This deliverable of the CS-AWARE project is the first in an iterative series of three deliverables (D2.1 System and dependency analysis (first iteration) – Cybersecurity requirements for local public administrations, D2.2 System and dependency analysis (second iteration) – Pilot scenario definition and D2.3 System and dependency analysis (third iteration) – Pilot scenario specification and self-healing strategies) that will be delivered throughout the project run time. The first iteration focuses on an overview analysis of cybersecurity related aspects relevant to CS-AWARE in the context of local public administrations (LPAs). The analysis is based on three thematic focus points: an initial threat assessment for LPAs, an analysis of external information sources that may be relevant to CS-AWARE (for both the system and dependency analysis phase and the monitoring and pattern recognition phase) and an analysis of the piloting scenarios based on the first round of soft systems analysis workshops. The results of this deliverable are a substantial input for the CS-AWARE framework (D2.4 – CS-AWARE Framework) as well as for the software development and integration work in work packages WP3 and WP4.
In the initial threat assessment we have investigated threat assessment reports from relevant network and information security (NIS) authorities, law enforcement authorities and the security industry. We have discussed the most relevant threats and threat actors and identified those threats and threat actors that are relevant for LPAs. Based on this analysis we have created an initial risk assessment. We have identified that the most valued asset in LPAs is the potentially sensitive and/or private citizen and employee data that is managed by LPA systems, and that unauthorized data access, modification and destruction as well as data theft are the most relevant threats towards LPAs. We assess that LPAs are not a high-value target (unlike, for example, critical infrastructure or financial institutions, which are attractive due to the potentially high pay-off for a threat actor) and therefore assess the risk against LPA data as medium (on a high, medium and low scale). We assess that untargeted large-scale attacks with the goal of extortion, like ransomware or Distributed Denial of Service (DDoS) attacks, carry a higher risk for LPAs. We have identified the cyber-criminal (high) as well as the malicious insider (medium) as the most relevant threat actors. Furthermore, disgruntled citizens, script kiddies and hacktivists are also seen as relevant threat actors, but we assess the risk from those actors to be low due to the low potential pay-off for those actors as well as the low expected damages for LPAs.
In the analysis of relevant information sources for CS-AWARE we identified potential information sources in the following categories: NIS Competent Authorities, Law Enforcement Agencies, Cyber Intelligence Sources and Information Sharing Tools (both open source and commercial providers), Cybersecurity Intelligence Data Feeds, Malware Analysis, Vulnerability Data, Social Media and Cybersecurity Visualizations. We have seen that there are many organizations, commercial providers and open source projects/communities that provide information related to cybersecurity that can potentially be utilized by CS-AWARE to assess the global cybersecurity situation. Some of the identified sources, especially in the categories of “NIS Competent Authorities” and “Law Enforcement Agencies”, provide more static information in aggregated form, such as threat assessment reports. Such information can be utilized by CS-AWARE in the system and dependency analysis phase, in order to gain a better overview picture of the global cybersecurity situation and be able to map it to the concrete LPA context. Other information sources provide more dynamic information in structured or unstructured form, like feeds with information about the latest threats or vulnerabilities. Those sources can potentially be utilized by CS-AWARE in the monitoring and pattern recognition phase, to set specific events or security incidents in context with the events or incidents observed in LPA systems. In this deliverable we provide an extensive list of potential information sources; however, no concrete assessment of which information sources (especially the sources providing dynamic content) are the most relevant to CS-AWARE for data collection has been made yet.
In the pilot scenario analysis we present a high-level overview of the relevant systems and dependencies that we identified in both piloting municipalities, Larissa in Greece and Roma Capitale (RC) in Italy. Our analysis is based on the first round of workshops that were conducted by the CS-AWARE analysts in both municipalities. In those workshops the method of rich pictures drawn by the administrators of the systems (e.g. technical personnel, management or subcontractors) was utilized in order to identify the most critical assets, dependencies and monitoring points present in the LPA systems. This method is part of the analysis according to the soft systems methodology (SSM) that was chosen for CS-AWARE. In CS-AWARE the analysis and identification of assets, dependencies and monitoring points of the existing and organically grown complex socio-technological systems found in all larger organizations – like LPAs – is an integral part of the proposed cybersecurity awareness solution. We argue that in complex systems good cybersecurity awareness can only be provided if the relevant relations between the mission-critical aspects of the system are understood, and relevant case-specific monitoring points can be utilized. The first round of analysis has only strengthened our argument. In both municipalities we were able to achieve good analysis results and to identify the most mission-critical systems and their dependencies, as well as potential monitoring points for CS-AWARE. While the individual set-ups and procedures in the two municipalities are significantly different from each other, especially due to the substantial difference in complexity of the operations of the two very differently sized municipalities, we were able to draw some generalized conclusions that will allow us to develop guidelines and procedures that will help to further simplify future analysis efforts in LPAs.
In line with the initial risk assessment we have identified that the potentially sensitive and/or private data managed by LPAs is their most valuable asset. A cybersecurity awareness solution therefore has to monitor the possible data flows in day-to-day operations. We have investigated potential monitoring points at four different levels that allow suspicious behaviour related to data operations to be identified: the database level, the application/service level, the network level and the security appliance level. On the database level and the application/service level, built-in logging and auditing mechanisms can be utilized to monitor relevant data operations, since most modern database systems and applications/services provide good logging and/or auditing capabilities. On the network level, most modern networking products have built-in logging and sometimes even analysis capabilities for monitoring relevant network traffic. Security appliances, like for example firewalls, intrusion detection systems (IDS) or Security Information and Event Management (SIEM) systems, are another class of software- or hardware-based system that can provide relevant information specifically related to security through built-in logging features.
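As an added illustration of a database-level monitoring point (example code, not part of the deliverable or the CS-AWARE software): a small detector that reads database audit records and flags the data operations the threat assessment names, bulk reads of personal data by ordinary accounts and off-hours modification or deletion. The audit line format, the table names, the thresholds and the account names are all constructed assumptions, since the deliverable specifies none.

```python
"""Toy database-level detector for suspicious data operations on sensitive tables."""
from datetime import datetime

# Constructed sample audit lines in an assumed, simplified format:
# "<ISO timestamp> user=<name> op=<SELECT|UPDATE|DELETE> table=<name> rows=<n>"
SAMPLE_AUDIT = """\
2024-03-04T09:12:01 user=clerk01 op=SELECT table=citizens rows=3
2024-03-04T09:15:22 user=clerk01 op=UPDATE table=citizens rows=1
2024-03-04T10:02:45 user=clerk07 op=SELECT table=citizens rows=2
2024-03-04T23:41:09 user=clerk07 op=SELECT table=citizens rows=48000
2024-03-04T23:43:30 user=clerk07 op=DELETE table=citizens rows=120
2024-03-04T11:20:00 user=reportsvc op=SELECT table=citizens rows=52000
"""

SENSITIVE_TABLES = {"citizens", "employees"}  # assumed: tables holding personal data
BULK_ROWS = 1000                               # assumed threshold for a "bulk" read
BUSINESS_HOURS = range(7, 20)                  # assumed 07:00-19:59 local time
BATCH_ACCOUNTS = {"reportsvc"}                 # assumed: accounts allowed to read in bulk


def parse_line(line):
    """Split one audit line into a dict with typed timestamp and row count."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["rows"] = int(rec["rows"])
    return rec


def detect(audit_text):
    """Return (user, reason) findings for suspicious operations on sensitive tables."""
    findings = []
    for line in audit_text.splitlines():
        r = parse_line(line)
        if r["table"] not in SENSITIVE_TABLES:
            continue  # only personal-data tables are in scope here
        off_hours = r["ts"].hour not in BUSINESS_HOURS
        # Possible data theft: large read by an account not meant for batch reporting
        if r["op"] == "SELECT" and r["rows"] >= BULK_ROWS and r["user"] not in BATCH_ACCOUNTS:
            findings.append((r["user"], "bulk read of sensitive table"))
        # Possible unauthorized modification/destruction outside working hours
        if r["op"] in {"UPDATE", "DELETE"} and off_hours:
            findings.append((r["user"], f"off-hours {r['op']} on sensitive table"))
    return findings


if __name__ == "__main__":
    for user, reason in detect(SAMPLE_AUDIT):
        print(f"ALERT user={user}: {reason}")
```

In a real deployment the same logic would run over the database's own audit log rather than an embedded string, with thresholds tuned per municipality.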
In the second iteration of this deliverable (D2.2 System and dependency analysis (second iteration) – Pilot scenario definition), due in M16, we will focus on substantiating the initial overview analysis and identify 1) those information sources that are most relevant to CS-AWARE and which will be interfaced with CS-AWARE and 2) the concrete piloting scenarios and monitoring points in the municipalities CS-AWARE will interface with. This will allow the project to define the concrete pilot scenarios in preparation for the deployment of the CS-AWARE solution.