H2020 CYRENE Project: Certification of the security and resilience of supply chain services
- Type Project
- Status Completed
- Execution 2020 -2023
- Assigned Budget 4.992.750,00 €
- Scope European
- Main source of financing H2020
- Project website CYRENE project
Managing supply chain (SC) activities is becoming increasingly complex. One reason for this is the lack of an integrated system for security officers and operators to protect their interconnected critical infrastructure and cyber systems in the new digital age. The EU-funded CYRENE project seeks to improve the security, privacy, resilience, accountability, and reliability of supply chains through a novel and dynamic Conformity Assessment Process (CAP) that assesses the security and resilience of SC services.
The CAP also assesses the interconnected IT infrastructures that make up these services and the individual devices that support SC operations. A new collaborative, multi-level, evidence-based approach to risk and privacy assessment will be validated under realistic scenarios and conditions involving real SC infrastructures and end users.
CYRENE began by collecting legal and security requirements for supply chain services (SCS). Security requirements were gathered from SCS stakeholders (both project partners and external stakeholders, via online questionnaires), while legal requirements were collected by the consortium's legal partner. The requirements were categorized, analyzed, and reported. This analysis led to the specification of the conformity assessment/certification scheme and of the conformity assessment process, defined as a stepwise, multi-level, evidence-based evaluation carried out between different actors (auditors, assessors, supply chain service providers, administrators, and security officers) under hierarchical access control rights. In addition, ontological models were developed for infrastructure dependencies and events, covering hardware and software assets, threats, vulnerabilities, cyber-dependencies, actors and their interactions, together with algorithms for the cascading effects of threats, risks, and vulnerabilities.
An architecture for the platform that will support the conformity assessment process was also defined. Completion of these deliverables marked the fulfillment of the project's first three milestones: MS1, MS2, and MS3. Subsequent work focused on the design and implementation of the prerequisites (assets, vulnerabilities, supply chain services, and business processes in a CVSS 3.1-compliant relational database schema) needed for horizontal risk calculations across interconnected supply chains involving multiple actors (supply chain providers, auditors, and assessors). Automated crawling services were designed and implemented to collect and extract information from the dark web, and a data pipeline was built for processing, curation, storage, graphing, and text analysis of that data. Machine learning was used to classify collected text by its relevance to cyberattacks, illegal activities, and emerging events detected on dark web forums, marketplaces, and sites.
The Threat Intelligence Sharing Platform was used to match and classify terms extracted from the dark web against cyber concepts correlated with cybersecurity incidents and malware. The technologies needed to integrate the modules developed so far were also set up: a GitLab repository through which module code is delivered to the integration system, and integration components such as a Kafka broker, Elasticsearch, and Keycloak for secure access.
A Redmine environment has also been set up for issue reporting and for tracking project activities. Continuous integration runs in the same GitLab environment: for each iteration, a process runs the tests and deploys the code from the repository. Finally, a template has been distributed to gather the information that will define the testing scheme for the individual modules and for the integrated system. Work Package 5 also covers the design of the experimentation methodology, including templates that guide the design of the experiments to be carried out in Work Package 6.
CYRENE addresses the problem of assessing and certifying the security and resilience requirements of Supply Chain Services (SCS). To this end, the project provides services, building blocks, and components for an enhanced Risk Assessment (RA) process that can also serve as a Conformity Assessment (CA) process to evaluate security threats and vulnerabilities, as well as to assess the security and resilience of SCSs and their security objectives.
An important innovation of the project is the dual use of the Risk and Conformity Assessment (RCA) methodology. It can be used by individual SCS providers and business partners to assess and manage SCS risks and to generate SCS Protection Profiles (PPs, i.e., security declarations). It can also be used by external auditors and certification bodies to assess the cybersecurity objectives and requirements of an SCS and the validity of its PP declarations. The CYRENE certification scheme is an extension of ENISA's EUCC. In addition, the project is developing a platform and a set of complementary tools to support the certification process.
The certification process, scheme, and toolkit will be validated in two real-world trials. The results of the trials will inform the development of a set of best practices. Modern supply chains are of paramount importance, as they underlie almost every activity in modern societies. Their proper functioning is essential, while their disruption often has profound social, economic, and political impacts. Certifying the security and resilience of supply chain services increases consumer confidence and contributes to a competitive and trustworthy Digital Single Market.
CYRENE's objectives are:
- Create customized, risk-based security and privacy certification schemes for trusted, ICT-based supply chain services.
- Develop a novel, dynamic cybersecurity risk and compliance assessment process that supports different types of compliance assessments.
- Develop a certification scheme for supply chain services.
- Specify modeling and simulation services to dynamically predict, detect, and prevent cybersecurity and privacy risks in the supply chain, and define mitigation strategies.
- Validate the CYRENE solution by applying it to real-world supply chain services.
- Develop best practices and improved standards for risk assessment and certification of supply chain services.
- Contribute to strengthening the EU's cybersecurity capacity and addressing future cybersecurity challenges.
Despite the tremendous socioeconomic importance of supply chains (SCs), security actors and operators still lack an easy and integrated way to protect their critical infrastructures (CIs) and interconnected cyber systems in the new digital age. CYRENE's vision is to improve the security, privacy, resilience, accountability, and reliability of SCs through the provision of a novel and dynamic Conformity Assessment Process (CAP) that assesses the security and resilience of supply chain services, the interconnected IT infrastructures that comprise these services, and the individual devices that support SC operations.
To meet its objectives, the proposed CAP relies on a collaborative, multi-layered, evidence-based risk and privacy assessment approach that supports SC security officers and operators at different levels in dynamically recognizing, identifying, modeling, and analyzing advanced persistent threats and vulnerabilities, as well as in managing daily cybersecurity and privacy risks and data breaches. CYRENE will be validated under realistic scenarios/conditions involving real-life supply chain infrastructures and end-users. Furthermore, the project will ensure the active engagement of a wide range of external stakeholders as a means of developing a broader ecosystem around the project's outcomes, laying the groundwork for CYRENE's large-scale adoption and global impact.
The following project deliverables have advanced the state of the art:
- The Conformity Assessment/Certification Scheme: The proposed scheme extends ENISA's EUCC (Cybersecurity Certification Scheme) and focuses on complex, interconnected supply chain services, which are modelled in three abstraction layers: business processes, interconnected infrastructures, and digital assets. The resulting highly diverse ecosystem of actors, processes, and supporting technologies is the Assessment Target, for which conformance requirements are expressed to ensure its security and resilience.
- The Risk and Conformity Assessment (RCA) Process and the Multi-Level Evidence-Based Supply Chain Risk Assessment: The methodology specifies the steps of an RCA process and the functions, formulas, and calculations required to perform a collaborative SC risk assessment across different organizations and roles. The steps cover the stakeholders involved in the collaborative process, the roles and authorizations of each stakeholder, and the collaborative workflows associated with the assessment and simulation processes. The process has a dual purpose: SCS stakeholders can use it to assess their part of the supply chain and formulate security claims, and external assessors and certification bodies can use it to certify the claims that have been stated.
- The CYRENE Ontology for Infrastructure Dependencies and Events: The ontology models the relationships between SC assets and their cyber dependencies as they participate in business processes. Business processes comprise supply chain services, in which organizations and individuals with various roles participate with different hierarchical access rights.
- MAGGIOLI SPA (MAGGIOLI)