OVERVIEW

Critical infrastructures are increasingly dependent on information and communication technology (ICT). ICT systems are becoming more and more complex. To enable the implementation of secure applications on these distributed IT infrastructures, new technologies for the efficient implementation of security requirements are required, and an integrated view of the security of the systems is necessary. For this reason, we at AIT Austrian Institute of Technology work on new approaches and technologies to implement security aspects efficiently in the ICT systems of the future.

Future networks require new security concepts in order to meet the citizen's demand for ubiquitous, secure and trusted communication and information access. The research topic ICT Security at AIT deals with specific problems related to secure information access in distributed service architectures on different levels, such as those employed in the context of complex business and communication processes. New security policies must be adequate for protecting infrastructures and data across borders and administrative domains that involve dozens of different stakeholders, each conforming to disparate legislation and/or having their own specific security requirements.

SPECIFICALLY WE ARE WORKING ON THE FOLLOWING TOPICS:
- "Security by Design" in large and complex systems
- Safety & Security Engineering
- Security and Risk Management for Smart Grids and Critical Infrastructures
- Cloud Computing for High-Assurance Applications
- National Cyber Defense
- Cyber Situational Awareness

CONTACT
AIT Austrian Institute of Technology
Safety & Security Department
Donau-City-Straße 1, 1220 Vienna
DI THOMAS BLEIER, MSC, CISSP
Thematic Coordinator ICT Security
Phone: +43(0) 664 8251279
Fax: +43(0) 50550-2813
E-mail: thomas.bleier@ait.ac.at
Web: www.ait.ac.at/ict-security
SECURITY BY DESIGN

Complex ICT systems need to be engineered with security built in from the beginning. A research focus within the ICT security program is to develop methodologies, techniques, and tools to facilitate secure and efficient system design and implementation. Research includes ICT security of currently operational as well as future systems. The developed methodologies leverage existing technologies such as cryptography and federated identity management as well as innovative approaches such as model-driven security for ensuring confidentiality, integrity, and availability of large-scale distributed systems. Reference projects include application areas like the SOA-based Austrian e-government system or global geospatial information systems.

A system is only as secure as its weakest link. Security engineering tools therefore have to make it easier for system engineers to adhere to security requirements in the different stages of the software development lifecycle, such as design, implementation and testing. Research initiatives also include the development of security-by-design architectures and supporting tools for secure software development lifecycles.

REFERENCE PROJECT: PARIS - PrivAcy preserving Infrastructure for Surveillance

PARIS will define and demonstrate a methodological approach for the development of a surveillance infrastructure which enforces the right of citizens to privacy, justice, and freedom. It takes into account the evolving nature of such rights (aspects that are acceptable today might not be acceptable in the future) and their social and anthropological nature (the perception of such rights varies).

REFERENCE PROJECT: MoSeS4eGov - Model-based Security System for e-government

Current e-government systems are characterized by a wide range of functions, many different applications and interfaces to various IT systems.
This not only complicates the maintenance of existing applications but also impedes and prevents the creation of new ones. Such applications would become possible by connecting data from existing and future registers for new fields of application in the area of security, for example crisis management. MoSeS4eGov is intended to demonstrate a solution to this problem by employing model-based approaches (MDA, Model Driven Architecture). It focuses on combining the modeling of functional requirements and security requirements.

Figure: Query number of affected population (Image: Google graphics 2012 map data)
SAFETY & SECURITY ENGINEERING

The design of future ICT systems in critical infrastructures requires a new approach to system design and development. Currently, many ICT systems are designed either with a focus on "safety" (such as embedded control systems) or exclusively with a strong focus on "security" (such as internet-connected systems or applications, where "safety" and system reliability play a minor role). The built-in ICT systems in future energy, transport or communications networks require both: people or units must be protected against the harmful effects of a faulty system, but it must also be ensured that the system is adequately protected against attacks by malicious adversaries.

Currently applied approaches for solving these problems mostly rely on short-term measures such as the separation of sub-systems, reducing the attack surface, the isolation of components, or monitoring and intrusion detection systems. This allows the security of such systems to be improved without having to replace a large number of components. Taking into account the investment cycles in these areas, this is a reasonable approach. With the further penetration of networked subsystems in such infrastructures, however, such approaches are reaching their limits. In the long run, the individual components in every part of the critical infrastructures must themselves be able to withstand an attack. This requires the combination of "safety" engineering methods and processes with "security" (Security by Design).

Currently, the development methods for both disciplines are difficult to correlate and often contradictory. Therefore AIT is working on a consistent approach to safety and security engineering, and subsequently on the development of supporting tools and methodologies. AIT can build on expertise from both the safety domain (with the parallel Research Area Highly Reliable Systems within the department) and the security domain.
REFERENCE PROJECT: ARROWHEAD

Our society is facing both energy and competitiveness challenges. These challenges are tightly linked and require new dynamic interactions between energy producers and energy consumers, between machines, between people and systems, etc. Cooperative automation is the key to these dynamic interactions. The objective of the ARROWHEAD project is to address the technical and application challenges associated with cooperative automation: for example, to provide a technical framework adapted in terms of functions and performance, to propose solutions for integration with legacy systems, and to implement and evaluate cooperative automation through real experiments in application domains such as electro-mobility, smart buildings, infrastructures and smart cities, industrial production, and energy production.
CLOUD COMPUTING FOR HIGH-ASSURANCE APPLICATIONS

Cloud computing adoption is taking place in different application areas, including those with higher security requirements. Existing cloud offerings are not well placed to address these issues. Due to the opacity and elasticity of cloud environments, the risks of deploying critical services in the cloud are difficult to assess, specifically on the technical level, but also from legal or business perspectives. Therefore AIT's research focus in this area is to analyze and evaluate cloud computing technologies with respect to security risks in sensitive environments, and to develop methodologies, technologies, and best practices for creating secure, trustworthy, and high-assurance cloud computing environments.

REFERENCE PROJECT: SECCRIT - SECURE CLOUD COMPUTING FOR CRITICAL INFRASTRUCTURE IT

Cloud computing has been one of the major trends in IT in recent years. As a consequence, major companies such as Google, Microsoft, and many more are investing massively in cloud infrastructures. However, since the cloud computing paradigm changes many aspects of current enterprise IT infrastructure, such as organization security management, trust management and policy integration, it raises many concerns in terms of security, reliability, and information assurance. The mission of the SECCRIT project is to analyse and evaluate cloud computing technologies with respect to security risks in sensitive environments, and consequently to develop methodologies, technologies, and best practices for creating a secure, trustworthy, and high-assurance cloud computing environment for critical infrastructures.

REFERENCE PROJECT: ARCHISTAR

The Internet is constantly evolving and increasingly pervading our lives at all levels.
Currently we are facing two major trends that are relevant in the context of Archistar: the permanent gathering and storage of personalized data at large service providers, and the general outsourcing of data processing and storage, namely the "cloudification" of the Internet. In both cases customers are facing new security risks due to the change in the trust model, and novel threats that current technological development does not take into account are constantly arising. Archistar addresses the development of a new kind of privacy-preserving distributed storage system, based on the paradigm of fault-tolerant and secure distributed computing, to facilitate privacy-preserving and resilient data outsourcing.
SECURITY AND RISK MANAGEMENT FOR SMART GRIDS AND CRITICAL INFRASTRUCTURES

Critical infrastructures are increasingly dependent on information and communication technology. As a specific example, future energy grids will make extensive use of the integration of ICT technologies. Thus, cyber security risks become a threat even for energy suppliers. We are focusing on developing technologies and tools to strengthen the resilience of smart grids against cyber attacks, leveraging synergies within AIT by cooperating, for example, with the Energy Department. Research includes specific risk management approaches for utility providers, processes and guidelines for implementing security in smart grid environments, and security assessment and monitoring solutions.

REFERENCE PROJECT: SG2 - Smart Grid Security Guidance

The project (SG)2 deals with a systematic study of smart grid technologies in terms of ICT security issues and the research of countermeasures. Based on a thorough threat and risk analysis from a national perspective and a security analysis of Smart Grid components, (SG)2 explores measures for power grid operators that serve to increase the security of computer systems deployed in the future critical infrastructure of "smart energy".

REFERENCE PROJECT: FastPass

This project will establish and demonstrate a harmonized, modular approach for Automated Border Control (ABC) gates. Border control is a major challenge for security and mobility within the EU. Travellers request a minimum delay and a speedy border crossing, while Border Guards must fulfill their obligation to secure the EU's borders against illegal immigration and other threats. FastPass will serve both demands at the same time, keeping security at the highest level while increasing the speed and the comfort for all legitimate travellers at all border control points, aiming at a minimum of privacy intrusion.
REFERENCE PROJECT: PRECYSE - PREVENTION, PROTECTION AND REACTION TO CYBERATTACKS TO CRITICAL INFRASTRUCTURES

Today, attackers are using more sophisticated technologies, making existing "add-on" security solutions obsolete or insufficient, and the number of stakeholders involved (both humans and machines) is always increasing. Thus, new security mechanisms need to be designed and embedded directly into the systems to drastically increase reliability and security levels and to provide higher levels of resilience. To tackle these challenges, PRECYSE will define, develop and validate a methodology, an architecture and a set of technologies and tools to improve, by design, the security, reliability and resilience of the ICT systems supporting the Critical Infrastructures.
ICT SECURITY

NATIONAL CYBER DEFENSE & CYBER SITUATIONAL AWARENESS

The potential impact of cyber-attacks against critical infrastructures is remarkable: the malfunction or total loss of public energy grids, the banking system, supply chains or public administration can cause enormous economic damage and massively affect entire nations. A key asset of AIT for research in this area is tight cooperation with national stakeholders in Austria on solutions and technologies to prevent those threats and mitigate devastating effects. Our strategy allows researchers to work together with stakeholders from industry and government in realistic environments on the design, implementation and validation of methods, technologies and processes for establishing an increased level of defense against cyber attacks.

Existing technologies face huge challenges in detecting previously unknown types of attacks on computer networks. Anomaly detection methods have to deal with a huge amount of data, in which "normal" and "suspicious" activities have to be distinguished. AIT is working on the development of anomaly detection algorithms and the automatic classification and recognition of suspicious activities.

REFERENCE PROJECT: CAIS - CYBER ATTACK INFORMATION SYSTEMS

The project CAIS deals with the implementation of a Cyber Attack Information System on a national level, whose ultimate goal is to strengthen the resilience of today's interdependent networked services and to increase their overall availability and trustworthiness. The main objectives of this project are identifying expected future cyber risks and emerging threats, evaluating novel anomaly detection techniques, creating highly modular infrastructure models used in agent-based attack simulations for risk and threat analysis, and finally investigating the deployment and instantiation of a national "Cyber Attack Information System".
CONTACT
AIT Austrian Institute of Technology
Safety & Security Department
Donau-City-Straße 1
1220 Wien
Austria
www.ait.ac.at/safety-security

DI Helmut Leopold
Head of Department
T +43 (0) 50550-4101
F +43 (0) 50550-4150
helmut.leopold@ait.ac.at

Mag. (FH) Michael Mürling
Marketing and Communications
T +43 (0) 50550-4126
F +43 (0) 50550-4150
michael.muerling@ait.ac.at

AIT Austrian Institute of Technology v03 13062013
Errors excepted. Images: AIT, istockphoto.com, freedigitalpfotos.net KROMKRATHOG