PHOENIX Project helping to Uncover the pan-European Cyber Threat Intelligence (CTI) Data Wealth

Written by PHOENIX project on 17. 05. 2021.

Sharing CTI information has been recognized worldwide as a significant step in fighting against cybersecurity breaches. What if, instead of sharing plain cybersecurity incident data, EPES could receive coordinated or cascading context of cyber-attacks at pan-European level? The PHOENIX Incidents Information Sharing Platform (I2SP) employs AI methods to achieve this.

Confidentiality, Integrity and Availability are the properties of communication networks, services or data that could be negatively impacted by a security incident. To cope with the violation of those properties, security is embedded in the architectural designs of communication networks and services. However, security incidents cannot be excluded from happening and one needs to handle them and capitalise on the knowledge obtained. In this respect, sharing of security incident information seems to be a feature, rather than an option, that needs to be inherently supported and maintained, in terms of necessary infrastructure and related processes. Two distinctive roles are foreseen, the Data Owner, which maintains the source information, and the Data Receiver, which is going to obtain information.

Sharing of security incident data could be done without any further processing of such data. In this case, the Data Owner determines the security information that can be shared, indicating also the specific Data Receivers that may obtain such information. The security incident information shared is not processed, enhanced or augmented with information coming from any other Data Owners. This kind of information sharing may be relevant, in case the Data Receiver operates in a similar domain as the Data Owner. Furthermore, it would require an explicit agreement between the Data Owner and the Data Receivers, regarding the type of information to be shared, according to what the Data Receiver may perceive as relevant.

However, the security incident information shared in this case is limited to specific Data Owners and it lacks a holistic or aggregated view of security incidents. A Data Facilitator/Processor, placed between Data Owners and Data Receivers, can support the regional or cross-national perception of security incidents. This new actor could maintain and implement the necessary data sharing policies and communication capabilities for sharing security incident information between Data Owners and Data Receivers. Additionally, it could process the shared information, making the results available to the Data Receivers. In this way, it provides added value services for them, while eliminating any data processing costs for the Data Owners.

In the context of the PHOENIX project, the role of a Data Owner can be undertaken by the Electrical Power and Energy System (EPES) providers, including Utilities, Aggregators and Energy Generators. These are the primary sources of security incident information. They just need to determine which information will be shared and agree that the results of the processed information can also be shared with relevant or interested Data Receivers.

The Data Receivers can be understood as the Computer Emergency Response Teams (CERT) or the Computer Security Incident Response Teams (CSIRT) of EPES or any National or EU-relevant (e.g. ENISA) security organisations. Such entities may have a national, regional or European interest on security incidents.

Finally, the Data Facilitator/Processor role is fulfilled by the PHOENIX Incidents Information Sharing Platform (I2SP). I2SP is a distributed Pan-European IT platform, aimed for sharing Cyber Threat Intelligence (CTI) data and alerts, between the EPES Stakeholders, Computer Emergency Response Teams (CERTs) and Computer Security Incident Response Teams (CSIRTs), at Pan-European level. I2SP considers the sharing authorisations defined by Data Owners, the registered interest of Data Receivers for obtaining security incident information, providing, at the same time, security incident processing services.

I2SP employs statistical and machine learning analysis, in order to process security incident information with the goal to:

Suggest possible mitigation actions and counter measures
Determine possible targets of attacks in terms of
- Geographical location/area that could be affected
- Time window of potential attack
- Administrative entities that could be affected
Identify any coordinated attacks or cascading effects and alert the relevant Data Receivers

In this manner, the introduced Data Facilitator/Processor provides both data sharing and processing capabilities, interconnecting the Data Owners with the Data Receivers. At the same time, I2SP frames this process into a proper sharing policy context which aims to protect and enable the collaboration and coordination among the providers and the relevant cyber security entities.

Cookie	Type	Duration	Description
__cfduid	1	1 month	The cookie is set by CloudFare. It is used to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.
_wpfuuid	0	10 years	Contact form UUID (Universally Unique Identifier) cookie. It allows the plugin to connect entries by the same user and does not contain or represent any personal information or entry details.
cookielawinfo-checkbox-necessary	0	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-non-necessary	0	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Non Necessary".
test_cookie	0	11 months
viewed_cookie_policy	0	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. It is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assigns a randomly generated number to identify unique visitors.
_gat_gtag_UA_152331303_1	1 minute	Google uses this cookie to distinguish users.
_gid	1 day	This cookie is installed by Google Analytics. It is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visited in an anonymous form.

PHOENIX Project helping to Uncover the pan-European Cyber Threat Intelligence (CTI) Data Wealth

Energy Shield

BRIDGE

Success

Defender

NRG-5

sofie-logo

Elsa

interflex

Intergrid

NobelGrid

PROMOTioN-Logo-RZ-RGB

logo_reserve_sRGB

wisegrid-logo