Digital Security R&D&I in Horizon 2020 - APRE

Post on 29-May-2020

Digital Security R&D&I in Horizon 2020 (and the Workprogramme 2014-2015)

Trust and Security Unit H4

DG Communications Networks, Content and Technology European Commission

Summary

1. Overview

2. LEIT – ICT 32 – 2014: Cybersecurity, Trustworthy ICT

a. Cryptography

b. Security-by-design for end to end security

3. Societal Challenge 7 – Secure societies "Protecting freedom and security of Europe and its citizens" – Digital Security: Cybersecurity, Privacy & Trust

1. Privacy,

2. Access Control,

3. Risk Management & assurance models

... a survival kit...

• Participant Portal

http://ec.europa.eu/research/participants/portal/desktop/en/home.html

• H2020 Cybersecurity – Workprograms

• http://ec.europa.eu/research/participants/data/ref/h2020/wp/2014_2015/main/h2020-wp1415-security_en.pdf

• http://ec.europa.eu/research/participants/data/ref/h2020/wp/2014_2015/main/h2020-wp1415-leit-ict_en.pdf

• Trust & Security

http://ec.europa.eu/digital-agenda/en/telecoms-and-internet/trust-security

• Questions?

CNECT-TRUST-SECURITY@ec.europa.eu

What's new, what's different ...

H2020 FP7

R&D = Policy

R&D Policy = support to Policy

broader objectives => more flexibility

EU Policy Cyber Security

[Diagram: EU Cyber Security Strategy. Labels: Technology / Industry; R&D; industrial strategy; pilots, business cases; education; International; cybercrime; Resilience; Directive; R&D]

In summary...

• R&D = incentive to increase ICT security

• R&D = satisfy end-user needs - public and/or private

• R&D = policy instrument

=> H2020 Digital Security WPs

Where to find cybersecurity R&D&I in H2020?

Everywhere!

change of mindset

[Diagram labels: LEIT; Excellence; Societal Challenges (1-6, 7!); FET; Cross-cutting!; Embedded!]

Example: smart grids

• quantum teleportation => FET

• cryptography? => LEIT

• SCADA? => SC7

• smart meter? => SC3

• smart city? => SC3

=> determine your focus!

9

LEIT ICT 32 – 2014:

Cybersecurity, Trustworthy ICT

LEIT

"Technology-driven approach to develop enabling technologies that can be used in multiple areas, industries and services"

Scope: Experimentation with innovative research ideas

Strategic Vision:

Long-term goal: replace the current business model of providing security as an add-on with a security-by-design approach

Outcome:

Assist industry to adjust their business model to the strategic vision

Specificities of LEIT

• Instrument: Research and Innovation Actions; Coordination and Support Action (CSA)

• Technology readiness level: Next generation technology and generation thereafter

• Time to market introduction: 5-7 years (indicative)

• Research and Innovation Actions:

1. Small contribution: between 2 and 4 MEuro (indicative)

2. Large contribution: between 5 and 8 MEuro (indicative)

CALL: ICT 32-2014 Cybersecurity, Trustworthy ICT

• Cryptography

  • Research & Innovation Actions (small and large)

  • Coordination and Support Actions

• Security-by-design for end to end security

  • Research & Innovation Actions (small and large)

Call Details

Timeline:

11 Dec 2013 Publication

23 Apr 2014 Submission Deadline (17.00.00)

16-20 Jun 2014 Evaluation

Sep 2014 Information on outcome of the scientific evaluation

Dec 2014 Signing grant agreements

Budget:

ICT32.a 37 Meuro (Security-by-Design & Cryptography R&I Actions)

ICT32.b 1 Meuro (Cryptography CSA)

Cryptography – which results?

Research projects have to address the key challenges to guarantee the security for the lifespan of the application it supports, to stay ahead of the evolution of the ICT environment and keep pace with the performance increase of ICT technology.

• net increase in performance,

• reduction in energy or power consumption,

• validation in realistic application scenarios,

• relevance to current trends (cloud, mobile, IoT, etc.),

• methods for provable security against physical attacks,

• security certification.

Cryptography – Challenges (1/2)

• Resource efficient, real-time and highly secure technology for

1. hardware based cryptography; or

2. homomorphic cryptography.

• Distributed cryptography including functional cryptography;

• Cryptographic tools for securely binding applications to software, firmware and hardware environments, with or without adaptation of primitives which are used;

Cryptography – Challenges (2/2)

• Post-quantum cryptography for long-term security;

• Quantum key distribution (QKD) systems and networks for long-term security-by-design (etc.) addressing:

1. low-bit-rate QKD with low cost components for short-distance;

2. high-bit rate QKD systems, tolerant to noise and loss.

Cryptography - CSA

• durable integration and structuring of the European cryptography community;

• strengthen European excellence in this domain;

• provide technology watch, joint research agendas and foresight studies;

• identify technology gaps, market and implementation opportunities;

• technical expertise to cybersecurity and privacy communities;

• development of European standards (incl. public sector);

• solve training needs and skill shortage;

• evaluation and verification of cryptographic protocols and algorithms;

• open competitions with benchmarking;

• dissemination and outreach, strengthening the link with institutional stakeholders.

Security-by-design

"Security-by-design paradigms have to be developed and tested, to provide end-to-end security, across all hardware and software layers of an ICT system and application and business services."

Paradigms for complex environments:

• Highly connected, complex and interoperable networks.

• Multi-layer and multi-service systems, spanning multiple domains or jurisdictions

Security-by-design – what? (1/2)

Aiming at:

• Platform-independent solutions for context-aware and self-adaptive security

• Automated security policy governance for run-time verification, customisation and enforcement between operators or virtual entities,

Important Considerations:

• Interaction of Layers

• Holistic Approach

Security-by-design – what? (2/2)

Special Attention to:

• Open and dynamically reconfigurable environments

• Reliance on other, potentially untrustworthy, providers

Importance of Usability:

• Deployment and implementation with usability in mind, to guard against improper use or misconfiguration and to achieve higher degrees of trust by users.

Expected Impact of ICT-32 (1/2)

Macro:

• New paradigms for the design and implementation.

• European ICT with a higher level of security and/or privacy.

• Compliance with Europe's security and privacy legislation.

• Measurably higher level of security and/or privacy with marginal additional cost.

Societal:

• More user trust in ICT and online services.

• Better ability of users to detect breaches of security and privacy.

• Better privacy protection and legal compliance with privacy rules.

• More resilient critical infrastructures and services.

Expected Impact of ICT-32 (2/2)

Research:

• User empowerment in new generation of ICT.

• Security and privacy as a built-in feature.

• Easier understanding and management for users.

• Simpler implementation of cryptographic primitives.

• New ICT technology approaches more secure than traditional ones.

Security and Privacy in LEIT ICT: Have a look!

• ICT 1 – 2014: Smart Cyber-Physical Systems (privacy/security by design)

• ICT 4 – 2015: Customised and low power computing (security)

• ICT 5 – 2014: Smart Networks and novel Internet Architectures (security, trust, privacy)

• ICT 7 – 2014: Advanced Cloud Infrastructures and Services (security, privacy)

• ICT 14 – 2014: Advanced 5G Network Infrastructure for the Future Internet

• ICT 22 – 2014: Multimodal and Natural computer interaction (Robotics, security)

• ICT 26 – 2014: Photonics KET

• ICT 30 – 2015: Internet of Things and Platforms for Connected Smart Objects (security)

• EUB 1 – 2015: Cloud Computing, including security aspects (Joint Call with Brazil)

• EUJ 4 – 2014: Experimentation and development on federated Japan – EU testbeds (Joint Call with Japan)

Societal Challenge 7

Secure societies: Protecting freedom and security of Europe and its citizens

Digital Security: Cybersecurity, Privacy & Trust

Content

• Targets: End-users & Impact

• Only instrument: "Innovation Actions"

• Security: A Societal Challenge

• Topics (H2020-DS-2014-1)

Privacy

Access Control

Risk Management & assurance models

Targets: End-users & Impact

• Focus on addressing the needs of end-users!

• The extent of end-user participation is an important factor when evaluating the proposal's impact.

• The scope of a proposal may be limited within the specific needs of clearly defined stakeholder communities i.e. individual sectors of economic activity (e.g. finance, transport, energy, etc.), public administration, public safety and security end-users.

Targets: End-users & Impact

• Proposals should pay particular attention to the "Expected Impact" section of each topic.

• Three evaluation criteria: Excellence, Impact, Quality and efficiency of the implementation

• In this call, to determine the ranking, the score for the criterion ‘impact’ will be given a weight of 1,5.

Only instrument: Innovation Actions

• Activities directly aiming at producing plans and arrangements or designs for new, altered or improved products, processes or services.

• Prototyping, testing, demonstrating, piloting, large-scale product validation and market replication.

Innovation Actions (1/2)

A ‘demonstration or pilot’:

• aims to validate the technical and economic viability of a new or improved technology, product, process, service or solution… (i.e., validate innovation)

• in an operational (or near to operational) environment, whether industrial or otherwise…

• involving where appropriate a larger scale prototype or demonstrator.

Innovation Actions (2/2)

• Projects may include limited research and development activities.

• Funding rate: 70% (except for non-profit legal entities, where the rate is 100%)

Security: a societal challenge

• It concerns the protection of citizens, society and economy as well as Europe's assets, infrastructures and services, its prosperity, political stability and well-being. Any malfunction or disruption, intentional or accidental, can have a detrimental impact with high associated economic or societal costs.

Digital Security

• Address the economic and societal dimension of security and privacy in the digital ecosystem.

• Secure and increase trust in the digital society.

• Demonstrate the viability and maturity of state-of-the-art solutions.

Three Topics

• Privacy

• Access Control

• Risk Management & assurance models

• For each topic, in next slides:

Challenge

Scope

Expected Impact

Practical Info

Privacy - Challenge

• Increasing privacy concerns.

• Complexity of data protection and privacy frameworks in Member States and Associated Countries.

• Data Transfers.

• Increase transparency, control, usability.

• Understand the value of personal information.

Privacy - Scope

• Demonstrate solutions that protect individuals' privacy and assist them in making informed choices on the use of their data.

• Address privacy in varied contexts (big data, cloud services, IoT, criminal investigations).

• Apply privacy-by-design frameworks to promote the usage of privacy enhanced technology.

Privacy – Expected Impact

• Privacy by design architectures.

• A practical, user friendly and economically viable implementation of relevant legal obligations related to personal data processing and/or prior consent.

• Increased user trust, resulting in a higher uptake of online services.

• Positive business cases for online privacy.

Privacy – Practical Info

• Call identifier: H2020-DS-2014-1

• Topic: DS-01-2014

• Published: 11 Dec 2013

• New Call deadline: 28 August 2014, 17.00.00 CET

• Indicative budget: 19.04 million EURO

• "The Commission considers that proposals requesting a contribution from the EU of between €2m and €5m EURO would allow this topic to be addressed appropriately"

Access Control - Challenge

• Currently the most widespread approach relies on passwords.

• Managing the passwords has its limits and poses a challenge to the user, which adds vulnerabilities.

• Common practice is to use the same or similar password, which significantly increases the risk should the password be broken.

Access Control - Scope

• Development and testing of usable, economic and privacy preserving access control platforms based on the use of biometrics, smart cards, or other devices.

• Management of the access rights.

• Guarantee interoperability and portability between systems and services.

Access Control – Expected Impact

• Deliver secure, but user-friendly, access to ICT systems, services and infrastructures.

• Consumerisation of devices for access control.

• Demonstrable increase in level of security.

• Support the creation of commercial services making use of electronic identification and authentication.

Access Control – Practical Info

• Call identifier: H2020-DS-2014-1

• Topic: DS-02-2014

• Published: 11 Dec 2013

• New Call deadline: 28 August 2014, 17.00.00 CET

• Indicative budget: 18 million EURO

• "The Commission considers that proposals requesting a contribution from the EU of between €3m and €8m EURO would allow this topic to be addressed appropriately"

Risk Management & assurance models - Challenge

• Increased reliance on ICT leads to greater risk.

• The use of public communication networks and commercial off-the-shelf components in industrial environments.

• Complexity & massive interconnectivity

Risk Management & assurance models - Scope

• Demonstrate the viability and scalability of state-of-the-art risk management frameworks.

• Perform socio-economic assessment to evaluate the cost-benefit of implementing proposed framework.

• Main track - framework should address:

real-time risk assessment/mitigation,

dynamic threat landscape,

on-demand composition of services and massive interconnectivity

Risk Management & assurance models - Scope

• Side tracks:

development of tools to evaluate the risks and their impact on business

tools providing a simple view and understanding of a complex system, and tools to detect social engineering attacks.

ICT supply chain.

Assurance models, control & audit frameworks.

"Cyber" Insurance

Risk Management & assurance models - Expected Impact

• all of the above...

• the comprehensive comparison between sector specific or national approaches to risk management.

• facilitate the implementation of existing and emerging requirements obligations on risk management.

Risk Management & assurance models - Practical Info

• Call identifier: H2020-DS-2014-1

• Topic: DS-06-2014

• Published: 11 Dec 2013

• New Call deadline: 28 August 2014, 17.00.00 (CET)

• Indicative budget: 10 million EURO

• "The Commission considers that proposals requesting a contribution from the EU of between €2m and €5m EURO would allow this topic to be addressed appropriately"