01 September 2019
31 August 2022
In the digital era, Critical Infrastructures (CIs) are operating under the premise of robust and reliable ICT components, complex ICT infrastructures and emerging technologies (e.g. IoT, Cloud Computing, Big Data) and are transforming into Critical Information Infrastructures (CIIs) that can offer a high degree of flexibility and efficiency in the communication and coordination of advanced services and processes. The increased usage of information technology in modern CIIs means that they are becoming more vulnerable to the activities of hackers and other perpetrators of cyber-related crime (cyber criminals).
Over the last few years, it is a common phenomenon to see daily headlines describing major cyber-attacks or some new strain of malware or insidious social engineering technique being used to attack ICT infrastructures. Moreover, an increase on encrypted flows over the Internet is noted. In particular, CIIs have become lately targets for cyberattacks attracting the attention of security researchers, cyber-criminals, hacktivists (e.g. Anonymous, LulzSec) and other such role-players (e.g. cyber-spies). These cyber actors have significantly evolved their tactics, techniques and procedures to include next-generation malware toolkits available on various locations on the internet (e.g. deep web, dark web) and new data exfiltration methods that give them an asymmetric quantum leap in capability. In the past years, there have been a number of cybersecurity meltdowns and high-profile breaches affecting critical infrastructures for example, healthcare data of more than half of Norway's population (over 2.9 million individuals) were stolen from a Norwegian healthcare organization (Health South-East RHF). The ransomware attack, WannaCry or WanaCrypt0r 2.0, that took place recently, affected more than 230,000 computers in over 150 countries, with the UK National Health Service, Spanish phone company Telefónica and German state railways among those hardest hit. OilRig APT attacks conducted by a Iran-linked APT group, using a significantly more advanced malware toolkit, have been used to compromise critical infrastructures such as banks, airlines and government entities in a range of countries, including Saudi Arabia, Qatar, United Arab Emirates, Turkey, Kuwait, Israel, Lebanon and the United States. Another wave of ransomware attacks (called Petya; NotPetya; Nyetya; Goldeneye; GrandCrab) were also reported over the last two years, infecting networks in multiple countries, like the US pharmaceutical company Merck, Danish shipping company Maersk, and Russian oil giant Rosnoft. In most cases, in order for the adversaries to achieve their goal; they targeted the organizations’ interconnected infrastructures as a means of targeting the broadest audience for their malware as possible. Obviously, the impact of a compromised CII can extend far beyond the corporate boundaries, putting not just individual organizations but also their dependent entities at risk.
As a response to such increasingly hostile environment, there have been some efforts to support CIIs. In 2013 the House of Representatives in the USA released the National Cybersecurity and Critical Infrastructure Protection Act establishing the framework for enhancing cybersecurity and critical infrastructure protection including real-time, integrated, and operational actions to protect from, prevent, mitigate, respond to, and recover from cyber incidents. In 2016, the Commission introduced the E.U. Directive NIS 2016 that enforces all CIIs to report to an appropriate Computer Security Incident Response Team (CSIRT) any incident having substantial impact on the provision of their services. Unfortunately, these efforts mostly focused on providing just the legal basis and creating an assurance framework for boosting the cyber security culture across sectors which are vital for the EU economy and society and moreover rely heavily on ICTs (e.g. energy, transport, water, banking, healthcare, digital, financial market infrastructures). Nevertheless, we still lack appropriate approaches that support and facilitate swift and effective cooperation among the CIIs entities in terms of exchanging specific cybersecurity incidents information and sharing information about risks and threats. In addition, there has been a lack of innovation to capture and correlate events and information associated with cyber-attacks in CIIs. In addition, the available security information and event management solutions lack significant reactive and post-incident capabilities for managing incidents and events in the scope of the ICT-based CIIs providing inadequate technical guidance to the incident response professionals on how to detect, investigate and reproduce attacks. As such, and despite the socio-economic importance of tools and techniques for handling incidents there is still no easy, structured, standardized and trusted way to manage and forecast interrelated, cybersecurity incidents in a way that takes into account the heterogeneity and complexity of the CIIs and the increasingly sophisticated types of attacks. Therefore, there is a pressing need for devising novel systems for efficient CIIs incident handling and support thorough and common understanding of cyber-attack situations in a timely manner.
CyberSANE proposes a state of the art solution that improves the detection and analysis of cyber-attacks and threats on CIIs and increases the knowledge on the current cyber threat landscape. Additionally, CyberSANE supports human operators (such as Incident Response professionals) to dynamically increase preparedness, improve cooperation amngst CIIs operators, and adopt appropriate steps to manage security risks, report and handle security incidents. Moreover, CyberSANE is fully in-line with relevant regulations (such as the GDPR and NIS directive), which requires organizations to increase their preparedness, improve their cooperation with each other, and adopt appropriate steps to manage security risks, report and handle security incidents.