||System architecture v1
The key objective of this task will be to create the overall architecture of the EnergyShield toolkit. Towards this scope, the specification of the various components of the system, and of the system as a whole, will be designed to fulfil the existing requirements of stakeholders while also being extensible to future demands. The architecture will be modular, so that each individual component can be upgraded independently by the relevant technology provider. The architecture will also be integrated, meaning that the different EnergyShield modules will be able to exchange information, therefore providing significant added value in comparison with independent cybersecurity solutions operating in silos.
||Socio-cyber-physical threat model
In practice, enterprise decision-makers consult experts, e.g., network penetration testers. While consulting experts certainly is valuable, the resulting estimates come with three significant limitations: their validity is bounded by 1) the time at which they were carried out, 2) the parts of the enterprise architecture that were studied by the expert, and 3) the competence of the consulted expert. These limitations are especially problematic given the dynamic nature of enterprise IT systems and the lack of resources available for analyses. We will therefore implement an easy-to-use socio-cyber-physical threat model reflecting the needs of the EPES sector.
||Updated security culture framework and tool
The aim of this deliverable is to present the underlying Security Culture Framework which shall allow automated planning and implementation of security culture programmes.
||VA tool release incl. usability and performance report
We will implement an easy-to-use Vulnerability Assessment (VA) tool for the EPES sector, allowing security analysis by attack simulations and testing cyber security resilience over time, holistically and in a low-bias manner.
||Anomaly detection tool release
We have extended the SIGA anomaly detection engine to use various new approaches to time-series analysis. We developed a new additional algorithmic layer, as planned, focusing on phase detection and transitions. We significantly improved the informative linkage between an anomaly and the raw data generating it. We created a new low-footprint agent intended to run on selected new models of PLC, either on its own or in parallel to operational functionality. We have added new raw I/O data sources to the process analysis and anomaly detection. We have applied the same algorithmic capabilities to process information from levels above the existing level 0/1 connection (in parallel with, or instead of, the low-level data).
||DDoS mitigation tool release
The tool has been extended to consider smart meter botnets and attacks using the AMI as a vector. In parallel to this, analytical models have been developed to better understand attack parameters and to explore new dynamics unique to the smart grid context. Both were explored using realistic network simulations to validate the approach. These simulations also provide a means to begin specifying how DDoS information can be defined, captured and measured for sharing with other tools.
||SIEM tool release
This document describes the Security Information and Event Management (SIEM) tool. This deliverable provides a detailed definition of the SIEM's components, such as Event Logging, Secure Authorization with role-based access, Monitoring, Alerting, Visualization and System Diagnostics.
||Data privacy and data security report
This task aims at developing a searchable encryption tool that allows the security analyst to anonymise data and search it in the encrypted domain using state-of-the-art homomorphic encryption techniques. It can extract any type of security event data and can provide the necessary levels of access control for multiple parties to search based on policies. It can also help analysts to develop threat graphs on the anonymised data so that the privacy of the nodes and devices is protected. The tool is GDPR compliant, is scalable, and can handle single-keyword, multi-keyword and string queries. In addition, it can also perform ranked searching over the encrypted data, providing security analysts with a list of the most frequently occurring threats.
||Integration and test plan
This task will plan the activities in tasks 5.2, 5.3 and 5.4 and will create the corresponding deliverable (Integration and Testing Plan). The plan will be based on the architectural document, since it relies on dependencies among components. The test plan will contain the testing strategy, testing setup and test cases (preconditions, test execution and expected results). The test cases will be marked passed or failed during task 5.4, and acceptance criteria will be set based on priority and the percentage of passed test cases. This testing specification documentation will also aim to stress platform capabilities (functional and non-functional) in relation to all the defined use cases.
||Communication report v1
This report presents the activities of the consortium partners during the first year of the project.
||Dissemination report v1
This report analyses the activities of the consortium partners on a quantitative basis.