrastructure for
providing assessment on cybersecurity and secure ICT products. (KPI 2)

Definition of the generic aTC governance rules, and applicable standards for
the certification methodology (ISO CC). This task should be handled in the
WG on Standardisation, Certification and European Label. (KPI 2)

Accreditation of any new aTC creation should be put in place with the cPPP
at the WG on Standardisation, Certification and European Label (KPI 2)
8.4 Societal aspects
As pointed out in the NIS Platform WG3 SRA, the development and implementation of awareness-raising campaigns
on cybersecurity for society at large, including companies (large and especially SMEs) and citizens, is of major
importance, as ICT and its applications are changing so rapidly, along with their associated risks. While it is
currently unclear who is best placed to take responsibility for these activities and would have the resources needed,
national initiatives exist. For instance, in Portugal, public and private organisations have joined forces in the recently
announced prevention seminars targeted to businesses and residents 15. While these are often focused more on
the concept of safer communities as a whole, the joint model is highly relevant to the cybersecurity domain as a
whole.
Therefore, cPPP members could, with the support of ENISA, relevant actors from Member States and the
other countries participating in the cPPP, and the expertise of H2020 projects, spearhead a paradigm shift
in awareness-raising campaigns on cybersecurity aimed at a wider variety of public and private
stakeholders.
The cPPP could act as a catalyst in this awareness raising activity as they could be responsible for centrally collecting
information that could be used from various sources, from projects, Member States, other countries participating in
the cPPP, trans-European bodies (ENISA) and they would be well placed to assist in the planning and implementing
of raising awareness activities, if given proper resources.
The benefit of having the cPPP carrying out a central role in this activity would be their close proximity and
awareness to the stakeholders that would gain maximum benefit, if given the right information within a reasonable
time frame to attain maximum benefit.
Envisaged actions (with links to KPIs)

Encourage Member-States and the European Institutions to organise trans-European
awareness campaigns around cybersecurity particularly
dedicated to SMEs and citizens. ENISA could play a role in these
communication actions. This could take the form of regular (at least
quarterly) information provision of tangible examples about how
cybersecurity solutions contribute to the day-to-day life of European
citizens and the economic sector by using various communication channels
like social media, web, video, etc. (KPI 14)

Develop, possibly with the support of ENISA and in coordination with public
and private companies, material for market awareness and board room
“education” better suited for European businesses (large and small), while
also supporting Member States and the other countries participating in the
cPPP with less developed capabilities in cybersecurity through European
training and awareness programmes. This could take the form of awareness
and information actions for promoting the PPP activities to a broad range
of stakeholders: events with European and National Institutions, targeted
Newsletters, targeted use of social media, etc. At least quarterly events,
provision of information via media outlets, email and/or other social media
postings (without being too intrusive) to continuously raise awareness of
cybersecurity starting from 2017. This should include adequate
dissemination of cyberthreat and vulnerability information (as a major
awareness building element) along target group oriented channels ranging
from CERT newsgroups and trust circle exchange groups for corporates
down to simple, easy-to-understand and appealing social media or mobile
app distribution of information to consumers. (KPI 14)
15 http://www.theportugalnews.com/news/new-initiatives-aimed-at-tackling-cybercrime-announced-at-cascais-seminar/37356

Provide and regularly update a review of European cybersecurity
companies and their services to ensure that European companies have an
overview over interesting start-ups all over Europe: visibility to European
companies and their products, in particular for SMEs but also for larger
companies. This could be carried out in a more strategic way, with the
holding of an annual cPPP conference, which can be used to highlight these
issues and solutions being offered and researched. (KPI 14)

Use urban communities’ initiatives to involve citizens in cybersecurity
exercises, with a focus on linking cyber-exposure and risks levels to citizens’
actions. This element is key in increasing the understanding of citizens of
their own role in increasing cybersecurity. (KPI 14)
9 Key Performance Indicators KPIs
The European Cybersecurity cPPP has three main strategic objectives:

The protection from cyber threats of the growth of the European Digital Single Market

The creation of a strong European-based offering and an equal level playing field to meet the needs of the
emerging digital market with trustworthy and privacy aware solutions

The growth and the presence of European cybersecurity industry in the global market.
To reach these objectives, the Cybersecurity cPPP should leverage complementary work:

The coordination of R&I in the frame of H2020 characterized by a cross-sectoral, technology-neutral,
interoperable, and holistic approach

The development of industrial policy activities to support the growth of the cybersecurity and ICT industry in
Europe and broadly deploy innovative solutions and services for the most economically important and
growing end markets as well as for security sensitive applications
To achieve maximum leverage for impact all proposed cPPP activities will:

be designed and deployed to be technology-neutral, interoperable and transparent;

combine security and privacy improvements – not only partially but with positive, measurable impact for the
system solution all along the value chain;

elaborate and indicate a reasonable level of security and give a workable guideline for supportive policy
activities such as certification and labelling;

provide evidence how the approach enhances trust and acceptance by citizens, consumers and businesses.
To better follow these objectives and the activities of these work streams, we introduce hereafter Key Performance
Indicators (KPIs).
They are defined for all stakeholders engaged in the cPPP, from industry, SMEs, associations and research organisations
to Member States, other countries participating in the cPPP and the European Commission. The KPIs are used to give
guidance to any planned contribution or proposal and they can be used as evaluation criteria to select the best
initiatives spurring Europe to become leader in creating and using secure and privacy respecting solutions.
Starting from the approach of the NIS-P WG3, the SRIA has defined a number of technical and non-technical
priorities in a bottom up approach considering the inputs of experts from different sectors and using existing
material produced from several communities (including the NIS WG3 SRIA as planned). These priorities will be
regularly reviewed by the cPPP members to better adapt to the evolution of needs.
Moving to the cPPP industry driven context, these priorities have been analysed in a top down view, in order to
provide a consistent and sustainable strategy for the protection of the DSM and the increase of European digital
autonomy to secure sensitive applications.
The proposed KPIs structure therefore reflects the way in which an industry driven cPPP will be implemented.
KPIs do not always suggest quantitative objectives, but seek to identify the evolution of certain
parameters (the “indicators”) which could show, year by year, the evolution of the market and of the cyber / ICT
security ecosystem.
The KPIs are divided into 3 main categories:

Industrial Competitiveness;

Socio-Economic Security;

Implementation and operational aspects of the cPPP.
Certain KPIs are directly related to funding and activities foreseen in the cPPP and, as such, they can be more easily
measured. Yet, they have a real impact on the main cPPP objectives only when H2020 funded projects are showing
results. Thus, it could take a few years before planned actions will start to generate significant value and some of the
objectives mentioned for the following KPIs could be reached only at the end of the initial cPPP period (i.e. 2020).
Other KPIs, in the first years of the cPPP, are closer to present market values and will only progressively be affected
by the industrial policy actions envisaged in the cPPP approach. These KPIs have an indirect impact to the cPPP but
are important to provide the status and evolution of the market, to better track progress in the implementation of
the cPPP and the uptake of the innovations created through the R&I work stream.
The KPIs here presented are considering the main topics that will allow tracking the objectives of the cPPP.
Industrial Competitiveness
KPI 1: MARKET DEVELOPMENT
Description: Evolution of cybersecurity revenues in the European and global market, including positioning and
market share of the European industry
KPI 2: FROM INNOVATION TO MARKET: STANDARDS, TESTING, CERTIFICATION AND TRUST LABELS
Description: Contribution to standards, use of testing, validation, certification infrastructures as well as European
trust labelling procedures, best practices and pilots for innovative elements of the supply chain
KPI 3: USERS AND APPLICATIONS
Description: Increased use of cybersecurity solutions in the different markets / applications, implementing
Europe-wide strategic projects for specific deployments of existing or near-to-market technologies that
demonstrate the potential impact of cybersecurity products across sectors.
KPI 4: PRODUCTS and SERVICES SUPPLY CHAIN
Description: development of the European cybersecurity industry and of the European cybersecurity capacities.
KPI 5: SMEs
Description: support the creation and development of start-ups having products and services that effectively
reach the market.
Socio-Economic Security
KPI 6: EMPLOYMENT
Description: Develop employment in cybersecurity sectors (supply and users / operators)
KPI 7: ECOSYSTEM: EDUCATION, TRAINING, EXERCISES
Description: Development of cybersecurity education and training for citizens and professionals to enhance the
awareness of threats and needed skills for safe use of IT tools.
KPI 8: PRIVACY & SECURITY BY DESIGN
Description: Development and implementation of European approaches for cybersecurity, trust and privacy by
design.
KPI 9: DATA AND INFORMATION EXCHANGE & RISK MANAGEMENT
Description: Facilitate process for information sharing between national administrations, CERTs and Users to
increase monitoring and advising on threats; better understanding risk management and metrics.
KPI 10: IMPLEMENTATION OF LEGISLATIONS
Description: Implementation of the NIS Directive and market driving Regulations / Guidelines
Implementation and operational aspects of the cPPP
KPI 11: INVESTMENTS / LEVERAGE
Description: Investments (R&I, capability, competence and capacity building) in the cybersecurity sector defined
by the ECS cPPP objectives and strategy.
KPI 12: cPPP IMPLEMENTATION MONITORING
Description: Efficiency, openness and transparency of the cybersecurity cPPP implementation process.
KPI 13: COORDINATION WITH EUROPEAN and THIRD COUNTRIES
Description: Coordination of the cPPP implementation with EU Member States, Regions, other countries
participating in the cPPP and Third Countries.
KPI 14: DISSEMINATION & AWARENESS
Description: Dissemination and awareness raising, making the cybersecurity cPPP action and results visible in
Europe and globally, to a broad range of public and private stakeholders.
10 Contributors
This document is based on several previous documents prepared by NIS WG3 and other organisations such as EOS,
so credit also goes to those. Below is the list of experts who directly contributed in the cPPP SRIA WG
coordinated by Fabio Martinelli.
Hendrik
Luis
Eric
Juan
Ana
Pascal
Abma
Antunes
Armengaud
Arraiza
Ayerbe
Bisson
European Cyber Security cPPP Strategic Research & Innovation Agenda
hendrik.abma@eusemiconductors.eu
lfa@dcc.fc.up.pt
eric.armengaud@avl.com
jarraiza@vicomtech.org
ana.ayerbe@tecnalia.com
pascal.bisson@thalesgroup.com
Thomas
Rolf
Menouer
Geraud
Alexis
Jim
Fabio
Piero
Alexandru Cătălin
Christian
Zeta
Jürgen
Andreas
Thomas
Matthias
David
Detlef
Paul
Klaus-Michael
Artur
Jacques
Peter
Helmut
Johan
Salvador
Irene
Jorge
Volkmar
Stefan
Fabio
Marina
Gisela
Alessandro
Stefane
Gerd
Mats
Victor
Veronique
Carlos
Aet
Kai
Luigi
Raul
Erkuden
Stephen
Martin
Eva
George
Pauli
Thomas
Franck
Miroslavas
Javier
Bleier
Blom
Boubekeur
Canet
Caurette
Clarke
Cocurulo
Corte
Coşoi
Derler
Dooly
Eckel
Eckel
Fitzek
Fisher
thomas.bleier@t-systems.at
rolfb@sics.se
boubeKM@utrc.utc.com
geraud.canet@cea.fr
alexis.caurette@atos.net
jclarke@tssg.org
fabio.cocurullo@selex-es.com
Piero.Corte@eng.it
acosoi@bitdefender.com
christian.derler@joanneum.at
zdooly@tssg.org
Eckel.J@ikarus.at
andreas.eckel@tttech.com
thomas.fitzek@infineon.com
Matthias.Fischer@bmi.bund.de
Ginard Pariente
Houdeau
Kearney
Koch
Krukowski
kruse-brandao
Leitner
Leopold
Lindberg
Llopis
Lopez de Vallejo
López Hernández-Ardieta
Lotz
Marksteiner
Martinelli
Martinez
Meister
Menna
Mouille
Muller
Nilsson
Paggio
Pevtschin
Prietos
Rahe
Rannenberg
Rebuffi
Riesco Granadino
Rios
Rhodes
Ruubel
Schultz-Kamm
Sharkov
Stigell
Stubbings
Thomas
Tribockis
Valero
DGINARD@minetur.es
Detlef.Houdeau@infineon.com
paul.3.kearney@BT.COM
KOCH@technikon.com
Artur.Krukowski@rfsat.com
jacques.kruse-brandao@nxp.com
peter.leitner@synyo.com
helmut.leopold@ait.ac.at
johan.lindberg@vinnova.se
salvador.llopis@eda.europa.eu
irene.lopezdevallejo@digicatapult.org.uk
jlhardieta@minsait.com
volkmar.lotz@sap.com
stefan.marksteiner@joanneum.at
Fabio.Martinelli@iit.cnr.it
marina.cdti@sost.be
Gisela.Meister@gi-de.com
alessandro.menna@finmeccanica.com
Stefane.Mouille@gemalto.com
gerd.mueller@secunet.com
mats.f.nilsson@ericsson.com
v.paggio@nbu.cz
veronique.pevtschin@eng.it
carlos.prietosaiz@sgs.com
aet.rahe@guardtime.com
Kai.Rannenberg@m-chair.de
luigi.rebuffi@eos-eu.com
raul.riesco@INCIBE.ES
erkuden.rios@TECNALIA.COM
stephen.rhodes@culture.gov.uk
martin.ruubel@guardtime.com
eva.schulz-kamm@nxp.com
gesha@esicenter.bg
pauli.stigell@tekes.fi
thomas.stubbings@tsmc.at
franck.thomas@eurosmart.com
miroslavas.tribockis@mil.lt
jvalero@ametic.es
Edgar
Artsiom
Arvydas
Weippl
Yautsiukhin
Zvirblis
EWeippl@sba-research.org
artsiom.yautsiukhin@iit.cnr.it
Arvydas.Zvirblis@smn.lt
11 Annexes
11.1 Detailed technical topics with timeline
11.1.1 Assurance and security and privacy by design
11.1.1.1 Scope
The “quest for assurance” in cybersecurity is a long-standing issue with many facets and related aspects. It is
commonly agreed that, in order to be effective, security, privacy and trust considerations should be involved from
the very beginning in the design of systems and processes (i.e. security/privacy/trust by design). This entails a whole
series of activities, ranging from social and human aspects in the engineering process to the certification that the
developed systems and processes address the planned security/privacy/trust properties.
In addition to the aim of building a secure system, we often need to prove (through evidence) that the system is
secure. This is also necessary when considering systems of systems, whose security could depend on the security of
subcomponents. The engineering process of the systems should thus take into account those
security/privacy/trust/compliance requirements and should consider, in addition, notions of cost and risk in the
development process as well as in the system lifetime.
This process of enabling assurance techniques and processes can be addressed by regulators. Indeed, the
introduction of regulatory actions could ease the adoption of assurance techniques (having a benefit on the overall
security level of the infrastructures, systems and products). It has been noticed that cost and risk are two relevant
factors in building and operating security-sensitive systems. The cost of developing security countermeasures should
be related to the assets to be protected (and often in the digital world these are less tangible). A strong component of
any risk management is the capability to predict the current strength of the system. Thus security and corresponding
risk metrics are crucial (as are other quantitative aspects of security).
For the sake of design and security evaluation complexity, the assurance techniques and processes as well as the
technological countermeasures are often focused on critical areas of the system, which are therefore partitioned
from less critical functions.
Starting from these considerations, residual risk could be managed with other approaches rather than just security
countermeasures.
11.1.1.2 Research challenges
We suggest structuring the research challenges along the dimensions of security / privacy by design, security /
privacy validation, and processes.

Security / Privacy by Design. By “security / privacy by design” we understand all methods, techniques and
tools that aim at enforcing security and privacy properties on software and system level and providing
guarantees for the validity of these properties. Since the required security and privacy properties depend on
the system context and the application domain, understanding these requirements and being able to
precisely define them is a prerequisite. Hence, security requirements engineering is part of this discipline.
In order to come up with practical, feasible techniques, emphasis should be on close integration with
existing software requirements engineering approaches (like, for instance, those based on UML, but with a
stronger focus on automation and modularisation) and the inclusion of risk considerations. The identified
requirements need to be formally traceable to security features and policies throughout all phases of the
secure development lifecycle, considering the complete system view (which might include assumptions
about the context that need to be enforced upon deployment). Research into secure engineering principles
supports this approach.

Secure (programming) languages and frameworks establish some requirements by default via enforcing
secure architectures and coding. While there is an existing body of research in the field, there are typically
good reasons why developers prefer potentially insecure approaches: performance, interoperability, ease of
use, etc. The challenge is to provide secure development and execution environments that are up to the
traditional environments with respect to these qualities, and still allow the flexibility and expressiveness
developers are used to (e.g., including higher order language constructs).

Security validation. Security validation comprises all activities that aim at demonstrating the security
qualities of (specified, implemented or deployed) software and systems. Hence, it includes formal
verification, static code analysis, dynamic code analysis, testing, security runtime monitoring, and more.
Since all of these methods have particular strengths and weaknesses, emphasis should not only be on their
individual advancement (which includes increase of automation, coverage analysis, modularisation,
soundness, efficiency), but also on the understanding of their complementarity. For instance, promising
results have been achieved by combining static and dynamic code analysis, and further combination and
interaction of different techniques is seen as a valuable approach towards managing complexity and
increasing the quality of results.

Metrics are key to understand the security status of a system under development or in operation. Hundreds
of metrics have been proposed, but they still lack a mapping to the actual risks that relate to a particular
measurement. Hence, metrics should be derived from risk models and assessments, taking technical and
business context into account and adapting to system and context evolution. This contributes to the
quantification of security and privacy risks, as an ingredient of balancing the cost of security measures and
their potential risk reduction.

Open Source Security. A significant share of today’s security vulnerabilities stems from the fact that typical
software applications are no longer monolithic but composed of hundreds, sometimes thousands of open-source
components, whereby each component’s life-cycle is disconnected from that of the application and
beyond the control of the application developer. A prerequisite for effective and efficient response
processes is, on the one hand, complete transparency of an application’s supply chain (with the ability to
track & trace every single application dependency) and, on the other hand, accurate and comprehensive
vulnerability intelligence, e.g., with regard to affected component functionality, code and versions. Based
thereon, application developers must assess the impact of a given open-source vulnerability in the context of
a specific application, and contrast it with alternative mitigations and related costs.

Methods for development of functionally correct and error-free security protocols and interfaces. Security
protocols and interfaces appear everywhere in secure system designs and their functional correctness and
security properties are key to guarantee the overall security of a system. To enable efficient development
and verification of security protocols and interfaces, tools and mechanisms for reliable and systematic
protocol verification are needed. Academic efforts in this area include e.g. formal methods for protocol
analysis based on model checking, epistemic logics and other formalisms. However, existing tools and
mechanisms are limited and would need to be extended and made more efficient to be able to handle the
complex real life protocols used in current security solutions where security features are deeply
intertwined with low level details of the system functionality. Further, there is a gap between languages and
descriptions used by typical security engineers and those used by existing tools. This gap needs to be closed
to bring the benefits of the academic work into industrial use.

Combination of functional safety and security. There is great interest in developing engineering methods
that can tackle functional and non-functional aspects at the same time. Security and safety are crucial,
for instance in the interplay of real time aspects (e.g. delays introduced by crypto operations). Safety critical
systems and applications increase the demands for dependability of systems and components; this extends
to Functional Safety (among others, ISO26262 certification), Security and QoS. Fault detection and handling
techniques for functional safety purposes can be applied to security and vice-versa; the same holds for error
propagation analysis, failure notification, safe state handling, etc. In other cases these techniques interfere
with each other. Understanding the synergy and mutual reinforcement opportunities is key to offering cost
effective secure and safe solutions. Additionally, degraded modes due to safety or security issues should be
taken into account, with a view to the role of cybersecurity in avoiding them and dealing with them.

Methods for developing resilient systems out of potentially insecure components. Building on research
performed in the context of composing (secure) service oriented systems and system assurance and
verification, models for specifying security and trust attributes of hard- and software components, that can
be formally validated and verified, provide a baseline for system development methodologies which must
guarantee a minimum (defined) level of resiliency for complex (cyber-physical) systems.

Cybersecurity architecture for application, network and subsystem levels. A cybersecurity and privacy
architecture is the result of unified and cohesive design principles, which are used to describe and model
how security services and countermeasures are adopted, provided and implemented considering the overall
system infrastructure and design, as well as running applications and processes. A cybersecurity and privacy
architecture should be structured as a modular composition of interconnected, possibly interdependent and
cooperating, security and privacy components and should specify how security components are structured,
arranged, interconnected and managed to maintain system quality attributes, fulfil security and privacy
requirements, and limit the impact on performance and service availability. It should result in an architecture
which efficiently and effectively addresses vulnerabilities and cyber threats, counteracts the effects of
cyberattacks, and maintains system security throughout a system's life cycle, from its design, deployment,
operation and maintenance, to its final decommissioning. A stronger level of security should be applied to
critical areas partitioned within the system: depending on the context, hardware-based roots of trust
(technology similar to the one used in smartcards or in eSE/HSM/TPM) should be used to ensure the
expected security. Such hardware-based roots of trust can conveniently be evaluated and certified and these
steps should in particular be done by European companies or entities. The work in this area should develop
methods, design principles, design patterns, mechanisms and technologies to enhance current
frameworks and mechanize the design process to yield repeatable designs of trusted architectures.
11.1.1.3 Expected outcome

Integrated assurance frameworks with risk and cost notions, able to merge security and safety aspects

End-2-end adaptive security engineering frameworks

Consideration of individual operating context and related risk exposure (and their evolution)

Security partitioning guidelines including the concepts of hardware-based roots of trust

Support of diverse deployment models (cloud, mobile, platform, platform services)

User-friendliness, i.e. easy to comprehend and evaluate evidence
11.1.1.4 Time line
Topic / Timeframe
Short (1-3)
Security / Privacy by Design
Medium (3-5)
Long (5-8)
Schemes for focused problem
areas
Generic
theories
frameworks
and
Security Requirements
Engineering
Requirements specification
and elicitation languages for
security, privacy and trust
Tool support
Fully integrated security
requirements engineering
Secure Engineering Principles
Security Guidelines, focused
tool support
Comprehensive methodology
and tools, Security IDE
Theoretical foundations and
supporting methods and
tools
Secure
Programming
languages, type systems
Integrated
secure
development and operation
frameworks
Integrated analysis based on
formal semantic models
Secure Languages and
Frameworks
Security Validation
Static and dynamic analysis
Integrated analysis
Metrics
Security Process KPIs
Security Quality KPIs
Open Source Security
Software
supply
chain
transparency, vulnerability
intelligence
impact
assessment
mitigation
Analysis of how Functional
Safety measures positively and
adversely affect Security and
QoS requirements
Analysis of options and trade-offs focus on optimizing
overall cost and avoid over-dimensioning at component
level
Combination of functional
safety and security
and
Secure and safe architectural
framework
Topic / Timeframe
Short (1-3)
Medium (3-5)
Methods for developing
resilient systems out of
potentially insecure
components
Assurance and verification
model
for
component attributes
Generic system-development
methodology
for
guaranteeing
defined
resiliency levels
Cybersecurity and privacy
architecture
Security
partitioning
guidelines
featuring
in
particular
hardware-based
roots of trust
Hardware-based roots of trust
integration within end-device
connected to the cloud
Long (5-8)
Tool support
11.1.2 Identity, Access and Trust Management
11.1.2.1 Identity and Access Management
11.1.2.1.1 Scope
Identity and access management (IAM) has gained in importance with every new personalized service on the
Internet. While identity management and access management are often mentioned together, there are subtle
differences, as e.g. the development of access control solutions shows. Several access control solutions have been
proposed over the years, including variations on the “classical” mandatory, discretionary, and role-based access
control models. In recent years, particular attention has been given to solutions departing from user authentication
and supporting credential-based and attribute-based authorisation. Credentials represent statements certified by
given entities (e.g., certification authorities), which can be used to establish properties of their holder.
Credential-based and attribute-based access control solutions make the decision of whether or not a party may access a
resource or service dependent on properties that the party may have and can prove by presenting one or more
certificates, and/or on properties associated with the resource/service. The basic idea behind these solutions is that
not all access control decisions are identity-based. For instance, information about a user's current role (e.g., doctor)
or a user's date of birth may be more important for deciding whether an access request should be granted than the
user's name as given on an ID card.
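The attribute-based decision described above can be sketched as follows. This is an added example, not part of the agenda: the issuer names, attribute names, policies and keys are hypothetical, and an HMAC stands in for the issuer's digital signature so that the code runs with the standard library only.

```python
import hashlib
import hmac
import json
from datetime import date

# Constructed issuer keys. HMAC stands in for the issuer's digital signature
# (assumption) so the example runs with the standard library only.
ISSUER_KEYS = {"medical-board": b"constructed-key-A",
               "civil-registry": b"constructed-key-B"}

# Which issuer is authoritative for which attribute (hypothetical trust policy).
TRUSTED_ISSUERS = {"role": {"medical-board"},
                   "date_of_birth": {"civil-registry"}}


def sign_claims(issuer, claims):
    """MAC over a canonical JSON encoding of the claims."""
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(ISSUER_KEYS[issuer], payload, hashlib.sha256).hexdigest()


def issue(issuer, holder, attribute, value, expires):
    """Issue a credential binding one attribute to a pseudonymous holder id."""
    claims = {"issuer": issuer, "holder": holder, "attribute": attribute,
              "value": value, "expires": expires.isoformat()}
    return {"claims": claims, "sig": sign_claims(issuer, claims)}


def verified_attributes(credentials, holder, today):
    """Return only the attributes whose credentials pass every check."""
    attrs = {}
    for cred in credentials:
        claims = cred.get("claims", {})
        issuer, attr = claims.get("issuer"), claims.get("attribute")
        if not isinstance(attr, str) or not isinstance(issuer, str):
            continue                      # malformed claim
        if issuer not in ISSUER_KEYS:
            continue                      # unknown issuer
        if issuer not in TRUSTED_ISSUERS.get(attr, ()):
            continue                      # issuer not authoritative for attribute
        expected = sign_claims(issuer, claims).encode()
        if not hmac.compare_digest(expected, str(cred.get("sig", "")).encode()):
            continue                      # claims altered after issuance
        if claims.get("holder") != holder:
            continue                      # credential belongs to someone else
        try:
            if date.fromisoformat(claims["expires"]) < today:
                continue                  # expired credential
        except (KeyError, TypeError, ValueError):
            continue                      # missing or unparsable expiry
        attrs[attr] = claims.get("value")
    return attrs


def age_on(dob_iso, today):
    """Age in full years on the given day."""
    dob = date.fromisoformat(dob_iso)
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))


# Hypothetical policies: every rule reads verified attributes, none reads a name.
POLICIES = {
    "patient-record": [lambda a, today: a.get("role") == "doctor"],
    "age-restricted-service": [
        lambda a, today: "date_of_birth" in a
        and age_on(a["date_of_birth"], today) >= 18],
}


def decide(resource, credentials, holder, today):
    """Grant only if the resource has a policy and all of its rules hold."""
    rules = POLICIES.get(resource)
    if not rules:
        return False                      # default deny
    attrs = verified_attributes(credentials, holder, today)
    return all(rule(attrs, today) for rule in rules)


if __name__ == "__main__":
    today = date(2024, 1, 15)             # constructed evaluation date
    wallet = [
        issue("medical-board", "holder-7f3a", "role", "doctor", date(2025, 1, 1)),
        issue("civil-registry", "holder-7f3a", "date_of_birth", "2000-05-10",
              date(2030, 1, 1)),
    ]
    for res in POLICIES:
        print(res, decide(res, wallet, "holder-7f3a", today))
```

A deployment would replace the shared-key MAC with asymmetric signatures, so that the relying party can verify a credential without being able to issue one.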
Several areas within IAM have developed and can be taken as a basis for further research and innovation.

Identity Governance and Administration (IGA). Solutions provide a set of processes to manage identity and
access information across systems. This can include (1) creation, maintenance and deletion of user’s (partial)
identities (2) governance of access requests – including approval, certification, risk scoring and segregation
of duties enforcement. IGA solutions support provisioning of accounts among heterogeneous systems,
access requests (either IT administered or via user self-service), and access to critical systems. Other typical
IGA capabilities include role management, role and entitlements mining, and identity analytics and
reporting. An IGA solution is typically tightly integrated with one or more user authentication (UA) solutions
in the target deployment scenario.

User Authentication (UA). UA vendors deliver software/hardware that makes real-time decisions for users
using an arbitrary end-point device to access one or multiple applications, systems or services across
multiple possible use cases. Vendors also deliver client-side software or hardware allowing end-users to
make real-time authentication decisions. While password methods are still most widely used, other
authentication methods providing higher trust levels have also been developed and adopted by the market.
Broad methods include (1) password-based approaches, (2) “out of band” techniques leveraging SMS, voice,
push and email factors among others, (3) hardware and software tokens, (4) biometrics, and (5) emerging
contextual authentication approaches among others. Like many other segments, mobile and IoT trends in
particular are creating new UA challenges and market opportunities, as well as providing new authentication
delivery options.

Identity as a Service (IDaaS). IDaaS has emerged as a cross-cutting market sub segment within IAM that
supports delivery of cloud-based services in a multi-tenant or dedicated/hosted delivery model that supports
IGA brokering, as well as access and intelligence functions to target systems on both customer’s premises
and in the cloud. IDaaS originally focused on web-application use cases, supporting SMEs with most of their
key applications in the cloud and with a preference for buying rather than building IAM infrastructure. IDaaS
providers typically create one-off connections to SaaS providers to support authentication, single sign-on
(SSO) and account management, with SaaS providers typically enabling API support. They then reuse these
APIs for multiple clients, relieving SaaS clients of the need to build their own client connections, and by
extension offer increased IAM automation.

eIDAS implementation: While the eIDAS regulation provides an advanced framework for the trustworthy
European interoperability of user authentication, there are still many implementation challenges. While
some areas are already being standardized, trust levels need to be synchronized and the respective risk
assessments need to be made. This includes the long-term stability of digital signatures, credentials and
other crypto-based mechanisms and their applicability to the respective applications, e.g. in
e-government. Existing national applications, e.g. the Estonian applications for e-Voting, e-cabinet and
e-residency, could be assessed for their applicability and trustworthiness in other countries.

Industry standardisation for multi-factor authentication: Industry groups such as the FIDO Alliance [16] are
developing technical specifications towards an open, scalable, and interoperable set of mechanisms to
reduce the reliance on passwords to authenticate users. They are also operating industry programs to foster
the successful worldwide adoption of their specifications and manage a consortium standardisation process
to prepare technical specifications and, upon maturity, submit them to recognized standards development
organisations.
Despite being a well-established market in its own right, the IAM marketplace is still a dynamic and growing one:
notions of extended enterprises and more advanced B2B interactions based on Internet services become more
commonplace, driven by e.g. cloud services, new hosting models and diversifying partners and relationships.
Developments such as the Internet of Things trigger diversity of form factors and capabilities of authentication tokens.
Hence, legacy IAM approaches are no longer sufficient. Core challenges exist around cross-domain authentication,
authorisation in new distributed contexts and the need to avoid monopoly situations and single points of failure
when users are authenticated and their authorisations are being checked. For end users to be able to build trust in
the digital society, they need to be able to understand the level of security they get from each provider and to control
the degree of identification they support.
11.1.2.1.2 Research challenges
The complexity of identity and access management infrastructures is often underestimated. As a result, currently only
very primitive solutions scale easily, but they ignore relevant stakeholder requirements and security concerns, e.g.
by transferring too much information for authentication, which can later be misused, e.g. for identity fraud.
The complexity of the advanced solutions therefore needs to be overcome.
[16] https://fidoalliance.org/

Usability of authentication: Overcoming the dangers caused by the sloppy use and management of
passwords will only succeed if the alternatives are usable and reasonably embedded into applications.
Strong authentication systems based on multiple factors can be implemented technically; however, the
more authentication steps are needed, the harder it is for users to comply with them and to accept and not
circumvent the systems. Therefore more specific research is needed for increasing the usability aspects of
authentication schemes, like choosing the appropriate degree of authentication (which factors in which
situation?), embedding authentication schemes into applications, and secure use of easy-to-sense but
sensitive information (such as biometric or location information).

Flexibility of authentication and authorisation: To support the appropriate degree of identification during
authentication and authorisation, the respective identity service providers need to offer enough choices, so
that users and relying parties can agree on a mutually acceptable way of authentication. This means e.g.
upgrading towards privacy-respecting technologies for authentication. Examples of scenarios with differing
requirements are consumer cloud storage services on the one side and tax declarations on the other side.
Protocols that allow the authentication and authorisation of users based on attributes (e.g., attribute-based
credentials) need to be fully developed and combined with electronic identities to provide a flexible
framework.

Partial identities: Research is needed to build technologies that allow users to separate their identities for
different aspects of life. While the basic concepts have been understood and are partly standardized in e.g.
ISO/IEC 24760 “A framework for Identity management”, they need to be implemented at both the
application and physical levels, enabling users to keep their partial identities partial and unconnected. The
respective innovations through anonymisation, pseudonymisation, tokenisation or use of purely ephemeral
data need to be progressed, including guidance on their degree of protection, so that they can be integrated
with standard consumer devices such as smartphones. Furthermore, research is needed on authentication in
services that do not require a persistent identity.

Certificate and signature sustainability: Identity certificates and other digital signatures need to survive the
test of time, i.e. their integrity needs to sustain the whole period of commercial relevance and/or legal
validity. Currently there are neither European wide standard criteria nor easy-to-use technical solutions in
place. The solutions that national archives are developing are only used for a very small part of all the digital
documents. Solutions for mainstream everyday use still need to be developed and trialled. The approaches
of member state committees advising on the sustainability of cryptographic operations (e.g. hash functions)
and key lengths need to be synchronised.

Scalability of authentication: Scalability has several facets. It refers to the number of transactions that need
to be supported as well as to the abilities of the respective devices. It also needs to cover the
management of sensitive authentication data. To be able to support the number of transactions expected a
thorough decentralisation strategy is needed. Research needs to establish ways to offer equivalent degrees
of authorisation via different and separate paths avoiding single points of failure. The abilities of devices
need to be considered especially in the context of the Internet of Things, where often very primitive devices
are sensing and processing very sensitive data, e.g. biometric data on user behaviour or body functions.

Interoperability of authentication: As interoperability via intermediaries is creating major overheads and
security risks more direct approaches to interoperability need to be researched and trialled, e.g. by
establishing flexible interfaces on the side of identity service providers, so that the relevant information can
be accessed by those who need it, be it users, who want to qualify towards relying parties or relying parties
themselves.
11.1.2.1.3 Expected outcome
Best practices in authentication are supported by usable technologies embedded seamlessly into
applications. Users don’t need to “help themselves” with passwords noted on post-its or similar media.

Users and relying parties are provided with the authentication choices they need to agree on a mutually
acceptable way of authentication avoiding over-identification delivering the degree of assurance and liability
appropriate for the respective service.

Citizens can enjoy the privileges of services needing strong authentication for exactly those of their
attributes that need to be assured.

Certificates and signatures sustain for at least as long as the corresponding documents and trust relations are
commercially relevant and/or legally valid.

Authentication operates in a distributed fashion without single points of failure on critical paths and
considering small scale devices as used in the Internet of Things.

Authentication operates in an interoperable fashion without overheads and additional security risks
11.1.2.2 Time line
Topic / Timeframe
Short (1-3)
Medium (3-5)
Long (5-8)
Usability of
authentication
Proposed extensions to
existing standards with
regards to usability and
seamless embedding
into applications.
New standard architectures,
tools and processes
available.
User-friendly client apps
match the usability of
physical wallets for 95% of
application cases.
Flexibility of
authentication and
authorisation
In typical
authentication and
authorisation
For all authentication and
authorisation scenarios there
is more than one choice for a
User-friendly client apps
match the usability of
physical wallets for 50% of
application cases.
In all authentication and
authorisation scenarios,
where legally allowed, users
Partial identities
Certificate and
signature
sustainability:
Scalability of
authentication
scenarios, e.g. access
to Internet or cloud
services, users and
relying parties have
more than one choice
for a way of
authentication.
way of authentication.
Efficient protocols for
unconstrained devices
Interoperable protocols for
constrained devices (e.g.,
smart cards and IoT devices)
Efficient protocols for
constrained devices (e.g.,
smart cards and IoT devices)
Solutions for
mainstream everyday
use are tested for
sustainability based on
basic European wide
criteria.
European wide assessment
of mainstream cryptographic
mechanisms for typical
authentication scenarios. At
least two different solutions
are assessed to sustain for at
least 15 years.
European wide assessment
of mainstream cryptographic
mechanisms for 95% of
authentication scenarios. At
least four different solutions
are assessed to sustain for at
least 15 years.
In typical
authentication and
authorisation
scenarios, e.g. access
to Internet or cloud
services there is an
option to avoid single
points of failure.
In typical authentication and
authorisation scenarios
including IoT scenarios
avoiding single points of
failure does not create extra
effort compared to the
standard solution.
In typical authentication and
authorisation scenarios
including IoT scenarios
avoiding single points of
failure and using privacy
preserving authentication is
affordable as standard
solution.
At least 3 different IoT
compatible
authentication
solutions are available.
Interoperability of
authentication
For typical
authentication and
authorisation
scenarios, e.g. access
to Internet or cloud
services. Identity
service providers offer
flexible interfaces so
that the relevant
information can be
requested for
certification.
In typical authentication and
authorisation scenarios users
and relying parties can
choose the attributes they
would like to be used for
authentication and
authorisation within limits of
e.g. consumer protection.
Scalable privacy-preserving
authentication solutions are
in the market.
In typical authentication and
authorisation scenarios
including IoT scenarios
identity service providers
offer flexible interfaces so
that the relevant information
can be requested for
certification.
and relying parties can
choose the attributes they
would like to be used for
authentication and
authorisation within limits of
e.g. consumer protection.
In typical authentication and
authorisation scenarios
including IoT scenarios
interoperable and privacy
preserving authentication is
affordable as standard
solution.
Interoperable privacy-preserving authentication
solutions are in the market.
11.1.2.3 Trust Management
11.1.2.3.1 Scope
Individuals need to be empowered to develop trust in digital services and/or apps so that they can make
informed decisions. This calls for methodologies and tools that focus not only on Security and Privacy by design but
also on Trustworthiness by design. It also calls for proper lifecycles to be covered, from development to management
(monitoring), going through important steps such as certification, distribution and deployment. This part has
also been highlighted in other focus areas.
When it comes to AoI 2, focusing on the Digital Interconnected society, Trust management has also been advocated in
many places since it is seen as key to fully embracing the Digital Society. As such, research on models for fostering
Trust at the collective layer has been called for, together with trust assurance, trust accountability and trust metrics.
Among others, what is expected here by AoI 2 is to enable Trusted (Cloud) Services to be developed in any layer
(IaaS, PaaS, SaaS) in order to reduce the consequences of the vulnerabilities at each layer; Trust models for the
digital civilisations (Trust areas for the “cyber world”); Security engineering embedding properties such as security,
privacy, trust and compliance in the very early phases of system and services design to increase trustworthiness of
systems.
Looking at AoI 3, concentrating on trustworthy (hyperconnected) infrastructures (and especially critical
infrastructures due to their importance for the European Cyberspace and the European Economy), research and
development on trust and trustworthiness management in the form needed is seen as a gap to be covered to achieve
the Vision. While AoI 3 shares a number of research actions with other AoIs, it also puts additional emphasis on some
or even brings new ones. Indeed, AoI 3 calls, as others do, for measurable indicators of trustworthiness, but here in
the combination of safety and security means for infrastructure. As such, it puts additional emphasis on the research
needed on security architecture for Trust and Trustworthiness measurement and management (calling not only for
reactive measures but also, and most importantly, proactive measures). Like other AoIs, AoI 3 also calls for users to be
provided with access to information that allows the confirmation of the trustworthiness of the infrastructure and its
services (even if partly), but also calls for increased trust in information sharing and some more freedom of
information legislation.
On a very specific aspect, cyber physical security and IoT security systems relate to physical objects that are
physically manufactured in various locations around the world before being shipped and distributed within their
area of usage, and in particular in Europe. Hence, manufacturing can be done outside of Europe while usage is
eventually in Europe. Initial security credential provisioning (personalisation) is a critical step within the system and
the chain of trust that must be ensured in a trusted manner no matter the security technologies employed.
11.1.2.3.2 Research challenges
We envisage the following research areas to be further investigated:

Computational trust models. There is a need to define sound computational trust models able to cope
with the heterogeneity of modern ICT infrastructures, ranging from IoT to cloud services. The computational
trust models should be robust enough to resist attacks such as defamation and collusion. New aggregation and
filtering approaches should be identified. Overall unified trust and reputation models/principles should
also be investigated.

Decentralized trust frameworks (e.g. blockchain). When dealing with trust, it is always relevant to be able
not to rely on single authorities but also to consider decentralized trust models, across several application
domains. Such models should be reliable, accurate and robust to attacks. Recently, methods such as blockchain
have emerged as a practical framework of interest. Methods for assessing trust in decentralized networks,
including distributed consensus making, should be investigated. The applicability of blockchain to
several other trust services, both in the public and private domains, should also be analysed.

Trust and big data. Big data heavily interplays with trust. On the one hand, we need to trust the collected
data, i.e. who the providers are, who manipulated the data, etc.; on the other hand, data help to define proper
trust and reputation systems, often based on evidence recorded by several parties. In particular, we need to
develop and monitor techniques for trusted information sharing (including several incentive schemes).

Trusted security credential provisioning and personalisation. Initial security credential provisioning is a
critical step within the chain of trust that must be ensured in a trusted manner no matter the security
technologies employed. In particular, if the manufacturing of the device cannot be done within an
environment that guarantees sufficient trust for security credential provisioning (e.g. subcontracting
factories outside of Europe), alternative systems and schemes must be envisaged, designed and
implemented. These can include, in particular, secure elements, which act as a hardware-based root of trust on
devices: they are highly secure, so that they retain their integrity regardless of the devices’ logistic processes,
and are manufactured and personalised within trusted environments.
11.1.2.3.3 Expected outcome
 Increased trust in the cyber world;

Wide adoption of blockchain technologies in several fields

Requirements for trusted security credential provisioning (e.g. trusted secure elements)

More efficient on-line Business
11.1.2.3.4 Time line
Topic / Timeframe: Short (1-3)
Computational and distributed models of trust: Methods to define, compute, and aggregated trust in complex domains
Decentralized trust frameworks (blockchain): Improved theoretical foundations should be investigated.
Trust and big data: Credibility and integrity of big data sources
Trusted security credential provisioning and personalisation: System architecture design enabling trusted credential provisioning
Medium (3-5)
Long (5-8)
Unified computational trust models able to cope with several scenarios
Applicability of decentralized trust models to several application domains
Integration of secure hardware-based roots of trust within systems from the application segments
11.1.3 Data security
11.1.3.1 Scope
A major characteristic of current and future systems and applications, which has been recognised by all different
viewpoints as represented by the AoIs, is the ever-increasing amount of valuable data that needs to be properly
managed, stored, and processed. Data can be produced by systems as a consequence, for example, of
interconnected devices, machines and objects in the Internet of Things, and by individuals as a consequence, for
example, of business, social and private life moving on-line, thus including data resulting from observations (e.g.,
profiling) and data intentionally provided (e.g., the prosumer role of individuals). As the value of data increases,
opportunities based on their exploitation and the demand to access, distribute, share, and process them grow.
Highly connected systems and emerging computing infrastructures (including cloud infrastructures) as well as
efficient real-time processing of large amounts of data (including Big Data methods and applications) facilitate
meeting these demands, leading to a new data-driven society and economy.
The collected data often are of a highly sensitive nature (e.g., medical data, consumer profiles, and location data)
and need to be properly protected. With data being stored and processed in the cloud, and being exchanged and
shared between many previously unknown and unpredictable parties, this protection cannot stop at a single
system’s border, but needs to be applied to the data over their full lifecycle, independent of what system is
processing the data, what access channels are used and what entity is controlling the data. Hence, a system-centric
view on security and privacy, including, among others, secure devices and infrastructures (cf. sections below), needs
to be complemented with a data-centric view, focusing on data lifecycle aspects.
Providing transparency on where data resides, who has access to them, and for which purposes they are being used,
together with mechanisms that allow the data owner to control the usage of their data, have been identified by all
AoIs as essential aspects of a data-centric view and a prerequisite of a secure and privacy-preserving digital life.
While research has already produced a number of relevant contributions (e.g., sticky policies, privacy policies, and
techniques for protecting data at rest), many challenges are still open, including enforcement and usability. These
challenges are not only of a technical nature: for example, lack of awareness of the value of data (and what data are
actually produced when engaging in digital life) has been mentioned as an inhibitor.
11.1.3.2 Research challenges
A variety of challenges need to be addressed to take advantage of the availability of large amounts of data in a
secure and privacy compliant way. These challenges should include at least the ones from AoIs and Landscape, and
cover issues related to the protection of data as well as the use of data for security.

Data protection techniques. The size and complexity of collected data in most cases leads to the use of
cloud technology and to their storage at external cloud-based repositories using cloud-based services, which
offer flexibility and efficiency for accessing data. While appealing with respect to the availability of a
universal access to data and scalable resources on demand, and to the reduction in hardware, software, and
power costs, the outsourced storage may produce the side effect of exposing sensitive information to
privacy breaches. The security and privacy requirements then create the need for scalable and well-performing
techniques allowing the secure storage and management of data at external cloud providers,
protecting their confidentiality from the cloud providers themselves. However, protecting data means
ensuring not only confidentiality but also integrity and availability. Integrity and availability of data in storage
means providing users and data owners with techniques that allow them to verify that data have not been
improperly modified or tampered with, and that their management at the provider side complies with
possible availability constraints specified by the data owner. The variety of data formats (i.e., structured,
unstructured, and semi-structured) makes the definition and enforcement of such techniques a challenging
issue.

Privacy-aware Big Data analytics. We are in the era of Big Data where the analysis, processing, and sharing
of massive quantities of heterogeneous data can bring many benefits in several application domains. For
instance, in the health care domain the data accumulating in health records can be at the basis of predictive
models that can lower the overall cost and significantly improve the quality of care, or can be used to
develop personalized medicine. The application of Big Data analytics, however, can increase the risks of
inferences that can put the privacy of users at risk. Anonymizing the sensitive data as a prior step can be of
help, even though it diminishes the utility of the data for the later analysis. We then need to develop
techniques addressing issues related to data linkage, the knowledge of external information, and the
exploitation of analysis results.

Secure data processing. Distributed frameworks (e.g., MapReduce) are often used for processing large
amounts of data. In these frameworks, cloud providers processing data might not be trusted or trustworthy.
There is therefore a need for solutions providing guarantees on the correct and proper working of the cloud
providers. This requires the design of efficient and scalable techniques able to verify the integrity of data
computations (in terms of correctness, completeness, and freshness of the computation results), also when
the processing of the data is real-time, and to ensure that data are distributed, accessed and elaborated only
by authorized parties.

User empowerment. For users or organisations there is great convenience in relying on a cloud
infrastructure for storing, accessing, or sharing their data, due to the greater availability, robustness, and
flexibility, associated with significantly lower costs than those deriving from locally managing the data.
Unfortunately, such convenience of resources and services comes at the price of losing control over the
data. Although cloud providers implement some data protection features, possibly demanded by legislation
and regulations, such protection typically consists in the application of basic security functionality and does
not provide the data owner with effective control over her data. This situation has a strong impact on the
adoption and acceptability of cloud services. In fact, users and organisations placing data in the cloud need
to place complete trust in the providers to correctly manage the outsourced information. There is
therefore a need to re-empower users with full control over their data, enabling them to wrap the data
with a protection layer that offers protection against misuse by the cloud provider.

Operations on encrypted data. The confidentiality of data externally stored and managed is often ensured
by an encryption layer, which prevents exposure of sensitive information even to the provider storing the
data. Encryption, however, makes data access and retrieval a difficult task. The problem of supporting
efficient fine-grained data retrieval has recently received the attention of the research community and led to
the development of solutions based on specific encryption schemes or on the use of indexes (metadata) that
support query functionality. With respect to the use of specific encryption schemes, any function can be, in
theory, executed over encrypted data using (expensive) fully homomorphic encryption constructions. In
practice, however, efficient encryption schemes need to be adopted. An interesting problem is then how to
select the encryption schemes that maximize query performance while protecting data according to possible
security requirements imposed over them (e.g., data should be encrypted in a way that the frequency of
values is protected). With respect to the use of indexes, we note that indexes should be clearly related to
the data behind them (to support precise and effective query execution) and, at the same time, should not
leak information on such data to observers, including the storing provider. Also, there may be a need to
combine indexes with other protection techniques (e.g., access control restrictions), and such combinations
should not introduce privacy breaches. The design of inference-free indexes that can be combined with
other protection techniques without causing privacy violations is an aspect that still requires further
investigation.

Provenance of data. The impact of data in our daily lives is growing. For instance, it is possible to collect
medical data from individuals via smartphones or medical “self-tracking” devices. The collection, analysis,
and use of these data allow people to take preventive actions or to make healthy choices. In this and other
scenarios, it is important to establish a given level of trust in the data. Tracking data provenance can then be
useful for: i) verifying whether data come from trusted sources and have been generated and used
appropriately; and ii) evaluating the quality of the data. The definition of a formal model and mechanisms
supporting the collection and persistence of information about the creation, access, and transfer of data is
therefore of paramount importance.

Query privacy. In several scenarios neither the data nor the requesting user has particular privacy
requirements but what is to be preserved is the privacy of the query itself (e.g., a query that aims at
retrieving information about the treatments for a given illness discloses the fact that the user submitting the
query is interested in this illness). It is therefore important to design efficient and practical solutions
(possibly exploiting the presence of multiple providers for increasing the protection offered) that enable
users to query data while ensuring the access confidentiality (i.e., protecting the data the users are looking
for) to the provider holding the data. Effective protection of query confidentiality requires not only
protecting confidentiality of individual queries, but also protecting confidentiality of access patterns.

Data-centric policies. When data are stored and managed by external cloud providers, they can be subject
to possible migrations from one provider to another one to balance the system load or to perform
distributed computations. This migration introduces many challenges with respect to the proper protection
of data confidentiality. In fact, each provider can use different security mechanisms and may be subject to
different security requirements (e.g., providers operating in different countries may be subject to different
legal regulations). When data are migrated from one provider to another, it is therefore important to guarantee
that the protection requirements characterizing the data are still satisfied. The fully distributed cloud
architecture, however, introduces a lack of traceability of the data and makes the correct enforcement of
such requirements complicated. To this end, we need to define: i) a model and language for easily
expressing the requirements on the data usage and for regulating information flows among different
servers/cloud domains; and ii) data-centric policies (i.e., policies attached to the data) that aim at facilitating
the enforcement procedure by allowing the access of the security policies anywhere in the cloud.

Economic value of personal and business data. The large amount of data collected, processed, and shared
ranges from personal data (e.g., user-generated content, social data, location data, and medical data) to
business data. The economic value of these large collections of data is increasing rapidly as technological
innovations are introduced. In this context, both users and organisations should be able to estimate the
economy-wide benefits achievable through the analysis of such large amounts of data to find the right
balance between the required information and the desired insight.

Big data storage. Protection and security of data, especially of those of public interest (data relevant to CII
and IIS) are crucial. The amount of data processed in both public and private sectors is growing and so is the
need for their storage. New forms of data storage such as cloud storage have thus appeared. Nevertheless,
the use of online services and clouds often leads to non-transparent security solutions of doubtful credibility.
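
For the "Secure data processing" item above, an added example (not part of the agenda) of one probabilistic way to check query results from an untrusted provider: per-row MACs bound to a table epoch cover correctness and freshness, and owner-inserted marker rows cover completeness. The rows, key, epochs and function names are constructed, and the marker-row approach is an assumption of this example.

```python
import hashlib
import hmac
import random

OWNER_KEY = b"constructed-owner-key"  # constructed; stays with the data owner


def row_tag(key, epoch, row):
    """MAC binding a row to the epoch (version) of the table it belongs to."""
    return hmac.new(key, repr((epoch, row)).encode(), hashlib.sha256).hexdigest()


def outsource(key, epoch, real_rows, n_markers, seed):
    """Owner side: add marker rows, shuffle, tag every row. Returns (stored, markers)."""
    rng = random.Random(seed)
    # Markers look like ordinary rows to the provider (assumption: rows are
    # stored encrypted); the readable "marker-N" ids are for this demo only.
    markers = [(f"marker-{i}", rng.randint(0, 99)) for i in range(n_markers)]
    table = list(real_rows) + markers
    rng.shuffle(table)
    return [(row, row_tag(key, epoch, row)) for row in table], set(markers)


def honest_provider(stored, lo, hi):
    """Range query lo <= value <= hi answered in full."""
    return [(row, tag) for row, tag in stored if lo <= row[1] <= hi]


def lazy_provider(stored, lo, hi):
    """Skips every other matching row, e.g. to save computation."""
    return honest_provider(stored, lo, hi)[::2]


def verify(key, epoch, result, markers, lo, hi):
    """Client side: returns 'ok' or the first integrity property that fails."""
    for row, tag in result:
        if not hmac.compare_digest(tag, row_tag(key, epoch, row)):
            return "correctness/freshness"  # forged row, or row from an old epoch
        if not lo <= row[1] <= hi:
            return "correctness"            # row does not satisfy the query
    expected = {m for m in markers if lo <= m[1] <= hi}
    if not expected <= {row for row, _ in result}:
        return "completeness"               # a marker that must match is missing
    return "ok"


def detection_probability(drop_fraction, matching_markers):
    """Chance that dropping rows independently removes at least one marker."""
    return 1 - (1 - drop_fraction) ** matching_markers


def detection_rate(trials, n_markers):
    """Empirical rate at which the lazy provider is caught over many tables."""
    real = [(f"patient-{i}", (7 * i) % 100) for i in range(8)]  # constructed rows
    caught = 0
    for seed in range(trials):
        stored, markers = outsource(OWNER_KEY, 1, real, n_markers, seed)
        result = lazy_provider(stored, 0, 99)
        caught += verify(OWNER_KEY, 1, result, markers, 0, 99) == "completeness"
    return caught / trials


if __name__ == "__main__":
    print("analytic, 4 markers, half dropped:", detection_probability(0.5, 4))
    print("empirical over 200 tables:", detection_rate(200, 4))
```

The check is probabilistic: a provider that drops only a few rows may miss every marker, so the number of markers trades storage overhead against detection probability.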
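
The frequency-leakage problem described under "Operations on encrypted data" above, as an added example (not part of the agenda): a deterministic keyed index exposes value frequencies to the storing provider, while a flattened index that caps how often a tag repeats hides them at the price of larger queries. The column, key, function names and the flattening approach are assumptions chosen for illustration.

```python
import hashlib
import hmac
from collections import Counter

INDEX_KEY = b"constructed-index-key"  # constructed; known to the data owner only

# Constructed plaintext column (one value per stored row).
COLUMN = ["flu", "asthma", "flu", "flu", "diabetes",
          "asthma", "flu", "flu", "asthma", "flu"]


def tag(key, value, salt=0):
    """Keyed index tag; the provider sees tags, never plaintext values."""
    msg = f"{salt}:{value}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def deterministic_index(key, column):
    """One tag per distinct value: precise queries, but frequencies are exposed."""
    return [tag(key, v) for v in column]


def flattened_index(key, column, cap):
    """Each tag is used at most `cap` times; a frequent value gets several tags."""
    seen = Counter()
    index = []
    for v in column:
        index.append(tag(key, v, salt=seen[v] // cap))
        seen[v] += 1
    return index


def query_tags(key, value, occurrences, cap):
    """Tags the client must send to retrieve every row holding `value`.

    `occurrences` is client-side metadata (assumption: the owner keeps a
    count, or an upper bound, per value).
    """
    n_salts = -(-occurrences // cap)  # ceiling division
    return {tag(key, value, s) for s in range(n_salts)}


def provider_lookup(index, tags):
    """Provider side: return the row ids whose tag appears in the query."""
    return [i for i, t in enumerate(index) if t in tags]


def provider_view(index):
    """What the provider can observe: how often each opaque tag occurs."""
    return sorted(Counter(index).values(), reverse=True)


if __name__ == "__main__":
    det = deterministic_index(INDEX_KEY, COLUMN)
    flat = flattened_index(INDEX_KEY, COLUMN, cap=3)
    print("deterministic index, tag frequencies:", provider_view(det))
    print("flattened index, tag frequencies:   ", provider_view(flat))
    print("rows for 'flu':", provider_lookup(flat, query_tags(INDEX_KEY, "flu", 6, 3)))
```

Flattening is not inference-free: the rarest value still stands out, and tags sent together in one query are linkable by the provider, which is the access-pattern concern raised under "Query privacy".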
11.1.3.3 Expected outcome

Secure and privacy aware data processing and storage

Advanced mechanisms that protect effectively users’ privacy and guarantee the confidentiality of their
sensitive data
Users have more control over their data

11.1.3.4 Time line
Topic / Timeframe
Short (1-3)
Medium (3-5)
Long (5-8)
Data protection
(confidentiality)
Models
expressing
(overall and flow) data
confidentiality
Efficient techniques for
enforcing the secure data
storage and management
Continuous Monitoring and Certification
of data confidentiality
constraints
Data protection
(integrity and
availability)
Model
expressing
(overall and flow) data
integrity
and
availability constraints
Provenance of data
Model
and
mechanisms
supporting the lifecycle of provenance
information
Secure data processing
Efficient probabilistic
techniques
for
assessing the integrity
of query results
Access
control
model
regulating
access
and
distribution of data and
computations
Design of inference-free
indexes
supporting
efficient
and fine-grained access
to encrypted data
Physical
design
of
encrypted data according
to operations to be
supported and possible
requirements
on
the
needed protection
Operations on
encrypted data
Techniques
enforcing
integrity and availability
constraints and verifying
compliance
Query privacy
Practical
solutions
exploiting
multiple
providers
for
protecting access and
pattern privacy
Data-centric policies
Requirements on data
usage and data flows
Static data-centric policies
User empowerment
Models expressing user
control constraints
Self-protecting solutions
Privacy-aware Big Data
analytics
Models
expressing
privacy properties and
policies suitable for big
data
Inference-free
analytics techniques
Adaptable data-centric policies
data
Model and metrics for
evaluating the economic
gain obtained from the
analysis of large collections
of data
Economic value of
personal and business
data
Big Data Security
Continuous Monitoring and Certification
of Data Integrity
Specification of usable
security
properties
and policies suitable
for big data
Verified enforcement of
security properties of big
data
Privacy-friendly
management
and
secure
big-data
11.1.4 Protecting the ICT Infrastructure
11.1.4.1 Cyber Threats Management
11.1.4.1.1 Scope
Before the era of the Internet, computer attacks used to spread in the form of viruses on floppy disks. However, the
advent of the Internet clearly demonstrated that attacks can compromise hundreds of thousands of computers in a
few hours or so. The ability to remotely compromise a computer coupled with the value that a compromised
computer may bring quickly moved organized crime into the cyber world completely changing the motives and
dynamics of the cybersecurity scene. Although the cyber attacker of yesterday was often seeking fame and peer
recognition through a massive cyberattack that would demonstrate his/her computer skills, the modern day attacker
prefers to stay below the radar, move around the Internet undetected secretly seeking financial and/or political
rewards.
Organisations today face what are commonly called "advanced persistent threats" or "APT": particularly
pernicious programs used by an attacker to obtain illegitimate network access and to remain unnoticed. The
objective of the APT is mainly sabotage or recovery of sensitive data, and it targets organisations with a high
informational and financial value, such as R&D centers, financial or defence industries.
To achieve their goals cyber attackers employ a number of offensive mechanisms including:

Malware: Malicious software is usually the most common mechanism to remotely control a computer. Being
installed immediately after a computer is compromised, malware is used to communicate with the attacker,
receive instructions and perform malicious and illegal tasks.

Botnets: Compromised computers, also called bots (from robots), are usually organized into networks called
botnets. These networks may grow as large as tens of thousands of machines, having significant firepower
that cannot be easily mitigated.

Buffer Overflows: In order to compromise a remote computer an attacker usually triggers some bug that
diverts the flow of control from its usual legitimate path to a path favourable to the attacker. Buffer
overflows are the most common such bug. They enable the attacker to write arbitrary data in the stack (or
heap) of a vulnerable process and even divert the flow of control to the attacker’s code. Although safe
programming languages and non-executable stacks have limited the effectiveness of software exploitation,
buffer overflows have not been eliminated and can still be used, coupled with new programming styles such
as return-oriented programming.

Exploit packs: attackers may use readily available exploit tools on the Internet that are available for free or
even for a small fee.

SPAM: Users have been and are still lured by attackers via unsolicited email messages. Such messages may
contain malware or may trick users into providing private information (such as passwords and credit card
numbers).
There are several research challenges related to cyber threats management.
11.1.4.1.2 Research challenges
 Advance threat modelling, focusing on complex attack scenarios mixing physical, logical, social-engineering
based attack steps, to feed system security toolset

Threat analysis/cyber intelligence. Threat intelligence is about collecting data, performing semantic analysis,
correlating, and deducing and implementing security actions (e.g. in SIEM …). Threat intelligence is the process
of generating intelligence on threats from multiple sources, thus improving the results of an investigation.
Threat intelligence is often presented in the form of Indicators of Compromise (IoCs) or threat feeds. Threat
intelligence requires organisations to understand themselves first and then understand the adversary. If an
organisation does not understand its assets, infrastructure, personnel and business operations, it cannot
understand whether it is presenting an opportunity to malicious actors. If an organisation does not identify what
malicious actors might be interested in within its own activity, it cannot properly recognize the intent of actors.
Threat intelligence is analysed information about the intent, opportunity and capability of malicious actors. As a
type of intelligence, it is still performed through the intelligence lifecycle: plan, collect, process, produce and
disseminate information. The key difference is that it is focused on identifying threats. This information must
be matched against an organisation to determine if the threat intelligence is valuable to that organisation.
This is where the planning phase becomes vital. If the organisation that is receiving threat intelligence does
not know how to identify what information is applicable to it, the threat intelligence will be mostly
useless. At some point, someone has to make the decision on whether the intelligence is applicable. It can be
the vendor tailoring it to your needs, it can be the customer and, ideally, it will be both. However, if no one is
tailoring threat intelligence, it is just an inapplicable mass of data. The ability to produce or consume threat
intelligence tailored to the organisation can provide actionable strategic and tactical choices that impact
security. One way to share tactical level threat intelligence, and in return help identify the bigger picture for
strategic choices, is through the use of Indicators of Compromise. Even if the environment is properly
secured, it is not realistic to assume that no successful attacks will ever take place. The amalgam of
interconnected, dynamic systems will not only affect the situational awareness of all entities, but will also
open new avenues of attack, such as cloud-based and IoT-based targeted malware. Just as a body needs an
immune system, it is essential to provide control and intrusion prevention systems to effectively monitor
the state of the environment and react against all kinds of (potential) threats - from punctual to severe and
continued. The challenge is to create such systems taking into consideration various factors such as the
massive amount of event sources, the interaction with related subsystems (e.g. trust management systems,
autonomous response systems), and the development of intelligent, adaptable, and interoperable detection
and mitigation mechanisms, among others. All of this while aiming to maintain several properties such as
scalability, autonomy, usability, fault tolerance, and responsiveness.

SIEM. The security information and event management (SIEM) market is defined by the customer's need to
analyse security event data in real time for internal and external threat management, and to collect, store,
analyse and report on log data for incident response, forensics and regulatory compliance. While larger
enterprises and government organisations will typically staff and maintain their own SOC, small and mid-sized
players are increasingly looking to MSSPs (Managed Security Service Providers) to provide SIEM-based
support. The delivery spectrum between MSS and SIEM, going through SIEM as a Service (aaS), needs to be
further investigated, as do the driving requirements. Further research also needs to be spent on the additional
features such a SIEM can provide in cooperation with other cybersecurity tools. Research should especially
target here: 1) the outputs of SIEM to feed wider correlation capabilities through other tools such as log
management systems, 2) SIEM distribution, 3) the capacity of next generation SIEM to deal with new detection
capabilities (e.g. log abnormal behaviours and data flows). The overarching goal here could be to research and
deliver an advanced SIEM at European level, embracing the needs of the Cybersecurity market and able to support
IoT, industrial control systems (ICS), 5G, …
o Indeed, the Internet of Things and/or (Critical) Infrastructure comprises various aspects, such as
wearables, smart homes and smart buildings, and suffers from fierce competition with a number of
proprietary apps, OS and/or protocols while waiting for the dominating ones to come.

Big Data analytics for Security. In the domain of big data analytics for security intelligence, big data
capabilities are envisioned to add predictive and proactive capabilities to existing security tools and systems.
With the inclusion of correct data sources and types and the application of adequate correlation functions
the threat environment and the attack surface can be analysed in real time and appropriate
countermeasures could be applied to prevent attacks, rather than responding to them. This would be a
major change and breakthrough from the current information security practice where attackers seem to be
one step ahead of the defenders. The underlying challenge in this respect is to be able to create a data set
that includes the correct inputs, then to correlate these inputs in the right context using the correct
analytical tools.
11.1.4.1.3 Expected outcome
 New threats are rapidly handled, solutions are found and the corresponding security practices are added to
the assessment routine of security system managers.

Wider range of data is available for a more comprehensive and precise security analysis

Security control and intrusion prevention systems become more efficient and adapted to new environments
11.1.4.1.4 Time line
Topic / Timeframe
Short (1-3)
Medium (3-5)
Long (5-8)
Advance threat
modelling
Proactive and effective
detection
Effective
and
efficient
detection
of
persistent
malicious activity
Automated mitigation
malicious activity
Threat analysis/cyber
intelligence
Automated
security
management based on
assets awareness
Actionable and adaptive
threat intelligence for to
date
&
to
come
cybersecurity tools
Anti-tampering
intelligence
SIEM
Improve solutions for
remote
security
information and event
Develop new approaches for
holistic SIEM
Incentivise
collaboration
between SIEMs.
of
threat
management
Big Data analytics for
Security
Determine the areas
where big data can be
used for improving
security, possible data
providers and required
data analysis
Develop privacy-preserving
methods
for
providing
sensitive data.
Implement security solutions
for security data collection
and analysis.
11.1.4.2 Network Security
11.1.4.2.1 Scope
Society, business and government depend more and more on the correct operation of networks, both global
ones (e.g., the Internet) and local ones: businesses shift to clouds, government provides its services on-line,
industrial systems become interconnected (IoT) and have access to the Internet, and people become attracted by the
endless utilities proposed by social networks. On the other hand, cyber criminals and terrorists also put more and
more effort into improving their capabilities and skills to compromise the networks, developing more sophisticated
and targeted attacks. These tendencies increase the need for advanced means of attack detection and prevention,
which will also take into account the changes ongoing in the networks and adjust their functionality for increased
complexity, speed and heterogeneity. Advanced attack detection and prevention systems are required for local
networks as well as for global ones, to detect and eliminate global threats, such as botnets.
11.1.4.2.2 Research challenges
 At the network level, research on security topics is especially required for security-by-design, risk
assessment, privacy and data leakage, attack/malware/misuse detection and mitigation, at all layers. This
includes both network usage and network management. On the usage side, network security research
needs to take into account the move towards network virtualisation, ubiquitous though heterogeneous
connectivity, and the general move towards Ethernet/IP as a unique transport over physical media for all
applications and services. On the management side, network security research needs to take into account
network deployment and management, connectivity, resilience of network operations under malicious and
accidental faults.

As the networking elements evolve on several dimensions (for example number of deployed units,
capabilities, and cryptographic operations required to implement secure communication), there is a need for
continuous transition on some of these dimensions. An immediate and well understood example is the
necessary transition from the IPv4 to the IPv6 protocol, which brings about new cybersecurity risks. Similarly,
the SSL/TLS protocols widely used for securely accessing web sites have been demonstrated to have
vulnerabilities in certain versions and require a transition across the entire infrastructure. These risks must be
minimized in order to successfully implement and secure these protocols both at the public administration
level and in private entities.

• Botnets and DDoS/DoS attacks protection. Botnets, used for the very common DDoS/DoS attacks, are
gaining in robustness, resilience and stealth. It is therefore necessary to raise awareness of defence
possibilities with regard to DDoS/DoS attacks. More generally, the detection of the activities of other types
of botnets on local and global network infrastructures should be developed.

• Network IDS. Intrusion Detection Systems are based on the “perimeter security” paradigm. That is, each
organisation has a clearly defined perimeter: everything outside it is not trusted and everything inside it is
trusted. The IDS monitors this perimeter to make sure that it detects any breaches. Unfortunately, this
security model is rapidly changing. The externalisation of IT resources to outside providers and new
approaches to hardware, such as BYOD (bring your own device), make the notion of the perimeter obsolete.
IDSes need to adapt in order to be able to work in an environment where there is no perimeter or where the
perimeter is assumed to have already been breached.

• Complexity in modelling attack patterns: rules have evolved from memoryless simple string matching to
stateful automata (such as regular expressions). Yet, this is sometimes insufficient to capture the attack
mechanism and describe it in a generic manner that will detect all the possible ways of carrying out the
attack exploiting a specific vulnerability. Also, the increase in the complexity of protocols makes modelling
their normal behaviour increasingly difficult. Speed: over the past few years network speeds have been
rapidly increasing. At the same time, IDSes need to invest more computing cycles per packet either checking
against more elaborate rules, or trying to detect sophisticated anomalous behaviours. These effects
combined put significant stress on the computing resources needed. Whole System Image: Although
traditional IDSes monitor only network events (such as incoming network packets), their efficiency and
accuracy can be significantly increased when they monitor the whole system image and correlate events
happening at several different points, such as correlating network packets with system calls and buffer
overflows. Collecting and correlating such data can be challenging, but it may be the only way forward.
11.1.4.2.3 Expected outcome
• More dependable and secure networks

• Safer transition from IPv4 to IPv6 protocol, and, in general, from obsolete protocols to new ones.

• Timely detection and destruction of Botnets

• Intrusion detection systems adapted to new (highly demanding) conditions, in order to efficiently provide
protection to modern networks.
11.1.4.2.4 Time line
Topic / Timeframe: Short (1-3), Medium (3-5), Long (5-8)

Network virtualisation and management
Short: Security of existing market trends and standards (SDN, NFV, 5G)
Medium: Virtual isolated networks with guaranteed independence of security properties
Long: Privacy-friendly and secure by design virtual network overlays for all applications and services

Security risks related to or requiring transition to new protocols (e.g. IPv4 to IPv6)
Short: Identify possible risks
Medium: Propose security solutions for these cyber risks
Long: Find best model for implementing the most appropriate solutions worldwide.

Botnets and DDoS/DoS attacks protection
Short: Improve existing tools for preventing seizing control over nodes (e.g., anti-viruses, scanners, etc.)
Medium: Develop new methods for botnet detection on global scale
Long: Prepare legal foundation and business models for fighting botnets and deploy the botnet detection and prevention mechanisms across the Internet

Novel Malware/Steganography in the Network/Novel Data Leakage
Medium: Provide anti-steganography countermeasures for real-world environments
Long: Provide line-speed detection and prevention of information leakage in complex documents formats (streaming, multi-layer embedding, etc.)

Network IDS
Short: Develop new models for network-wide IDSes.
Medium: Improve the capabilities in detection of attacks and in processing larger amount and higher diversity of information.
Long: Add the capability of automatic information sharing and search for solution.
11.1.4.3 System Security
11.1.4.3.1 Scope
All areas of interest identified and their ICT based instruments for gaining trust depend on a secure execution
environment and systems. Such secure execution environments include not only the execution platforms
themselves and the operating systems, but also the mechanisms (e.g. security supporting services, control and
intrusion prevention systems) that ensure an adequate level of security in the execution of all processes. Moreover,
it is also essential to approach this topic from a holistic point of view, where multiple execution environments
interact with each other due to the delegation and distribution of tasks. If these execution environments cannot be
secured, then major problems will arise.
For example, individuals cannot really control the data flows out of their domain, e.g. their mobile phone data, as
the mobile phone device platform can be manipulated by other parties. The same holds for anybody and any
institution that works towards a resilient digital civilisation: institutions in a civilisation need to provide reliable and
stable behaviour, e.g. when documenting facts (such as a crime scene or the ownership of real estate), making
decisions (on any kind of applications) and archiving the respective records for accountability. Any loss of integrity in
these processes is an opportunity for manipulation and possibly corruption. If it is easy to manipulate an institution’s
information processing, the institution’s integrity and reputation are at risk. With more and more information being
processed outside of secured premises (e.g. by a police patrol using a laptop or smaller device) the need for secure
execution environments and corresponding devices is rising. Last but not least many of the trustworthy
(hyperconnected) infrastructures depend on secure execution environments. This holds for institutions in the public
administration as well as for other critical infrastructures such as the health care sector, smart grids, and industrial
control systems for water, food/agriculture, nuclear, and chemical operation. Secure execution environments are
then even a critical factor for public safety.
11.1.4.3.2 Research challenges
• Secure execution platforms. In order to provide a secure execution environment, the platforms themselves
(e.g. cloud servers, mobile devices, processors in cars, IoT devices) must guarantee the secure execution of
all operating systems and services. However, this is not a trivial task. In current paradigms, like cloud
computing, the attack surface has expanded, and new risks and threats have appeared. We need to
overcome challenges such as malware exploiting and bypassing virtualized environments. Therefore, novel
methods for virtualisation and compartmentalisation need to be investigated including but not limited to the
hardware acceleration required to implement them efficiently, thus supporting the advanced research
performed in leading European providers of cores and system-on-chips. Moreover, personal devices (mobile
phones, tablets, etc.) will become key players. Thus, the platforms where the mobile devices will be running
should be trustworthy. For example, such devices might be based on a secure core that could help the
trustworthy engineering process and can also be used for monitoring trustworthiness at runtime.

• Operating systems security. Each application is only as secure as the OS it runs on. As a result, the isolation
of applications and the minimisation of the attack surface become a necessity. The benefits from
component-oriented design (i.e. reusability, adaptability) can be brought to operating systems by defining
standards to which operating systems components must adhere. This requires integrating the minimum TCB
(Trusted Computing Base) mindset with this software engineering approach, such as only running a small
subset of components in privileged CPU modes and running legacy OS components in virtualized or
restricted environments.
As we estimate that the usage of open source solutions as operating
systems and applications will increase in critical security devices, the defined principles and design guidelines
will have to be promoted to, contributed to, and supported in the open source software community, including, if
needed, the spin-off of secure versions of open source operating systems in cases where the respective
communities do not share the outlined vision.
From an implementation standpoint, it is also necessary to find a balance between low-level close-to-the-hardware
languages and safe languages that do not suffer from well-known vulnerabilities such as buffer
overflows. The research has to find the blend of technologies that allows both protection against
vulnerabilities and limited performance degradation while allowing the huge base of legacy programs to
continue to be used: technologies that span hardware assistance, compiler assistance, and run-time
assistance for a given programming language. Also, it is important to extend the secure boot and remote
attestation techniques to component-based OSs that can be updated at runtime. New patching strategies
must cover the upcoming scenarios of highly dynamic, resource-constrained embedded devices such as
sensors and control units. Finally, as a transversal concern, it is important to keep HCI (human-computer
interface) security and usability in mind.

• A secure execution environment requires several security-supporting services, such as data protection and
secure communication protocols. Software services can be complemented by the use of security-supporting
devices, such as specific cryptographic hardware (Hardware Security Modules). There are, however, several
issues that need further research in this particular topic. For example, the emergence of cloud services calls
for enhanced cryptographic techniques that enable encrypted processing, attribute-based cryptography and
policy-based decryption techniques, since they are the only way to ensure that data remains opaque in
transit, at rest, and during processing and accessible only to those with legitimate access. It is also of
paramount importance to address information leaking, side channels and covert communications, together
with off-the-record properties for encrypted channels, such as forward secrecy and plausible deniability.
Another issue is the implementation, in personal devices, of secure elements on top of the operating system.
The goal of these secure elements is to protect devices and allow them to protect themselves. For example,
devices such as assurance tokens and wallets could verify their respective controllers by an extra
communication channel, which demands a portfolio of communication and redundancy mechanisms. Also,
secure elements on mobile devices could allow the holder to influence the type of identification information
to be displayed.

• Even if the environment is properly secured, it is not realistic to assume that no successful attacks will ever
take place. The amalgam of interconnected, dynamic systems will not only affect the situational awareness
of all entities, but will also open new avenues of attack, such as cloud-based and IoT-based targeted
malware. Just as a body needs an immune system, it is essential to provide control and intrusion prevention
systems to effectively monitor the state of the environment and react against all kinds of (potential) threats, from punctual to severe and continued. The challenge is to create such systems taking into consideration
various factors such as the massive amount of event sources, the interaction with related subsystems (e.g.
trust management systems, autonomous response systems), and the development of intelligent, adaptable,
and interoperable detection and mitigation mechanisms, among others. All of this while aiming to maintain
several properties such as scalability, autonomy, usability, fault tolerance, and responsiveness.

• Secure Integration. As multiple systems and paradigms will interact with each other in a distributed and
dynamic environment, it is crucial to achieve a full secure integration of all of them. On this topic, several
areas need further research. Not only do we need to allow novel technologies to cooperate with each other
(using strategies such as compatible protocols or intelligent gateways), but also we need to consider the
migration of legacy systems, whose components and protocols are not usually up to the security and privacy
risks. Other issues, such as the security and privacy implications of scaling (up & down) storage systems,
need further investigation.
The complexity of integration with untrusted services and devices must also be carefully considered,
guaranteeing (formally proven) the E2E trust & security requirements through the chaining of services. Of
special interest will be the case of the BYOD (Bring your own device) paradigm. Another important area is
the interaction with mobile applications (Apps). They must guarantee privacy and integrity of the
information they handle in order to protect the data of their users. Hence, their integrity and compliance
need to be protected and they will potentially require dedicated evaluation methodologies - as the number
of these Apps is huge, and their life cycle pretty short - to verify that they do not harm the security level of
the platforms, for example by imposing the use of a specific path to a third party, or requesting services
(localisation, specific rights…) in contradiction with the security policy of the platform.

• Internet of Things and (Critical) Infrastructure comprises various aspects, such as wearables, smart homes
and smart buildings. Infrastructure (but not limited to critical infrastructure) is also central for this area. As
major aspects, security-enhancing technology standards (e.g. for communication protocols) and the
handling of legacy systems (e.g. old industry infrastructure or old building automation components which
are now connected to the Internet) must be addressed. Another aspect to be addressed is the monitoring of
IoT/infrastructures and the detection of attacks linked to the monitoring. In addition to this passive
(monitoring/detection) approach, research is required to further improve especially network level security
(e.g. secure routing, cryptography, network-level privacy).

• Secure update in the field. Many information systems cannot be stopped or halted for implementing critical
security updates. At the same time, these systems are also vulnerable to possible attacks. There is a need for
models, methods or approaches to install the required updates while the system still provides its functions.
Moreover, it should be possible to safely revert the update if an unknown error occurs during the installation. In
particular, the topic of upgradeable cryptographic engines for the new devices that will be produced needs
special attention, to ensure the long product lifetime expectancy in industries like automotive and industrial.
11.1.4.3.3 Expected outcome
• Design guidelines and products implementing secure execution platforms, including secure boot, remote
attestation, and virtualized environments

• Operating systems designed according to new security guidelines

• Security supporting services that allow data protection and device protection

• Control and Intrusion Prevention Systems that react intelligently and autonomously on input from multiple
sensing points

• Best practices for integration of secure components in a secure system with interoperability and
management in distributed systems

• Wide deployment of systems allowing secure updates in the field

• Definitions, criteria, and organisations that implement security certification and labelling program plus
supporting database for monitoring and notifications

• Industry adoption of upgradeable cryptographic engines
11.1.4.3.4 Time line
Topic / Timeframe: Short (1-3), Medium (3-5), Long (5-8)

Secure Execution Platforms
Short: Protection mechanisms for existing virtualisation ecosystems.
Medium: Novel approaches for secure HW/SW virtualisation.
Long: Development of trustworthy mobile platforms.

Operating Systems Security
Short: Secure component-based OS approach. HCI security.
Medium: Low-level, safe languages. Secure boot, remote attestation.
Long: Dynamic, resource-constrained patching.

Security-supporting Services
Short: Effective protection of IPv6 and other communication protocols.
Medium: Feasible crypto for cloud. Effective protection against side channels and data leakage.
Long: Secure core and self-protective devices.

Control and Intrusion Prevention Systems
Short: Effective monitoring and threat prevention on specific systems.
Medium: Integration of diverse control and intrusion prevention systems, interaction with other subsystems, intelligent threat analysis.
Long: Intelligent, holistic, autonomous defence systems against insiders and Advanced Persistent Threats.

Secure integration
Short: Identification of major hurdles. Definition of integration best practices.
Medium: Integration of several ecosystems, including apps and BYOD.
Long: Full interoperability and management of dynamicity in distributed environments.

Handling of Legacy Systems
Short: Provide better monitoring for legacy systems
Medium: Provide security solutions which protect but do not break legacy environments
Long: Replace legacy systems; make them upgradable

Secure update in the field (including of crypto engines)
Short: Develop new approaches for updating IT systems in the field
Medium: Implement new prototypes of “updatable” systems.
Long: Substitute the existing IT systems with new “updatable” ones.
11.1.4.4 Cloud Security
11.1.4.4.1 Scope
Cloud Computing is an approach in which infrastructure and software resources are provided by an external vendor
or by an internal IT department over the Internet. These resources are highly scalable and available at competitive costs,
which makes cloud services highly attractive for organisations that need to reduce their IT costs as well as improve
the flexibility of their IT service delivery. These benefits and the rapid acceptance of popular consumer Cloud enabled
services have led to increasing levels of interest in Cloud Computing. Normally, in such approaches, the
infrastructures, applications and data in the cloud are managed by the Cloud Service Provider (CSP).
As Cloud computing is increasingly used by citizens and organisations such as banks, hospitals, universities (e.g. to
store data), the security of cloud computing becomes ever more important. Cloud computing is a completely
internet dependent technology where client data is stored and maintained in the data center of a cloud provider and
the limited control over the data may lead to security issues and threats such as data leakage, insecure interfaces
and inside attacks. Cloud computing consists of segments which perform different operations and offer different
products such as software as a service, utility computing, web services and platform as a service. As cloud computing
involves many technologies (e.g. networks, databases, operating systems) it faces a broad variety of security
challenges.
Building trust and confidence in Cloud Computing services is, nowadays, one of the main challenges for
organisations, as well as other open issues such as the concern over maintaining data privacy, integrity and security,
how to handle regulatory compliance in a cloud environment, unproven service level agreements, the difficulty of
integration of existing applications and data, and so on. Voiced concerns are mainly related to the effectiveness and
efficiency of traditional governance and protection mechanisms, for example the collection of events by security
event and information management tools or forensics in the cloud, and maintaining the security and integrity of data
retained in the cloud, potentially where retained over many years.
Even though the security issues in the current cloud computing models are getting better, the fast evolution of cloud
models is already posing new challenges. The second generation, also known as “Future Cloud”, will
move from federated clouds to multi-cloud provisioning through a broker with lower trust levels.
The introduction of identity as a service (IaaS) is also making the cloud service chain more complex. Authentication and
authorisation in the cloud involve trust certificates and identity data spread across different trust silos.
The Future Cloud delivery model will likely be based on a wide range of trust agreements, identity management
options, and compliance mechanisms to ensure that other parties are adequately enforcing privacy and security. In
the Future Cloud computing scenarios, security will not rely solely on a set of static system configurations defined by
a human administrator, but on an ongoing adaptive process in which policy based techniques are used to provide
automated configurations to dynamically handle security events. The security management will follow the same
feedback loop encountered in network and systems management, which includes monitor, analyse, plan, execute.
On the other hand, mutability of identity attributes introduces the need to execute the usage decision process
continuously in time. One of the main problems in the Future Clouds is not assurance of an individual service, but
rather end-to-end (E2E) assurance, where we have to deal with services that offer their security assurances as well
as assess the security of their sub-services (including storage or computing services). Therefore, we first need to
define a common framework that enables providers to advertise their security events and allows customers to
monitor the actual security of a service.
The cloud paradigm also introduces a change in lifecycle aspects, characterised by the term “DevOps” – a seamless
integration of development and operation of systems, leading to continuous system updates (for instance, daily
software releases). In a DevOps environment, product security activities (development processes, testing, security
mechanisms) and operational security activities (configuration, system monitoring, alerting) need to go hand in
hand, calling for novel approaches to security management extending to the development phases, novel KPIs
considering the overall security posture of a dynamically evolving system, a higher degree of automation of
security-related development activities, security analysis as a continuous process, and more. There is also a big opportunity in
serving the DevOps model, since – if adequately addressed – it facilitates faster reaction to incidents and changing
threat landscapes as well as a continuous improvement of the security posture.
11.1.4.4.2 Research challenges
• Secure middleware. Security of public clouds, especially the ones that are reluctant to reveal the internal
details about implemented security protection, must be assured. The client must know that the service
acquired is protected enough for processing sensitive data. This can be achieved through both secure
software mechanisms and cryptographic hardware devices. Special attention should be devoted to assurance
that novel vulnerabilities are patched in a timely manner and appropriate countermeasures for new threats are installed
(e.g., placement algorithms).

• Secure Virtualisation. Cloud providers organise their services using virtual machines. This organisation raises
the risk of contagion of malware infections across virtual instances. Virtualisation techniques make it possible to
securely compartmentalize operating systems and applications of different criticality or owners and to retain
a level of control in case of an attack by accessing the host and isolating the infected virtual machine. Thus,
virtualisation architectures should enable full security/performance isolation at all levels. In addition,
container technologies are gaining momentum over hypervisors, especially in constrained environments, as
is the case for embedded systems. There is a need to analyse the data flow in hypervisors, applying
statistical machine learning to detect attacks and to efficiently detect possible contagion.

• Cloud integrity and remote attestation. Service providers in most cases do not have access to the physical
security system of data centres: they must rely on the security measures taken by the infrastructure
provider. An important research question related to this is how a situation can be reached in which service
providers and other parties involved can assess and evaluate the security measures taken by the
infrastructure provider. Trust mechanisms should be built on every architectural layer of the cloud.

• Multi-tier architectures. In the development of multi-cloud scenarios, trust, risks, self-healing and legal
compliance will be aspects to be considered. Secure cloud interoperability: the ability of separate clouds to
exchange and use each other’s data in a secure way. Many public cloud networks are configured as closed
systems which makes it difficult for organisations to benefit from shared data. A research challenge is the
development of industry standards that help cloud service providers to develop secure interoperable
platforms.

• Security levels negotiation. In the Future Cloud, the combination of a multitude of cloud services of different
nature for the provision of a composite service will call for the dynamic negotiation of the Service Level
Agreements with the providers. Dynamic in the sense that the selected combination may evolve depending
on the customer needs or the Cloud providers’ performance. There is a need for clear specification of the
required security measures and security levels in the contracts with the providers, as well as mechanisms
and tools that enable the automation of the negotiation, computation and control of the offered overall
security in the composite service.

• Continuous monitoring of cloud security. Empowering the user to control overall service
security in multi-cloud environments will require that understandable evidence is defined for each of the
cloud layers, and that systems for tracking and aggregating evidence (measures) are offered. The trust building
systems should rely on continuous monitoring mechanisms that are able to provide transparency of the
security behaviour of the cloud providers in use, while at the same time not overwhelming the user with
information and permission requests.

• Security in the DevOps paradigm. Advanced security management covering both development and
operational lifecycle path of the system; continuous, seamless and transparent improvement of security and
privacy posture, real-time adaptation of systems and services to changes in risk assessment and threat
exposure.
11.1.4.4.3 Expected outcome
• Concepts for secure multi-cloud environments, including security monitoring

• Secure virtualisation environments ensuring isolation for different architecture paradigms (e.g., virtual
machines, containers, etc.)

• Trusted cloud operational environment based on dynamic root of trust and anti-tamper security hardware

• Integrated security management frameworks for development and cloud operations
11.1.4.4.4 Time line
Topic / Timeframe: Short (1-3), Medium (3-5), Long (5-8)

Secure Middleware
Short: Incentives for public clouds to improve their security
Medium: Compliance (with a security standard) checking schemas for cloud
Long: Liability of cloud providers for providing weak security

Secure Virtualisation
Methods for detection of contagion of malware infections across virtual instances (e.g., by hypervisor)
Analysis of implications of container technologies on system security in comparison to virtualisation
Models and implementations of fine-grained virtualisation
Different virtualisation options for mobile devices
More secure methods of virtualisation
Analysis of performance penalties of container technologies and the comparison against hypervisor technologies.
Secure deployment options for applications using containers and/or virtualisation.
Machine learning techniques for detection of contagion across virtual instances by hypervisor
Virtualisation and container technologies for low-power devices
Improved usability in virtualisation for mobile devices

Cloud Integrity and remote attestation
Short: TPM based assurance methods for verification of basic security level
Medium: Remote (trusted) attestation of a cloud infrastructure by any external party.
Long: Dynamic remote attestation tests, which allow modification of tested parameters (i.e., with up-to-date security requirements, standards, etc.)

Multi-tier architectures
Short: Methods to express and specify security level by a provider
Medium: Methods for aggregation of security levels for a multi-tier architecture
Long: Dynamic ways to aggregate security levels for a multi-tier architecture

Continuous monitoring of cloud security
Short: Models of standard cloud security controls and metrics
Medium: Seamless monitoring of cloud security levels across layers
Long: Continuous monitoring of the security level in multi-cloud orchestration

Security levels negotiation
Short: Models for the specification of security levels in multi-cloud environments
Medium: Mechanism for automatic negotiation and combination of security levels with cloud providers
Long: Risk-driven mechanisms for automatic negotiation and combination of security levels with cloud providers

Security in the DevOps paradigm
Short: Security metrics and KPIs for development and operations
Medium: Secure software development for continuous delivery models: security controls, testing, patching
Long: Integrated standards, concepts and tools covering application security and security management
11.1.4.5 Trusted hardware/ end point security/ mobile security
11.1.4.5.1 Scope
Trusted hardware addresses a broad range of components, including IoT devices (which could be stationary and
mobile) and secure crypto-processors (e.g., HSM or TPM). All this trusted hardware is connected to a network
like the web or a mobile network (GSM, UMTS, LTE, 5G). There are some pre-requisites for trusting a connected device in
the field, whether it is used in the field of Critical infrastructure, Industry 4.0, Automotive (ADAS, V2V, V2X), Smart
City, Smart Home, Building Automation, Healthcare, Wearables or any other connected system.
Trusted hardware could have different form factors, such as: vehicle: connected car (V-2-V, V-2-I); machine:
industry 4.0; mobile device: smartphone, tablet, others; stationary device: PC, server, data bank, others; energy:
energy network train transportation; finance: finance network; governments: government 2.0.
Trust in IoT devices and nodes like Gateways, Routers, Connectors, Actuators, Sensors and End Nodes requires
trust in the components used and in the related implementation of those in the device.
Starting with the trust in the hardware, meaning the semiconductor components like application microcontrollers,
secure elements and sensor ICs, they need to fulfil basic security requirements and minimum standards, which might
differ between sectors like Industry 4.0 or Automotive.
The root of trust and the secure boot loaded from end nodes to the back end system is based on components with
secure key storage to offer security for deviceID and encryption. Securing keys in software only has never been
proven to be secure; therefore keys need to be stored in a certified tamper-resistant storage. Key security
features like mutual authentication of IoT devices (or strong authentication in critical infrastructures) or
authentication against backend systems, Secure Boot, Secure Firmware Update and secure authorized access to the
device and its generated data are essential functionalities to gain trust in an IoT device and are part of the
implementation.
All devices which are connected could be defined as cyber physical systems (CPS). It needs to be taken into account
that the definition of security for a complete system cannot be higher than the definition of security for the storage
of keys for cryptographic operations on IC level (e.g. in Common Criteria EAL4+). Raising the use of certified
components in IoT devices will therefore raise the general security level and should be a common objective.
Interoperability with other IoT devices within the infrastructure is a desirable objective.
IoT devices should be marked with security labels to generate trust into connected IoT devices towards citizens, end
users and businesses.
One of the main strategically axis for Mobile security is to protect the access of the future 5G European network. It is
strategic cybersecurity issue and a strong authentication protocol should be invented in Europe.
11.1.4.5.2 Research challenges
• Establish whether a peer review for a device, network, or system is trustworthy even if the domain is unknown or appears to be trusted. Peer review is already used for the eIDAS regulation in relation to eID notification; the Cooperation Network running under the Commission's responsibility should use a reference implementation for the future cybersecurity peer review for cybersecurity products and certification.
• Establish the threat posture to assume toward any peer entity in the heterogeneous environment. Currently, the level of trust afforded during interactions is defined as a dichotomy of trusting or not trusting the other party or parties. Identifying more nuanced approaches and determining whether those alternatives have practical value is an open problem.
• Dynamically measure the degree of trustworthiness in devices and systems as their software and operational environments change. Current approaches and implementations don’t work across domains, require significant investment in infrastructure for deployment, and suffer from a variety of other challenges.
• Discover trustworthy devices, systems, and networks, to ensure optimal risk levels of the common electronic processes. Currently, there are no viable approaches to optimizing processes based on trust establishment with other participants in the process (devices, networks, applications, or users).
• In order to work towards new approaches for trust, we need to determine what parameters could constitute the evidence of trust. Elements of trust evidence are known by many different names and have been defined for specific domains, e.g., mobile telephony. For example, the proof that a device or platform is running a good configuration, or the acquisition, path, and origin of data, are important. Most environments are dynamic, with entities (e.g., devices) joining and leaving during a process. Cross-domain processes are common (see a simple illustration of the issue in figure below).
• Tamper protection technologies. Anticipating new potential attacks on hardware and software is a key topic in preparing future cybersecurity products and services. The JHAS has created a unique forum for potential hardware attack methods, and we now envisage how to create the community for potential pure-software attacks.
• Cybox crypto certification. The challenge that white-box cryptography aims to address is to implement a cryptographic algorithm in software in such a way that cryptographic assets remain secure even when subject to white-box attacks. The certification of this new technology is also a key cybersecurity issue.
• Hardware protection. The increasing number of technology users and providers carries the risk of ‘backdoors’ intentionally planted into the hardware. Those may subsequently be misused, e.g. for strategic, personal, or sensitive data tracking and mining.
• Mobile Computing. Mobile computing comprises various domains, ranging from mobile telecommunications via cell phones to on-board computers in cars. The security of smart devices/smart phones, especially in the bring-your-own-device (BYOD) scenario, is a crucial research topic in this area. Another topic highlighted in the WG3 deliverables is protection from malware and data leakage (also in the cloud computing area). Forensics of mobile computing platforms and fraud protection are also research gaps here. BYOD is a main trend in organisations; several solutions have been described, but this is still a very relevant research challenge, mixing several of the topics previously mentioned.
• Sophisticated malware protection. The growing sophistication of malware and of attackers themselves significantly limits the options for attack source tracing, i.e. reverse engineering and forensic analysis (backtracking). These analytical procedures shall form part of the training of cybersecurity experts.
• Embedded security anchor for long lifetime devices. Overworked Secure element which allows field updates of SW, security functions and protocols. Specify HSE which allows re-programming hardware in FPGA. The field updates of SW and re-programming of hardware can be done along Trusted Execution Environment, White-Box cryptography or other approaches.
• 5G authentication to the Mobile operator network. A European standard should be created to harmonise the authentication of the future 5G network. This standardised authentication protocol should guarantee the highest level of security, as it will be the technology lock of mobile network security.
• Intrusion detection/prevention systems (IDS/IPS). There are several approaches to detecting and preventing malware intrusions on smartphones. They resemble the approaches used on PCs, but with specific features, since mobile phones have peculiar characteristics (such as the presence of sensors):
  o prevention-based approaches: using cryptographic algorithms, digital signatures and hash functions, important properties such as confidentiality, authentication or integrity can be assured; in this scenario, IDSs have to be running online and in real time;
  o detection-based approaches: IDSs serve as a first line of defence by effectively identifying malicious activities. Intrusion can be detected with two main approaches, anomaly detection and signature-based detection, i.e.
    • anomaly-based (anomaly detection, behaviour-based), which compares the “normal” behaviour with the “real” one;
    • signature-based (code-signature detection, knowledge-based, detection by appearance), based upon pattern recognition of specific features. Most current approaches rely on signature-based mechanisms. For anomaly detection, there are also some approaches, mainly focussed on specific levels of observation. These layers can be summarised as follows: user; application; virtual machine or guest OS; hypervisor; physical. Recently, multi-layer approaches have also been developed.
• Application security frameworks. There are several existing frameworks for the protection of applications for mobile devices:
  o Static mechanisms: These allow applications on a mobile device to be classified through code inspection at load time. Techniques such as control/data flow analysis, model checking and related activities have been adopted. Proof-carrying code techniques are also being investigated for embedding proofs of properties of application code in the downloaded package. Multi-criteria analysis methods have also been exploited to rank and classify the risks related to applications running on the devices (mainly based on static factors).
  o Application Policy Run-time Enforcement: The basic idea of these activities is to impose policies on specific applications and enforce them at run time through application monitoring. Several policy models can be enforced. Recently, usage control policies have been enforced on such devices, using rich authorisation and obligation languages (such as variants of XACML).
  o Hybrid approaches: Rich approaches in security merge static and dynamic approaches, such as security-by-contract, which merges proof-carrying code with run-time policy enforcement.
11.1.4.5.3 Expected outcome
• Build trustworthy IoT frameworks
• Develop secure execution devices able to work in untrusted environments
• Be able to build and operate long-living, secure, evolving devices / systems
• Cope with system vulnerabilities
11.1.4.5.4 Time line
Topic / Timeframe | Short (1-3) | Medium (3-5) | Long (5-8)
Cyber physical system with long lifetime | New standard on HSE/TPM/eSE, feasibility test | Product availability & certified | Standard plug-in of secure anchor
Establish whether a peer review | Establish the rules for the peer review using the eIDAS peer review group | Extend this concept of peer review in all security related topic |
5G authentication protocol | New European standard for 5G authentication protocol | Certification of the Protocol | Deployment in Europe
Smart Phones / BYOD | Embedded device protection (firewall, application-level firewall) | Operating system and application vetting and validation | Secure-by-design operating systems for secure and privacy-friendly enforcement of applications behaviour
Handling vulnerable IoT devices | Definition of vulnerable devices, related system vulnerability levels and related actions | Verification measures to link certified and deployed products; first tests of defined actions | Defined procedural and technical handling process of vulnerable IoT devices
Authentication for IoT Devices | Definition of minimum requirements with regards to security and privacy features; ideally find related common framework on components level | Successful tests on interoperability and scalability | Fully interoperable and scalable
Big Data Privacy | Definition of privacy in Big Data (e.g. in V2X) and related measurements | Definition of technical solution to handle privacy issues ideally based on a generic framework | Management and technical solution to handle privacy issues
11.1.5 Cybersecurity Services
11.1.5.1 Auditing, compliance and certification
11.1.5.1.1 Scope
Auditing techniques (penetration and intrusion testing). A security audit is a systematic evaluation of the security
of a company's information system by measuring how well it conforms to a set of established criteria. A thorough
audit typically assesses the security of the system's physical configuration and environment, software, information
handling processes, and user practices. Security audits are often used to determine regulatory compliance, in the
wake of legislation that specifies how organisations must deal with information.
Evaluation Laboratory accreditation: For the security evaluation of IT products/solutions, the Common Criteria Evaluation Methodology describes the minimum work needed for evaluation, but it also provides guidance for Certification Bodies. One of the matters that schemes may choose to specify relates to specific requirements in
ensuring that an evaluation was done sufficiently, so that every scheme has a means of verifying the technical competence of its evaluators. The main goal of this is to provide evidence to the certification body that all ITSEFs are adequate and comparable, through the licensing process, as defined by the SOG-IS MRA. Accreditation of the Evaluation Facilities according to the requirements of ISO 17025 covers only a part of this licensing process.
Compliance Checking: The next step, after the creation of the policies, is to compare the current configuration of the system with the defined policies. Compliance checking can be applied to many different administrative domains and operating systems through a central console. An example of compliance checking is checking the password requirements as drawn from the defined policies (e.g., checking whether the passwords are strong in terms of number of characters and symbols, or checking whether the passwords are periodically changed).
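The password example above can be made concrete as follows. This is an added illustration, not part of the agenda: the policy values, host names and configuration snapshots are constructed, and the setting names assume the Linux `login.defs` and `pwquality.conf` conventions.

```python
import re

# Password policy as the organisation defined it (constructed values).
POLICY = {"min_length": 12, "min_classes": 3, "max_age_days": 90}

# How each policy item maps onto a collected setting:
# (policy key, source file, setting name, comparison)
RULES = [
    ("min_length", "pwquality.conf", "minlen", "at_least"),
    ("min_classes", "pwquality.conf", "minclass", "at_least"),
    ("max_age_days", "login.defs", "PASS_MAX_DAYS", "at_most"),
]

# Constructed snapshots, as a central console might collect them per host.
HOSTS = {
    "srv-a": {
        "login.defs": "PASS_MAX_DAYS   90\nPASS_MIN_DAYS   1\n",
        "pwquality.conf": "minlen = 14\nminclass = 3\n",
    },
    "srv-b": {
        "login.defs": "# default install\nPASS_MAX_DAYS\t99999\n",
        "pwquality.conf": "minlen = 8\n# minclass = 3\n",
    },
    "srv-c": {  # pwquality.conf was never deployed on this host
        "login.defs": "PASS_MAX_DAYS 60\n",
    },
}


def parse_settings(text):
    """Parse 'KEY value' and 'key = value' lines; '#' starts a comment."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2 and parts[1]:
            settings[parts[0]] = parts[1].strip()
    return settings


def check_host(files, policy=POLICY):
    """Return a list of (setting, actual, requirement) findings for one host."""
    findings = []
    for key, fname, setting, mode in RULES:
        required = policy[key]
        requirement = f"{mode.replace('_', ' ')} {required}"
        raw = parse_settings(files.get(fname, "")).get(setting)
        try:
            actual = int(raw)
        except (TypeError, ValueError):
            # Fail closed: an absent or unreadable setting is a finding,
            # not something to assume compliant.
            findings.append((setting, None, requirement))
            continue
        if mode == "at_least":
            ok = actual >= required
        else:
            # A non-positive maximum age cannot express "change every N days".
            ok = 0 < actual <= required
        if not ok:
            findings.append((setting, actual, requirement))
    return findings


def audit(hosts, policy=POLICY):
    """Check every host against the same policy; an empty list means compliant."""
    return {name: check_host(files, policy) for name, files in hosts.items()}


if __name__ == "__main__":
    for host, findings in audit(HOSTS).items():
        print(host, "COMPLIANT" if not findings else "NON-COMPLIANT")
        for setting, actual, requirement in findings:
            shown = "not set" if actual is None else actual
            print(f"  {setting}: {shown} (policy: {requirement})")
```

A commented-out or missing setting is reported as a finding rather than silently passing, which is the case most often missed when the check only compares values that happen to be present.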
Security certification: It is of primary importance to have mechanisms to certify the security and the correctness of the complex ICT services that the Future Internet offers. Security is an inherently difficult problem. We need new certification technologies, especially for complex systems, that can evolve as the system evolves in order to avoid the need for re-certification. These certification approaches and procedures should be automated as much as possible, including the simple automation of the data shared. In this area, there is a great need for mechanisms for studying, asserting and certifying the security of cloud infrastructures as well as of complex services built on top of them. The sharing of information and the trust among the involved stakeholders are also elements to be considered. All certification should be standardised in order to maximise the impact of the results.
Mutual recognition: The first certification recognition agreement was established in March 1998 for the security evaluation of IT solutions/products, and is designated as the Senior Official Group for Information Security of the European Commission. This agreement covers CC certificates up to the highest level of assurance EAL7 (since April 1999). On a worldwide basis (27 countries), the CCRA agreement covers CC certificates from EAL1 to EAL4; renewed in 2012, the CCRA agreement now allows recognition up to EAL2 and therefore concentrates international efforts on establishing a mutual basis for general-purpose security products covering a basic-level attacker. The differences between these two agreements reside mostly in: 1) the level of verification of the technical expertise of the evaluation labs and certification bodies: in addition to the CCRA audit requirements, the SOG-IS agreement requires further verifications of the resources and tools of certification bodies, and of the technical expertise of individual evaluation labs; 2) the achievable trust level that can be mutually recognised, the SOG-IS recognition allowing for a higher mutual trust level amongst its members, therefore covering the protection of EU sensitive information and contributing to better EU digital autonomy.
11.1.5.1.2 Research challenges
• A penetration test, or pentest for short, is an attack on a computer system with the intention of finding security weaknesses, potentially gaining access to it, its functionality and data. The process involves identifying the target systems and the goal, then reviewing the information available and undertaking available means to attain the goal. A penetration test target may be a white box (where all background and system information is provided) or a black box (where only basic or no information is provided except the company name). A penetration test can help determine whether a system is vulnerable to attack, whether the defences were sufficient and which defences (if any) were defeated in the penetration test. Penetration tests are a component of a full security audit. Penetration testing goes beyond vulnerability scanning to use multistep and multisector attack scenarios that first find vulnerabilities and then attempt to exploit them to move deeper into the enterprise infrastructure. Since this is how advanced targeted attacks work, penetration testing provides visibility into aggregations of misconfigurations or vulnerabilities that could lead to an attack that could cause serious business impact. As a minimum, penetration testing provides a means for prioritising the highest-risk vulnerabilities.
• Vulnerability and intrusion analysis. Vulnerability analysis, also known as vulnerability assessment, is a process that defines, identifies, and classifies the security holes (vulnerabilities) in a computer, network, or communications infrastructure. In addition, vulnerability analysis can forecast the effectiveness of proposed countermeasures and evaluate their actual effectiveness after they are put into use. Vulnerability analysis consists of several steps:
  a. Defining and classifying network or system resources
  b. Assigning relative levels of importance to the resources
  c. Identifying potential threats to each resource
  d. Developing a strategy to deal with the most serious potential problems first
  e. Defining and implementing ways to minimize the consequences if an attack occurs.
• Multi-standards compliance: For products under security constraints, many standards and regulations may need to be complied with, originating both from the wide range of trustworthiness facets that need to be addressed (security, privacy, risk management, software quality, etc.) and from the number of countries and jurisdictions where a product may be used. This poses specific challenges regarding how to meet the requirements of different, heterogeneous standards and regulations, and how to identify and manage commonalities, variabilities, and conflicts in them. The key difficulty appears when trying to reuse products from one application domain in another, because they are constrained by different security standards and the full assurance process is applied as for a new product, thus reducing the return on investment of such a reuse decision.
• Quantification of Risk for cybersecurity. In most cases, good-enough security is exactly what one needs to ensure, i.e. that the security mechanisms are appropriate for the protection of the assets. This requires security mechanisms that fit the purpose and allow security managers to trade off between cost and risk. New security metrics frameworks that can be easily computed should be envisaged. These security metrics could be merged with risk analysis methods to decide the appropriate security controls to be put in place. This is related to risk management aspects.
• Cyber Insurance. In the long term, such concepts can lead to a viable business model for cyber insurance. Insurance models and prices need to be established and trialled within the market. On the one hand, this requires measuring the security level of a system, assessing the current security level and considering how it evolves over time, as well as the capability to prove responsibility for cyber incidents (which connects this area with forensics etc.). Formalisation of the liability for systems produced and services deployed is also a relevant area where investments should be made. The way Cyber Insurance can benefit from certified products and services also remains to be defined for the EU.
• Certification Schemes based on Common Criteria standard. We can split the system into two parts: Products (hardware and/or software) & Services. Product certification should be based on schemes like Common Criteria ISO 15480, where evaluations are performed by independent laboratories and then certified by certification bodies. To ensure an equivalent level of confidence between laboratories, laboratory audits must be performed on both quality and technical aspects. These audits should comply with international standards whenever possible (current technical licensing audits, as put in place by the SOG-IS MRA, do not rely solely on a standard but on Certification Bodies' expertise). In the same way, audits according to international standards should be carried out for certification bodies. These principles are in place for mutual recognition agreements such as CCRA or SOGIS-MRA in the case of Common Criteria. For services, some well-identified sectors such as Incident Response, Incident Detection in cybersecurity or Certificate Delivery and Electronic Signature can be certified using, once again, audits based on international standards such as ISO 27000, but this will necessitate the control of additional service-specific requirements, as already put in place in some MS schemes.
• Product & Systems ICT certification, Certification composition. An ICT system is composed of several items that can be products, sub-products and integration services. These items can be provided by different companies, and the final customer should trust the complete chain. Taking into account the different development timing and business models (hardware product design takes between 12 and 24 months, while integration services use agile development methodology), it is important to separate product certification from integration services certification. To do so, certification composition between different products is a key element. The ISO 27000 ICT certification process should be used to certify the complete solution, and it should reference all the product certifications that compose the complete solution. Different sectors need security certification. The SOGIS MRA covers mutual recognition for some products/solutions used in multiple systems, including critical infrastructures, and is a key asset for the cybersecurity industry. But cybersecurity also affects most connected devices, and these devices are manufactured by commercial device companies where the time to market is extremely short: therefore, they will necessitate an update of the current certification practices, to better reflect the use of the “security by design” principle. An important consideration is that security certification demands a
systems perspective, in which the software is viewed as one component of many, working in concert with other components (be they physical devices, human operators, or other computer systems) to achieve the desired effect. Hence, a long-term solution can only be found by taking a product-centred, composable/modular system view of the certification problem. This would imply that certification approaches should be extended to use certification data in terms of the component/system interface only. A common approach that follows this principle is contract-based assurance and certification.
• Verification & Maintenance measures to link certified and deployed products. Product certification is a picture, at a given moment, of the level of security of a given product. Making sure that the product still has the right level of security when the level of potential attack is increasing is a key issue. Today few processes exist to cover this potential risk; only ANSSI & BSI CERT have put in place a surveillance/reassessment process that can guarantee that the product is still at the right level of product security.
11.1.5.1.3 Expected outcome
• The generic aTC governance rules and the applicable standard for certification methodology (ISO CC) should be defined within the WG on Standardisation, Certification and European Label.
• The definition of any aTC creation should be put in place with the cPPP at the WG on Standardisation, Certification and European Label
• Composite certification
• Certification maintenance
• Define new attack methods for pure software products
• Extend the SOGIS MRA with a sector-oriented approach
11.1.5.1.4 Time line
Topic / Timeframe
Short (1-3)
Medium (3-5)
Quantification of Risk
Risk metrics
Risk assessment
frameworks based on
publicly available data
Operational insurance
schemes
Cyber Insurance
Multistandards compliance
Certification Schemes
based on Common
Criteria standard
aTC common rules
Penetration test :Define
Attack method for
Hardware and Software
Long (5-8)
Identification of
commonalities and
variabilities between
security standards.
Tools for multistandard compliance.
Automation of compliance
management activities
against multiple standards.
Reuse methods and tools
of secure products assured
against multiple-standards
Define the Common
aTC rules hosted into
the cPPP, ISO
standardisation
activities
Create aTC per strategic
market sector in line with
the NIS directive and new
threats coming from
the commercial market
Prepare cross mutual
recognition between aTC
Leverage on the JHAS
expertise
Add Software attack
method & potential into
the JHAS
Leverage Security
engineering to create
European context for
ethic hacking
Product & Systems ICT
certification,
Certification
composition
Vulnerability and
intrusion analysis
Verification &
Maintenance measures
to link certified and
deployed products
Identification of
component properties
related to
compositional security
(e.g. resilience in case
of attacks).
Guaranteeing security
properties of contemporary
systems that are built up
from smaller components,
when each component is
secure in isolation
Methodology for
intrusion analysis
Create a European standard
Methodology for
product surveillance
over the time
Maintenance metrics
Scalable analysis of large,
complex systems by
constructing their security
proofs from separately
constructed proofs of
properties of the simpler
components from which
they are built.
11.1.5.2 Risk Management
11.1.5.2.1 Scope
There is a common understanding across the AoIs that the new developments in ICT technology and its applications are increasing the complexity of systems and pose a challenge for managing this complexity and the related cyber risks.
On the other hand, the state of play today, as contributed by NIS WG1 “Risk Management” to NIS WG3, indicates that although several approaches and frameworks for risk management exist, the lack of awareness of decision makers, the lack of interoperability and standardised metrics, the cost-benefit ratio (especially for SMEs), the lack of statistical information for predictive approaches, the outdated status of existing frameworks, their static assessment model, and the perception that they are weak and offer insufficient coverage for today's complex business and cybersecurity risks are becoming a real and important disincentive and barrier to adoption by both larger and smaller organisations.
The complexity has increased in recent years as threats also evolve over time. Their very nature, as well as their motivations, techniques and tactics, are becoming polymorphic and more sophisticated day after day, making them unpredictable for any risk analyst. Vulnerabilities in technology are found at a rate that renders current cybersecurity solutions and strategies rapidly obsolete. In addition, there are threats, such as APT, state-sponsored attacks or governmental surveillance programmes, for which no effective solution exists, leaving our organisations and society dramatically exposed.
This ever changing and unpredictable nature of the threats and the technology on which the organisation depends
makes expert judgment for risk assessment incomplete and inaccurate. As a consequence, this assessment should be
continuously reviewed and verified against the updated state of the system under observation.
The system under observation has to be expanded, especially in the supply chain model, where organisations need to incorporate the risk level of their suppliers into their global picture. The security paradigm has changed: although traditional security approaches are based on the existence of a perimeter that needs to be protected, this paradigm no longer holds. We need to operate in a world where a perimeter is not there or has already been breached.
Another important factor is the ability to decide and execute effective courses of action in a timely fashion in order to mitigate and remediate the impact of attacks as they occur in real time.
Historically, technical security controls (anti-malware, firewalls, IDS/IPS, etc.) have focused on prevention of
compromise. However, it is now widely recognised that no matter how good your preventive controls are, they can
only reduce the number of and severity of security breaches and not eliminate them. The emphasis has now shifted
to augmenting preventive controls with detection and remediation measures. Clearly, the time taken for detection,
diagnosis, remediation planning, and action is critical in limiting the impact of an attack. In the future, we can expect
the sophistication and speed of execution of attacks to increase, and the difficulty of formulating a timely response
to become correspondingly more challenging. A capability for autonomous response will become essential, because
there will simply not be enough time to have a man in the loop. However, an inappropriate response may be more
damaging than the original attack, so that the controls need not only to be speedy, but also trustworthy. This implies
that they must understand the limits of their authority and the consequences of their actions. To be trusted as well
as trustworthy, they must be able to explain and justify their actions in retrospect. Of course, the attackers will
attempt to evade the defences, so that the defensive technology must be able to adapt dynamically to the attackers’
tactics. Despite the automation, people must remain in ultimate control, being able to set and modify policies that
govern the actions of the autonomous agents. Establishing effective means of man-machine co-operation will be a
research challenge in itself.
Current frameworks and methodologies, in the way they were conceived, cannot provide a solution for all these
problems. We need novel / modern, simpler, disruptive, dynamic, multi-stakeholder, interoperable (based on formal
sustainable models), standardized, predictive, reactive and holistic approaches capable of estimating and reducing
the risk in real-time, feeding from real-time operational information and threat intelligence sources, and automating
the risk assessment and management activities (especially detection and remediation ones) for a new perimeter
paradigm as never before.
At the same time, the cyber risk surface has increased at all levels, especially in Critical Infrastructure Protection, where the solution is too complex and significant to be left to an ad hoc collection of volunteers. On the other hand, this opens up for Europe the opportunity to address this through an executive and collaborative approach between European countries in order to maintain permanent and standardised protection of European essential services.
That is to say, Europe needs, and has the opportunity, to turn barriers into enablers and opportunities.
11.1.5.2.2 Research challenges
Translating the above findings into research priorities in detail, especially those coming from NIS WG1 (“Risk
management”), as well as those emerging from each of the AoIs and the research landscape document, we suggest
to structure along the dimensions of the following research priorities:

Methods to reduce and manage systems complexity. The limitations of existing risk management
methodologies in terms of addressing the cascading effects from the interdependent threats, the change of
the security perimeter paradigm, the increasing complexity and nature of threats and the need to manage a
multi-stakeholder supply chain inside a global risk management picture between other different facts, justify
the need of more research in reducing complexity, improving accuracy of impact calculations at the same
time the availability of simpler tools, simpler interfaces supporting these processes allow cost-effective
solutions in order to avoid more barriers to adoption.

Dynamic risk assessment and management. In order to achieve comprehensive and continuous situational
awareness, we need novel, disruptive approaches capable of estimating risk in real time, feeding from
real-time operational information and threat intelligence sources, and automating the risk assessment and
management activities as much as possible. Dynamic risk management should take account of system
evolution for sustainable assurance. Dynamic discovery (the way the system infers new topologies), as
well as the use of new advanced multi-dimensional sensors of different natures (such as environmental
sensors) as inputs to the risk analysis, could improve the accuracy and efficiency of the management process.
For a broader impact, information sharing and the effective and automatic use of exchanged data tampering
of field devices, roadside and infrastructure equipment along the value chain, should be considered.

Formal interoperable models to enable comparisons and compatibility between multi-disciplinary
environments. Interoperability and standardisation of the way the risks are calculated. Without this,
comparing and interpreting results of two different approaches is not possible, undermining the objective
evaluation of the performance and effectiveness of new solutions. This is especially relevant in the supply
chain model, where organisations need to incorporate the risk level of their suppliers (including physical,
human, the cyber layer, processes and services) into their global picture. There is a need to progress toward
comparability of risk assessment results, whatever method is used. As we move to ever larger-scale
interconnected systems, the development of new risk management models and systems for cyber
societies is necessary, with wide activities towards a holistic risk management framework.

Statistical and predictive risk analysis. Considering that statistical risk methods do not work well with
intentional threats, new methods should be researched. Furthermore, acknowledging that most common
risk assessment models depend on past information to picture the current risk scenario, additional data
models that help to predict probabilities and impacts of threats in Europe could be extremely useful, for
example as a tool for remedial actions, investment prioritisation or even for risk externalisation. For Cyber
Insurance, the capability to predict the current strength of the system is considered to be a strong
component of any calculation. Thus security and corresponding risk metrics (as explained below) are crucial
(as are other quantitative aspects of security). The way this data can be shared effectively and re-used at scale
is a key factor in providing organisational and shared benefit in Europe.

Autonomous detection and remediation by a man-machine effective cooperation. A capability for
autonomous response will become essential to fight against cyber-attacks, because there will simply not be
enough time to have a man in the loop. However, an inappropriate response may be more damaging than
the original attack, so that the controls need not only to be speedy, but also trustworthy. This implies that
they must understand the limits of their authority and the consequences of their actions. To be trusted as
well as trustworthy, they must be able to explain and justify their actions in retrospect. Of course, the
attackers will attempt to evade the defences, so that the defensive technology must be able to adapt
dynamically to the attackers’ tactics not only as an active defence but also to know more about the attacker
while in the attack. Despite the automation, people must remain in ultimate control, being able to set and
modify policies that govern the actions of the autonomous agents. Establishing effective means of
man-machine co-operation will be a research challenge in itself.

Integrated risk metrics and indicators. In order to evaluate to what extent current metrics can be
incorporated (and enhanced) into new solutions, there is a need to have a better comprehension of the
metrics currently being used in traditional frameworks and methodologies. They are usually said to be based
on the 'experience' of the designer, but this doesn't mean anything if the method is not justified based on
solid criteria. Calculation methods should at least be auditable. Current metrics tend to focus on individual
organisations and not take into account supply chains or dependencies across sectors and borders. It is also
easy to focus on those things that are easy to measure and possibly ignore the real indicators of success or
failure. The increasing scale and connectivity of cybersecurity issues means that organisations can no longer
live in their own silos (and measure things that only affect them), and new approaches to identifying and
setting realistic metrics should be considered, i.e. that the security mechanisms are appropriate for the
protection of the assets. This requires security mechanisms that fit the purpose and are able to allow
security managers to trade-off between cost and risk. New security metrics frameworks able to be easily
computed should be envisaged. These security metrics could be merged with risk analysis methods to decide
the appropriate security controls to be put in place or even facilitate the risk externalisation (i.e. Cyber
Insurance).

Visual decision making governance frameworks. Increasing complexity calls for simpler interfaces for an
effective man-machine governance framework. We lack a coherent framework that puts all these pieces
together and helps to identify gaps that need to be filled with further research. For example, with the
aforementioned solutions it is not possible to effectively translate the risk level into business impact, moving
the analysis from the operational/technical layer to the business layer. This achievement would significantly
support and ease the decision-making process for risk owners. New techniques are also needed to enable
more consistent and appropriate security decision making as well as allowing aggregation and composition
of different pieces (Software and Hardware) without losing the control of risks either including all the value
chain sensors or other factors like legal and economics.

Legal risk assessment and management. For a holistic and complete approach, legal risks should be
integrated in the organisation's decision-making process. This may enable the evaluation and comparison of
alternative regulatory and non-regulatory responses to complex and interdependent risks and selecting
among them. This process requires knowledge of the legal, economic and social factors, as well as
knowledge of the business world in which legal teams operate. Risk-preventive, reactive and mitigation
services, including process identification, empirical analysis, quantitative evaluation, cost analysis and
dynamic support. The system’s basic concept is to solve enterprise legal risk problems by means of
management, and the basic principle is to describe the enterprise legal risks in the language of economics
although its value should be added to the enterprise risk decision making. Research should provide medium
and long-term, holistic and dynamic legal risk management solutions compatible and interoperable with
other technical and business risks. At the same time, legal and contractual obligations could also facilitate
the adoption of risk management practices by “hard to reach” organisations as an enabler, as noted by NIS
WG1.

Incentives for adoption of risk management best practices and reducing barriers (especially for SMEs). As
noted by NIS WG1, there is a strong belief, backed by feedback, that SMEs are not applying even basic cyber
risk management methods or best practices. Research is needed to establish how to communicate with
‘hard to reach’ organisations and to incentivise the adoption of best practices, given that most
damaging cyber-attacks against this kind of organisation are still considered basic (social engineering, phishing,
default passwords, patching) despite all the efforts made in awareness raising. Of specific interest is
further research into the use and take-up of risk management methods and practices by SMEs. Barriers
already identified by NIS WG1 include the lack of awareness, the complexity of risk assessments, and the
imbalance between resources devoted to analysis and the benefits for the organisation (risk assessment is usually
seen as a one-off static exercise rather than part of an on-going activity within a governance framework that is
maintained). In addition to this, executives and decision makers perceive it in terms of cost and expense rather than
preventing financial and material loss. In smaller organisations, the lack of expertise, training and
dedicated staff are usually also barriers. There is a need to research potential incentives for take-up
and maintenance, both within an organisation and across supply chains.
11.1.5.2.3 Expected outcome
Develop agile risk management framework for companies and SMEs

Develop reliable risk metrics

Enable decision makers to develop risk prediction models for cyber threats
11.1.5.2.4 Time line
Topic / Timeframe
Short (1-3)
Medium (3-5)
Methods to reduce and
manage systems
complexity
Methods and process
for
managing
risk
interdependencies
Simpler tools and interfaces
available to support these
processes
Dynamic risk
assessment and
management
Automation
analysis
Advanced real time multidimensional
sensing
capabilities
Statistical and
predictive risk analysis
Theoretical
foundations
and
supporting
methods
and
tools
for
intentioned
threats
prediction
of
risk
Autonomous detection
and remediation by a
man-machine effective
cooperation
Auditable
methods
metrics
calculation
for
risk
Visual decision making
governance
frameworks
New techniques for
appropriate
risk
decision making
Legal risk assessment
and management
Incentives for adoption
of risk management
best practices and
Significant improvements on
real time risk estimation
Statistical
methods
to
estimate
the
current
strength of the system
against
current
and
predictive risks
Effective means of manmachine co-operation
Integrated risk metrics
and indicators
Long (5-8)
Pseudo-autonomous
realtime reasoning systems for
detection and remediation
Integrated KPI
Integrated visual decision
frameworks to support this
new techniques
Legal risk semantic formal
models
Research into the use
and take-up of risk
management methods
Comprehensive legal risk
guidelines and interoperable
standards approved and
established in practice
Lightweight certification and
other effective models
reducing barriers
and practices by SMEs
11.1.5.3 Cybersecurity operations
11.1.5.3.1 Scope
It is widely recognised that even organisations with state-of-the-art cybersecurity are vulnerable to attack. It is not
enough to deploy protective security appliances and software; these measures need to be actively monitored,
managed and maintained. Furthermore, organisations need to be vigilant in detecting emerging threats, attacks in
progress and actual security breaches, and be able to respond in an appropriate and timely manner. This is the role of
Cybersecurity Operations (CSO).
Managed security services (MSS) are around-the-clock remote management or monitoring services of IT security
functions delivered via strategically positioned security operations centres [17], often outsourced to a service provider
(managed security service provider (MSSP)). Here we use the term MSS to denote either in-house or outsourced
provision of operational security functions.
According to recent industry research, the majority of organisations (74%) manage IT security in-house, but an even
bigger part (82%) have either already partnered with, or plan to partner with, a managed security service provider [18].
Traditionally, organisations have been reluctant to outsource security functions. But the sheer complexity and extent
of cybersecurity makes managed security services increasingly desirable, even a necessity. Many privacy and
cybersecurity technologies traditionally installed and managed internally by end-users are now provided and
managed directly by third parties on a pay-as-you-use basis across Infrastructure, Systems, Content and Governance
solution types in PACS. Such providers are viewed as being crucial to allowing organisations to reduce capital
spending on security technology and in allowing them to increase bandwidth for handling security issues within
corporate IT teams. For many SMEs, managed security services will be the only way to become fully secure, and
many such services will be adopted via cloud solutions.
Businesses turn to managed security services providers to alleviate the various pressures they face on a daily basis in
relation to information security, such as targeted malware, customer data theft and resource constraints [19].
Functions of a managed security service include real-time monitoring, intrusion detection systems and firewalls,
incident response and emergency handling, security assessments and infrastructure security audits, and
post-compromise forensics. A holistic, enterprise-wide security posture that is proactive and predictive rather than
reactive is recommended. This would mean better interaction and closer intertwining between core cyber expert
functions (security operators, analysts, incident response experts, security architects).
Security services may be conducted in-house through the in-house Security Operations Centre or outsourced to a
service provider that oversees other companies' network and information system security. Businesses will
increasingly resort to trusted European products and partners, in order to be fully compliant with new regulatory rules
and constraints.
Typical services provided include: APT detection and remediation, Distributed Denial of Service (DDoS), email
filtering, emergency response services, endpoint AV, endpoint patch management, firewall management, host and
network IDS/IPS management, IAM services, log management and monitoring, server patch management, SIEM
managed services, threat intelligence, vulnerability testing, web application firewall, and web application
monitoring.
Key characteristics of leading MSSP providers include significant breadth of security technology skills, effective cost
structures, strong customer services, experienced and trained staff, and strong operational flexibility depending on
client needs. [20]
[17] IDC MarketScape: Worldwide Managed Security Services 2014 Vendor Assessment (http://www.idc.com/getdoc.jsp?containerId=248646)
[18] 2014 Security Pressures report, TrustWave (http://www2.trustwave.com/rs/trustwave/images/2014%20Trustwave%20Security%20Pressures%20Report.pdf)
[19] http://www.csoonline.com/article/2134337/employee-protection/study-shows-those-responsible-for-security-facemounting-pressures.html
[20] IPACSO Market Study p 92
Markets and Markets forecasts that the Managed Security Services Market will grow from $14.32 Billion in
2014 to $31.86 Billion in 2019, at a Compound Annual Growth Rate (CAGR) of 17.3% from 2014 to 2019. Europe is
one of the growing markets and is expected to experience increased market traction with high CAGRs during the
forecast period.
11.1.5.3.2 Research challenges
The attacker already has the advantage in the cybersecurity battle; highly-damaging security breaches appear in the
press on a regular basis, many security compromises are not detected until long after the initial penetration, it is
often difficult to identify and prosecute the people responsible, and so on. Threat agents are many and diverse, but
include sophisticated criminal organisations and nation-state proxies with significant technical skills and financial
resources as well as ideologically-motivated groups. Current challenges include:

Early detection of attacks in preparation or in progress; characterisation of the attack and identification of
the attacker; accurate, prioritised, informative and timely alerting with low false-positive and negative rates;

Assessing the situation, planning and effecting an appropriate and timely response;

Recovering to normal business operations, while cleaning up remaining effects of the breach and removing
vulnerabilities exploited in the attack, and preserving evidence for forensic investigations;

Simultaneous and retrospective investigation to examine in detail how the breach came about, attribute
responsibility and gather evidence for disciplinary action or criminal prosecution (those research challenges
also concern the law enforcement sector as the same forensic methods and tools might be developed and
used).
These challenges will be exacerbated as threat agents and automated attack software become even more
sophisticated, organisations become even more dependent on complex ICT infrastructure and on each other, and
innovation in technology and business practices continues.
Preceding sections have considered specific threats and countermeasures. However, it is also important to develop
processes, platforms, market-places and standards that enable holistic security solutions appropriate to an
organisation’s circumstances to be assembled from constituent services, operated and maintained. Furthermore, it
should be possible to select from a range of service and deployment models, from fully internally hosted and resourced
solutions to completely outsourced, cloud-based integrated services, with intermediate options including partially
outsourced, partially in-house best-of-breed solutions. While security-conscious organisations may currently prefer
security operations solutions to be retained in-house or to use dedicated/segregated facilities, use of cloud-based
multi-tenant services will become the norm in the future allowing service providers and their customers to benefit
from collective analysis and intelligence sharing. For this to happen, safe-guards will need to be developed to
prevent leakage of sensitive information.
Currently, security operations involve the use of a number of largely independent software tools, with co-ordination,
decision making and integration being the result of human co-operative activity. Timely detection and response are
already problematic under this arrangement, and time available will decrease further as attacks are automated.
Ever-increasing automation and integration of security operations processes will be necessary to keep pace.
Furthermore, more of the decision making authority will need to be devolved to intelligent software, with human
analysts taking on a goal-setting, supervisory role and working in co-operation with autonomous software agents.
Maintaining an audit log, with explanations that are understandable by humans will be important in establishing
trust in automated systems.
These challenges can be grouped under three main headings:

Security operations platforms: development of ICT infrastructure allowing flexible integration of disparate
security products and services to form the technical element of the system and to provide interface allowing
synergistic man-machine co-operation.

Security operations processes and institutions: defining the organisational and behavioural aspects of CSO.

Security solution design: devising processes and tools by which security operations systems appropriate to
the circumstances of a given organisation, utilising the two other ingredients, are brought about and
maintained.
11.1.5.3.3 Expected outcome
The desired outcome is to give all European organisations access to comprehensive security operations
solutions that are appropriate to their circumstances, are affordable, and are evolvable to keep pace with
escalating threats and innovations in technology and practice.

Such solutions are socio-technical systems on a range of size scales.

They will possess institutions and processes that can detect and respond to internal and external threats and
failures, enable them to function under adverse conditions, and to self-repair in order to resume normal
operations as soon as possible.

This outcome both enables and requires the existence of a dynamic and innovative European market in
cybersecurity products and services, which will itself yield significant economic benefit.
11.1.5.3.4 Time line
Topic / Timeframe: Short (1-3), Medium (3-5), Long (5-8)

Security operations platforms
Short (1-3): Baseline multi-tenant platform reference architecture, integration APIs and interoperability standards defined. Platform reference implementation available.
Medium (3-5): 2nd generation with increased flexibility, integration and provision for end-end supervised automation using machine learning. Federation of platforms possible.
Long (5-8): Highly dynamic platform capable of continuous evolution and adaptive response to threat activities. Significant self-learning capability. Close cooperation between software agents and human operatives.

Security operations processes and institutions
Short (1-3): Definition of security business processes that are customisable to the circumstances of a wide variety of organisational contexts. Use cases exemplifying best practices.
Medium (3-5): Add a time dimension allowing for the planned and re-active evolution of processes and institutions over time. Increased integration with platform and design processes.
Long (5-8): Highly adaptive processes and institutions with decentralised co-operative decision-making and autonomous action. Extensive inter-organisational co-operation.

Security solution design
Short (1-3): Scalable processes for selecting and combining solution elements to meet the security needs of an organisation
Medium (3-5): Selection and combination processes acquire a time dimension, allowing frequent in-service updates of the system without disruption.
Long (5-8): Guided/autonomous and continuous evolution of the architecture and make-up of security solutions in order to keep pace with changing requirements and take advantage of innovations.
11.1.5.4 Security training services
11.1.5.4.1 Scope
Traditional training approaches, namely class-room sessions, e-learning and b-learning (as we know them today), do
not suffice to keep our workforce up-to-date and ready to respond in such an overwhelmingly changing scenario.
One-off training sessions, however they are provided, continue to lag behind the rapid rate of change of technology
and cyber threats. But, worst of all, current approaches cannot accommodate, in a cost-effective and timely manner,
the particularities of a customer's security problem, nor the technologies and networks they use in their
operational environments. In other words, the effectiveness of the training is very limited.
Even though training is currently considered a fundamental prerequisite for the adequate protection of cyberspace,
there is still a need for innovative technology capable of providing realistic, flexible, evolutionary and tailored
training services able to reach a large-scale audience in a cost-effective way. As of today this remains a great
challenge for both academia and industry.
In recent years, the training concept has been reshaped with the introduction of cyber ranges. A cyber range is a
virtual environment typically built on top of standard hardware and used for multi-tenant hands-on training,
experimentation, test and research in cybersecurity, as well as supporting cyber defence exercises (i.e. cyber-exercises).
Due to their benefits, cyber range solutions are gaining attention as a key ally to support training
programmes in different civil and military contexts.
Some of the aforementioned required properties (realism, flexibility, etc.) are already met by current cyber range
solutions. For example, a standard cyber range is usually designed to provide realistic settings where the user
interacts with real (virtual) systems and networks that may, to some extent, reproduce real-world scenarios with
real-time feedback and operation.
However, much research and innovation is still needed to accommodate and combine in a single solution all of the
properties above.
11.1.5.4.2 Research challenges
The following challenges have been identified as priorities for implementing and providing innovative cybersecurity
training services for the community at large.

Tailored training for large-scale audiences. Tailoring a hands-on training course for
a specific customer is, considering current cyber range solutions, impractical if large-scale and cost-effective
properties also need to be provided. In this regard, a smart and automated trainee supervision and
assessment system that guides trainees through the exercise, providing automated hints when needed, would
make it possible to deploy the solution for thousands of trainees concurrently without the need of a single instructor.
Also, a cyber range capable of easily deploying on-demand configurations of new tailored exercises would
provide a significant improvement, making it easier to tackle particular needs and specific situations, and to
represent new and emerging threats. This capability, however, requires a powerful, flexible and intuitive
course and exercise design tool that could even be used by the customers themselves.

As can be seen, automation is fundamental if a cost-effective training service is to be provided for large-scale
audiences. This includes the capability to replicate and simulate the behaviour of users and applications in the
training scenario, as well as the adversary (defensive, offensive) and ally functions inside the training
activity.

Pedagogical foundations by design. If there is one common limitation in current cyber ranges, it is that, even
when commercialised under the label of training platforms, they support test, experimentation and research
activities (even capture-the-flag competitions) but without any pedagogical features. Current solutions
hardly incorporate metrics and functionality to measure the actual performance of the trainee and manage
their progress over time. At most, we observe that some solutions incentivise and motivate the
trainee using quantitative scoring systems or gamification approaches. A more comprehensive and
systematic view is needed. The foundations underlying the learning process should be considered by design.
This may imply implementing different and complementary approaches, such as formal learning,
observational learning, trial and error approach, etc.

All-levels covered. The complexity of the training exercises should be scaled to the trainee’s level,
customising the level of automated guidance and support in each exercise. This is particularly important
when targeting individuals at introductory level. A significant break-through innovation would be for this
adaptation, including the difficulty of the training, to be automatically readjusted over the lifespan of the
training, and even dynamically during an exercise, according to the trainee's performance. The system could,
for example, propose new challenges/objectives, reinforce certain attitudes or improve the adversary skills
for highly proficient trainees.
11.1.5.4.3 Expected outcome
Improved knowledge, skills and abilities of technical staff to detect and respond to cyber attacks.

Increase society's overall awareness of and preparedness for cyber threats.

Progress in technologies and processes needed to improve organisations' capabilities to detect and respond
to advanced attacks.
11.1.5.4.4 Time line
Topic / Timeframe: Short (1-3), Medium (3-5), Long (5-8)

Tailored training for large scale audiences
Short (1-3): Automated supervision of trainees and state of the exercise, being able to detect deadlocks and variations in the trainee performance and take actions accordingly.
Medium (3-5): Development of powerful tools to automate the design and implementation of new training activities.
Long (5-8): Smart adversary/ally played automatically by the cyber range. The adversary can take on either a defensive role, an offensive role, or both. This requires research on many areas that would contribute not only to advanced training services but also to some cornerstones of cybersecurity, such as artificial intelligence and self-healing systems, dynamic risk management, or kits and tools for automated multi-step attacks (at tactical and operational level).

Pedagogical foundations by design
Short (1-3): Integrate pedagogical approaches, metrics and measures to evaluate the trainee performance and evolution.
Medium (3-5): Integrate biometric-based stress detection systems to measure and correlate the level of performance and stress of the trainee during the activity.

All-levels covered
Short (1-3): Develop tools for assisting in the design of tailored training curricula/path (training activities and the sequence to follow) for each individual/organisation, depending on particular needs (desired output) and the level of the participant (input).
Medium (3-5): Develop and integrate powerful network traffic analysis and generation tools that can be controlled during the training activity so that realism is enhanced and the level of difficulty can be adjusted dynamically.
Long (5-8): Research on adaptive systems for training purposes, combining dynamic adjustments of the activity setting (objectives, hints, etc.) as well as dynamic adaptation of the behaviour of the automated elements in the activity (network traffic generator, adversary, ally, stochastic elements)