Periodic Reporting for period 2 - CYRENE (Certifying the Security and Resilience of Supply Chain Services)
Reporting period: 2022-04-01 to 2023-09-30
The importance of modern supply chains cannot be overstated, as they underlie almost every activity of modern societies. Their smooth operation is a top requirement, whereas their disruption typically has a profound societal, economic and political impact. Certifying the security and resilience of supply chain services increases the confidence of consumers and contributes to a competitive and trustworthy Digital Single Market.
The objectives of CYRENE are:
- Create tailored and risk-based security and privacy certification schemes for trusted supply chain services powered by ICT systems.
- Develop a novel dynamic cybersecurity risk and conformity assessment process to support different types of conformity assessment.
- Develop a certification scheme for supply chain services.
- Specify model and simulation services to dynamically forecast, detect and prevent supply chain cyber security and privacy risks and define mitigation strategies.
- Validate the CYRENE solution through its application to real SC services.
- Develop Best Practices and Standards Enhancements for supply chain service risk assessment and certification.
- Contribute towards strengthening the EU's cybersecurity capacity and tackling future cybersecurity challenges.
Further work focused on the design and implementation of the prerequisites (i.e. assets, vulnerabilities, supply chain services and business processes in a relational database schema compliant with CVSS 3.1) to facilitate the horizontal calculation of risks between interconnected supply chains that involve multiple actors (i.e. supply chain providers, auditors and assessors).
Automatic crawling services were designed and implemented to collect and mine information from the dark web. Similarly, a data pipeline for data processing, curation, storage, graph and text analytics was implemented. Machine Learning has been employed to classify text according to the relevance of its content to cyber-attacks, illegal activities and emerging events detected in dark web forums, marketplaces and sites. The Threat Intelligence Sharing Platform has been used to bind and classify the extracted terms from the dark web into cyber concepts correlated with cyber security incidents and malware.
Appropriate technologies have also been set up to allow successful integration of the aforementioned modules. They include a GitLab repository for uploading relevant module code to the integration system and a number of integration tools such as a Kafka broker, Elasticsearch, and Keycloak for secure access. Additionally, the Redmine environment has been set up for issue reporting and tracking of project activities. The continuous integration tasks use the aforementioned GitLab environment as the code repository for the pipeline that runs the tests and deploys the code for every iteration. Finally, a template for information collection that will lead to the testing scheme for the individual modules as well as the integrated system has been circulated. Moreover, WP5 activities include the design of the experimentation methodology, with the creation of appropriate templates to lead to the actual design of the experiments to take place in WP6.
The Conformity/Certification Assessment Scheme: The proposed scheme extends ENISA's EUCC (Cybersecurity Certification Scheme) and focuses on complex interconnected supply chain services, which are viewed at three abstraction layers, namely, business processes, interconnected infrastructures, and digital assets. The resulting highly diverse ecosystem of actors, processes, and supporting technologies is a Target of Evaluation for which conformity requirements are expressed for ensuring its security and resilience.
The Risk and Conformity Evaluation (RCA) Process & Multi-Level Evidence-Driven Supply Chain Risk Assessment: The methodology has specified the steps of an RCA process and the functions, formulas and computations that are required to perform a collaborative SC risk assessment across different organizations and roles. The steps include the stakeholders involved in the collaborative process, the roles and authorizations of each stakeholder, and the collaboration workflows associated with the assessment and simulation processes. The process serves a dual purpose: it may be used by SCS stakeholders to assess their part of the supply chain and formulate security claims, but it can also be used by third-party assessors and certification bodies to certify the expressed security claims.
The CYRENE Ontology for Infrastructure Dependencies and Events: The ontology models the relations among SC assets and the cyber dependencies between them when they participate in business processes. The business processes compose supply chain services in which organizations and people with various roles participate with different, hierarchical access rights.