The constant discovery of vulnerabilities in ICT components, applications, services and systems is placing our entire digital society at risk. Insecure ICT is also imposing a significant cost on users (individuals and organisations) who have to mitigate the resulting risk by implementing additional technical and procedural measures which are resource consuming.
Smart, highly connected cyber-physical systems (CPS) are introducing a high degree of dynamism into the systems to be developed and validated. Hence, CPS are evolving in a complex and dynamic environment, making safety-critical decisions based on information from other systems not known during development.
Another key challenge is posed by domains, such as medical devices, critical infrastructure facilities, and cloud data centres, where security is deeply intertwined and a prerequisite for other trustworthiness aspects such as safety and privacy.
The challenges are further intensified by the increasing trend of using third party components for critical infrastructures, by the ubiquity of embedded systems and the growing uptake of IoT as well as the deployment of decentralized and virtualized architectures.
In order to tackle these challenges, there is a need for appropriate assurances that our ICT systems are secure and trustworthy by design, as well as a need for certified levels of assurance where security is regarded as the primary concern. Likewise, target architectures and methods improving the efficiency of assurance cases are needed in order to lower their costs.
Scope:
a. Research and Innovation Actions – Assurance
Providing assurance is a complex task, requiring the development of a chain of evidence and specific techniques during all the phases of the ICT Systems Development Lifecycle (SDLC for short: e.g. design verification, testing, and runtime verification and enforcement) including the validation of individual devices and components. These techniques are complementary yet all necessary, each of them independently contributing towards improving security assurance. It includes methods for reliability and quality development and validation of highly dynamic systems.
Proposals may address security, reliability and safety assurance at individual phases of the SDLC and are expected to cover at least one of the areas identified below, depending on their relevance to the proposal overall objectives:
Proposals should strive to quantify their progress beyond the state of the art in terms of efficiency and effectiveness. Particular importance within this context should be placed on determining the appropriate metrics.
Proposals should take into account the changing threat landscape, where targeted attacks and advanced persistent threats assume an increasingly important role, and address the challenge of security assurance in state-of-the-art development methods and deployment models, including but not limited to solutions focussing on reducing the cost and complexity of assurance in large-scale systems.
Proposals should include a clear standardisation plan at submission time.
The Commission considers that proposals requesting a contribution from the EU between EUR 3 and 4 million would allow this specific challenge to be addressed appropriately. Nonetheless, this does not preclude submission and selection of proposals requesting other amounts.
The outcome of the proposals is expected to lead to development up to Technology Readiness Level (TRL) 3 to 5; please see part G of the General Annexes.
b. Innovation Actions – Security Certification
Proposals should address the challenge of improving the effectiveness and efficiency of existing security certification processes for state-of-the-art ICT components and products including the production and delivery of the corresponding guidance materials.
In terms of effectiveness, proposals should address, amongst other factors, emerging threats, compositional certification and reuse of components in the context of certified systems and certification throughout the operational deployment of a product or a service.
In terms of efficiency, proposals should strive to reduce the cost and duration of the certification process.
Proposals may address security certification in any area of their choice. Consortia submitting proposals are expected to approach the selected topic as widely as possible, including all necessary actors – e.g. industry, academia, certification laboratories – and involve the relevant certification authorities from at least three Member States in order to achieve added value at a European level.
Proposals are encouraged to work towards moderate to high assurance level protection profiles as a way to validate their results.
The Commission considers that proposals requesting a contribution from the EU between EUR 3 and 4 million would allow this specific challenge to be addressed appropriately. Nonetheless, this does not preclude submission and selection of proposals requesting other amounts.
The outcome of the proposals is expected to lead to development up to Technology Readiness Level (TRL) 6 to 7; please see part G of the General Annexes.
c. Coordination and Support Actions
To complement the research and innovation activities in security assurance and certification in this topic, support and coordination actions should address the following:
Building trustworthiness: economic, legal and social aspects of security assurance and certification
Engage with multidisciplinary communities and stakeholders.
The Commission considers that proposals requesting a contribution from the EU of up to EUR 1 million would allow this specific challenge to be addressed appropriately. Nonetheless, this does not preclude submission and selection of proposals requesting other amounts.
Expected Impact: