EDF-2022-RA-CYBER-CSACE: Adapting cyber situational awareness for evolving computing environments
An increasing number of malicious actions targeting governmental and strategic systems occur in cyber space. New or improved solutions, technologies and applications for enhanced cyber situational awareness (CSA) are essential to counter these threats. To address evolving and more complicated activities in cyberspace, including challenges that arise due to the ongoing evolution of battlefield network and systems, decision makers and Security Operation Centre (SOC) operators need the most updated CSA related to cyber threats, in real time, gathering internal and external cyber information. CSA denotes the capability for a decision-maker to know what is going on in the cyber domain in order to be able to make informed decisions and adequately respond to incidents.
CSA needs to be supported by technology to collect, correlate and fuse the many sources of data, of differing nature (e.g., network, mission, open-source intelligence, structured and unstructured threat awareness), to provide the necessary information so that human decision-makers can assimilate the situation. Cyber threats continue to grow in complexity and scope, with new and evolving threats arising from advancing adversary campaigns and tactics, while the volume and diversity of cyber threat intelligence grows all the time. This poses challenges for human operators in visualising and comprehending the variety and volume of information produced by dynamic and fragmented networks and systems in a battlefield context. The evolving computing challenges will require improved mission awareness capabilities through Cyber Threat Intelligence (CTI), establishing interfaces with sources of information considered relevant for the planning and conduct phases of an operation in order to provide real-time mission information at the correct level of granularity to the common operational picture (COP).
The overall goal is to explore novel concepts and operational opportunities for providing the Commander with essential intelligence about the adversary, their capabilities and objectives, while operating in and through cyberspace. CTI enhanced with a Semantic Threat Enrichment module, able to analyse data coming both from public repositories and from the dark web to generate Indicators of Compromise (IoCs) and Indicators of Attack (IoAs), will support Cyberspace Operations.
The proposals are expected to develop novel solutions leveraging full-spectrum cyber defence (physical, logical, cyber persona) from an adversary-focused perspective. The proposals are expected to aim at CSA-supporting technology with a view to providing the technical information elements needed to process vast amounts of information and produce operational pictures from the tactical level up to COPs, as well as other technical artefacts for use by decision-makers in need of CSA. This includes the creation of graphics such as timelines, histograms or relationship graphs, personalised dashboards, and reports according to the responsibilities of each user. Special attention shall be paid to interoperability and collaboration with existing solutions at Security Operations Centre (SOC), Network Operations Centre (NOC) and Computer Emergency Response Team (CERT) level, where duplication of effort is to be avoided.
The proposals are expected to cover state-of-the-art technologies. Enhanced situational awareness information handling and visualisation systems are expected to be capable of presenting overarching views of the battlefield environment through COPs, via exportable data modules of logical information that are interoperable with other operational pictures, whether on land, at sea, in the air or in space. They should take into account the ongoing evolution of C2 military systems towards the Internet of the Military Things (IOMT) scenario, which poses additional complexity, and withstand a massive attack on critical battlefield systems.
The proposals must include studies and design. The proposals may include knowledge generation and knowledge integration activities.
The following tasks must be performed as part of the required activities:
- Development of a number of typical user scenarios based on stakeholder needs. This entails analysis of battlefield IOMT technology requirements and their impact on the collection, correlation and presentation of information. It will include advances in organisational, leadership and human training capability aspects, taking into consideration human-machine interfaces and performance optimisation in, e.g., cyber SOCs.
- The use of the digital twin concept and human factors analysis to improve operator information acquisition and processing by enhancing current COP artefact technologies. Digital twins can help overcome the constraints of operational technology (OT), namely the need for it to remain continuously operational and the fact that it often provides only limited in-depth analysis capabilities. Digital twins can run in parallel to their physical counterparts and allow inspection of their behaviour without the risk of disrupting operational services.
- Development of different hierarchical models to support IOMT mission awareness. These should establish means of aggregating dependency information to propagate only mission relevant, abstracted information rather than entire network configurations. Moreover, these systems must be able to exchange dependency information between and across federated IoT systems from different organisations/trust domains.
- Design of an AI multi-stage (i.e., multiple kill-chain steps) attack detection architecture that maps AI-based anomaly detection models onto the distributed enterprise. This will enable efficient temporal and spatial correlation of the event streams from different endpoints. This is expected to exceed the performance of conventional centralised security systems through improved detection of cross-network attacks and greatly reduced data communication. Moreover, it is essential to integrate threat modelling and sharing with attack detection to achieve efficient real-time detection using AI.
- The use of federated learning to create a collaborative intrusion detection system (CIDS) to enhance the inter-domain sharing of mission-oriented CTI as well as remove many of the trust and privacy issues associated with CTI sharing. In this approach no actual alerts are shared, rather the AI model parameters are shared. This will ensure that there is no leakage of sensitive network, organisational or personal information. Moreover, the CIDS pattern can be implemented within a single organisation through judicious partitioning.
- The use of digital ledger technologies to facilitate more dynamic and incentivised mission-oriented CTI sharing and analysis between organisations, as well as to increase trust in the sharing of intrusion model parameters between cross-domain federated learning entities, will be investigated.
The following tasks may be performed as part of the eligible activities:
- linking observed tactics and techniques to specific Advanced Persistent Threat (APT) behaviour, which may assist with adversary characterisation and identification;
- use of deception technologies, including decoys, both for monitoring the threat landscape and attackers’ behaviour, and for intrusion detection. Particular attention should be paid to ensuring that the data from such systems can be presented in useful ways and integrated with other sources of information;
- use of machine learning.
The proposals must substantiate synergies and complementarity, and avoid unnecessary duplication, with projects awarded under EDIDP calls for proposals.
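As an added illustration of the federated-learning CIDS task above (this sketch is not part of the EDF call text), two trust domains each train a logistic-regression intrusion detector on their own constructed flow records and share only the model weights with an aggregator, so no alert or raw record leaves a domain. The domain names, the feature layout and all records are assumptions of the example; it also shows that a domain which has never observed a given attack type cannot learn its feature on its own, while the federation can.

```python
"""Federated averaging (FedAvg) for a collaborative intrusion detection system.

Illustration added to the call text, not project code. Each record is
[bias, failed_logins, new_ports] with both features scaled to [0, 1];
all records below are constructed sample data.
"""
import math

# Domain A has only ever observed credential-stuffing style traffic (new_ports always 0).
DOMAIN_A = [
    ((1.0, 0.0, 0.0), 0), ((1.0, 0.1, 0.0), 0), ((1.0, 0.2, 0.0), 0),
    ((1.0, 0.8, 0.0), 1), ((1.0, 0.9, 0.0), 1), ((1.0, 1.0, 0.0), 1),
]
# Domain B has only ever observed port-scan style traffic (failed_logins always 0).
DOMAIN_B = [
    ((1.0, 0.0, 0.0), 0), ((1.0, 0.0, 0.1), 0), ((1.0, 0.0, 0.2), 0),
    ((1.0, 0.0, 0.8), 1), ((1.0, 0.0, 0.9), 1), ((1.0, 0.0, 1.0), 1),
]


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def logit(weights, x):
    return sum(w * xi for w, xi in zip(weights, x))


def local_train(weights, records, epochs=200, lr=1.0):
    """Full-batch gradient descent on one domain's private records.
    Only the resulting weight vector is exported; the records never are."""
    w = list(weights)
    n = len(records)
    for _ in range(epochs):
        grad = [0.0] * len(w)
        for x, y in records:
            err = sigmoid(logit(w, x)) - y
            for i, xi in enumerate(x):
                grad[i] += err * xi / n
        w = [wi - lr * g for wi, g in zip(w, grad)]
    return w


def fed_avg(updates, sizes):
    """Aggregator: average the domains' weight vectors, weighted by record count."""
    total = sum(sizes)
    return [sum(u[i] * n for u, n in zip(updates, sizes)) / total
            for i in range(len(updates[0]))]


def is_alert(weights, x):
    return logit(weights, x) > 0.0


def run_federation(rounds=10):
    """FedAvg loop: broadcast global weights, train locally, average the updates."""
    global_w = [0.0, 0.0, 0.0]
    for _ in range(rounds):
        w_a = local_train(global_w, DOMAIN_A)
        w_b = local_train(global_w, DOMAIN_B)
        global_w = fed_avg([w_a, w_b], [len(DOMAIN_A), len(DOMAIN_B)])
    return global_w


# Constructed test events never seen during training.
CRED_STUFFING = (1.0, 0.9, 0.0)
PORT_SCAN = (1.0, 0.0, 0.9)
BENIGN = (1.0, 0.05, 0.05)

if __name__ == "__main__":
    alone_a = local_train([0.0, 0.0, 0.0], DOMAIN_A)
    shared = run_federation()
    print("Domain A alone flags port scan:", is_alert(alone_a, PORT_SCAN))
    print("Federated model flags port scan:", is_alert(shared, PORT_SCAN))
```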
Proposals should meet the following functional requirements:
- Definition of a number of use-case scenarios to test the
- Development of proof-of-concept implementations to verify the
- Design of a cyber-range-based environment simulation to both generate representative data sets to validate the AI models and to provide a testbed to evaluate the overall
The outcome is expected to contribute to:
- Better understanding of how CTI along with future technology will be able to support an analyst’s build-up and conservation of a high level of CSA.
- Improved visualisation metaphors and information handling processes arising from IOMT scenarios.
- Improved CSA management through simulation capabilities provided by digital
- Improved mission-to-asset awareness for IOMT supported mission
- Increased CTI sharing due to use of federated learning to prevent leakage or need to share sensitive information.
- Better understanding of the use of distributed anomaly detection in single-organisation constituencies, as well as of the effectiveness of collaborative intrusion detection in improving attack detection.
EDF-2022-DA-CYBER-CIWT: Cyber and information warfare toolbox
The continuously and rapidly increasing flow of information in the information environment, facilitated through cyber capabilities, is a well-established fact. We are witnessing an increasing number of malicious actions targeting the information environment. In the increasingly digitalised battlespace, the Cyber and Information domains become decisive for anticipating and managing conflicts across the full spectrum of threat activities, from sub-threshold interference to open warfare.
Threats posed by new and evolving cyber and hybrid tools (e.g., disinformation, deep fakes) are fully part of Cyber and Information Warfare. These threats need to be addressed with appropriate holistic resilience measures, including detection and appropriate countermeasures. Cyber and Information Warfare system performance, in terms of total defence effectiveness and cooperation in cyber defence as referred to in the EU Capability Development Plan Priorities, could be improved.
Proposals are expected to address the development of a coherent European library of software-configurable components that can easily be integrated into Cyber and Information Warfare systems. This requires capabilities in detection, analysis, fusion and threat targeting to support the activities of Cyber and Operational Centres for operational use cases (e.g., attacks against deployed forces in operations; attacks aiming to destabilise one and/or several European countries). Various relevant technologies processing multi-source data for Cyber and Information Warfare operations need to be addressed. In addition, enabling items such as standardisation, data exchange rules, multi-source fusion applications, AI-based analytics, and methods and tools for integration and qualification in defence systems should be covered. The disinformation phenomenon also includes cultural and social aspects (so-called “social science & humanity”) that may be studied by multidisciplinary teams to provide a holistic perspective.
The outcome is expected to become both a reference repository of AI-based configurable applications and an experimental platform for the various AI techniques addressing the specificities of Cyber and Information Warfare (for example disinformation tracking applications).
The proposals must include design and prototype activities. The proposal may include studies, testing, qualification, certification, and increasing efficiency activities.
The following tasks must be performed as part of the required activities:
1. Define a toolbox concept that enables the use/implementation of hardened AI techniques, including rules, methods and tools to develop, integrate, orchestrate and share configurable assets (data, modules, analytics, applications, etc.) for Cyber and Information Warfare systems;
2. Provide standardisation and interoperability recommendations;
3. Functional analysis of typical scenarios covering use cases that will be implemented to support Toolbox demonstrations, such as:
- Attacks against deployed forces in operations;
- Attacks of hybrid nature below the threshold of conventional warfare against critical entities and functions in whole-of-society, including defence and military.
4. Operational concept of usage, including use of AI and efficient situation awareness tools, consistency with rules of engagement (RoE), management of counterintelligence, and trustworthiness;
5. Algorithm prototyping, implementation and verification, including the data sets and metrics to be used to do so for the purpose of the above use cases;
6. Development tools, including algorithm insertion, integration in the demonstration environment and running of demonstrations to illustrate the use of the Toolbox for the two use cases above.
The proposals must substantiate synergies and complementarity with general command and control processes and functions, avoiding unnecessary duplication with projects previously awarded.
The following task may be performed as part of the activities:
- Studies regarding the societal and cultural impact of disinformation and (blue & red) state-led communication campaigns.
The proposals could benefit from frameworks or results coming from previously awarded projects, increasing the synergies and effectiveness of the targeted activities.
Proposals should meet the following functional requirements:
I Information Warfare
Developing information manipulation identification, the “Disinformation Tracking” use case (including modelling influence and opinion propagation, user behaviour analysis, community detection in social graphs, detecting disinformation campaigns, and identifying disinformation with a trustworthiness score), in favour of or against Information Warfare Operations in the context of Multi-Domain Operations.
In order to offer situational awareness and support to the decision process, proposals should elaborate on:
- identified threat activities (hostile influencing avatars and groups);
- campaigns with scoring levels such as trust, importance (followers, retweets), severity and friendly targets;
- used artefacts (pictures, texts, video) that can be identified as fake/reused items;
- when possible, additional information providing hints on the physical sources of information operations attacks (e.g., image metadata or details, IP addresses, etc.);
- identification of “archetypes or patterns” of fakes to increase interception capabilities, both through a ‘humanities’ and a ‘technology’ approach;
- interactions with other sources of information, such as open source and human intelligence (OSINT, HUMINT), that could be related to operations in the cyber domain and used for optimisation and synchronisation.
II Emerging Technologies
Proposals should identify emerging technologies that can be applied to automatic image/video/text entity extraction/indexing/classification/fusion and be subject to further research and development, such as:
- Active Learning (to allow operators to make their own classifiers with their own data)
- Case-based Reasoning (CBR) or other metacognition enablers to create different levels of knowledge abstraction
- Transfer/Frugal Learning (to be able to learn from small amounts of data)
- Hard and Soft Fusion (to fuse data and information from different sensors and sources, including semantic information)
- Explainable AI (to ensure that all AI algorithms are transparent and that the operators can have a look into AI decisions for understanding if needed)
- High precision 3D modelling
- Methods and toolkits for assessing performance and security aspects (ethics guidelines, elimination of biases, compliance with GDPR, system protection, etc.).
- Situational awareness and corresponding decision aids (to track incidents, link them into a campaign, and issue recommendations and alerts).
III Standards and interoperability
To develop and promote assets in the Toolbox, proposals should comply with requirements such as technology standards (API, encapsulation), data exchange and interoperability standards, intellectual property protection, traceability, and authentication.
- Define a set of standards proposals that allow multi-national collaboration, sharing of data and sharing of assets such as machine-learning models for military use.
- Define guidance for the development of AI-based defence projects.
- Contribute to a standards proposal for the integration of new technologies such as AI in Cyber and Information Warfare systems and, more broadly, in defence applications.
- Compile existing standards and contribute to a standards proposal for trustworthy AI in defence.
- Ensure that the project leverages technological capabilities while at the same time addressing the ethical issues involved.
- Explore harmonisation of existing tactics, technologies, and policies.
The outcome is expected to contribute to:
- Optimizing the development and integration of analytics in Cyber and Information Warfare systems with the possibility to decrease cost;
- Increasing the European technological sovereignty in the field of Cyber and Information Warfare applications based on AI;
- Increasing the overall Cyber and Information Warfare system performance, as new technologies will give better results in terms of total defence effectiveness;
- Gains in cost, availability and interoperability by optimizing the development and integration of analytics in Cyber and Information Warfare systems and capitalizing on Cyber and Information Warfare assets at European level.
EDF-2022-DA-CYBER-CSIR: Cybersecurity and systems for improved resilience
Kinetic and digital military operations increasingly rely on computers and networked communications for information gathering, intelligence, coordination and weapon control. As the dependency on digital technologies rapidly grows, so do the potential threats and vulnerabilities. The global community, the military and the battlefield may all be affected by these increasing threats. Furthermore, the Internet of Things (IoT) has become widely integrated into a variety of sectors and industries, offering “ready-made” solutions for surveillance, monitoring, healthcare, and military platforms. Examples of IoT devices are drones, software-defined radios, sensors (cameras, humidity, temperature), TV devices and cars/vehicles. Many IoT solutions are designed primarily for functionality, without being properly secured. As a result, attacks on IoT environments have gained momentum due to the increased attack surface. Therefore, the need for cybersecurity services, including ensuring an appropriate level of control and prevention (e.g., over data, communications, systems), must be addressed.
Currently, many cybersecurity solutions are in use, under development or being researched. However, cyber threats continue to evolve, affecting the systems and services on which today’s community relies.
A test environment is essential to determine how to enhance the security of a system, product or component: it generates effective tests for analysing the system in question and its threat response capability, resulting in forensic dissemination, procedures, and proposals for improved architectures.
Most legacy specialised military systems are not directly vulnerable to the cyber-attacks and malware employed on the open Internet, yet the growing use of ICT/IoT Commercial Off The Shelf (COTS) components and increasing connectivity may increase the likelihood of targeted attacks using the methods, if not the tools, seen in cyber-attacks on the open Internet.
The increasing use of the cyber domain will require defence forces to operate in unexpected scenarios and, consequently, systems to function outside the environments they were designed for.
It is thus essential to understand the extent of the threat, to develop infrastructure to continuously assess security against an evolving threat landscape, and to build resilience by guaranteeing mission assurance even under partial compromise, also through trustworthy hardware, software applications, communication protocols and operating systems.
Proposals are expected to prepare, design and/or demonstrate a Cyber Physical Test lab with hardware and software tools, supported by expertise, focusing on the generation of effective tests for common and relevant Cyber Physical systems, products and components with realistic data from a relevant use case.
It must provide capabilities for cybersecurity analysis of the actual and planned system architecture, including a demonstrated threat analysis of a selected system or component. Based on this analysis, the architecture can be updated in order to increase the security of the system to an appropriate level.
Integrated tools for automated, cost-efficient cyber validation tests based on requirements indicated by international standards may be included. The tools should be able to emulate the system being tested, store detailed configurations, conduct automated testing and validation of military architectures, store the results, and repeat testing periodically in a cost-effective manner, taking into account system reconfiguration and extension during the lifecycle and the updated threat landscape.
The proposals are expected to contribute to enhancing cybersecurity in the critical digital information infrastructure of the Member States and Norway: solutions and services within security, encryption and communication systems, from the strategic to the tactical level.
The proposals must include study and design activities. The proposal may include other eligible downstream activities.
The following tasks should be performed as part of the required activities:
- Phase 1: Perform requirements analysis, development of concepts and procedures, definition of architecture and design a Cyber Physical Test lab with expert hardware and software test tools and integrated tools for validation.
- Phase 2: Implementation and demonstration of a Cyber Physical Test lab with HW & SW test tools that focus on the generation of effective tests, forensic dissemination, procedures and architecture to ensure cybersecurity for common and relevant Cyber Physical systems, products and components, including addressing Digital Twin applications in the military supply chain over the lifecycle.
The final product/ system must be able to analyse the security of a system in order to ensure:
- Data integrity
- Data control
- Data Loss Prevention
- Communications control
- Meta Data control
- Operational control of Cyber Physical components for common and relevant Cyber Physical systems, products and components
- Ability to guarantee mission-essential capabilities even with partial compromise.
The final product (Cyber Physical Test Lab) must comply with existing and foreseen standards, including military standards.
The proposal should support the development of the final product.
The final product (Cyber Physical Test Lab) should meet the following functional requirements:
- Provide physical access to dedicated computers for instrumentation and software development. Part of the Lab may be restricted (classified) according to specific needs deriving from the products and components being tested;
- Generate effective penetration tests to evaluate the security of a system or a component, using state-of-the-art tools;
- Generate customisable network traffic for testing and evaluating systems and solutions, and their security;
- Provide specialised resources for simulating attacks, with an extendable and customisable database of cyber tools for network traffic, services, IoT devices and communications, in a customisable environment with the capability to automate attacks;
- Provide solutions and support to develop and debug embedded systems;
- Perform static analysis of embedded software, in order to improve security in IoT;
- Configure Cyber Physical systems according to appropriate and robust architecture for specific and customised use by Member States and Norway;
- Address the use of Digital Twin applications in the military supply chain over the system lifecycle;
- Monitor and control the communications between cyber physical components, systems, and the external environment through state-of-the-art software;
- Provide a library of procedures to render a component or a system safe to use under specific conditions;
- Create a database with information on the risk of using various components of a system;
- Provide recommendations on risk mitigating techniques and risk management for a system or a component of a system;
- Provide the capability to store the configuration of the systems/components to be tested, enabling efficient periodic testing and, whenever possible, automated setup of the configuration to be tested;
- Provide the capability to store results, a formal description of the system being tested, performed attacks, attack propagation, and the effect on functionalities and services, and to compute a set of KPIs specialised for the different types of technology/solution being tested;
- The lab should be a centralised or federated system. Federation should be used when needed to ease the testing and validation, within a common technical and methodological framework, of components of national interest.
The outcome should have a major impact on the Member States’ and Norway’s economy and cybersecurity cooperation, through:
- Establishing a state-of-the-art test facility and competences, procedures and forensic software for Cyber Critical systems.
- Enabling third-party IoT components to be used in a more secure, effective and economical way in both legacy and novel systems.
- Decreasing the implementation cost and shortening the implementation time of advanced cyber security systems for the cooperating Member States and associated countries.
- Enabling the use of secure third-party components in Cyber Critical systems, leading to increased flexibility and competitiveness for the cooperating Member States and associated countries.
- Contributing to the certification of systems and to the EU Cybersecurity Certification framework, including contributing to enhancing the “security by design” of new systems and identifying threats related to the supply chain.