Safeguarding critical information infrastructures
Increasing digitalisation has had a tremendous positive impact on the efficiency and effectiveness of public and private organisations. At the same time, it has exposed Europe’s critical infrastructures to continuously evolving cyber threats of growing sophistication. These critical infrastructures, whose disruption or destruction would have a serious negative impact on society, are increasingly referred to as critical information infrastructures, and they are vital in fields including energy, transport, health and defence. The EU is taking note and taking action, increasing funding for related research such as the EU-funded CyberSANE project. That funding has led to a holistic, centralised platform for managing the cybersecurity incidents of critical information infrastructures, covering protection, identification, response and recovery.
A one-stop shop for security incident handling
According to project coordinator Luis Ribeiro of PDMFC: “The CyberSANE platform integrates five modular tools with a central engine that coordinates the core platform. LiveNet is used to monitor, analyse and visualise an organisation’s internal live network traffic in real time. DarkNet monitors the deep web, including the dark web, to analyse and evaluate global malware/cybersecurity activities. HybridNet receives information on potential cyber threats from both LiveNet (internal) and DarkNet (external) to analyse and evaluate the security situation inside an organisation. ShareNet disseminates incident-related intel to stakeholders. PrivacyNet provides privacy and data protection capabilities, among others.” The CyberSANE tools use incident-handling algorithms that are aligned with the MITRE ATT&CK® taxonomy. The tools can be integrated with multiple cybersecurity tools and devices, such as firewalls and intrusion detection and prevention systems. The platform summarises the current and past security situation in a straightforward way and provides high-level and lower-level dashboards that help stakeholders get a handle on the current situation quickly, across all security incident handling phases. Trainable AI models help reduce false positives. Overall, “the CyberSANE platform enables rapid information exchange, harmonisation of information security management systems with partners and sharing of incidents to help avoid new attacks,” explains Ribeiro.
Security incident handling: real-world validation
The CyberSANE platform was piloted in real-world conditions in the areas of cargo container transportation; solar energy production, storage and distribution; and real-time hospital patient monitoring and management. A look at one of the pilots illustrates the system’s use and utility. The Port of Valencia in Spain is Europe’s sixth largest port by traffic volume and the Mediterranean’s most important import, export and trans-shipment port, and numerous services there are automated. In the pilot scenario, LiveNet detected malware installations. DarkNet searched related terms for information relevant to the attack. HybridNet detected access from an unknown, suspicious IP address. ShareNet shared the incident to avoid the same attack on other infrastructures, and PrivacyNet executed data anonymisation functions.
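To make the pilot flow concrete, here is an added illustration (not CyberSANE code, and not part of the original article) of the HybridNet-style correlation and PrivacyNet-style anonymisation steps: internal sensor events and external intel are combined, events matching known malware or originating outside the organisation's address ranges are tagged with an ATT&CK tactic, and identifying fields are keyed-hashed before the record is shared. The event records, intel entry, address ranges and the tactic mapping are all constructed for this example.

```python
import hashlib
import ipaddress

# Constructed: the organisation's own address ranges (anything else is "unknown").
KNOWN_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed: external (DarkNet-style) intel keyed by malware file name.
DARKNET_INTEL = {"evil-loader.exe": "loader advertised on underground forums"}

# Constructed: internal (LiveNet-style) sensor events.
LIVENET_EVENTS = [
    {"host": "crane-ctrl-07", "src_ip": "10.20.4.15", "event": "process_create",
     "file": "evil-loader.exe"},
    {"host": "gate-portal", "src_ip": "198.51.100.23", "event": "login_success",
     "user": "admin"},
    {"host": "gate-portal", "src_ip": "10.20.1.9", "event": "login_success",
     "user": "operator"},
]


def is_known_source(ip_str, known):
    """True if the source address falls inside one of the organisation's ranges."""
    addr = ipaddress.ip_address(ip_str)
    return any(addr in net for net in known)


def correlate(events, intel, known):
    """HybridNet-style step: join internal events with external intel and
    return only the events that warrant an incident, each tagged with an
    ATT&CK tactic (assumed mapping for this example)."""
    incidents = []
    for ev in events:
        tactic = None
        if ev["event"] == "process_create" and ev.get("file") in intel:
            tactic = "Execution"        # malware installation seen by the sensor
        elif ev["event"] == "login_success" and not is_known_source(ev["src_ip"], known):
            tactic = "Initial Access"   # successful login from an unknown address
        if tactic:
            incidents.append({**ev, "tactic": tactic, "intel": intel.get(ev.get("file"), "")})
    return incidents


def anonymise(incident, salt=b"constructed-salt"):
    """PrivacyNet-style step: replace identifying fields with truncated keyed
    hashes so the record can be shared without exposing hosts, users or IPs."""
    shared = dict(incident)
    for key in ("host", "src_ip", "user"):
        if key in shared:
            shared[key] = hashlib.sha256(salt + shared[key].encode()).hexdigest()[:16]
    return shared
```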
Automation and integration with major impact
“The CyberSANE system has exceeded expectations in terms of automation and streamlining of incident handling processes via integration of its modules and tools. This will have numerous benefits, including increasing efficiency, reducing incident response time and the risk of human error, improving collaboration and improving decision-making,” adds Ribeiro. CyberSANE can be deployed cloud-based, as software as a service, or on premises, with a monthly or annual subscription or a perpetual licence. The highly ambitious CyberSANE project and its outcomes are ready to keep our critical information infrastructures secure – and European society functioning without disruption.
Keywords
CyberSANE, cybersecurity, critical information infrastructures, security incident handling, automation, critical infrastructures, AI, dark web, MITRE ATT&CK