Digital security, privacy, data protection and accountability in critical sectors

Research area:
Security
Funding type:
H2020
Instrument type:
Innovation Action
Indicative budget:
3 to 4 million euros max. per project
Total budget:
8.5 million euros
Call code: SU-DS05-2018-2019
Note:
Target TRL:
6 and above

Specific Challenge:

In critical vertical sectors/domains, cybersecurity technologies deployed in several application domains should be aligned to the specific domain needs, linking the demand and supply sides for such cyber technologies. In the context of increased digitization and the growing complexity of cyber-attacks, certain sectors/subsectors are identified as critical from the point of view of cybersecurity needs in the NIS Directive: energy (electricity, oil, gas), transport (air transport, rail transport, water transport, road transport), banking, financial market infrastructures, health sector (health care settings, including hospitals and private clinics), drinking water supply and distribution, and digital infrastructure. These sectors are important customers of cybersecurity solutions; hence it is of utmost importance to facilitate the engagement of end-users in defining and providing sector-specific common requirements about digital security, privacy and personal data protection. Principles and standards for building security, privacy and personal data protection by design and by default should be clearly defined to protect the critical infrastructures in these sectors and ensure personal data integrity and confidentiality.

For the transport domain, security must be managed pro-actively over the system as a whole. This must also extend to include interfaces to critical supporting infrastructures such as communication networks and satellite systems. The complexity of the transport sector finds its roots in the diversity of components that build the solutions in use and the very long lifecycle of these components. The challenge is to migrate these solutions, systems, and infrastructures to a higher level of cybersecurity.

ICT enables the healthcare sector to provide efficient, effective, cross-border top-quality healthcare services improving the public healthcare. Healthcare operations, services and applications are provided via various interconnected infrastructures, systems, entities and people. Personalized medicine is on the brink of becoming a successful approach in treating diseases. This increases the complexity of the pharmaceutical supply chain and raises the importance of achieving a zero error rate in the supply of personalized medications. Cybersecurity in this respect is safety critical and novel approaches are needed to ensure traceability and zero error deliveries. Moreover, requirements related to data protection legislation should also be taken into account, as health is a very sensitive sector from this point of view[1].

This interconnectivity reveals various threats, making the healthcare ecosystem vulnerable to catastrophic attacks with high impact on healthcare institutions and people's lives. The healthcare industry has seen a major rise in cyber-attacks over the past two years, and data breaches increasingly damage the healthcare industry as well as the privacy and personal data protection of the people. Vulnerable patient records management systems can be attacked, leading to unauthorised disclosure of and access to personal data concerning health. Connected medical devices are increasingly used, in particular wearables and home health monitoring devices, which often transmit sensitive data over insecure wireless networks from the patients' homes to the hospitals, exposing the privacy and personal data of the patients and undermining the resilience of the healthcare infrastructures.

Digital technologies are also profoundly changing the financial sector. Cybersecurity solutions are essential to enable digital technologies for finance and to preserve the stability of the financial sector, which must respond to increasingly sophisticated cyber-attacks.

Scope:

Among the critical sectors mentioned in the NIS Directive[2], proposals should treat generic aspects for at least two of them, by identifying common threats and attacks, and by developing proofs of concept for managing cybersecurity and privacy risks. In addition, proposals should treat specific aspects for one of the three critical sectors/domains mentioned as sub-topics, i.e. transport, healthcare and finance, by identifying specific vulnerabilities, propagation effects and counter measures, by developing and testing cyber innovation-based solutions and validating them in pilots/demonstrators. During the conception and development steps, critical sectors/domains' specificities, such as the complexity of the infrastructure and its large scale, should be taken into account. These pilots/demonstrators are encouraged to use relevant transversal cyber infrastructures and capabilities developed in other projects.

Proposals should also include (but should not be limited to) the delivery of specific social aspects of digital security related to training, in particular practical, operational and hands-on training, including: (i) increasing the dynamics of the training and awareness methods, to match or exceed the rate of evolution of the cyber attackers; that is to say, new methods of awareness/training offering more qualification tracks to fully and efficiently integrate ICT security workers and employers in the European e-Skills market; and (ii) integrating awareness into the eco-system of humans, competences, services and solutions which are able to rapidly adapt to the evolutions of cyber attackers or even surpass them.


[2018]: Digital security, privacy and personal data protection in finance

Proposals under this sub-topic should tackle at least one of the following items:

(1): Development of resilience enhancing technologies. Proposers are expected to develop innovative solutions tailored for the finance domain, ensuring that proactive preparedness helps financial market participants and infrastructures to share information and better cope with technological shortfalls. Proposals should (i) deliver tools for making the exfiltration of data unattractive for attackers, both for 'data at rest' and 'data in transit'; (ii) consider incipient trends (e.g. digital onboarding based on biometric data); and (iii) collaborate with CERTs/CSIRTs.

(2): Development of new/enhanced, parameterized, automated and collaborative ICT tools for insurance companies, which are needed in order to collect security, privacy, personal data protection and accountability requirements from their clients and upgrade their insurance and liability policies respecting the EU legislation on cybersecurity, privacy and personal data protection, as well as cybersecurity standards (e.g. ISO27001, 27005).

(3): Standardization to allow the quick adoption of cybersecurity best practices in the domain. Applicants should propose novel solutions for promoting common standards for conducting stress and resilience testing across systemic financial market infrastructures and institutions or for certifying companies/organizations that can perform accredited conformity tests.


Type of Action: Innovation action

Projects should also foresee activities and envisage resources for clustering with other projects funded under this topic and with other relevant projects in the field funded by H2020.


Expected Impact:


Short term:

  • The technological and operational enablers of co-operation in Response and Recovery will contribute to the development of the CSIRT Network across the EU, which is one of the key targets of the NIS Directive.
  • Identified relevant generic and specific aspects related to cybersecurity and digital privacy in the respective critical domains/sectors addressed.
  • Advanced holistic systems and innovative proofs of concept for managing cybersecurity and privacy risks in the respective critical domains/sectors addressed.
  • Advances in the state-of-the-art analysis of specific aspects of the respective critical domains/sectors addressed, such as related cyber threats, attacks and vulnerabilities.
  • Sound analysis of cascading effects of specific related cyber threats within the supply chain of the respective critical domains/sectors addressed.
  • Improved cybersecurity information sharing and collaboration among stakeholders of the respective critical domains/sectors addressed, and with CERTs/CSIRTs.
  • More targeted and acceptable security management solutions addressing specificities of the respective critical domains/sectors addressed.
  • Trigger the fast adoption of cybersecurity/privacy/personal data protection best practices in the respective critical domains/sectors addressed.

Medium term:

  • Better response and recovery technologies and services that will help organizations in the respective critical domains/sectors addressed to significantly reduce the impact of propagated and cascaded threats, vulnerabilities and breaches.
  • Enhanced protection against emerging novel advanced threats in the respective critical sectors/domains addressed.
  • Improved security governance of the respective critical domains/sectors addressed.
  • Greater and more mature EU cybersecurity market in the respective critical domains/sectors addressed.
  • Reduce the impact of breaches with various levels of success in penetrating the defences.

Long term:

  • Better cybersecurity for specific standards in the respective critical domains/sectors addressed, that will trigger fast adoption of best practices in the related industry.
  • Established trust chains among all entities in the eco-systems of the respective critical domains/sectors addressed.
  • Better implementation of the relevant EU legislation (e.g. NIS, eIDAS, GDPR) in the respective critical domains/sectors addressed.
  • Companies/organisations in the respective critical domains/sectors addressed are more willing to promote cyber security, privacy and personal data protection in the whole EU specific ecosystem.

The participation of international partners is essential.