RESIlience enhancement and risk control platform for communication infraSTructure Operators

Periodic Reporting for period 3 - RESISTO (RESIlience enhancement and risk control platform for communication infraSTructure Operators)

Reporting period: 2020-05-01 to 2021-10-31

Communications play a fundamental role in the economic and social well-being of citizens. Most existing CIs rely on communication infrastructures; therefore they are a primary target for cyber-criminals, physical attacks and even more coordinated cyber-physical events. Extreme weather events and natural disasters also represent a challenge due to their increase in frequency and intensity. This requires smarter resilience of the Communication CIs, which are extremely vulnerable due to the ever-increasing complexity of their architecture. The fact that most enterprises still manage physical and cyber security systems independently represents a further source of vulnerability.
The RESISTO platform aims to be an innovative solution for holistic (physical/cyber) CI situation awareness and enhanced resilience. Based on integrated Risk and Resilience analysis management, RESISTO implements an innovative Decision Support System to protect from combined cyber/physical threats, exploiting improved correlation of cyber/physical data, integrated threat propagation modelling, and the Software Defined Security model.

The following objectives are foreseen:
• Help managers of Communication CIs to guarantee improved business and asset continuity, delivering an innovative platform for optimized decision support in the face of physical, cyber and combined cyber-physical threats.
• Develop an Integrated Risk and Resilience analysis and management tool that takes account of cyber and/or physical threats and disruptions jointly at the level of telecommunication service functions and performance functions.
• Provide, experiment and assess a suite of innovative cyber/physical security solutions for prevention, protection, detection and reaction that can deliver unprecedented cost-effective performances in a holistic technology framework.
• Support a progressive adoption path for the RESISTO platform and services through extensive validation in relevant use cases.
• Contribute to the European Programme for Critical Infrastructure Protection and to the objectives of the Cybersecurity Strategy of the European Union.

Despite the pandemic emergency, most of the project's objectives have been achieved: all the RESISTO components have been developed and integrated, and several scenarios were defined and implemented. The pilots demonstrated how the RESISTO platform can detect, identify and mitigate many combined events, highlighting the added value of the RESISTO system compared to conventional security systems, which are unable to correlate physical and cyber threats.
During the first year of the project, system engineering activities were carried out: Telco operators' needs were translated into coded system requirements and the system architecture was defined. The main sub-systems were designed: the Long Term Control Loop, in charge of off-line Risk and Resilience assessment and management, and the Short Term Control Loop, in charge of the run-time activities to detect, react to and mitigate threatening events.
During the second year, 9 use cases were defined to test and demonstrate the performance of the RESISTO platform. New detection systems, for both cyber and physical events, and the RESISTO correlator have been developed. Concerning the prediction capabilities, the CISIApro system has been improved and adapted to the specific complexity of a distributed telecommunication system. These elements have been integrated and the corresponding outcomes reported to the user through the Leonardo SC2 platform. Use case environments have been consolidated and testbeds implemented.
During the last period, each pilot was executed according to a two-phase (two-run) approach. The first run results allowed us to target early flaws and challenges. In the second run, a more mature and stable version of the pilots was tested.

Overall, despite the heterogeneity of the use cases, a few common conclusions can be highlighted:
• the RESISTO system managed to correlate events using data from a wide variety of sensors (both cyber and physical), to identify and assess potential cascading effects, and to suggest appropriate mitigation actions, assisting network operators to cope with the scale and complexity of new advanced threats
• KPI measurements showed that the risk predictor and the correlator provided adequate performance
• RESISTO proved to be a reliable solution to enhance network security, complementary to traditional solutions, particularly for combined cyber-physical attack scenarios.

The RESISTO platform, which reached TRL 7, fits most of the key success factors identified for the CI protection market: a proper exploitation strategy has to be implemented, leveraging the most promising Key Exploitable Results (KERs). The main drivers are expected to be the LEs (Leonardo and Ericsson) and TELCOs (Telecom Italia, British Telecom, OTE Group, Orange Romania, Altice Labs, Retevision) given their customer base, financial strength and organization. The best market opportunities are represented by the widespread adoption of 5G and associated investments by the TELCOs, and the more than 700 billion stimulus packages put in place by the EU Commission through the Recovery & Resilience Facility.
In the last period the dissemination activities were carried out more extensively to cover a broader audience: the consortium produced 16 scientific contributions, participated in 7 conferences and 4 workshops, organized 2 workshops and 1 conference, published 3 newsletters, produced 3 videos, and co-organized 2 events with other EU projects. Over 2500 people, including scientific communities, industry, the general public, and policy makers, were reached by these actions.
The progress Beyond State of The Art can be summarized as follows:
• Innovative tools, concepts, and technologies to face, in a unified approach, physical, cyber and combined physical/cyber threats to Communication CIs
• An integrated framework to cover off-line Identification and Prevention activities as well as Detection, Reaction and Mitigation on-line activities
• An approach applicable to different kinds of CIs and, most importantly, able to address physical/cyber threat protection of interconnected CIs such as those providing public services
• A modular framework based on versatile technologies easily adaptable
• Innovative physical and cyber threatening events detectors.

The RESISTO results are aligned with the New EU Cybersecurity Strategy to make physical and digital critical entities more resilient. A series of best practices is recommended:
• A consistent and scalable framework, composed of processes and software recommendations, is meant to help telecommunication operators to improve the assessment of specific vulnerabilities in their network assets
• Traceable methods for assessing the cascading effects of (at minimum) such threats as those described in the RESISTO test scenarios
• A means of objective representation of resilience indicators that applies to most telecommunication operators
• A liability framework: a system such as RESISTO that models and simulates cascading effects and recommends mitigation actions should have clear policies that are reliable when the results cause damages and harm.
• Further research is needed for automating recommended mitigation actions such as using SDN to automate security, common message formats, etc.