exploitation & impact workshop

Effectsplus 3rd Cluster Workshop: ‘Exploitation and Impact of Trust and Security Research Projects’

• To discuss potential exploitation and impact of current research projects
• To identify common trends and gaps in the research-to-innovation-to-market process
• Cluster workshop: 6th September 2012, Padua, Italy

Effectsplus 3rd Cluster Report

Date: 6th September 2012
Location: Padua, Italy
Contributors: Effects+ consortium (WIT, SAP, UNITN, ATOS, HP), participating attendees, presenters and keynote speakers.

Description: Exploitation & impact workshop, 6th September, Padua, Italy

Transcript of exploitation & impact workshop


Welcome and Opening - Michele Bezzi (SAP)

Aim of the cluster workshop: the focus of this cluster workshop was on exploitation and business models, and on the impact and transfer of research results coming from research projects. The event provided an opportunity for projects in the security and trust area to present their ideas and directions on their exploitation and impact activities. Through such dissemination and open discussion, it formed the basis for research projects to learn and gain recommendations from each other on a variety of exploitation avenues to investigate and pursue, in order to gain greater impact from their research outputs.

Session I (Research-to-innovation-to-market process by examples) aimed to provide industry examples of how companies transfer results from research to industry in order to utilise and maximise research outputs. Speakers included:

1. Making an Impact: Perspectives on technology transfer from research to business - Nick Wainwright (Hewlett Packard)
2. Exploiting research outcome at Engineering - Massimo Canducci (Engineering)

Session II (Impact and Exploitation of research results: the project point of view) involved presentations from research projects in the trust and security domain on how they have exploited, or plan to exploit, their research outputs. The participating projects are listed below.

Session II commenced with an Effectsplus presentation, ‘Overview of the Technology Transfer Potential of EU Security and Trust R&D Projects’, by Mr Fabio Massacci & Ms Martina de Gramatica (University of Trento).

Trust and Security project presentations and responsible presenters included:

- uTRUSTit - Dániel Petró
- PoSecCo - Serena Elisa Ponta
- Spacios - Luca Compagna
- Massif - Pedro Soria-Rodriguez
- Aniketos - David Llewellyn-Jones
- Passive - Eamonn Power
- SysSec - Stefano Zanero
- Twisnet - Felix von Reischach
- DEMONS - Sathya Rao
- ASSERT4SOA - Michele Bezzi

Session III involved presentations of two new initiatives in this area and also provided an opportunity for open discussion amongst all. Participating projects and representatives included:

- SEREN2 - Piotr Swierczynski
- FIRE – Facilitate Industry & Research in Europe - Ulrich Seldeslachts

The expected outcome of the workshop was to gain a global view, at the programme level, of the exploitation and impact plans of the various trust and security research projects, with a view to highlighting recommendations for improvement, so that research projects can learn and investigate new avenues to have greater impact on their

Session I: Research-to-innovation-to-market process by examples

Making an Impact: Perspectives on technology transfer from research to business, Hewlett Packard, Nick Wainwright

The focus of Mr Wainwright’s presentation was making an impact with your research. Impact is not random. How to really have an impact with the business you are in is a very important question, no matter whether your organisation is an industrial or an academic research organisation.

Topics covered during the presentation included innovation in ICT security, collaborative R&D, and the business aspects around this. Mr Wainwright has worked in HP Labs, which has been an “Engine of Innovation” for HP for many years, and has considerable experience in actively working on FP-related research projects and in developing research partnerships in HP’s security research area.

HP has many tens of thousands of people doing R&D in the business units; they are largely involved in product and advanced development. HP Labs, the corporate research organisation, focuses mostly on applied research, which is by far the largest share of research at HP Labs. In terms of roles, they are responsible for creating breakthrough technologies, turning those into opportunities for the business and for its customers, conducting fundamental science, and engaging with customers and partners.

As with all research organisations, HP Labs has important stakeholders who fund its activities, and the impact of those activities needs to be seen and conveyed at all times to justify the investment.

Mr Wainwright commented on the Big Picture Vision – and continued his presentation by showing a video of Chandrakant Patel, acting director of HP labs and vice president for research – talking about HP Labs sustainability program, the big picture and the vision.

Mr Wainwright highlighted that the main message here is that there are no silos: when thinking about innovation in the Lab, they try to avoid restricting their thinking to the silos that organisations work in.

Technology and working collaboratively are most important, as is seeing the bigger picture. “Technology is great, but we have to meet the needs of the customer”. Engaging with and having good communication with customers is key to understanding their needs and requirements.

Mr Wainwright proceeded to show another video, this time of HP Labs research director Jaap Suermondt, who is actively involved in engaging with customers, particularly in health case studies.

Mr Wainwright proceeded to discuss the main cloud security issues, as this is one of the prominent research topics that HP Labs Bristol focuses on. He highlighted the following three main issues that motivate their research:

1. The increasing pervasiveness of technology in everything we do.
2. An increasingly contested cyberspace.
3. The prevalence of data and the business imperative to turn data into value.

When thinking about impact, whether it is HP’s industrial research lab or HP’s academic research lab, a main concern is how that research can help and grow HP’s security business, which comprises the Enterprise Security business as well as the security products that support it. HP Enterprise Security looks at areas such as the constant threat, the changing role of IT, the complicated regulatory environment, understanding what processes are in place, and cost versus benefit/risk.

HP Labs continues to engage beyond the technology business. In the technology world it is easy to think only of the technological solution, but a significant part of HP Labs also supports activities around a consulting and services business, advising customers on how they plan their security operations and support.

HP Enterprise Security services include, for example: discovery risk assessment, planning, security transformation, application security, end-point security, network security and data security. Having such a vast range of services also leads to having a vast array of partners that you must engage with.

Mr Wainwright discussed the Open TC project as a case study in collaborative R&D. Open TC (http://www.opentc.net/) is a research & development project focusing on the development of trusted and secure computing systems based on open source software. The main point here is that the project kicked off in 2004, and bringing the impact coming from the project to market has taken a lot longer than initially anticipated. This timeframe for having an impact is a concern for participants and stakeholders; nevertheless, it often takes longer than many anticipate to deliver a business impact.

Mr Wainwright commented that HP Labs is involved in quite a few FP7-type research projects, but HP Labs is always cautious about the projects it commits to, focusing on those that can have real value for the HP business. Another example of their involvement is the BonFIRE research infrastructure testbed project, which deals with experimental cloud infrastructure. The value of such a testbed is vitally important, as it provides a mechanism to train people, to flesh out their ideas and to experiment, gaining vast expertise and knowledge around advanced infrastructure management technologies. Are they creating a product that will be sold immediately? Probably not, but right now it has a future and a value for HP Labs.

Another video shown by Mr Wainwright at this point in the presentation gave an overview of an HP Labs data protection tool, the HP Privacy Advisor, as this was another research area of importance to HP, demonstrating the impact from such activities. The main point being that building tools is another way of having impact, but the tools don’t have to be super complicated to have an impact.

In conclusion and to wrap up his presentation, Mr Wainwright concluded with the following main points:

• Use technology to address an unmet need
• Talk to customers
• Understand the business model
• Thought leadership is good, but not if no-one knows about it!
• Incremental improvements are not worth the effort of collaborative R&D
• Produce tangible artefacts that could scale
• Build good demonstrators and show them to customers
• Academic publications are not impact, neither are demonstrators
• Standards are only worthwhile if products and services use them
• Code often gets re-written before it becomes a product or is used in a service
• Tech transfer takes far longer than you could possibly imagine at the start

PRESENTATION LINK: http://www.effectsplus.eu/files/2012/09/Padua-NickWClean.pdf

Exploiting research outcome at Engineering - Massimo Canducci (Engineering)

Mr Canducci is the Commercial Director of Engineering. Engineering is a large company based in Italy and Belgium in Europe and is a global player in the EMEA area and Latin America. Engineering is a partner with strong vertical business skills and a cross-cutting view of technology and solutions, addressing market areas such as telco, finance, industry services and utilities, and public administration.

Mr Canducci proceeded to present in more detail the type of company Engineering is, highlighting the main divisions (e.g. research and innovation division, competence centre, innovation, business unit, software factories). Within the research and innovation division of Engineering they have completed 150 research projects to date, with 30 currently active projects and 250 researchers. In this space they have many active collaborations with academia and industry. Their main research areas include:

• Trustworthiness/Security
• User Experience
• Intelligent Systems
• Usage
• Service Engineering
• Computing Infrastructure

Mr Canducci referenced the Fig 1 slide below as probably the most important in his slideset. Innovation is the main driver that helps Engineering to move research results towards production. How do they accomplish this? First of all, with the aim of moving research results from research to production, they apply their innovation process, in which they take up research results and move innovative technologies from innovation to production. There is also another branch, moving ideas from production to research: architectural and market needs are moved from production to innovation, which in turn generates potential ideas for future research projects.

Figure 1: Engineering Innovation Model

The principles of exploitation for Engineering are:

1. Involvement in research projects is an investment.
2. The main goal of a research project is the placement of its results on the market.
3. To ensure success, they start this process from the beginning of the proposal.

Mr Canducci highlighted the main actors in the process: the Research and Development Manager, the Business Unit Development Manager, and Architects and Developers (R&D and business unit). These actors are involved in a variety of phases, as identified on slide 12 of Mr Canducci’s presentation:

• During the beginning of a proposal, we need to find the right idea considering the call properties and the needs from the market (here the main actors involved include the R&D team and the business development manager).

• During the project, they work to develop the project goal, all the while considering the future placing on the market (mixed team R&D lab – BU lab).

• Following the project, the main activity is around deliverable consolidation, improvement and specialisation, and sometimes rewriting is necessary, as the way a research project’s outputs are written can differ from the terminology and writing of the business world. This phase mainly involves the business unit of Engineering.

• Towards the end of the process, following the above steps, they have the idea, prototype or product that can be placed on the market. The main actors here remain the business unit of Engineering.

The general approach Engineering uses involves a model in which a business unit and the R&D labs participate together in a research project. This differs from the usual technology transfer approach because they work together, rather than apart. What are the advantages of such an approach? Integrating the team from the start helps to set up and align the development with business needs at the very beginning. This in turn helps to create better awareness within the organisation on both the R&D and business sides. Having this structure in place then helps to set up partnerships with other organisations.

One such example is the project Perseus, in the domain of maritime surveillance. Here the D&S (Defence and Space) unit of Engineering was actively involved. The main approach involved everyone in the Defence and Space unit working with the team in the R&D division to define a data model and an architecture enabling all the systems to talk to each other. D&S implements some versions of these interfaces (called PERSEUS connectors) to actually make the Italian system talk to the other systems. R&D refines the data model based on the real-life results of these interfaces.

What is the result? Perseus today is a pilot with real-life exercises. For Engineering this is beyond a technology transfer; this is a collaboration that is actively promoting the visibility of the company on the EU scene.

Example No 2: project SEMIRAMIS. The purpose is to deploy a pilot across Europe to enable citizens who move from one EU country to another (for instance students from one university to another, a family moving when one parent changes jobs, etc.) to transfer their administrative information between two city administrations, two universities, etc. In this information transfer they had two challenges:

• communicate the information related to a citizen, but
• let the citizen have control over this transfer, meaning that depending on who receives this information, the citizen can control which part is provided.

Engineering utilised the following approach. They used the same model: collaboration between a business unit (EngiWeb – a company in the Engineering Group) and the R&D labs.

• EngiWeb had the solution (a system to manage user access to information), but it is used mainly within single (large) organisations.
• The combination of R&D and the business unit means that, through Semiramis, the EngiWeb solution will be extended to function across different organisations and countries.

The end results included the following:

• EngiWeb had a new release of the solution, ready to go on the EU market.
• Collaboration outside of Italy is designed to bring additional commercial opportunities for the Engineering solutions.

Lessons learned:

• Technology transfer is made easier when collaboration starts earlier.
• Real life can happen - for instance, when a business unit transforms into a spin-off. This does not mean the technology transfer approach used is dead: it increases the competency acquired at R&D level, which can then be taken into collaboration, as well as creating joint market opportunities between the spin-off and the main company.

PRESENTATION LINK: http://www.effectsplus.eu/files/2012/09/20120906_Exploitation_and_Impact_v03.pdf

Session II: Impact and Exploitation of research results: the project point of view

‘Overview of the Technology Transfer Potential of EU Security and Trust R&D Projects’ by Mr Fabio Massacci & Ms Martina de Gramatica (University of Trento)

Context

Call 1 and Call 5 were general ICT calls, while the Joint Call: ICT-SECURITY related mainly to the requirements of critical infrastructures. WP2 has sought to answer the question “where do project results end up; at the end of the day, will these results really become a product?”

• Do they lead to or contribute to further research?
• Do they contribute to or lead to more tangible outcomes – products or standards, say?
• What can be done to raise the productivity and effectiveness of research outcomes?

Participation landscape

A survey has been made of the landscape of the partners involved in the projects. More than 400 partners participated in two or more projects. The social relationship of the projects was mapped to help understand synergies and dynamics between the projects and the participants. The size of a node on the graph reflects the number of links it has (rather than the grant budgets); this means that a partner represented by a large node is not necessarily well-funded, but is a well-connected organisation.

A constituency of a small number of major hubs acts as a bridge between smaller partners. There are no disconnected partners. The core of the community in Call 1 and the Joint Call is represented by a few general software companies and IT integrators. In Call 5, telecom operator participation is increasing, since a few telecom operators participate in a lot of projects, alongside almost the same number of integrators. The same trend is visible: still largely dominated by software vendors and integrators, but with a significantly larger participation of telecom operators.

Why did the constituency change?

• Call 1 - stronger focus on privacy and identity management, leading to more software integrators
• Joint Call on critical infrastructure, leading to more “non-IT” partners
• Call 5 - stronger focus on infrastructures and platforms, leading to more telcos

Why do some universities act as large hubs?

• Diverse groups are able to participate; e.g., in the case of KU Leuven, there is a broad spectrum of skills: cryptography, software security, and legal aspects.

Research beneficiaries

There are two very different groups of potential beneficiaries of the results outside the consortium partners themselves: citizens and ICT specialists. There is another special category of projects that contribute research results that cannot be easily transformed into products, but that represent a significant contribution to the state of the art, such as databases of information collected from surveys and analyses: software vulnerabilities (SHIELDS); network threats, or biometric testing – honeynet, WOMBAT.

Such results are difficult to market even within the consortium, because there is generally no obvious, direct deliverable product intent behind them. It is very difficult to sell an architecture, say; nobody buys an architecture itself or a design, it is easier to buy the implementation (the code, the hardware).

Innovation contributions

Some Call 1-specific results that offer early product potential:

The ACTI-BIO project is going to deliver potential innovation for the citizen by developing and piloting a driver-authentication model for motorcars, based on biometric technology that makes use of facial expression, gesture, gait and body dynamics to recognise and identify the owner of the car.

SECURESCM deals with confidentiality-preserving methods for market-data aggregation; a software product like this could be very useful to carry out benchmarking.

TECOM deals with integrated packages for secure operating systems, and the AVANTSSAR project will check that the protocols have no errors. Knowledge-based contributions by INTERSECTION and SHIELDS deal with the development of databases of software vulnerabilities; therefore, as above, they do not deliver a product in itself; there is no product to sell behind it. WOMBAT provides a database on current malware distribution.

In Call 5:

TABULA RASA deals with the study of the vulnerabilities, such as spoofing attacks, that exist in biometric-based systems, analysing the vulnerabilities themselves, and developing (or suggesting) possible countermeasures.

SEPIA and SPACIOS are more related to the ICT specialist developer: process isolation for embedded platforms, and model-checking and runtime analysis for services.

Knowledge-based contributions by the NESSOS project aim to create a database of secure software engineering approaches and tools.

Pilots and trials

A trend is that few projects actually run a pilot to validate results (ABC4TRUST, PICOS), since they rarely have the time or resources in the workplan to develop and run one. A pilot may be unattractive to academic participants, as it may be difficult to transfer or present the results of a pilot in formal publications. After the delivery of a technical result there is generally no time scheduled for a pilot. Instruments that allow for piloting do exist, such as CIP – Collaborative Innovation Projects and Pre-Commercial Procurement; however, they may still be (incorrectly) evaluated not as a follow-on but as new projects, with all the attendant problems.

A possible solution might be some simpler and faster instrument to provide a level of support for trials by a subset of the consortium – probably the industrial partners – who would be able to benefit. Running a pilot could be very useful for identifying and exploring key features that could be productised.

Another interesting observation is that very few projects have a structured relationship with a product group from the very beginning, where there can be a well-defined product-related goal.

Products and markets

It is more difficult for the results of projects to be taken up in a product if there is not already a relationship with some industry product group. If that relationship does exist, the project goals can be aligned with known industry requirements or directions.

This is not to say that this should be the only approach: a product-oriented goal may inevitably imply some sort of conformance constraints; genuine, parallel, ‘off the wall’ innovation is also absolutely necessary for the programme.

The question is asked whether the EC could or should encourage projects to consider establishing a structured and visible relationship with an industry product group from the very outset; or would this become a hurdle – a piece of bureaucracy that could stifle innovation, spending time in meetings rather than carrying out the research itself?

There is still the ongoing question in the security market paradigm – “why should I pay extra for security?” (Maybe the question should be “do I really want an insecure product or system?”) We have spoken of awareness-raising for many years; the awareness is now largely out there, but the economics of security are still by no means clear. What IT security requires is a change in the paradigm: the investment in security may not give an immediate and visible profit, but it must be made in order to prevent and avoid economic losses and further consequences. Think insurance – there are areas of life where insurance is already the norm, and in some cases actually mandatory.

Further problems and needs

There is often only anecdotal information about the extent and severity of security lapses or attacks due to a natural reluctance by the victim to reveal the damage and its extent. A European-wide (or even international) regulatory initiative to mandate the controlled disclosure of security (-related) incidents could be part of a trusted framework for the exchange of cyber-security data.

Many projects claim to create a community: it is not really clear how successful and measurable in the short term this is. As part of the project clustering mechanism, a group (or groups) could be set up to interface – or collaborate with existing interfaces – to larger industry product groups. A by-product would be a need for a common documentary approach within any product-oriented groups.

Discussion followed about how to go about user trials and the best approach for projects. The absence of user trials in projects needs to be addressed. For user trials you need the finalised results, and you need a user interface or a partner that works directly on user interfaces (UI). If you involve the user right from the very start, then you have a chance to come up with some useful innovations.

The proposed solution of having such a follow-up after the project lifespan would be beneficial, working towards that next step. Also, the proposal of involving the industry product groups at the very start of the project would prove beneficial; projects need to focus more on developing such a relationship at the start of a project so that it can be beneficial right through.

PRESENTATION LINK: http://www.effectsplus.eu/files/2012/09/EFFECTSPLUS-WP2-Padua.pdf

Session II: Trust and Security Project Presentations

uTRUSTit - Dániel Petró

Usable Trust in the Internet of Things

uTRUSTit developed a communication framework that provides trustworthiness information to the IoT user about the surrounding devices in a user-friendly way. The birth of uTRUSTit: more and more devices surround us in our everyday life. The transfer of data, levels of privacy and the level of involvement of the user are questions posed. Because of the lack of such information, end users tend to over-trust devices that are otherwise insecure, or under-trust devices that are otherwise secure. Perception of security and perception of trust in the real world should be balanced, and trust should be kept. Another problem is that even if the end user has information relating to the security of devices, often end users cannot understand the level of security being offered. Users have different abilities and approaches, and these are not always accounted for when dealing with security-related aspects.

uTRUSTit created a trust feedback tool. This is a framework that is aware of the systems and the devices in the IoT. It also incorporates the security properties of the devices and of the environment. It has the group files of the different personas, each with a set of rules, which provide feedback to the user. To cover the different aspects of people’s personas, 5 different personas were created. Three different scenarios were then chosen, smart home, smart office and e-voting, as these were considered representative IoT scenarios. The timeline of the uTRUSTit project included:

1. Personas and scenarios
2. Trust definition and requirements
3. Mock-ups and prototypes
4. User evaluations
5. Advanced trust feedback (uTRUSTit is currently at this stage in the process)
6. Virtual reality evaluations
7. Mock-ups and prototypes (2)
8. User evaluations (2)
9. Outcomes

Mr Petró provided an example of being an IoT developer and the types of questions that would need to be considered:

– How can my IoT devices provide trust feedback?
– How can I categorise my users?
– How can I build up the rules?
– How can I implement trust feedback mechanisms (TFT) in my IoT?

To answer such questions uTrustit delivers Guidelines to address such issues.

uTRUSTit exploitation aspects

Impact is difficult to understand as long as it is hard to measure. The main aspects considered valuable to contribute towards exploitation and impact are the trust feedback tool (TFT) and the guidelines produced by the project.

1. TFT: as a supported, licensed product; as part of another framework.
2. Guidelines: as a service to adapt & maintain the TFT on new devices.

Other results coming from the project’s technical WP activities can be utilised as standards, publications, methodologies, and a basis for further research.

Another aspect includes partnering with other projects:

– On trust management in HCI.
– On IoT, sensor networks and distributed systems where user interaction is relevant.
– On developing any device that has a user interface.

uTRUSTit is ongoing until 2013, and the consortium is planning ahead for its dissemination and exploitation paths. Next year, collaborating with other projects is another activity being planned for; the project will also have its final tryouts of the uTRUSTit framework for exploitation purposes.

Discussion followed the presentation, with the following comments:

1. As it was understood, the target audience is IT industries, developers, etc.
2. The project goal is also to grow the number of people testing their concept; e.g. the number of people is small for quantitative measurements, but it has the added advantage of providing valuable information.
3. The project will build an online community and send out questionnaires to gain qualitative results.
4. If producing recommendations and guidelines, they need to be distributed to the wider audience to be effective.
5. In the project’s community, the community of practice is very broad and this is a challenge; focus is needed to have an impact.

Presentation Link: http://www.effectsplus.eu/files/2012/09/uTRUSTit_Effectsplus_2012.pdf


PoSecCo - Serena Elisa Ponta

PoSecCo focuses on the scenario of the service provider landscape:

• Support service providers in the design and runtime phase of a security concept
• Increase the security and compliance of service providers at reduced operational cost

The system can be audited and checked by the service provider itself, with the goal of increasing compliance at any point in time, starting at the design phase and extending to support at critical runtimes.

The challenges in accomplishing this include the following:

• Select and implement efficient and cost-beneficial security controls
• Maintain security and compliance at operations time
• Improve transparency for internals and externals (auditors)

The key idea for doing this is to build the policy chain, which creates a link between the higher-level requirements and the lower-level requirements.

Now PoSecCo is looking at the work they have completed and what level of exploita-tion each partner can contribute to help increase the impact of the project. First of all from the point of view of industry, the idea is to transfer the results of the project to industry.

One of the main ideas of PoSecCo is to add features to existing products. The chal-lenges of transferring include, collaborating with industry and their roadmaps, and this is not always easy as they have fixed timelines in their strategy. Another challenge is that prototypes produced during research projects, their level of maturity do not al-ways match with the expectations of industry. The last challenge highlighted was the requirements and the type of requirements coming from customers against the type of requirements coming from research projects, highlighting the difference between.

Ms Ponta then proceeded to provide a SAP example of how SAP plan to exploit the project within SAP. Within SAP they focus on certain scoped aspects of the project and work to exploit these aspects rather than focusing on the project outcome as a complete objective for exploitation. They work to identify the topic, looking at what is being completed within the research project and what is being completed within the company. In the case of PoSecCo, they have focused on the topic of configuration validation. The identification of the topic involves analysis of stakeholders and a feasibility study of the project core, and must be completed as early as possible within the project.
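The policy chain described above, linking a high-level requirement to technical policies and then to concrete configuration checks, is what makes configuration validation traceable: a failing low-level check can be reported together with the requirement it breaks. The following is an added example illustrating that idea; it is a constructed model, not PoSecCo's own implementation, and the requirement, policy and check names, the configuration keys and the two sample configurations are all hypothetical.

```python
"""Policy-chain configuration validation: a constructed illustration of how a
high-level security requirement can be refined into technical policies and
concrete configuration checks, so that a failing check is traced back up the
chain. Hypothetical model, not PoSecCo's own implementation."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

Config = Dict[str, Any]


@dataclass
class Check:
    """Lowest level of the chain: a predicate over a concrete configuration."""
    name: str
    predicate: Callable[[Config], bool]


@dataclass
class Policy:
    """Technical policy that refines a requirement into one or more checks."""
    name: str
    checks: List[Check]


@dataclass
class Requirement:
    """High-level (e.g. compliance) requirement at the top of the chain."""
    name: str
    policies: List[Policy]


def validate(req: Requirement, config: Config) -> List[str]:
    """Evaluate every check reachable from `req` and return one trace string
    ('requirement > policy > check') per failing check, so an auditor sees
    which high-level requirement a low-level misconfiguration breaks."""
    failures: List[str] = []
    for policy in req.policies:
        for check in policy.checks:
            try:
                ok = check.predicate(config)
            except KeyError:
                ok = False  # a missing setting counts as non-compliant, not as an error
            if not ok:
                failures.append(f"{req.name} > {policy.name} > {check.name}")
    return failures


def build_chain() -> Requirement:
    """Constructed sample chain for a fictitious service provider."""
    return Requirement(
        "R1: customer data is protected in transit and administrative access is accountable",
        [
            Policy("P1: every external endpoint uses TLS 1.2 or later", [
                Check("tls_enabled", lambda c: c["web"]["tls"] is True),
                Check("tls_min_version_1_2",
                      lambda c: tuple(c["web"]["tls_min_version"]) >= (1, 2)),
            ]),
            Policy("P2: administrative database access is logged", [
                Check("audit_log_enabled", lambda c: c["db"]["audit_log"] is True),
            ]),
        ],
    )


# Constructed configurations: the first is deliberately non-compliant
# (old TLS floor, audit logging never configured).
WEAK_CONFIG: Config = {"web": {"tls": True, "tls_min_version": (1, 0)}, "db": {}}
HARDENED_CONFIG: Config = {"web": {"tls": True, "tls_min_version": (1, 2)},
                           "db": {"audit_log": True}}


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, validate(build_chain(), cfg) or ["compliant"])
```

Each reported string walks the chain from the requirement down to the check, which is the link between higher-level and lower-level requirements that the policy chain is meant to provide; a real deployment would read the configuration from the managed systems rather than from inline dictionaries.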

Page 15: exploitation & impact workshop

Another aspect is to identify the easiest way to integrate the prototype; this depends on the type of feature, but in the case of PoSecCo and the identified topic, it was suitable to make it available as a service. Then work on a proof of concept is necessary to demonstrate how the product can interact with the service.

To complete this phase requires discussions with stakeholders and product owners, in order to have the necessary support to proceed to create this interaction. What is initially required is a running prototype, to visually show and demonstrate, in order to gain the required interest.

From the point of view of the academic partners the following main exploitation aspects are considered:

1. Open Source distribution of the prototypes.
   – Requires unanimous approval (to solve conflict with industry)
   – Ensure provisioning of documentation and prototype maintenance

2. Submit proposal for standard extension.
   – Reuse and enhancement of previous projects' results and concepts

E.g. in PoSecCo they have reused partners' prototype tools, the MoVE and the ProM tool.

Regarding collaboration with FI-Ware, the aim here is to transfer PoSecCo outcomes as FI-Ware Generic Enablers (GE), e.g. "Security Monitoring". To do so, the following aspects need to be considered:

• GEs need APIs definition
• Allow easier prototype reuse
• Large benchmark available
• Various and numerous users

To conclude, Ms Ponta summarised the following main conclusions:

1. Industrial dissemination is topic-dependent and requires
   a. Stakeholders' interest
   b. "Easy" integration strategy

2. Coexistence of industrial and academic partner exploitation plans requires clear interfaces and processes

3. Importance of reuse of existing tools/prototypes

During the open discussion, the following comments were raised and answered.

At what level do you componentise things? Do you have a generic platform, or do you have your own definition of a prototype/component? Each partner is responsible for their own components and for declaring what their components are and what is integrated into the project. They did not start by setting the platform; it was the reverse.

Page 16: exploitation & impact workshop

The question was asked whether the project has agreed to release any software, and whether using and building on previous project results can be a barrier to exploitation: are there complexities in intellectual property, and how does that affect the exploitation? The agreement is that everyone uses open source under certain licences.

A discussion ensued around open source and licensing. It was commented that licensing software as open source and providing access via a website is not a solution; it is not effective enough, and you are not pushing the exploitation of the project by doing this.

Presentation Link : http://www.effectsplus.eu/files/2012/09/PoSecCo-3rdWorkshop.pdf

Spacios - Luca Compagna
Secure Provision and Consumption in the Internet of Services

The main objective of SPaCIoS is to combine different techniques for model testing, security testing and penetration testing to explore what they call property-based security testing, with the aim of having a framework and tool at the end of the project's lifespan that provides an implementation of these techniques, and of validating this tool against a variety of test cases; e.g. some of the test cases will focus on security standards.

SPaCIoS Tool
• Property-driven security testing
• Vulnerability-driven security testing

Assess the SPaCIoS Tool
• Security protocols: SAML, OpenID, OAuth
• Web applications: WebGoat, eHealth, InfoBase, PervasiveRetail

Migrate SPaCIoS technology
• industry (SAP and SIEMENS business units)
• standardisation bodies and open-source communities

An important activity in the project is to try to migrate the results to industry. A dedicated WP activity in SPaCIoS is responsible for progressing this, looking to take the most promising results from the project, match them to the potential interests of the industrial partners and try to exploit these results.

Page 17: exploitation & impact workshop

The aim is to expedite the transfer of SPaCIoS results to industry, including standardization organizations and open source communities:

• Migration to SAP and SIEMENS business units (80% of time allocated to this activity).
• Migration to industrial and open-source communities (20% of time allocated to this activity).

Transferring research to industry has many challenges and is not an easy process. Intrinsic challenges of SPaCIoS include:

1. Formal Model: who is providing the formal model and how?
2. Usability: what does this weird output mean? How do I interact with this tool?
3. Performances: how long is this validation going to take? How can I make it faster?

What is SPaCIoS's strategy? They try to focus on a few scenarios, use cases and business aspects that look promising, and in doing this they try to use the language of the targeted client, making it easier for such clients to see the potential of using such technologies and research results.

For example, foster opportunities for adoption of SPaCIoS results in industry by:
• Use of established standardized languages for testing (e.g. TTCN-3)
• Support test lifecycle management
• Support debugging of tests for easier fault identification

During the project lifecycle, consultancy was put in place between the research project and the business units in Siemens and SAP. People from the project, who are the experts, gain feedback from experts in the business unit. Having such a consultancy process in place provides an open communication channel, which generates ideas, providing focus and priority on specific aspects of the research project for further exploitation. Mr Compagna proceeded to provide an example, SAP OAuth2:


Page 18: exploitation & impact workshop


1. Goal: formally model, validate, and test the next generation SAP OAuth2 solution.
2. Business unit: SAP TIP CORE SIM
3. Migration mode: full-consultancy, but ideas emerging to move to tool integration.

To conclude Mr Compagna provided a summary of his presentation.

SPaCIoS' systematic validation approach is challenging to implement
• However, SPaCIoS has potential to support the security validation process for upcoming trends such as services on-demand and cloud computing with a pre-installed base of services
• Short term migration strategy (within SPaCIoS timeframe)
  – Full-consultancy mode for suggested industrial application scenarios
  – In-between mode, e.g. provision of test suites
• Long term migration strategy (beyond SPaCIoS timeframe)
  – Domain-specific approach applying the SPaCIoS Tool for specialized domains such as cloud computing

During the open discussion Q&A session the following points were discussed.

Tools that require experts to operate: the issue you are faced with is that people from research are in turn completing a specialist consulting service. The concern is, can you complete a successful transfer of knowledge on such tools to industry/SMEs who may not have the in-depth knowledge to understand the tools and their operational aspects? Is there a need for a security consulting business model to aid such a process?

Page 19: exploitation & impact workshop

Regarding tool integration, formal models don't know how to connect. The Nessos project has the idea of creating a repository of tools, so it might be an idea to embed some of the project's tools in this repository.

Presentation Link : http://www.effectsplus.eu/files/2012/09/spacios-exploitation-201209-effectsplus-no_backup.pdf

Massif - Pedro Soria-Rodriguez

Mr Soria Rodriguez provided a summary of the consortium partners (industry and academic partners). MASSIF addresses the problem statement Management of Security Information and Security-related Events (SIEM). With growing ICT infrastructures and service orientation, MASSIF will provide a new generation SIEM framework for service infrastructures covering features and challenges such as:

• Multi-domain capabilities
• Cross-layer correlation
• High interoperability
• High scalability
• High elasticity
• Predictive security monitoring
• Reaction capabilities
• Distributed operation
• Resilient operation

Example markets where there is potential to apply MASSIF include for example Finance, energy & utilities and health and many more. MASSIF will be demonstrated in various scenarios. Mr Soria Rodriguez gave examples of current SIEM solutions, and such industries were interested in advancing their products.

MASSIF have identified the following items as exploitable items:
1. MASSIF system - involves components from all the partners
2. MASSIF components: Complex Event Processing, Resilient Event Bus
3. SIEM enhancements/concepts: Resilience, predictive security

MASSIF has two workshop commitments. The 1st workshop was already held at the CSP EU Forum 2012 event, with the main goal of attracting industry in the SIEM sector and market, presenting the results of the project and exploring how such results can fit into the solutions of industry today. The first workshop was successful in getting in touch with an initial industry base in this area.

Page 20: exploitation & impact workshop

Mr Soria Rodriguez continued his presentation around impact creation in the MASSIF project. MASSIF plans to address exploitation on three different levels:

Business
• Improvement of existing products or service lines
• Development of new products or new services
• Licensing agreements / patents
• Creation of start-ups

Knowledge
• Link to technical/scientific communities
• Standardization (e.g. IPFIX)
• Educational/Training programs

Public Awareness
• Digital Agenda for Europe (e.g. Pillar III: Trust & Security)
• European Policies (e.g. CIP)
• Projects on socio-economic aspects (e.g. SESERV)

ATOS have been heavily involved in promoting the results coming from the MASSIF project to potential customers and clients (with a lot of interest being expressed to date) and will continue this work on an ongoing basis. Likewise, other consortium partners active in the group are completing similar independent actions to promote and exploit the project results.

Rather than a consortium wide exploitation approach, an individual partner exploitation approach is deemed the most progressive and efficient and once interest is declared by a potential customer, then at this stage a business agreement will be considered.

MASSIF completed a SWOT analysis and also highlighted the other potential market areas and competition in this space. See presentation for further details.

During the Q&A session the following topic was highlighted for discussion.

The main discussion here was around the problem of the timeframe of getting a proposal idea in place, getting it funded and then implementing it in time before another competitor in the market gets there before the resulting outputs from the project come to fruition. This is an ongoing problem and has a clear impact on the potential exploitation and impact of a project.

Presentation link: http://www.effectsplus.eu/files/2012/09/Effectsplus-3rd-Clustering-Event_MASSIF_v1.pdf

Page 21: exploitation & impact workshop

Aniketos - David Llewellyn-Jones (in collaboration with Zeta Dooly and Marina Egea González)
The Aniketos project focuses on Ensuring Trustworthiness and Security in Service Composition.

David provided an overview of the Aniketos project, highlighting its technical aspects. If you have services being used by end users, then they are likely to be made up of composite services, created for example from web services made available by service providers and created by service developers; when they come together, the end user wants to know how trustworthy this service is, and whether it will fulfil their needs from a security perspective.

The main users involved in the process are e-service developers, service providers and the end users that are actually using it. The Aniketos process is split into 2 stages: design time and runtime stages. From Aniketos’s point of view, the developer also wants to understand what the security properties of those services are, and to create contracts that specify policies that someone using the service would be able to expect. Aniketos is working to augment existing platforms and their security and trust elements. A service provider offers a composed service to end users in the market place. The end user has a certain set of user requirements that they want to fulfil. There are multiple stages and multiple technologies for each of the stages.

Having good dissemination and good exploitation is crucial to get the benefits from the research project's work. The Aniketos exploitation and dissemination plan is split into 4 main pillars:

• Tutorials and training (Search-Lab leads, and has developed standard templates that they will then turn into manuals and materials for tutorials, automated document generation tools; they also ran specific workshops during 2011).

• Demonstration (led by Italtel, involved in trade shows and conferences, demo events and building software VMs).

• Community building and standardisation (led by TSSG; aims to build communities, contribute to standardisation, generate interest, foster an open source community. Other activities also include capitalising on social networking - Github, YouTube, LinkedIn, Twitter, etc., and finally this pillar aims to combine both commercial and open source).

• Dissemination and exploitation (led by ATOS, and covers activities such as publications, case studies – Future telecom services, Governance: land buying, Air traffic service pool – demos, real-world deployment with project partners).

Page 22: exploitation & impact workshop

David summarised the audiences that the Aniketos project targets, detailing them further in his slideset:

• Commercial Sector (ICT Industry)
• Software developers and providers
• Service architecture providers
• Security Experts
• ICT providers, IT vendors
• Internet Service Providers, Cloud Providers
• End-users from Safety and Security Critical Domains

Aniketos strategic partners
• Other EU projects working in similar domain
• EU technology platforms
• Other research initiatives and big IT companies

Academia
• Scientists, Students (especially Master and PhD students)
• European Commission, European Society

An overview of the Aniketos Outreach Boost Plan can be viewed below.

The boost plan involves promoting three key ideas from the project: the key message, the key results and the key outputs. In order to maximise this outreach, the project is focussing on approaching specific target groups that the project partners believe will be most interested in these key ideas.

David commented on the importance of the Aniketos project website and on trying to improve and utilise the website, maximising its potential. In the project they are currently going through a plan to increase the dissemination and exploitation activities, and this has been focused on getting the key message, results and output out there to the right people.

The audience raised some interesting points in relation to this. Most notably, it was suggested that while all projects claim to make good use of social networking tools, few actually seem to have much success. It was agreed that finding convincing methods for capitalising on social networking and the Web for dissemination is a hard task.

Page 23: exploitation & impact workshop

To conclude, David summarised the following main points coming from his presentation.

Four targeted areas for increasing impact
• Tutorials and training
• Demonstrations
• Community building
• Dissemination and exploitation

Dissemination through outreach boost
• Key message
• Targeted user groups
• Key results
• Success story publication
• Key outputs
• Code and business models
• Improved sharing

Some interesting comments were made by the audience during the presentation.

It was asked about the use of Conspec as a policy language. WISP was recommended as a potentially relevant technology to consider for the service composition framework.

It was also asked about the success of the use of social networking. It was explained that every project tends to mention social networking, but the questioner had not seen a successful example of its use. Attendees were therefore curious to know whether Aniketos was having success in this area. While the project is focussing on this at present, this remains a challenging task for Aniketos too.

As noted above, from the audience response it seems that this is a challenging aspect for all projects.

Presentation link: http://www.effectsplus.eu/files/2012/09/aniketos.pdf

Passive - Eamonn Power
Exploitation Overview

Mr Power commenced with a brief overview of the project, the partners and the industrial advisory board that was set up; having such an advisory board was a direct link to industry. The PASSIVE project focuses on Policy-Assessed system-level Security of Sensitive Information processing in Virtualised Environments. Mr Power continued his presentation detailing the need and motivation for the PASSIVE research project:

ICT-based eGov services - meet citizen needs

Page 24: exploitation & impact workshop

Currently have
- heterogeneous deployments
- single purpose hardware and software
- large vertical solutions

Large scale infrastructure
- But not core competency

Each new eGov Service
- New vertical solution
- New hardware deployment
- New servers and lifecycles

Expensive and time-consuming

Mr Power provided an overview of what needs protecting, providing examples such as confidential information, restricted information, protected information etc.

To summarise, PASSIVE aims to provide:
– Policy-based Security Architecture
– Virtualised Resource Access with Fine-grained control
– Lightweight dynamic system for authentication of hosts and components in virtual environments

For more details on the research aspects of PASSIVE project architecture and software components please see supporting slideset.

PASSIVE exploitation and standardisation plan. Mr Power highlighted the PASSIVE exploitation methodology as seen in the diagram below.

The main targeted audience for the exploitation phase included national key organisations and strategies, ministries and departments from each partner member state, and European key organisations (ISA – Interoperability Solutions for European Public Administrations, European Commission, EU Data Protection Supervisor, ENISA, Cloud Security Alliance).

PASSIVE has a question around licensing in the EU as part of their exploitation plan, and the PASSIVE project put together a model for this. The process breaks down into 6 steps; these can be viewed in the supporting presentation.

Page 25: exploitation & impact workshop

Mr Power proceeded to provide 2 case studies that have some impact. The first is called ALUCID - Anonymous, Liberal, and User-Centric Electronic Identity, and this has further licensing opportunities in commercial projects. The second case study is called NOVA - NOVA OS Virtualization Architecture, brought into PASSIVE as GPL background IP with a specific view to releasing additions via GPL at the end of the project. New features have been added during the PASSIVE lifecycle. More information can be viewed in the PASSIVE deliverable D4.1 - Virtualisation Experiment Environment.

PASSIVE Presentation: http://www.effectsplus.eu/files/2012/09/passive-exploitation-effectsplus.pdf

SysSec - Stefano Zanero
Industrial impact of a NoE: the approach of SysSec

SysSec is a network of excellence in system security. NoEs typically have no industrial partners and, with pressure from the Commission for exploitation and industrial impact, this is an aspect that SysSec had to look at and decide how best to approach. The main purpose of SysSec is to address change in technology, society and attackers. Besides basic research, SysSec also addresses the work plan; this involved creating three working groups covering Malware and Fraud, Smart Environments, and Cyberattacks, the purpose of such groups being to brainstorm and identify emerging threats and main research areas.

Many of the identified research areas have industrial fallout.

E.g. area of Privacy
• Help users gain control of their data (business advantage opportunity)
• Detect attempts to correlate data, to de-anonymize user accounts by correlation
• Consumer product(s) opportunity

Mr Zanero proceeded to provide an example of industrial fallout. One of the areas they identified as a priority is emerging technologies, especially smart environments, in particular smart meters and smart cars. On the topic of smart cars, they are beginning to use smart devices that the user carries for offloading the interface for the user to set etc.

Page 26: exploitation & impact workshop

Industrial engagement best practices

• Created an industrial advisory board (IAB)
• Get feedback on our deliverables
• Get input for the roadmap
• Get input on the curriculum
• Invite industrial experts to our conferences and schools
• Interact with the industrial contacts of partners
• We are here today to hear other best practices from other projects

Mr Zanero commented on how interested parties can get involved and contribute to the SysSec activities:

1. Comment on our Roadmap
2. Join our mailing list
3. Attend our School - Oct. 11-12, 2012 in Amsterdam; topic: security of critical systems
4. Contribute to our curriculum on systems security
5. Become an associated member

From the Q&A session there were the following main comments:

The Syssec school is mainly for academics and students, but it is quite applicable to industry as well and they are most welcome.

The output of R&D is smart people who understand the concepts of security; there is a need for more experts in the area to train up new people in security. There is a clear lack of security experts coming through or available and there needs to be more, hence the need for more training from current experts.

SysSec Presentation : http://www.effectsplus.eu/files/2012/09/zanero-effectsplus-sept-2012.pdf

Page 27: exploitation & impact workshop

Twisnet - Felix von Reischach
Trustworthy Wireless Industrial Sensor Networks

The presentation combined a security project with a sponsoring project in SAP, called Sailing, the aim being to try to exploit what they are doing in Twisnet in the (secure) sailing project.

So what is Twisnet? The main objective of Twisnet is to provide a platform for an efficient, secure and reliable integration of sensor networks into large scale industrial environments. The project focused on 4 main scenarios as can be viewed in the diagram below.

The main interest is the connection to the SAP sailing project, where SAP sponsors the Olympic discipline of sports sailing. Exploiting the Twisnet results using this SAP sailing project is an excellent way of generating impact. Within the sailing project they have built a mobile application that allows them to track the sailing boats during the sailing competition. While running the 2 projects simultaneously, they noticed that similar security issues were appearing, for example (in his presentation slideset Mr Reischach expanded on these issues):

• Private Tracking
• Data integrity / authenticity / confidentiality
• Traceability
• Authorization / authentication
• Secure backend
• Sensor accuracy / integrity / availability / continuity
• Secure remote configuration

To conclude, Mr Reischach highlighted the following points; see his supporting slideset for next steps in the design and exploitation phase.

TWISNet and Secure Sailing Tracking share many requirements

1. Secure Sailing Tracking is a great opportunity to apply TWISNet to a relevant problem.
2. Secure Sailing Tracking is a great way to generate publicity for TWISNet.

Page 28: exploitation & impact workshop

Q&A Session comments as follows.

It was asked to clarify if the sailing aspect is another project and it was confirmed that the sailing project is another strategic project outside of the TWISnet project.

The question was posed: what is the feedback from the Commission towards demonstrating the technology using such a pilot use case? This is an additional activity that TWISnet has incorporated into their activities, so the outcome is sure to be positive as it creates publicity, and hence a lot of positive feedback.

A clear collaboration existed and was produced and followed up on between the TWISnet and Sailing project, in order to run such a pilot initiative for validation purposes involving user-trials.

The question was posed whether there was intent to productise this as a service in mobile apps. Yes, there is potential, but it is not yet quite clear how; this will be investigated.

Presentation Link: http://www.effectsplus.eu/files/2012/09/TWISNET-Secure_Sailing_Tracking_FvR.pdf

DEMONS - Sathya Rao
DEcentralized, cooperative, and privacy-preserving MONitoring for trustworthiness

Mr Rao commenced his presentation with an overview of the motivation for the DEMONS project and the DEMONS vision for its research work leading to the DEMONS approach of decentralised data analysis, cross domain sharing. Details can be viewed in the supporting slideset.

Page 29: exploitation & impact workshop

Blockmon - Blockmon is a modular system for flexible, high-performance traffic monitoring and analysis. In the DEMONS project Blockmon was tested and released as open source.

Blockmon provides the best from both worlds: flexibility plus high performance

• conducted extensive performance experiments to verify this
• Available as open source
• Implemented three applications:
  – SYN flood detection
  – Heavy hitter statistics
  – VoIP anomaly detection
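Two of the three applications listed above, SYN flood detection and heavy-hitter statistics, are shown here as an added illustration of what such a monitoring application computes. This is not Blockmon's code; it is a constructed example in which the half-open-handshake counting, the bounded-memory Space-Saving summary, the addresses and the packet sample are all made up for the purpose of the demonstration.

```python
"""Two of the monitoring applications listed for Blockmon, re-implemented as a
constructed illustration over an inline packet sample: half-open SYN counting
per destination (a SYN flood indicator) and heavy-hitter statistics with the
Space-Saving summary (bounded memory, as a high-rate monitor needs).
Not Blockmon's code; all addresses and packets are made up."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Pkt:
    ts: float     # seconds
    src: str
    dst: str
    dport: int
    flags: str    # "S" = SYN, "SA" = SYN-ACK, "A" = ACK (data-carrying ACKs included)
    size: int     # bytes on the wire


def synflood_candidates(pkts: List[Pkt], window: float = 1.0, threshold: int = 5) -> Dict[str, int]:
    """Count, per destination, client SYNs never followed by an ACK from the
    same source within `window` seconds (handshakes left half-open).
    Destinations with at least `threshold` half-open handshakes are reported."""
    pending: Dict[Tuple[str, str], float] = {}  # (src, dst) -> time of the unanswered SYN
    for p in sorted(pkts, key=lambda p: p.ts):
        key = (p.src, p.dst)
        if p.flags == "S":
            pending[key] = p.ts
        elif p.flags == "A" and key in pending and p.ts - pending[key] <= window:
            del pending[key]  # handshake completed in time
    half_open: Counter = Counter(dst for (_, dst) in pending)
    return {dst: n for dst, n in half_open.items() if n >= threshold}


class SpaceSaving:
    """Space-Saving heavy-hitter summary with at most k monitored keys.
    Estimates never undercount; `error[key]` bounds the possible overcount."""

    def __init__(self, k: int) -> None:
        self.k = k
        self.count: Dict[str, int] = {}
        self.error: Dict[str, int] = {}

    def add(self, key: str, weight: int = 1) -> None:
        if key in self.count:
            self.count[key] += weight
        elif len(self.count) < self.k:
            self.count[key] = weight
            self.error[key] = 0
        else:
            # Evict the smallest counter; the newcomer inherits its value as error bound.
            victim = min(self.count, key=self.count.get)
            floor = self.count.pop(victim)
            self.error.pop(victim)
            self.count[key] = floor + weight
            self.error[key] = floor

    def top(self, n: int) -> List[Tuple[str, int]]:
        return sorted(self.count.items(), key=lambda kv: -kv[1])[:n]


def heavy_hitters_by_bytes(pkts: List[Pkt], k: int = 3) -> SpaceSaving:
    """Summarise bytes sent per source address using only k counters."""
    ss = SpaceSaving(k)
    for p in pkts:
        ss.add(p.src, p.size)
    return ss


SERVER = "192.0.2.10"
# Constructed sample: two legitimate handshakes followed by eight spoofed SYNs
# (documentation-range addresses; no real host is involved).
SAMPLE: List[Pkt] = [
    Pkt(0.00, "10.0.0.1", SERVER, 80, "S", 60),
    Pkt(0.01, SERVER, "10.0.0.1", 40001, "SA", 60),
    Pkt(0.02, "10.0.0.1", SERVER, 80, "A", 52),
    Pkt(0.03, "10.0.0.1", SERVER, 80, "A", 1500),
    Pkt(0.04, "10.0.0.1", SERVER, 80, "A", 1500),
    Pkt(0.10, "10.0.0.2", SERVER, 80, "S", 60),
    Pkt(0.11, SERVER, "10.0.0.2", 40002, "SA", 60),
    Pkt(0.12, "10.0.0.2", SERVER, 80, "A", 52),
] + [Pkt(0.20 + i * 0.01, f"198.51.100.{i}", SERVER, 80, "S", 60) for i in range(1, 9)]


if __name__ == "__main__":
    print("half-open SYNs per destination:", synflood_candidates(SAMPLE))
    print("top sender by bytes:", heavy_hitters_by_bytes(SAMPLE).top(1))
```

The two functions make different trade-offs that matter for a high-performance monitor: the half-open counter keeps one entry per pending handshake and so needs a time-out policy on real traffic, while the Space-Saving summary uses a fixed number of counters and reports, alongside each estimate, how far it may overcount.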

Mr Rao discussed the DEMONS project workflow deployment, the IXP design and the 2 main GUIs used within the DEMONS project:

– Programming and Administrative Interface (PAI)
  • Programming, administering and maintaining DEMONS
  • DEMONS programmers

– Application User Interface (AUI)
  • Monitoring by users within a given domain
  • DEMONS applications users

Mr Rao concluded his presentation highlighting the main dissemination activities and channels utilised within the DEMONS project; these included:

• Project Website www.fp7-demons.eu

• Press Release, Factsheets, Public presentations

• Publications: Workshops, conferences, Journals

• Standards: Contribution to
  – ETSI: INS and MOI ISGs
  – IETF: 2 RFCs published, 5 I-Ds as WG items, 1 interop hosted, 1 WG founded
  – ITU: SG17 Liaison, Contribution to Q4; SG17 chairman is our advisory board member
  – ENISA: Joint activities; Summer school

Presentation link : http://www.effectsplus.eu/files/2012/09/DEMONS_Padova.pdf

Page 30: exploitation & impact workshop

Assert4SOA - Michele Bezzi

Currently, certification of systems – hardware, software, or in combination – evaluated using the Common Criteria is long, expensive, and generally applied to monolithic, specialist systems rather than components that may be required to build a specific service or environment. It is not generally applicable to the development and composition of a multi-faceted, possibly dynamic, system that delivers a complex service.

Security and trust are increasingly important qualities of services, not least in possible cloud-based environments where there is little scope for testing the assurance of the claims made by many providers. They offer software-as-a-service, platform-as-a-service and infrastructure-as-a-service. This assurance of security is critical where there are specific operational and regulatory requirements – personal privacy and data-protection, and non-disclosure and integrity of financial and other mission-critical information and functionality for commerce and administrations. The developer and the provider of the service need to know the specific security requirements and functionality.

Vision

The goal of Assert4SOA is initially to provide a means of making practical use of existing certification, and then to lead to the possibility of faster, cheaper assurance facilities.

The specific aims are to be able to express certification information in machine-readable and -processable form, and to provide the means to utilise this information in the construction of complex service-oriented applications. This will enable multi-party trust models suitable for open service eco-systems, and make the certificate life-cycle faster. This machine-readable security certificate is labelled an ASSERT. This approach will also allow for living certification over the lifetime of a system as components are adopted, discarded, or modified.

There are two aspects to what Assert4SOA provides:
• design time: a market-place for the selection of certified system components that satisfy certain selection requirements and criteria;

• runtime: discovery of services that satisfy functional and operational security requirements; e.g., what security characteristics are provided by a cloud-based storage service?

Page 31: exploitation & impact workshop

Outline – technical challenges

To demonstrate the usefulness and usability of those assured properties, supporting the selection of components to meet specific security requirements, and integrating them using a service-development environment: an ecosystem/framework; a service development tool-kit, and a prototype marketplace App-Store to go shopping in.

The ASSERT language has to express both aspects of security properties (claims):
• functionality – what security properties are provided?
• details of the assurance of the claimed functionality – precisely how are the security properties achieved?

The processing of the CC certificate leads to a processable certificate – an ASSERT containing three components:
• an AssertCore containing details of the (human) agents involved; the service binding; security property (what?); the target of evaluation (about what?)
• the evidence = assurance (how?)
• possibility for specific user-defined extensions
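The three-part ASSERT structure just described, together with the runtime discovery use case from the previous page (which security characteristics does a cloud storage service provide?), can be made concrete with a small model. The following is an added example and not the Assert4SOA language or tooling: the field names, the evidence kinds, the conversion from a flat CC summary and the three sample storage services are all hypothetical.

```python
"""Constructed illustration of the ASSERT structure (core, evidence,
extensions) and of the runtime discovery it enables: selecting services whose
machine-processable certificate claims a required security property with an
acceptable kind of assurance. Field names and sample services are hypothetical,
not the Assert4SOA language."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class AssertCore:
    agents: Dict[str, str]        # the (human/organisational) agents involved, by role
    service_binding: str          # which service instance the certificate is bound to
    security_property: str        # what is claimed
    target_of_evaluation: str     # about what the claim is made


@dataclass
class Evidence:
    kind: str                     # how the claim is assured, e.g. "cc-certificate", "test-report"
    reference: str                # pointer to the underlying artefact


@dataclass
class AssertCert:
    core: AssertCore
    evidence: List[Evidence]
    extensions: Dict[str, str] = field(default_factory=dict)


def structural_problems(cert: AssertCert) -> List[str]:
    """Return the reasons an ASSERT should not be processed further."""
    problems = []
    if not cert.core.service_binding:
        problems.append("no service binding")
    if not cert.core.security_property:
        problems.append("no security property")
    if "certifier" not in cert.core.agents:
        problems.append("no certifier agent")
    if not cert.evidence:
        problems.append("claim without evidence")
    return problems


def discover(certs: List[AssertCert], required_property: str,
             accepted_evidence: Set[str]) -> List[str]:
    """Runtime discovery: bindings of services whose well-formed ASSERT claims
    `required_property` backed by at least one accepted kind of evidence."""
    matches = []
    for cert in certs:
        if structural_problems(cert):
            continue  # a claim is only as good as its core and evidence
        if cert.core.security_property != required_property:
            continue
        if any(ev.kind in accepted_evidence for ev in cert.evidence):
            matches.append(cert.core.service_binding)
    return matches


def from_cc_summary(summary: Dict[str, str]) -> AssertCert:
    """Turn a constructed, flat summary of a CC evaluation into an ASSERT."""
    return AssertCert(
        core=AssertCore(
            agents={"certifier": summary["certifier"], "provider": summary["provider"]},
            service_binding=summary["service"],
            security_property=summary["property"],
            target_of_evaluation=summary["toe"],
        ),
        evidence=[Evidence("cc-certificate", summary["certificate_id"])],
        extensions={"eal": summary["eal"]},
    )


# Constructed catalogue of three cloud storage services making the same claim.
CATALOGUE: List[AssertCert] = [
    from_cc_summary({"certifier": "LabA", "provider": "StoreCo", "service": "storage-a",
                     "property": "encryption-at-rest", "toe": "storage backend",
                     "certificate_id": "CC-EXAMPLE-1", "eal": "EAL4"}),
    AssertCert(AssertCore({"provider": "OtherCo"}, "storage-b",
                          "encryption-at-rest", "storage backend"),
               evidence=[]),  # self-declared claim: no certifier, no evidence
    AssertCert(AssertCore({"certifier": "LabB", "provider": "ThirdCo"}, "storage-c",
                          "encryption-at-rest", "storage backend"),
               evidence=[Evidence("vendor-statement", "whitepaper")]),
]

if __name__ == "__main__":
    print(discover(CATALOGUE, "encryption-at-rest", {"cc-certificate", "test-report"}))
```

The point of the example is the separation the ASSERT enforces between the property claimed (in the core) and how it is assured (the evidence): the consumer decides which kinds of assurance it accepts, so the same catalogue yields different answers for a regulated workload than for a best-effort one.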

Example modus operandi for Cloud
The figure below shows the flow of envisaged operations and elements between the actors, together with resulting benefits and enhancements over the current position.

Page 32: exploitation & impact workshop

Assert4SOA exploitation

Certification for Services

The goal is to transfer the results into the (CC) certification community, and to make available the knowledge and tools – language and development environment – that have been developed by the project.

Processing machine readable security certificates
Provide the deliverables to service providers, platform providers & end-users:

• ASSERT language and ASSERT technology
• ASSERT-aware discovery facility and store
• ASSERT-enabled development environment and SDK

Conclusions

Assert4SOA addresses the security challenge of adoption of cloud-based services by providing usable certification, and recertification, of composed services. The project will deliver light-weight, machine-processable security certificates for cloud services and applications. The results will be exploitable by application developers, service providers and end-users, making use of the concepts and concrete deliverables developed by the project.

The question was asked whether there has been any activity on standardising this work. Yes, standardisation is being looked at through the clustering activities: it was on the agenda of the last meeting in Berlin (the day-2 cluster workshop in which Assert4SOA took part), but it remains an ongoing task open for discussion.

Presentation Link: http://www.effectsplus.eu/files/2012/09/assert4soa_padova_3.pdf

Session III: How to improve market take-up of successful research results

SEREN2 Piotr Świerczyński

Mr Piotr Świerczyński, during his presentation, provided information relating to the SEREN2 project, highlighting general aspects: who we are, what we do.

SEREN2 is an EU-funded project with the aim of promoting and enhancing trans-national cooperation among Security National Contact Points (NCPs, both at the level of the people and of the institutions appointed in this respect), by reaching a balanced distribution of proficient services to be delivered by Security NCPs to their clients while assisting them to write high-quality proposals to be submitted in future calls. This will ensure better quality of the service provided and added value to the work of each Security NCP. In SEREN2, 26 Security NCPs from 25 countries participate. SEREN2 provides various services and assistance, acting as an official supporting instrument to the EC.

Page 33: exploitation & impact workshop

Services offered by SEREN2 include:

1. Guidance on choosing the appropriate theme / call / topic
2. Advice on administrative procedures and contractual issues
3. Training and assistance on proposal writing
4. Distribution of documentation
5. Assistance in partner search
6. Organization of information days on recent open calls

For further information on specific details relating to the NCP contacts within the member state countries participating in SEREN2, please see the accompanying slideset.

Mr Świerczyński continued by discussing the activities of the SEREN2 project, which include the following:

– Joint Brokerage Events
– Mapping of security research competencies
– Partner search
– Monitoring of the security research area
– Communication and dissemination
– Capacity Building

MAPPING OF SECURITY RESEARCH COMPETENCIES (SEREMA)

SEREMA has the main objective of identifying the Security Research Competencies in Europe. The SEREMA database currently holds approx. 400 profiles. SEREMA pursues the following main aims:

1. Database, "who is who": online registration of security research organisations
2. Awareness-raising activities: promoting the database within the national security communities

Mr Świerczyński provided a live online demonstration of the SEREMA database and its functionalities. Partner search is another functionality available (project search forum / partner search forum). SEREN2 also carries out activities around the monitoring of the security research area, with the main objective of providing both NCPs and stakeholders with an improved flow of security research area information:

• Provide the stakeholders with synthesized practical information on security research.

• Enabling smaller actors (SMEs, research centres, universities) to adjust their efforts for proposal development by having an improved general overview of the security research context in Europe.

• Monitoring the EC calls for proposals: security-related topics can often be found in other calls for proposals (e.g. ICT, space, transport, health, SSH); identify all the security-relevant topics that could be of potential interest to security research stakeholders.

Page 34: exploitation & impact workshop

• Monitoring other security-related European and international calls for proposals (ESA, EDA, NATO).

• Monitoring of security research systems and programmes: countries with a security-specific research programme, countries preparing such programmes (e.g. Czech Republic, etc.), and countries where informal discussions on this matter are ongoing (e.g. Turkey, etc.).

Various communication/dissemination tools (website, newsletters, training sessions) are available. Further information and details relating to this project can be accessed and viewed in Mr Świerczyński's slideset online.

Presentation Link : http://www.effectsplus.eu/files/2012/09/SEREN2_presentation_Padua_September_2012.pdf

FIRE – Facilitate Industry & Research in Europe, Ulrich Seldeslachts

Mr Ulrich Seldeslachts started his presentation with an overview of LSEC and its expertise and activities in the area of security innovation and events on security trends (referencing ISSE Brussels 2012). FIRE is a new CSA (Coordination and Support Action) that started on 1st September 2012; its website and logo will be available in the coming months. FIRE involves the following consortium partners.

FIRE aims to reduce the gap between industry and research in Europe, to organize activities that reduce the fragmentation in the information security industry itself, to support the coordination of European Trustworthy ICT research by linking researchers with the needs of industry, and finally to raise European industrial competitiveness in the markets of trustworthy ICT.

What they focused on was finding the different cluster organisations that bring industry together on a regular, day-to-day basis; all of these associations bring in research to support industry. In the last few years they have seen that there is a serious gap between research and industry, and the FIRE CSA will try to address this issue by giving research access to what industry is really looking for. They plan to accomplish this in many ways, via workshops etc.

Page 35: exploitation & impact workshop

Coordination and support actions are needed to improve Europe’s industrial competitiveness in markets of information security and trustworthy ICT. By helping to coordinate Europe’s research activities of both academic and industry research organizations, and supporting the further development of a European network of industry and academic experts, this project will stimulate companies and researchers to identify joint challenges and to learn how to further support the development of the European information security market.

The first activity is mapping out where ICT research is coming from in Europe: who is doing what, from each organisation, department, research centre etc. Below is an example of an initial idea of what such a mapping will look like (a first attempt made during the FIRE proposal writing phase); validation of the mapping will be done through interviews with relevant experts from each individual organisation to confirm their expertise. A similar database will be completed from an industry point of view in Europe, mapping out their specific challenges and needs. Completing this exercise will expose the gaps and challenges of taking research results to industry.

To summarise, the following main objectives will be the focus during the first 24 months of the FIRE project:

• Mobilizing the information security industry to get involved in current and future trustworthy ICT projects which have been identified

• Identifying other security research competences and competence centres in Europe

• Identifying gaps between the security industry and trustworthy ICT research in Europe

• Defining a structural approach and methodology to align research and industry's needs

• Identifying security research topics based on gaps identified by the industry (examples: using data correlation techniques to prevent damage from cyberattacks, using sandboxing and virtualization techniques to overcome phishing and malware challenges, technologies allowing the widespread deployment of the Internet of Things, challenges in social media, …)

• Creating an inventory of topics, centers and experts and mapping the activities in the European landscape

• Bringing together security industry and ICT industry experts to investigate the inventory and evaluate it against their needs for their internal technology roadmaps and strategies

Presentation Link: http://www.effectsplus.eu/files/2012/09/LSEC_FIRE_prop.pdf

Page 36: exploitation & impact workshop

Workshop Conclusion

During the presentations and discussion various points emerged:

• Large diversity in technology, target users and business models present in current projects.

• Transfer may take place in different forms: "new product" releases, new commercial services, support to sales, community building, expertise transfer, and contributing to the company technology vision.

• The different timeframes of research versus business/development constitute one of the major obstacles to the transfer/commercialization of project results (at least during the project lifetime), and result in difficulties in tracing business results back to research work in projects.

Let us analyse these points in some detail:

As pointed out in the analysis of Call 1 projects (see Effectsplus Deliverable D2.2), the panorama of innovation potential of current projects is highly diversified. Some projects are developing technologies that are usable by citizens (e.g., the uTRUSTit framework); others are targeting ICT specialists at different levels: developers (e.g., Aniketos), IT administrators and IT governance (e.g., PoSecCo), business process designers (e.g., ASSERT4SOA) or security specialists (e.g., Demons and SPACIOS).

From a technological perspective, projects are typically developing frameworks and services, with a strong emphasis on the latter, to support easy consumption. The main point that emerged from the presentations during the meeting is that the results coming from projects can cover a broad spectrum of target users and technologies. Similarly, the channels and the instruments for transfer may differ widely.

In fact, organizations use research results in multiple ways. The typical path, research to innovation, innovation to new products, is clearly the focus of most industrial partners involved in EU projects. Nevertheless, this process is far from linear: in many cases project results are only partly used, and often mixed with state-of-the-art and internally developed technologies. In other words, the resulting end product may implement only a subset of the technologies developed within a research project (and not always the "fanciest" ones, at least from a research point of view), integrated with other existing technologies and offers, and may come to the market a few years after the project end. Examples include HP Privacy Advisor and the SAP Precision Retailing offer. As a result, tracing back to the original research project is often difficult, especially from an external perspective.

Beyond new products, industrial partners take advantage of research outcomes in many different ways. These include: contributing to the image of the company as an innovator (especially in the presence of high-profile demonstrator activities, e.g., the ATOS Olympic Games pilot in MASSIF), contributing to the shaping of the corporate innovation agenda and technology vision, and co-developing and presenting pilots with customers (e.g., Engineering in the Perseus project). All of these aspects constitute a very relevant, although hardly measurable, outcome of research work.

Page 37: exploitation & impact workshop

Part of the discussion was devoted to the main issues for a quick innovation transfer process.

The timeframe of a research project is probably the most evident one. The time between the first idea of a proposal and project start (in case of project acceptance, of course) can easily last one year. Project execution covers 3-4 years, with the finalized prototype usually coming in the last phase of the project. This typical timeline, which is pretty standard in the research world, hardly fits with business or development units' timelines (typically less than one year, and becoming shorter in recent times). Accordingly, although most research labs align their research agenda with the company product strategy (and often contribute to shaping it), direct involvement of development and business units during the research project lifetime is not common.

More often, research results, demonstrated using research prototypes during the project lifetime, are taken up after the project ends. In this take-up phase we often see a complete rewriting of the code developed in the research project, because the quality of the code may not comply with the company standards (in large IT companies multiple quality gates are normally present), because of IP issues, or because it has to be integrated with existing internal code or standards.

As a matter of fact, this innovation-to-market process may last one or more years after project termination.

All presentations from the workshop can be viewed at the following Effectsplus web-site link http://www.effectsplus.eu/3rd-clustering-workshop-presentations/

Page 38: exploitation & impact workshop

Registered Attendees to the Workshop